
So I'm making a Square Point of Sale integration for a web app.

Square Point of Sale Web API for Android

I'm passing in the CLIENT_ID in the intent:#Intent declaration as described in the documentation linked above. This information is passed to the Square Point of Sale app that handles the transactions. The passed CLIENT_ID is supposed to match the APPLICATION_ID of the account used to sign into the Square POS app.

The problem I am having is that the transaction doesn't throw an error when those IDs are mismatched. This potentially creates a situation where the POS operator can log into their own Square POS account and divert our revenue to their personal account. Seems like a significant security hole.

The documentation linked above indicates that I should receive an UNAUTHORIZED_CLIENT_ID error.

I have literally passed in a CLIENT_ID of 'sausage' and it still failed to throw any error whatsoever.

Any insight whatsoever would be very much appreciated. Thanks in advance.

luxdlux
  • can you share your complete intent? – tristansokol Jul 10 '18 at 21:49
  • `intent:#Intent;action=com.squareup.pos.action.CHARGE;package=com.squareup;S.com.squareup.pos.WEB_CALLBACK_URI=https://url.com;S.com.squareup.pos.CLIENT_ID=sausage;S.com.squareup.pos.API_VERSION=v1.3;i.com.squareup.pos.TOTAL_AMOUNT=100;S.com.squareup.pos.CURRENCY_CODE=USD;S.com.squareup.pos.TENDER_TYPES=com.squareup.pos.TENDER_CARD,com.squareup.pos.TENDER_CASH;S.com.squareup.pos.REQUEST_METADATA=${orderID};end` – luxdlux Jul 10 '18 at 21:51
  • Is there a reason you are using version 1.3 instead of 2? Which version of the point of sale app are you using? – tristansokol Jul 10 '18 at 21:54
  • If I target version 2, none of my response handling works and there is zero documentation that describes differences between v1.3 and v2.0, so I don't really have much of a choice. I'm using version 4.92 of the Point of Sale app. – luxdlux Jul 11 '18 at 15:01
  • When I target version 2.0 of the API, I still don't get an error for passing in a mismatched `APPLICATION_ID` – luxdlux Jul 11 '18 at 20:27
  • If you want to ensure it's the correct account, you should use the `location_id` parameter. In Android it looks like `S.com.squareup.pos.LOCATION_ID`. If a different location is logged into the POS application it will result in an error. – sjosey Jul 12 '18 at 18:28
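The intent from the comments, rebuilt with the `LOCATION_ID` extra that sjosey recommends, as an added example that is not code from the question, the comments or Square. The `action`, `package`, `S.com.squareup.pos.*` and `i.com.squareup.pos.*` names are the ones in the comment's intent and `S.com.squareup.pos.LOCATION_ID` is the one sjosey names; the function and option names are mine, and the callback URL, client ID, location ID and order ID are constructed sample values. Because the intent is a `;`-delimited string assembled in the browser, the builder also refuses any value containing a delimiter character, so an order ID taken from a request cannot append or override extras:

```javascript
// Added example (not the question's or Square's code): build the Square Point
// of Sale Web API intent URI for Android from validated inputs, always
// including LOCATION_ID so the POS app rejects a different logged-in account.
const SQUARE_POS_ACTION = 'com.squareup.pos.action.CHARGE';   // from the comment's intent
const SQUARE_POS_PACKAGE = 'com.squareup';                    // from the comment's intent
const ALLOWED_TENDERS = new Set([
  'com.squareup.pos.TENDER_CARD',
  'com.squareup.pos.TENDER_CASH',
]);

// Each extra is "key=value" joined by ';', so a value containing ';', '=', '#',
// '%' or whitespace could corrupt or inject extras. Reject rather than encode,
// which keeps the output byte-for-byte in the format the comment shows.
function extra(key, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error(`${key}: value must be a non-empty string`);
  }
  if (/[;=#%\s]/.test(value)) {
    throw new Error(`${key}: value contains an intent delimiter character`);
  }
  return `${key}=${value}`;
}

// opts (names are mine): callbackUri, clientId, locationId, apiVersion,
// totalAmount (integer, smallest currency unit), currencyCode, tenderTypes,
// requestMetadata (opaque order identifier echoed back on the callback).
function buildSquarePosIntent(opts) {
  const callback = new URL(opts.callbackUri);           // throws on malformed URL
  if (callback.protocol !== 'https:') {
    throw new Error('WEB_CALLBACK_URI must use https');
  }
  if (!Number.isInteger(opts.totalAmount) || opts.totalAmount <= 0) {
    throw new Error('TOTAL_AMOUNT must be a positive integer');
  }
  if (!/^[A-Z]{3}$/.test(opts.currencyCode)) {
    throw new Error('CURRENCY_CODE must be a 3-letter ISO code');
  }
  if (!Array.isArray(opts.tenderTypes) || opts.tenderTypes.length === 0) {
    throw new Error('at least one tender type is required');
  }
  for (const t of opts.tenderTypes) {
    if (!ALLOWED_TENDERS.has(t)) throw new Error(`unknown tender type ${t}`);
  }

  const parts = [
    'intent:#Intent',
    `action=${SQUARE_POS_ACTION}`,
    `package=${SQUARE_POS_PACKAGE}`,
    extra('S.com.squareup.pos.WEB_CALLBACK_URI', callback.href),
    extra('S.com.squareup.pos.CLIENT_ID', opts.clientId),
    // LOCATION_ID is the check sjosey describes: a POS login for another
    // location fails instead of silently taking the payment.
    extra('S.com.squareup.pos.LOCATION_ID', opts.locationId),
    extra('S.com.squareup.pos.API_VERSION', opts.apiVersion || 'v2.0'),
    extra('i.com.squareup.pos.TOTAL_AMOUNT', String(opts.totalAmount)),
    extra('S.com.squareup.pos.CURRENCY_CODE', opts.currencyCode),
    extra('S.com.squareup.pos.TENDER_TYPES', opts.tenderTypes.join(',')),
    extra('S.com.squareup.pos.REQUEST_METADATA', opts.requestMetadata),
    'end',
  ];
  return parts.join(';');
}

// Constructed sample input; IDs are placeholders, not real Square values.
const SAMPLE_OPTS = {
  callbackUri: 'https://example.com/square/callback',
  clientId: 'sq0idp-EXAMPLE',
  locationId: 'LOC-EXAMPLE',
  apiVersion: 'v2.0',
  totalAmount: 100,
  currencyCode: 'USD',
  tenderTypes: ['com.squareup.pos.TENDER_CARD', 'com.squareup.pos.TENDER_CASH'],
  requestMetadata: 'order-42',
};

console.log(buildSquarePosIntent(SAMPLE_OPTS));
```

The `LOCATION_ID` check runs inside the POS app on the device, and everything in this intent is assembled in the customer-facing browser, so it narrows the mismatch window rather than replacing server-side reconciliation: the transaction the callback reports should still be confirmed against the expected location from the web app's backend before the order is marked paid.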

0 Answers