Problem Description:
I am currently using the Square Mobile Payments SDK, and the official documentation shows how to authorize the SDK directly by passing the accessToken
and locationID
from the frontend, as shown in the example below:
swift
import SquareMobilePaymentsSDK
class MyViewController: UIViewController {
func authorizeMobilePaymentsSDK(accessToken: String, locationID: String) {
guard MobilePaymentsSDK.shared.authorizationManager.state == .notAuthorized else {
return
}
MobilePaymentsSDK.shared.authorizationManager.authorize(
accessToken: accessToken,
locationID: locationID) { error in
if let authError = error {
// Handle auth error
print("error: \(authError.localizedDescription)")
return
}
print("Square Mobile Payments SDK successfully authorized.")
}
}
}
This method works but involves passing the accessToken
directly in the frontend, which is not ideal for a production environment due to security concerns.
My Approach:
To improve security, my approach is as follows:
- Frontend requests an authorization code from a Lambda function.
- BACK END handles the actual authorization process using Square API and returns an
authorization code
to the frontend. - Frontend receives this
authorization code
and uses it with the Mobile Payments SDK to complete the authorization process, instead of passing theaccessToken
directly.
My Question:
In the official documentation, I couldn’t find any methods for authorizing the Mobile Payments SDK using an authorization code
rather than the accessToken
. I am looking for guidance on whether this is possible.
I would like to achieve the following workflow:
- The frontend gets an
authorization code
from the backend . - The frontend uses this
authorization code
with the Mobile Payments SDK to complete the authorization.
My specific questions are:
- Does the Square Mobile Payments SDK support authorization using an
authorization code
? - If so, which method or function should I call to complete this authorization?
- If not, is there any recommended best practice to secure the
accessToken
and avoid exposing it directly in the client-side code?
Thank You:
Any guidance or alternative solutions would be greatly appreciated. My goal is to securely authorize the SDK without exposing sensitive information like the accessToken
to the client-side.