
Security: Remove integration_key from client bundle#3

Draft
Copilot wants to merge 5 commits into main from copilot/fix-integration-key-bundling

Conversation


Copilot AI commented Nov 1, 2025

The integration_key was being passed to the React component and bundled into client JavaScript, exposing it to anyone inspecting the application.

Solution

Implemented server-side proxy pattern. Client now calls user's backend API, which handles Paynow interactions with the integration_key securely.

[React App] → [User's Server] → [Paynow API]
              (holds integration_key)

Changes

API (Breaking)

  • Removed integration_key from PaynowReactProps
  • Added apiEndpoint: string for user's backend URL
  • Created PaynowClient class for server communication

React Components

  • PaynowContext: Stores config instead of instantiating Paynow
  • Payment: Uses PaynowClient to call backend endpoints

Server Implementation

  • server-example.js: Complete Express.js reference implementation
  • Required endpoints: /init, /init-mobile, /poll

Documentation

  • MIGRATION-GUIDE.md: Step-by-step migration with framework examples
  • Updated README with security warnings and new setup flow

Usage

Before:

<PaynowReactWrapper
  integration_id="..."
  integration_key="secret" // ❌ Exposed in bundle
  {...urls}
/>

After:

<PaynowReactWrapper
  integration_id="..."
  apiEndpoint="https://api.yourdomain.com/paynow" // ✅ Calls your backend
  {...urls}
/>

Users must implement backend endpoints using the provided server-example.js as reference.

Test Coverage

  • Added 6 tests for PaynowClient
  • All 22 tests passing
  • CodeQL: 0 alerts
Original prompt

This section details the original issue you should resolve

<issue_title>[bug]: integration_key should not be bundled into the app</issue_title>
<issue_description>I generally think that the integration_key should not be bundled into the client side code. I didn't think about that when I initially built this. It's a fork of the paynow package which is meant to be used at the server side, hence this wasn't a concern for them.</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 4 commits November 1, 2025 06:39
…pattern

Co-authored-by: tate2301 <16937098+tate2301@users.noreply.github.com>
Co-authored-by: tate2301 <16937098+tate2301@users.noreply.github.com>
…useEffect

Co-authored-by: tate2301 <16937098+tate2301@users.noreply.github.com>
Co-authored-by: tate2301 <16937098+tate2301@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix integration_key bundling into client-side code Security: Remove integration_key from client bundle Nov 1, 2025
Copilot AI requested a review from tate2301 November 1, 2025 06:50


Development

Successfully merging this pull request may close these issues.

[bug]: integration_key should not be bundled into the app
