6.29.0

Co-authored-by: David Johnson <djohnson14@paypal.com>

Author: braintreeps

.github/workflows/dependency-review.yml

@@ -0,0 +1,10 @@
+name: Security
+
+on:
+  pull_request:
+    branches: [ master ]
+  workflow_dispatch:
+
+jobs:
+  dependency-review:
+    uses: PayPal-Braintree/security-workflows/.github/workflows/dependency-review.yml@main

.github/workflows/security.yml

@@ -0,0 +1,23 @@
+name: Security
+
+permissions:
+  contents: write         # Needed by both CodeQL and dependency review
+  pull-requests: write    # Needed by dependency review
+  statuses: write         # Needed by dependency review (to post checks)
+  security-events: write  # Needed by CodeQL to upload SARIF
+  packages: read          # Needed by CodeQL for private/internal packs
+  actions: read           # Needed by CodeQL to access internal actions
+
+on:
+  pull_request:
+    branches: [ master ]
+  push:
+    branches: [ master ]
+  workflow_dispatch:
+
+jobs:
+  semgrep-php:
+    uses: PayPal-Braintree/security-workflows/.github/workflows/semgrep-php.yml@main
+
+  dependency-review:
+    uses: PayPal-Braintree/security-workflows/.github/workflows/dependency-review.yml@main

CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## 6.29.0
+
+* Add Bank Account Instant Verification functionality
+* Add `BankAccountInstantVerificationGateway` for creating JWT tokens
+* Add `BankAccountInstantVerificationJwt` and `BankAccountInstantVerificationJwtRequest` classes
+* Add `bankAccountInstantVerification()` method to main Gateway class
+* Add ACH mandate support for US Bank Account transactions
+* Add `achMandateText` and `achMandateAcceptedAt` fields to Transaction and PaymentMethod create signatures
+* Add `usBankAccount` parameter support for ACH mandate details
+* Add `INSTANT_VERIFICATION_ACCOUNT_VALIDATION` as a new US Bank Account verification method
+* Add `sender` and `receiver` to `transfer` in `Transaction`
+* Add `achRejectReason` field to `Transaction`
+* Add `sender` and `receiver` to `transfer` in `Transaction`
+* Add `isDeviceToken` and `merchantTokenIdentifier` to `ApplePayCard` and `ApplePayDetails`
+* Add `paymentAccountReference` to `ApplePayCardDetails`, `GooglePayCardDetails`, `CreditCardDetails` and `CreditCardVerification`
+
 ## 6.28.0
 * Add `upcomingRetryDate` to Transaction
 * Add `remainingFileEvidenceStorage` to `Dispute`

lib/Braintree/BankAccountInstantVerificationGateway.php

@@ -0,0 +1,69 @@
+<?php
+
+namespace Braintree;
+
+/**
+ * Provides methods to interact with Bank Account Instant Verification functionality.
+ *
+ * This gateway enables merchants to create JWTs for initiating the Open Banking flow
+ * and retrieve bank account details for display purposes.
+ */
+class BankAccountInstantVerificationGateway
+{
+    private $_gateway;
+    private $_http;
+    private $_config;
+    private $_graphQLClient;
+
+    private static $CREATE_JWT_MUTATION =
+        'mutation CreateBankAccountInstantVerificationJwt($input: CreateBankAccountInstantVerificationJwtInput!) { ' .
+        'createBankAccountInstantVerificationJwt(input: $input) {' .
+        '    jwt' .
+        '  }' .
+        '}';
+
+    /**
+     * BankAccountInstantVerificationGateway constructor.
+     *
+     * @param object $gateway The gateway object providing configuration and GraphQL client.
+     */
+    public function __construct($gateway)
+    {
+        $this->_gateway = $gateway;
+        $this->_http = new Http($gateway->config);
+        $this->_config = $gateway->config;
+        $this->_graphQLClient = $gateway->graphQLClient;
+    }
+
+    /**
+     * Creates a Bank Account Instant Verification JWT for initiating the Open Banking flow.
+     *
+     * @param BankAccountInstantVerificationJwtRequest $request the JWT creation request containing business name and redirect URLs
+     *
+     * @return Result\Successful|Result\Error a Result containing the JWT and client mutation ID
+     */
+    public function createJwt($request)
+    {
+        $response = $this->_graphQLClient->query(self::$CREATE_JWT_MUTATION, $request->toGraphQLVariables());
+        $errors = GraphQLClient::getValidationErrors($response);
+
+        if ($errors) {
+            return new Result\Error(['errors' => $errors]);
+        }
+
+        try {
+            $data = $response['data'];
+            $result = $data['createBankAccountInstantVerificationJwt'];
+
+            $jwt = $result['jwt'];
+
+            $jwtObject = BankAccountInstantVerificationJwt::factory([
+                'jwt' => $jwt
+            ]);
+
+            return new Result\Successful($jwtObject, 'bankAccountInstantVerificationJwt');
+        } catch (\Exception $e) {
+            throw new Exception\Unexpected("Couldn't parse response: " . $e->getMessage());
+        }
+    }
+}

lib/Braintree/BankAccountInstantVerificationJwt.php

@@ -0,0 +1,51 @@
+<?php
+
+namespace Braintree;
+
+/**
+ * Represents a Bank Account Instant Verification JWT containing a JWT.
+ *
+ * @property-read string $jwt
+ */
+class BankAccountInstantVerificationJwt extends Base
+{
+    protected $_attributes = [
+        'jwt'
+    ];
+
+    /**
+     * factory method: returns an instance of BankAccountInstantVerificationJwt
+     * from given attributes
+     *
+     * @param array $attributes attributes for the verification JWT
+     *
+     * @return BankAccountInstantVerificationJwt
+     */
+    public static function factory($attributes)
+    {
+        $instance = new self();
+        $instance->_initialize($attributes);
+
+        return $instance;
+    }
+
+    /**
+     * Initializes the instance with given attributes
+     *
+     * @param array $attributes
+     */
+    protected function _initialize($attributes)
+    {
+        $this->_attributes = $attributes;
+    }
+
+    /**
+     * Returns the JWT for Bank Account Instant Verification.
+     *
+     * @return string the JWT
+     */
+    public function getJwt()
+    {
+        return $this->jwt;
+    }
+}

lib/Braintree/BankAccountInstantVerificationJwtRequest.php

@@ -0,0 +1,108 @@
+<?php
+
+namespace Braintree;
+
+/**
+ * Provides a fluent interface to build requests for creating Bank Account Instant Verification JWTs.
+ */
+class BankAccountInstantVerificationJwtRequest
+{
+    private $_businessName;
+    private $_returnUrl;
+    private $_cancelUrl;
+
+    /**
+     * Sets the officially registered business name for the merchant.
+     *
+     * @param string $businessName the business name
+     *
+     * @return BankAccountInstantVerificationJwtRequest
+     */
+    public function businessName($businessName)
+    {
+        $this->_businessName = $businessName;
+        return $this;
+    }
+
+    /**
+     * Sets the URL to redirect the consumer after successful account selection.
+     *
+     * @param string $returnUrl the return URL
+     *
+     * @return BankAccountInstantVerificationJwtRequest
+     */
+    public function returnUrl($returnUrl)
+    {
+        $this->_returnUrl = $returnUrl;
+        return $this;
+    }
+
+    /**
+     * Sets the URL to redirect the consumer upon cancellation of the Open Banking flow.
+     *
+     * @param string $cancelUrl the cancel URL
+     *
+     * @return BankAccountInstantVerificationJwtRequest
+     */
+    public function cancelUrl($cancelUrl)
+    {
+        $this->_cancelUrl = $cancelUrl;
+        return $this;
+    }
+
+
+    /**
+     * Gets the business name.
+     *
+     * @return string
+     */
+    public function getBusinessName()
+    {
+        return $this->_businessName;
+    }
+
+    /**
+     * Gets the return URL.
+     *
+     * @return string
+     */
+    public function getReturnUrl()
+    {
+        return $this->_returnUrl;
+    }
+
+    /**
+     * Gets the cancel URL.
+     *
+     * @return string
+     */
+    public function getCancelUrl()
+    {
+        return $this->_cancelUrl;
+    }
+
+
+    /**
+     * Converts the request to GraphQL variables format
+     *
+     * @return array
+     */
+    public function toGraphQLVariables()
+    {
+        $variables = [];
+        $input = [];
+
+        if ($this->_businessName !== null) {
+            $input['businessName'] = $this->_businessName;
+        }
+        if ($this->_returnUrl !== null) {
+            $input['returnUrl'] = $this->_returnUrl;
+        }
+        if ($this->_cancelUrl !== null) {
+            $input['cancelUrl'] = $this->_cancelUrl;
+        }
+
+        $variables['input'] = $input;
+        return $variables;
+    }
+}

lib/Braintree/ClientTokenGateway.php

@@ -39,7 +39,7 @@ public function generate($params = [])
             $params["version"] = ClientToken::DEFAULT_VERSION;
         }
 
-        Util::verifyKeys(self::generateSignature(), $params);
+        $this->conditionallyVerifyKeys($params);
         $generateParams = ["client_token" => $params];
 
         return $this->_doGenerate('/client_token', $generateParams);

lib/Braintree/Configuration.php

@@ -631,6 +631,16 @@ public function graphQLBaseUrl()
         return sprintf('%s://%s:%d/graphql', $this->protocol(), $this->graphQLServerName(), $this->graphQLPortNumber());
     }
 
+    /**
+     * returns the base URL for Braintree's Atmosphere service based on config values
+     *
+     * @return string Braintree Atmosphere URL
+     */
+    public function atmosphereBaseUrl()
+    {
+        return sprintf('%s://%s:%d', $this->protocol(), $this->atmosphereServerName(), $this->atmospherePortNumber());
+    }
+
     /**
      * sets the merchant path based on merchant ID
      *
@@ -687,6 +697,19 @@ public function graphQLPortNumber()
         return getenv("GRAPHQL_PORT") ?: 8080;
     }
 
+    /**
+     * returns the port number for Atmosphere service depending on environment
+     *
+     * @return integer atmosphere portnumber
+     */
+    public function atmospherePortNumber()
+    {
+        if ($this->sslOn()) {
+            return 443;
+        }
+        return getenv("ATMOSPHERE_PORT") ?: 8080;
+    }
+
     /**
      * Specifies whether or not a proxy is properly configured
      *
@@ -776,6 +799,33 @@ public function graphQLServerName()
         return $graphQLServerName;
     }
 
+    /**
+     * returns Braintree Atmosphere server name depending on environment
+     *
+     * @return string atmosphere domain name
+     */
+    public function atmosphereServerName()
+    {
+        switch ($this->_environment) {
+            case 'production':
+                $atmosphereServerName = 'payments.braintree-api.com';
+                break;
+            case 'qa':
+                $atmosphereServerName = 'payments-qa.dev.braintree-api.com';
+                break;
+            case 'sandbox':
+                $atmosphereServerName = 'payments.sandbox.braintree-api.com';
+                break;
+            case 'development':
+            case 'integration':
+            default:
+                $atmosphereServerName = 'atmosphere.bt.local';
+                break;
+        }
+
+        return $atmosphereServerName;
+    }
+
     /**
      * returns boolean indicating SSL is on or off for this session,
      * depending on environment

lib/Braintree/Error/Codes.php

@@ -639,6 +639,10 @@ class Codes
 
     const TRANSACTION_TRANSACTION_SOURCE_IS_INVALID                                   = '915133';
 
+
+     const TRANSFER_DETAILS_NOT_APPLICABLE                                            = '97501';
+    const TRANSFER_DETAILS_NOT_AVAILABLE                                              = '97510';
+
     const US_BANK_ACCOUNT_VERIFICATION_NOT_CONFIRMABLE                      = '96101';
     const US_BANK_ACCOUNT_VERIFICATION_MUST_BE_MICRO_TRANSFERS_VERIFICATION = '96102';
     const US_BANK_ACCOUNT_VERIFICATION_AMOUNTS_DO_NOT_MATCH                 = '96103';

lib/Braintree/Gateway.php

@@ -298,4 +298,15 @@ public function webhookTesting()
     {
         return new WebhookTestingGateway($this);
     }
+
+    /**
+     * Returns a BankAccountInstantVerificationGateway for interacting with
+     * Bank Account Instant Verification functionality.
+     *
+     * @return BankAccountInstantVerificationGateway
+     */
+    public function bankAccountInstantVerification()
+    {
+        return new BankAccountInstantVerificationGateway($this);
+    }
 }