Add verification token to payment request for 3DS/SCA

[qooplmao]

3D Secure (Strong Customer Authentication, or SCA, in the EEA) requires a verification token that is generated on the frontend be sent with the charge.

This just adds the verification_token to the $prepData (null if not present) and then sets it in the CreatePaymentRequest.

In addition the Simple Example could be updated to

$amount = 5000; //Is in USD currency and is in smallest denomination (cents). ($amount = 5000 == 50 Dollars)

// nonce reference => https://developer.squareup.com/docs/payment-form/payment-form-walkthrough
// single-use token (nonce) generated by the client-side javascript library
$formNonce = 'some nonce';

$location_id = 'some location id'; //$location_id is id of a location from Square

// optional, default=USD
$currency = 'USD'; //available currencies => https://developer.squareup.com/reference/square/objects/Currency

// optional
$note = 'This is my first payment to Square with this library'; //note about this charge

// optional
$reference_id = '25'; //some kind of reference id to an object or resource

// optional
$verification_token = 'xxxxxx'; // The 3DS token provided by verifiyBuyer request => https://developer.squareup.com/docs/web-payments/sca

$options = [
  'amount' => $amount,
  'source_id' => $formNonce,
  'location_id' => $location_id,
  'currency' => $currency,
  'note' => $note,
  'reference_id' => $reference_id,
  'verification_token' => $verification_token,
];

[NikolaGavric94]

Thanks for making this PR because I was thinking of doing something similar. I just never got the time to focus on the library due to my IRL stuff.

[NikolaGavric94]

To cover the cases where there is no verification token needed, can we instead of setting it's value as null set the attribute itself only if the value for it exists.

Something along these lines:

if (array_key_exists('verification_token', $data)) {
    $prepData['verification_token'] = $data['verification_token'];
}

[NikolaGavric94]

Reason for this is that it's bad practice to keep sending null values for attributes used in securing someones identity, especially in financial apps.

[qooplmao]

Yeah, no worries. It's null anyway in the Square CreatePaymentRequest so you're still kind of sending null values, unless they strip it themselves, but it's not a problem.

[NikolaGavric94]

I would prefer if we apply the same approach here for the request, only set the attribute if it's value exists:

if (array_key_exists('verification_token', $prepData)) $request->setVerificationToken($prepData['verification_token']);

[qooplmao]

No problem on making the PR. A guy working on our project made a fork with this change initially. We only used it to build a create a charge and we store all of the data elsewhere so refactored things so the additional dependency wasn't necessary but I this might be worth pushing back up.

[NikolaGavric94]

Can you rebase your changes off of master? There was a glitch with autoloading and github actions

[qooplmao]

It should be good now. I'm doing this all through the GitHub site because I'm being too lazy to clone it on my local so sorry if I'm missing something.