Add enableDPoP flag for Hosted Buttons #2340

Merged
merged 5 commits into from
Feb 27, 2024

@jshawl jshawl commented Feb 21, 2024

Description

This PR adds a new prop enableDPoP to the hosted buttons component to feature-flag adding DPoP headers to /v1/oauth2/token and protected resource requests.

paypal.HostedButtons({
  hostedButtonId: "H1234567890",
  enableDPoP: true // 🆕
})

When enableDPoP is true, requests to create an access token will include a DPoP header (see https://datatracker.ietf.org/doc/html/rfc9449#name-dpop-access-token-request) that includes information about the request (request method and URI) and information about the device (the in-memory public key generated from the buyer's browser) and is signed with an in-memory, non-extractable private key.

When enableDPoP is true, requests to protected resources will replace the existing Authorization: Bearer <token> with the new authentication scheme: Authorization: DPoP <token> and also include a DPoP header (see https://datatracker.ietf.org/doc/html/rfc9449#name-protected-resource-access).

When enableDPoP is false (or undefined), no existing functionality is changed. This property is used as a feature flag only before general availability.

Why are we making these changes?

The hosted buttons component creates access tokens cross-origin from the merchant's site. DPoP enforces a policy where access tokens can only be used from the device that requested the access token.

From https://datatracker.ietf.org/doc/html/rfc9449#name-objectives:

The primary aim of DPoP is to prevent unauthorized or illegitimate parties from using leaked or stolen access tokens, by binding a token to a public key upon issuance and requiring that the client proves possession of the corresponding private key when using the token.

Reproduction Steps

Add enableDPoP: true to paypal.HostedButtons({})

Screenshots

See an example DPoP proof (and its contents) validated in the jwt.io debugger.

I also wanted to include the above link to show that no sensitive information is included in the DPoP proof. Even when an access token is passed to buildDPoPHeaders, it is hashed (ath).

Dependent Changes

Everything related to JWT creation, key pair generation, and signatures is implemented in @paypal/sdk-client:

Future PRs:

  • this feature flag can be removed (and default to DPoP requests) when e2e testing has been completed.

Groups who should review (if applicable)

❤️ Thank you!
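The proof format described in this PR, sketched with the WebCrypto API as an added example: it is not code from this PR or from @paypal/sdk-client, and every function name in it is hypothetical. It goes one step beyond the description by also showing the checks a resource server runs on the proof; a real server additionally checks `iat` freshness, `jti` reuse and that the proof key matches the key the token was bound to.

```javascript
// Added example, not PayPal's implementation; all function names are hypothetical.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();
const ES256 = { name: "ECDSA", namedCurve: "P-256", hash: "SHA-256" };

const b64url = (buf) =>
  btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const unb64url = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));
const sha256 = async (text) =>
  b64url(await wc.subtle.digest("SHA-256", enc.encode(text)));

// extractable=false: script can sign with the private key but can never export it.
const generateDPoPKeyPair = () =>
  wc.subtle.generateKey(ES256, false, ["sign", "verify"]);

async function buildDPoPProof({ keyPair, method, uri, accessToken }) {
  const { kty, crv, x, y } = await wc.subtle.exportKey("jwk", keyPair.publicKey);
  const header = { typ: "dpop+jwt", alg: "ES256", jwk: { kty, crv, x, y } };
  const payload = {
    jti: b64url(wc.getRandomValues(new Uint8Array(16))), // unique per proof
    htm: method,
    htu: uri.split(/[?#]/)[0], // RFC 9449: htu carries no query or fragment
    iat: Math.floor(Date.now() / 1000),
  };
  // Only a hash of the access token enters the proof, never the token itself.
  if (accessToken) payload.ath = await sha256(accessToken);
  const input = [header, payload]
    .map((part) => b64url(enc.encode(JSON.stringify(part)))).join(".");
  const sig = await wc.subtle.sign(ES256, keyPair.privateKey, enc.encode(input));
  return `${input}.${b64url(sig)}`;
}

// Resource-server side: signature, method, URI and token-hash checks.
async function verifyDPoPProof(proof, { method, uri, accessToken }) {
  const [h, p, s] = proof.split(".");
  const header = JSON.parse(dec.decode(unb64url(h)));
  const payload = JSON.parse(dec.decode(unb64url(p)));
  if (header.typ !== "dpop+jwt" || header.alg !== "ES256") return false;
  const key = await wc.subtle.importKey("jwk", header.jwk, ES256, true, ["verify"]);
  const sigOk = await wc.subtle.verify(ES256, key, unb64url(s), enc.encode(`${h}.${p}`));
  return sigOk && payload.htm === method && payload.htu === uri.split(/[?#]/)[0] &&
    (!accessToken || payload.ath === (await sha256(accessToken)));
}
```

A token copied out of the page is of no use without the key pair: a proof signed by any other key fails the server's key-binding check, and a proof captured for one request fails the `htm`, `htu` or `ath` comparison on another.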


codecov bot commented Feb 22, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 51.58%. Comparing base (2fb3820) to head (4bb7822).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2340   +/-   ##
=======================================
  Coverage   51.58%   51.58%           
=======================================
  Files         105      105           
  Lines        2055     2055           
  Branches      616      616           
=======================================
  Hits         1060     1060           
  Misses        892      892           
  Partials      103      103           
Flag Coverage Δ
jest 32.29% <ø> (ø)
karma 50.29% <ø> (ø)


@jshawl jshawl marked this pull request as ready for review February 22, 2024 20:59
@jshawl jshawl requested a review from a team as a code owner February 22, 2024 20:59

@ravishekhar ravishekhar left a comment


🎉

@ravishekhar ravishekhar merged commit a739ef5 into main Feb 27, 2024
3 checks passed
@ravishekhar ravishekhar deleted the dpop branch February 27, 2024 22:37