I have and app that uses connected accounts with Stripe. I need to store information about which Stripe account is linked to the specific client in my app. So my current workflow is:
I set a Stripe Account Id to the client of my app in Database
On the specific page, my Frontend sends request about which Account Id is linked to the specific client
I send a Stripe Account Id as a response to my Frontend
I process Card information with the connected account on my Frontend and send the Token to my Backend
On the backend, I create Source and retrieve it back to Frontend
On the Frontend, I handle the possible 3DS and send a Source back to my Backend
On the backend, I finish the payment and send status back to my Frontend
So, my question is - Is there any possible security risk during the process? I could not figure out any other way of passing Account Id information to the frontend. I need to initialize Stripe on Frontend with a specific Account Id to check Credit card data via Stripe Elements. Without the Account Id in my Frontend, I cannot create Card payment linked to the specific connected Stripe Account, so I think, there is no other way - Am I wrong?
As clients in my application changes, there is no possibility to store an Account Ids in an ENV file, I just have to get it from my server somehow.
I also tried to check Card info via Stripe elements using just PK stored in my ENV file, but then, when I wanted to finish payment with a connected Account, the process failed.
Do you guys have any secure workflow for this situation?
Sharing account and source (did you mean PaymentMethod?) IDs with your frontend is not just fine, it's expected. In order to make requests with Stripe.js on behalf of connected accounts you need to provide the account ID when initializing.
Doing anything malicious with those IDs requires a secret key, which as long as you aren't sharing that with the client you should be fine.
Related
I have a react website with a payment module for PayPal.
It has an ability for cloud provision as well, for which, when the user requests for provision, he enters the form data and at that time, I will be taking his PayPal Client ID and secret ID as well, using which I will be making him a new provision
Is there a way to verify that the PayPal client ID and secret values are valid ones?
An API request to get an access token, https://developer.paypal.com/docs/api/get-an-access-token-curl/
I'm currently trying to create managed accounts entirely clientside, storing on the backend only the stripe account ID associated with each user. At first, I tried using stripe.js, but it doesn't seem to provide any API for working with managed accounts at all. Then, I tried using RESTful API directly, and made a request to create a managed account (a POST request to https://api.stripe.com/v1/accounts), using a publishable key. Response was a 403:
{
"error": {
"type": "invalid_request_error",
"message": "This API call cannot be made with a publishable API key. Please use a secret API key. You can find a list of your API keys at https://dashboard.stripe.com/account/apikeys."
}
}
But doesn't that mean that creating a managed account clientside is impossible or, at least, unsafe and not intended? Secret key is not supposed to become visible to the client at any point and in any form, is it? Is there something I don't understand, or are managed accounts to be created only serverside?
Stripe integrations require both a front-end and a back-end component.
You use Checkout or Stripe.js and your Publishable Key to collect a Customer's credit card information, which is then sent to Stripe. In return Stripe sends back a token that you can use to charge this card.
https://stripe.com/docs/checkout
https://stripe.com/docs/stripe.js
You must use a backend, with your Secret Key, to create an account, a charge, a customer or take other actions on your account. So, yes, managed accounts are only created server-side.
If you need a minimal backend I'd suggest spinning up a small instance at AWS, Heroku, Digital Ocean, Linode, etc
I am using the Dropbox Core API for a web application. On my server, I want to have a profile for each user, that is linked with his Dropbox account. How can I ensure, that only this user has access to his information? Can I get some sort of a secure unique Dropbox password hash for the Dropbox user?
Thanks.
Maybe you could just store the profile in the user's Dropbox (e.g. via the Datastore API). Then you don't have to worry about it at all... only the authenticated user can see his or her own data.
Otherwise you could just use the user ID. If you're doing this server-side, pass the OAuth token to the server, and on the server call /account/info to get the user ID. Then just tie the profile to that user ID.
A very simple question which I've seen kinda answers to.
Can you do a facebook login with PHP to authenticate a user and grab information?
Why then is there a JS version?
I just don't understand the difference between the two above options.
My web app will need to gleen the users email address as there will be a mailing list component to signing up for our service.
How do you manage this local information and uniquely identify the user each time they log in from facebook? Do you store their facebook ID?
Thanks
1- Yes - https://developers.facebook.com/docs/reference/php/
2- So you can do it on the client side.
You can get user's email address if you have appropriate permissions.
Yes you store their facebook id and associate users with it.
They both do the same thing, just on different sides: on the server or on the client.
If your authentication process relies heavily on server interaction and you have your server side code ready, use the PHP SDK. It provids you with methods to get the ID from the user. This will be unique so you can store them.
If you want to manage an application flow, say the user needs to give your website certain permissions in order to view something, it can be easy done with the Javascript SDK.
I have client-side FB connect working. In my example you just click login with Facebook and then a popup appears, they login and then are returned to the app, where I display their name and pic.
My questions are around how to make use of this connection.
If they are using fb to log in would I create an account with this
information the first time? Then supplement this info with app specific stuff? Then grab that account every time they login? How should I reference the existing account?
Can I only query the API for data from the client, or can I store some info on
the server that lets me query their account from the server?
How would something like finding out if two people are friends work?
Would this be done on the server? What does the query look like?
How long do sessions last and how is it decided? Will the login persist across multiple visits?
Can I make use of the login when the user isn't currently active in the app? Query for a status or make a request on their account in between visits?
Any help figuring out how this works would be spectacular. Thanks very much for the help!
If they are using fb to log in would I create an account with this information the first time? Then supplement this info with app specific stuff? Then grab that account every time they login? How should I reference the existing account?
Yes, and you'd use their Facebook ID to find if they have an existing account.
Can I only query the API for data from the client, or can I store some info on
the server that lets me query their account from the server?
Store the access token. If you need long-lasting access (the default token expires after an hour or two) you need to request offline_access extended permissions.
How would something like finding out if two people are friends work? Would this be done on the server? What does the query look like?
Fetch a user's friends list from https://graph.facebook.com/me/friends and see if the friend's Facebook ID is in there.
How long do sessions last and how is it decided? Will the login persist across multiple visits?
When the user authorizes your app via OAuth, the expiration time in seconds is appended to the URL.
Can I make use of the login when the user isn't currently active in the app? Query for a status or make a request on their account in between visits?
Yes, until the token expires. See above regarding offline_access.