@reggi
Created March 13, 2014 20:29

#stripe freenode

<Guest84175> yo any live people here?
<Guest84175> Q: do i need a server to handle this token business
<Guest84175> i wanna send the token directly to you stripe
<Guest84175> via client
<Guest84175> oh come on!
<Guest84175> this is a simple yes / no question!
<Guest84175> anyone!
<Guest84175> anyone in the vastness of this chat room
<Guest84175> lend out a helping hand
<Guest84175> i'm sinking into the abyss
<Guest84175> the stripe-abyss
<henriwatson> Guest84175: don't do that
<Guest84175> not to be confused with striped-bass
<henriwatson> I really, really should write down why not because I end up repeating it quite a bit
<Guest84175> -_-
<Guest84175> henriwatson: got anything for me?
<henriwatson> okay, basically you need your secret key to actually do things (make charges, create customers, etc.)
<henriwatson> the only way for you to directly interact with the token on the client side is by giving the client your secret key
<Guest84175> and that can't be online / client
<Guest84175> public
<Guest84175> got it
<henriwatson> the problem is that a bad actor can pull the secret key out and do nasty things on your account
<Guest84175> right
<henriwatson> they can try stolen credit cards, refund/leak all your customers, etc.
<Guest84175> Q: why doesn't stripe provide a backend for this?
<henriwatson> they do.
<Guest84175> no, they give secret keys and make you do it yourself
<henriwatson> the problem is that it's not exposed for use by the client.
<Guest84175> so I need to take the token from a form send it to my server | create customer, charges, subscription on the server | which talks back to stripe
<Guest84175> within those brackets, those things should be able to do via the stripe backend itself
<henriwatson> the problem is that if you can directly talk to stripe, so can a bad actor
<Guest84175> that bad actor can talk directly with my server!
<Guest84175> which is proxying everything
<henriwatson> right but the idea is that your server won't be a blind proxy
<henriwatson> your server won't allow you to pull all the customers, your server won't allow you to run a thousand cards at once, etc.
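The arrangement henriwatson describes, as an added example that is not code from the gist or from Stripe: the browser sends only a token and a product id, the secret key lives on the server, and the server exposes exactly one operation whose amount and rate it decides itself. The `FakeStripe` stand-in, `CheckoutHandler`, the `CATALOG` price list and the per-IP rate limit are all constructed for this example; the `tok_` prefix check only reflects the shape of Stripe.js card token ids and is not a substitute for Stripe's own validation.

```python
import time
from collections import defaultdict, deque


class FakeStripe:
    """Stand-in for a Stripe SDK client so the example runs offline.
    This is an assumption for the example, not Stripe's real library."""

    def __init__(self, secret_key):
        # The secret key is held here, on the server, and is never sent to a client.
        self._secret_key = secret_key
        self.charges = []

    def create_charge(self, token, amount, currency):
        charge = {"id": f"ch_{len(self.charges) + 1}", "token": token,
                  "amount": amount, "currency": currency}
        self.charges.append(charge)
        return charge


# Constructed price list: the client names a product, the server decides the amount.
CATALOG = {"sku-basic": 1000, "sku-pro": 5000}  # amounts in cents


class CheckoutHandler:
    """The single operation the server exposes: charge a token for a catalogue item.

    There is deliberately no method here that lists customers, issues refunds or
    forwards an arbitrary Stripe API call from the client. That is the difference
    between a policy-enforcing endpoint and the "blind proxy" from the chat."""

    def __init__(self, stripe, max_per_window=5, window_s=60.0, clock=time.monotonic):
        self._stripe = stripe
        self._max = max_per_window
        self._window = window_s
        self._clock = clock          # injectable so the limit can be tested deterministically
        self._attempts = defaultdict(deque)  # client ip -> timestamps of recent attempts

    def _rate_limited(self, client_ip):
        """Sliding-window limit: at most max_per_window attempts per IP per window_s."""
        now = self._clock()
        recent = self._attempts[client_ip]
        while recent and now - recent[0] > self._window:
            recent.popleft()
        if len(recent) >= self._max:
            return True
        recent.append(now)
        return False

    def charge(self, client_ip, token, sku):
        # Every attempt counts, successful or not, so the endpoint cannot be used
        # to run a large batch of cards through the account quickly.
        if self._rate_limited(client_ip):
            return {"ok": False, "error": "rate_limited"}
        # Stripe.js card token ids look like "tok_..."; anything else is rejected
        # before the server talks to Stripe at all.
        if not (isinstance(token, str) and token.startswith("tok_") and len(token) > 4):
            return {"ok": False, "error": "bad_token"}
        # The amount is never taken from the request body.
        amount = CATALOG.get(sku)
        if amount is None:
            return {"ok": False, "error": "unknown_sku"}
        result = self._stripe.create_charge(token=token, amount=amount, currency="usd")
        return {"ok": True, "charge_id": result["id"], "amount": amount}


if __name__ == "__main__":
    # Placeholder key: a real deployment would read the secret key from the
    # server's environment, never from anything shipped to the browser.
    handler = CheckoutHandler(FakeStripe("sk_test_PLACEHOLDER"))
    print(handler.charge("203.0.113.7", "tok_constructed", "sku-pro"))
    print(handler.charge("203.0.113.7", "4242424242424242", "sku-pro"))
```

The point of the example is what the handler refuses to do: the client cannot choose the amount, cannot send raw card data through, cannot reach any Stripe operation other than "charge this token for this product", and cannot make more than a handful of attempts per minute from one address. The `FakeStripe.charges` list records what actually reached the (fake) processor, which makes the refusals checkable.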
@erostripe

Hi I need help

@erostripe

Need help
