We're adding Stripe as one of the several providers for our payment gateway.
The workflow we currently use for processing Apple / Google / Samsung Pay payments is the following:
Mobile Client generates an encrypted payment token via API provided by the OS
Mobile Client sends a payment request to the Backend (user ID, amount, token).
Backend sends a request to Bank API
Bank API responds to Backend with either success or failure
Backend responds to Mobile Client
However, after reading Stripe's documentation, I haven't found a way to implement the same workflow. Apparently, the interaction is inverted:
Mobile Client requests a "client secret" from Backend
Backend sends a PaymentIntent request to Stripe's API
Backend returns the created PaymentIntent's "client secret" to Mobile Client
Mobile Client executes the payment by directly communicating with Stripe's API using the client SDK
This seems problematic, because it requires a major redesign for both our Mobile Client and Backend applications. Moreover, it makes the abstraction leak, because now the Mobile Client is bound to a particular payment provider.
Is it possible to implement our existing workflow with Stripe's API?
You definitely can obtain ApplePay/GooglePay token directly from Apple/Google, and use it to exchange for a Stripe token to "get into Stripe's world", similar to your original approach. However this approach requires some tweak and you would want to reach out to their Support.
Yes, it is possible to implement the flow you described with Stripe.
Refer to https://github.com/google-pay/pay-server-demos/blob/main/google-pay-psp-client/handlers/stripe.js for an example of how you might implement it for Google Pay:
return stripe(config.secretKey).charges.create({
amount: order.totalInt,
currency: order.currency.toLowerCase(),
source: order.paymentToken.id,
});
order.paymentToken.id is the payment token returned by Google Pay.
Related
I'm building a mobile app (and possibly a website) that uses a REST API to handle all the logic.
That being said, the REST api itself should call a 3rd party REST API (the Spotify one) to handle the logic for the app/website.
So basically the user should sign in to my app/website using its Spotify account and my API should make calls to the Spotify Web Api to retrieve user data using its access token, and then send them back to the app/website.
Now I've spent quite some time studying Spotify guidelines about authentication here and it looks like the Authorization Code Flow should fit my use case.
I definitely need to call the /authorize endpoint to retrieve the code from my app since I need user interaction for that. After that, I do get back the **code** that I should exchange for an access_token and refresh_token.
But as I said, it's not the app itself the makes the calls to the Spotify API, but my API. So theoretically I should send the received code to my API and let him handled retrieving and refreshing the access_token and refresh_token.
So my question is if this makes sense? Is it ok to send the code from the app to my api?
Not sure if it's clear so I'll attach a diagram of what I'm intending of doing.
Also probably after receiving the code, I would send back my own token to the app to be used with each future request (somehow similar with what you would do when you handle authorization with Facebook or other socials)
Hmm - some assumptions below, but I would aim to use standard flows. Some solutions are not possible in a good way though.
BUSINESS SOLUTION
Are you trying to build an app that combines the user's Spotify data with your own data for the user?
ARCHITECTURE TO AIM FOR
Your own UIs and APIs should use tokens issued by you and not Spotify. Only use Spotify tokens when you need to access Spotify resources. This leads to simple and reliable code.
STANDARD OPTION 1
This is based on you being in control of data from multiple sources:
You should have your own login and token issuing system. UI first logs into your app, which enables it to call your API with a token.
When you want to access Spotify you need to redirect the user again. The user can then consent to you using Spotify resources in your app, after which your web / mobile UIs get a Spotify token and can call Spotify APIs.
STANDARD OPTION 2
This is based on allowing the user to sign in with a familiar credential, which works via a federated login:
User needs to login
Your app redirects to your Authorization Server
There is a second redirect to Spotify
User logs in at Spotify
Spotify posts a token to your Authorization Server
Your Authorization Server posts its own token to your mobile app
Meanwhile your Web API has its own connection to Spotify that uses the Client Credentials Flow.
DOUBLE HOPPING CODES / TOKENS
This is not insecure, but it will add a lot of complexity and is not standard. You would need to maintain some kind of API session with 2 types of token per user and access token expiry would be a horrible area.
MOBILE FLOW
For mobile apps you should use Authorization Code Flow (PKCE) - my blog posts have some stuff on messages and user experience.
I hope to build a mobile app that sends credit card information to an aws-lambda microservice, which then submits that information to stripe. I'm concerned about PCI compliance/security, and I'm wondering if there is something I'm missing. The following is my plan:
1) Users sign in using PCI compliant passwords - and are assigned unique ids and get cognito access keys.
2) Users enter payment information in the mobile app. The app then sends that credit card data via POST request using HTTPS to a cognito authenticated aws-lambda instance (api gateway is used to create endpoints).
3) Upon a successful post request the app deletes the local credit card data.
4) The lambda instance decrypts encrypted stripe secret access keys using KMS.
5) The lambda instance uses Stripe NodeJS sdk to send the data to stripe and stores stripe tokens in databases.
6) At no point does the Lambda instance save ANY credit card data - it ONLY writes Stripe tokens to the database.
Is there anything I'm missing here? Is there something I should be concerned about?
EDIT:
Additional Info:
Credit card details are collected within the app and stored in the app state until they are deleted. The https POST does not use Stripe tools because I'm using React Native.
Further to our discussion in the comments, you could write a service wrapper to POST the data directly to Stripe using their JavaScript API. You'd just need to embed the public API key in your app.
See the solution in this blog post: http://blog.bigbinary.com/2015/11/03/using-stripe-api-in-react-native-with-fetch.html
I am using angular.js for Stripe Integration.
I found a couple of libraries for anuglar.js but I think they don't provide features.
This is what I am trying to do on angular.js using Stripe API for subscription payment.
Create Customer.
Add credit card information on this customer.
Add customer with subscription plan.
Check customer's subscription is expired or not.
If expired, renew subscription.
Does stripe.js will handle this?
What libraries should I use? if not, is it possible using standard $http.post for stripe API?
Looking forward your help.
A payment flow with Stripe is divided in two parts:
client-side, in your frontend code, you collect and tokenize the customer's payment information using Stripe.js or Checkout. You then send the token to your server
server-side, in your backend code, you use the token in an API request, e.g. to create a charge or a customer
Except for token creation requests, all other API requests need to be sent using your secret API key, so you can't do this from your frontend code without revealing the secret API key, which you definitely don't want to do (because then anyone could retrieve it and use it to send API requests on your behalf).
I want to let my customers on mobile application to be able to make payments using Pypal .. so far so good!
Now I want the mobile application to send to the backend server a payment confirmation with the amount payed, if I just made the mobile application to send those information to the backend just like that without any type of authenticity, that will be very hackable and totally insecure, is there some kind of token that Paypal passes to the client, and then to the my backend server, that the server can authorize the payment?
From the official documentation, steps are listed by details:
https://developer.paypal.com/webapps/developer/docs/integration/mobile/verify-mobile-payment/
Any method of payments through the API requires credentials, but for security reasons I don't want to store credentials on my server.
Can I do payments like this:
1. Using the API make Mass Payments
2. After that, login to my PayPal account and confirm payments
3. Using the API get information about payments
From PayPal forum:
Unfortunately to use any of the API's
you would pass over the API
credentials in the API call.