How can I offer secure links when selling downloads with Stripe? - stripe-payments

I'm interested in selling e-books on my site that will come packaged as a ZIP file. I've got the purchase process all hooked up using Stripe's Checkout feature. Once I make a test purchase it's sending me to my "Thank You" page and creating the new customer (via Stripe_Customer::create) and charge (via Stripe_Charge::create).
How can I offer a download link on this page that can't then just be passed around to anyone else? Is it safer to just ask for their email address and email the ZIP to them?

The best thing to do would probably be to create a download token object in your database, and to have that know about the user and the creation time. Then, the user's download link can be something like download.php?token=f136803ab9c241079ba0cc1b5d02ee77.
When download.php sees a token, it can 1) make sure that it's valid, and 2) that it's being used within n minutes of when the token was created. (And maybe that it's been used fewer than 10 times, or something like that.)
Obviously, this means that the user can't redownload his/her ebook -- you'll need some way of regenerating/reissuing tokens if you want to support that use case.
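
The token scheme described in this answer, as an added example that is not part of the original answer. It is written for Node.js rather than the PHP of the question; the Map stands in for the database table, the 30-minute window is an assumed value for "n minutes", and storing only a hash of the token is a design choice added here.

```javascript
const crypto = require('node:crypto');

const TOKEN_TTL_MS = 30 * 60 * 1000; // "n minutes" from the answer; 30 is an assumed value
const MAX_USES = 10;                 // the usage cap the answer suggests

// Stand-in for a database table, keyed by the SHA-256 of the token so that a
// leaked table does not hand out working download links.
const tokens = new Map();

const digest = (token) => crypto.createHash('sha256').update(token).digest('hex');

// Call after the Stripe charge succeeds; returns the value for ?token=...
function issueToken(customerId, productId, now = Date.now()) {
  const token = crypto.randomBytes(16).toString('hex'); // 128 random bits, 32 hex chars
  tokens.set(digest(token), { customerId, productId, createdAt: now, uses: 0 });
  return token;
}

// The checks the download endpoint runs before streaming the ZIP.
function redeemToken(token, now = Date.now()) {
  if (typeof token !== 'string' || !/^[0-9a-f]{32}$/.test(token)) {
    return { ok: false, reason: 'malformed' };
  }
  const row = tokens.get(digest(token));
  if (!row) return { ok: false, reason: 'unknown' };
  if (now - row.createdAt > TOKEN_TTL_MS) return { ok: false, reason: 'expired' };
  if (row.uses >= MAX_USES) return { ok: false, reason: 'exhausted' };
  row.uses += 1; // with a real database, check and increment in one atomic UPDATE
  return { ok: true, customerId: row.customerId, productId: row.productId };
}

// Redownload support: revoke the customer's old tokens and mint a fresh one.
function reissueToken(customerId, productId, now = Date.now()) {
  for (const [key, row] of tokens) {
    if (row.customerId === customerId && row.productId === productId) tokens.delete(key);
  }
  return issueToken(customerId, productId, now);
}
```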

Related

Request and/or receive money via transferwise ~ WISE with a Balance Account Invitation Link

I am new to transferwise and want to ask if the thing I want to do is achievable via the wise-api.
The platform/business needs to automate one action among others:
Business needs to ask the User to pay via Wise whenever they feel ready.
Business gives the balance account details (Wise balance account) (I think it is the borderless account, right? Or is it one of the overseas balance accounts [usd, eur, gbp...]?)
User pays to business
Via webhook (I think so) we manage the user info and link the stuff to the DB
It would be nice if I could use the "Request money" flow-endpoint, which gives you a payment-link with 14 days of exp. But I think you can't use that in the API :(
Is there someone who has made something like this before using Wise?
I'm so new to Wise and it is my first time implementing a thing like this from scratch (I'm the only backend dev haha)
I tried to follow the docs, and I see the endpoints to do this in the Postman Collection, but I don't know if they can solve the needs of the business.
Is this the only way?
I can't use the "Request money" flow with the API?
Big thanks for reading!

Best way to handle one-time payments with STRIPE webhooks in nodeJS

I am using STRIPE as my payment processor, in a REACT + nodeJS app. I already have something that already works, but I would like some feedback, maybe I'm doing something wrong.
So... I have this Redirect-To-Checkout functionality that's made available by STRIPE, basically I redirect the user to this STRIPE page where all card-data (sensitive information) is processed in order for the payment to be fulfilled.
What I do in my nodeJS server part is the following:
Once the user accesses the redirect to check-out page, I already create a PendingOrder, with the products selected by the client (Here I save some information based on client/stripe payment-intent, in order to check in later steps)
Once the webhook gives me the 'payment_intent.succeeded' I check for the payment-intent information to see if it exists in my PendingOrder collection, then proceed to add it to ConfirmedOrders and remove it from PendingOrders.
I have to do this whole process because Stripe no longer gives me access to some information I require when the user is checking-out his order (such as observation that the user has based on the type of service he chooses).
Are there any down-sides to this approach or is there any other way to do it?
Thanks in advance!

You’re not really far from the best practices that Stripe recommends here. The only thing that I would change is listening to checkout.session.completed instead of the payment_intent.succeeded event. As of the latest API version, a PaymentIntent is no longer created upfront so a better way to handle order fulfillment is to either store the Checkout Session ID (e.g. cs_live_xxx) or you could add some metadata when creating the Checkout Session and use that instead to identify the order.
"I have to do this whole process because Stripe no longer gives me access to some information I require when the user is checking-out his order"
As for this, I’m not sure what you mean, you can always use your app with the success page customization described here alongside webhooks. I wouldn’t use that to fulfill the order though since the user might close the page before the redirection completes which means that the fulfillment wouldn’t be done in that case. As such, webhooks are essential to order fulfillment.
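
The fulfillment flow this answer recommends, as an added example that is not part of the original thread. The Maps stand in for the PendingOrder and ConfirmedOrders collections, the `order_id` metadata key and the function names are assumptions, and the event is assumed to have been authenticated by the webhook endpoint before it reaches `handleStripeEvent`.

```javascript
// In-memory stand-ins for the PendingOrder / ConfirmedOrders collections.
const pendingOrders = new Map();   // orderId -> order
const confirmedOrders = new Map(); // orderId -> order

// Call when creating the Checkout Session. The same orderId is assumed to be
// sent to Stripe as metadata.order_id on that session, so the extra fields
// (such as the customer's note) never have to come back from Stripe.
function createPendingOrder(orderId, items, note) {
  pendingOrders.set(orderId, { orderId, items, note });
}

// Call with the parsed webhook event. Returns what was done with it.
function handleStripeEvent(event) {
  if (event.type !== 'checkout.session.completed') return 'ignored';
  const session = event.data.object;
  const orderId = session.metadata && session.metadata.order_id;
  // Webhooks can be delivered more than once: fulfil each order only once.
  if (confirmedOrders.has(orderId)) return 'duplicate';
  const order = pendingOrders.get(orderId);
  if (!order) return 'unknown-order';
  // The session can complete before the money has arrived (delayed payment
  // methods), so only fulfil when Stripe reports the session as paid.
  if (session.payment_status !== 'paid') return 'unpaid';
  confirmedOrders.set(orderId, { ...order, checkoutSessionId: session.id });
  pendingOrders.delete(orderId);
  return 'fulfilled';
}
```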

Is it possible to access a friend's Instagram pictures without his access_token?

I heard that Instagram recently changed their APIs and I have a related question to that.
Let's assume I would like to build an "Instagram feed app of people I follow". So this app would just show me the pictures of all people I follow. From what I understand this would be possible, but I would always have the same manual effort:
From the Instagram developer website I understand that I need the access_token from all my friends.
Do I understand that correctly?
This would mean every time I follow someone new, I would have to get his/her access_token manually and add it into my app.
Do I understand this correctly or is there a programmatic/automated way to get the needed access_token from the new followed person?

Yes, you are correct. This is not possible at the moment. I'm not sure how you would get the access token of friends. You would have to have them log in as well. BTW: This seems to be the way Facebook is going (since they now control Instagram). They require that both friends have authorized your app and then they will list their followers.

MEAN Stack / How do I create and manage temporary users without a login or signup?

Okay so I'm currently developing a bitcoin-related website!
I want it to work like this:
User visits the page and sees a balance of 0.000BTC + a deposit address.
If the user deposits money to that address it shows up after x confirmations and updates a mongodb doc with the amount they sent.
The user can then make api calls that do stuff with the doc.
Here's what I don't want:
Users to have to sign up to do this...
How can I accomplish this using angularJS or NodeJS?
I was thinking about doing something with sessions / a mongoDB that uses a TTL collection.
However I can't wrap my head around how to do this correctly.
Any ideas, solutions, or example code would be extremely helpful!
-Thanks

I think that when the money is deposited you should open a user with their deposit email and the ability to update details in his profile later on.
I would send mail confirmation on both deposit and the user profile opened.
That way they don't "sign up" but a user object will be created automatically based on the deposit.
All of this stuff should happen in node BTW (logic and workflow in node, appearance and UX in angular)
Lior

Intuitive Website owner verification

Hello, I'm developing a web app where the user needs to verify that they are the "Owner" of the website. I know there is code verification but how would I check if that verification is on their site without overcomplicating the verification method?
Also, I'm thinking about giving the site owner an hour to verify. How would I automatically detect if the hour is over and be able to delete them from the database?

The way Google or Yahoo do this is to require the webmaster to create a file with a special cryptic name (the file length can be 0), which is generated by Google/Yahoo. Could be something like "dsaa6fd4sgfdsf324gd.html". So you generate such a unique (name) string for each website to be verified, store it in the DB, and then you go and try to GET it from that site. If the GET succeeds you can set "verified=true" in the DB for that site and file name.
To answer the 1hr question we'd have to know what technology you are using. There are many options to run timed background jobs from a web application. Usually you write the job details into the database, and have a background daemon check the DB periodically and execute any pending jobs. You could tell it (that daemon) to execute a job one hour later to see if the file (see above) exists. Well, you have to do it that way in any case, it's no use simultaneously telling the webmaster to create that file and check for it right away :)
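
The file-based check and the one-hour cleanup from this answer, as an added example that is not part of the original answer. The Map stands in for the database, and `probe(url)` is a hypothetical helper that performs the HTTP GET and resolves to the status code; it is injected so the background pass can be exercised without network access.

```javascript
const crypto = require('node:crypto');

const VERIFY_WINDOW_MS = 60 * 60 * 1000; // the one-hour window from the question

// Stand-in for the database table of sites awaiting verification.
const sites = new Map(); // origin -> { fileName, createdAt, verified }

// Register a site and return the URL of the file its owner must create.
function startVerification(origin, now = Date.now()) {
  const fileName = crypto.randomBytes(16).toString('hex') + '.html';
  sites.set(origin, { fileName, createdAt: now, verified: false });
  return `${origin}/${fileName}`;
}

// One pass of the background job, run periodically by a scheduler.
async function runVerificationPass(probe, now = Date.now()) {
  const result = { verified: [], deleted: [], pending: [] };
  for (const [origin, site] of sites) {
    if (site.verified) continue;
    let status = 0;
    try {
      status = await probe(`${origin}/${site.fileName}`);
    } catch (err) {
      status = 0; // network error: treat it as "file not there yet"
    }
    if (status === 200) {
      site.verified = true; // the "verified=true" update from the answer
      result.verified.push(origin);
    } else if (now - site.createdAt > VERIFY_WINDOW_MS) {
      sites.delete(origin); // the hour is over and the file never appeared
      result.deleted.push(origin);
    } else {
      result.pending.push(origin); // still inside the window, try again later
    }
  }
  return result;
}
```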
