#domo__knows-paymentmethod-frontend

sick yewBOT
twilit hollow
#

domo__knows-paymentmethod-frontend

#

hello

#

you can return the PaymentMethod ID client-side, that's totally fine

#

what I don't recommend is, don't start logging it extensively or passing it around on public pages.

A PaymentMethod ID + your publishable key can be used to confirm a PaymentIntent (unless you associate the PaymentMethod/PaymentIntent with a particular Customer obj)

sleek latch
#

thank you for your fast assistance @twilit hollow! so really:

  1. a public key + payment method id aren't useful together
  2. a public key + payment method id + paymentIntent can be used to confirm payments

and that is the only risk?

I also noticed in the docs that confirmCardPayment payment_method is not required but recommended?

twilit hollow
#
  1. a public key + payment method id aren't useful together
    they are usable if say, you log out pm_123 to Bob when he was paying
    and say I hmunoz come to the same PC, inspect browser console and see "aha pm_123"

so I try to pay on your payment page, I get a PaymentIntent client_secret. Instead of using my card, I take PaymentIntent client_secret + your publishable key and make a scripted HTTP request to Stripe's API but pass Bob's pm_123 PaymentMethod instead

that works IF your PaymentIntent that I paid on was not linked to a Customer object.

If pm_123 was attached to cus_aaa, then I cannot use pm_123 to pay any other PaymentIntent (as I would have to make your backend create a PaymentIntent on cus_aaa which shouldn't be possible since you presumably authenticate end customers on your end)

#

ah well above I'm detailing this scenario:

  1. a public key + payment method id + paymentIntent can be used to confirm payments
    (hadn't read that far)
#

I also noticed in the docs that confirmCardPayment payment_method is not required but recommended?
the recommended integration is to NOT create a PaymentMethod first.

instead, pass in the instance of cardElement and that passes the card details to the PaymentIntent confirm request in one go

sleek latch
#

thank you @twilit hollow that makes sense. for us though we're going to have users who have multiple payment methods and the users will be able to choose whichever credit card/bank accounts they want to use to pay the monthly bill so having existing payment methods will be a very typical flow