#EwokTrader

hollow veldt BOT
radiant cobalt
#

Hi there, how can I help?

midnight stone
#

yeah so i want to create a rule to block requests coming from this source

#

is it possible using radar?

radiant cobalt
#

So to confirm, you want to block a payment if it's requested with the above mentioned user_agent ?

midnight stone
#

yeah blocking the request coming from that user agent, it is spamming this request api
POST /v1/payment_methods

#

having the ip address list in radar block rule does not prevent it

radiant cobalt
midnight stone
#

oh i see, so user_agent is equal to source here right?

#

let me add it now and see

#

so i have this rule added

#

is it correct? seems that the request api
POST /v1/payment_methods
was still accessible even having the rule added

radiant cobalt
#

POST /v1/payment_methods requests are to create a payment_method, not payments

midnight stone
#

so radar is for the actual payments?
then for that instance, payment_methods, is there any way to prevent api attack on that?

radiant cobalt
#

Can you share with me a PaymentIntent ID so that I can take a look?

midnight stone
#

where can i get it?

is it this one?

ID. req_20FNUO5xgEW3Yc

radiant cobalt
#

Can you show me a PaymentIntent ID that you want to block?

midnight stone
#

okay, so there were no PaymentIntent, there were before, but now only using that specific api /v1/payment_methods

#

another question though, can we change publishable key? any impact?

#

for example, what if pubkey was somewhat hacked, and is using it to attack.
so if i change the publishable key, it will resolve that issue and only will happen again if they got again this pub key right?

but will there be any impact on other data? like recurring payment?

radiant cobalt
#

Please note that the transaction_type for Radar rule is one of charge, payment_intent and setup_intent. payment_method is not one of them.

#

Publishable key, as the name suggests, is meant for public. So it's totally OK for you to reveal the publishable key to anyone.

midnight stone
#

oh okay, so could be that they got somehow my secret key

#

thanks, so it won't have any impact on revoking and creating a new secret key right?
and maybe as practice change this often?

radiant cobalt
#

It's entirely up to you. The old key will become invalid once a new key is created.

midnight stone
#

thanks, i think key is compromised and need a new one..

#

thanks for your time and help