#jpress


dense crestBOT
mortal skiff
brittle fossil
#

yep, I've given them a ton of detail but each time it's a new support member who doesn't have context on the issue. They keep linking the generic "card testing" doc page no matter how we try to engage them

mortal skiff
#

What kind of rate limiting are you seeing?

brittle fossil
#

The message from Stripe is generic, but there are a few endpoints in particular that are relevant

Request rate limit exceeded. You can learn more about rate limits here https://stripe.com/docs/rate-limits.

#

what's troubling is that our whole account got limited by a few bad actors

#

instead of those tokens/those users specifically

#

one example was hitting setup_intents using the public token from stripe checkout

mortal skiff
#

To clarify, are you seeing rate limiting inside Checkout itself, or are you seeing rate limiting after Checkout completes?

brittle fossil
#

after, these were applied to any API call made using our account's key

#

so things like acting on a webhook, etc.

#

let me confirm, because the first event I'm looking at is checkout success that was rate limited

mortal skiff
#

When you say "our account's key" what are you referring to? Your secret API key? Your publishable API key?

brittle fossil
#

yep, the secret one

#

at that time, 12 users were unable to create a checkout URL

#

so

  1. users do bad stuff with a token generated by checkout that lives on the client
  2. we see rate limits on our secret key used on our backend to create checkout URLs for other users

#

The number of users is not huge, but this directly blocked our ability to do business with these users

#

for something that is seemingly out of our control. It's reasonable for anyone to get a public checkout token.

I'm trying to find someone on the support side that can help validate, or tell us what actually happened that is in our control

mortal skiff
brittle fossil
#

sure thing, let's see if we logged the required info

#

so far I've only found lock timeouts. It's interesting that 429s get logged as invalid requests

mortal skiff
#

You can give me any request ID from your account, that will let me see the rate limited requests as well.

brittle fossil
#

so here's the error in our sentry instance

#

but I don't see a corresponding log in stripe

#

at that time

mortal skiff
#

Yeah, rate limited requests don't generate a request log.

brittle fossil
#

ohhh, I see. So any request ID will help here?

#

sorry for misunderstanding

#

req_AJsoo7SWR25D6N there's a random 402

mortal skiff
#

Yep, thanks! Looking...

mortal skiff
#

Still looking into this. I do see the rate limiting you're talking about though.

#

To clarify, this rate limiting is preventing legitimate transactions on your integration?