#harshitbhargava


still arrowBOT
median mirage
#

Link for ref

still arrowBOT
hearty sentinel
#

Yes, that endpoint does not require a customer ID. But it is only callable with your API secret key, so only you should be able to make that call to detach.

median mirage
#

But I believe customer-level security should be present while detaching the card. When you are updating the payment method, there also we are sending the customer ID.

#

Then why is it not present while detaching?

#

Sorry, my bad: while updating we are not sending the customer ID as a param.

#

But it should be present, right?

hearty sentinel
#

We don't require it. If a bad actor has your secret key to make that detach call, they would be able to get the customer ID by retrieving the payment method or by listing your customers. You can require the customer ID or additional info on your side, but at the moment Stripe does not require the customer ID to detach a payment method.

median mirage
#

When I am working with one application, only one secret key will be used in the whole application.
Suppose I have onboarded customers A and B and attached card1 and card2 respectively; then B can easily remove card1 if he knows the payment method ID.

hearty sentinel
#

Ah, so in that case you would want to check which customer is asking you to make the detach request and check if they actually own that payment method ID.

median mirage
#

Yes

hearty sentinel
#

If possible I would recommend against your customers having access to their payment method IDs like that at all.

#

Though that does more or less just push the problem back. One way or another your server is making the detach call, so it should be sure that the request to delete the PM is legitimate before making that call.

median mirage
#

Or we can do one thing: save the customerId in the database, and when we are detaching a payment method we can retrieve the customerId from the payment method; if that matches, then detach, otherwise throw an error.

hearty sentinel
#

Yes, that would be a sensible way to check that as well.