#aaronk_72176
Hello! Sorry for the wait (got a bit busy in the channel)
Or - is there a simple way to query for payment intent using client_secret from a backend perspective? Would like to use this package https://github.com/stripe/stripe-node
Is there a reason you only have the client secret?
I have payment intent id as well, I'm just reticent to set up a public route on my server that will return information based on payment intent id
regardless of how "public" that information might be
I'm making an assumption here that stripe purposely added a separate parameter to return public information about a payment intent (client_secret) rather than just allowing to query based on payment intent id
so I would like to respect that on my end as well
oh ok I think I figured it out
it looks like client_secret has payment intent embedded in it
so I can use the client secret in the interface, extract the payment intent to query against the stripe api, and fail if the resulting client secret doesn't match what was passed in
look at me go
backing up for a quick minute though - let me clarify that client_secret was specifically because we needed a way for users to retrieve/interact with Payment Intents while using publishable keys (which are meant to be public). We don't want payment intents to be retrievable/confirmable just with the intent ID and a publishable key since it's likely bad actors will take advantage of that
got it, yeah that was my assumption
which is why I don't want to expose a route that takes in payment intent id
If it's going to be an entirely public route with no protections then I can't say I'd recommend that - you'd need to be incredibly careful to make sure you're never exposing information that isn't safe
Interesting. Even if the interface is client secret?
Like let's say the only thing I ever wanted to expose was an internal order id to be used for communications between buyer and seller, would you still advise against?
If it's JUST an internal order ID and you're absolutely sure that nobody could take advantage of that ID in any way you'll likely be fine
I'm assuming you would definitely recommend against returning last 4 digits of cc payment method then?
or anything of the like
I don't think last4 is necessarily considered sensitive
why is payment_method not exposed via stripe publishable key then?
It's not exposed when retrieving a Payment Intent client-side, because we currently don't support expansion with payment intent retrieval client-side (using stripe.js)
does that mean that everything in payment method is intended to be returned via publishable key and the only reason it isn't is because of this lack of an expansion feature?
Anything sensitive would not be retrievable by PK alone