#nikolakg80
Hello
Do you have a request ID associated with that error? You can find that in your Dashboard, see: https://support.stripe.com/questions/finding-the-id-for-an-api-request
req_xUCnzQsZU5khNn
Alright yeah this looks like you are attempting to pass the raw credit card details server-side to create a Token. As the error states, this is unsafe. You should be using Stripe Elements or Stripe Checkout to collect these sensitive details.
Can you tell me more about exactly what you are trying to do?
const elementsResult = await elements.submit();
clientSecret = await retrieveStripeClientSecret();
async function retrieveStripeClientSecret() {
  const values = {
    restaurant_id: RESTORANT.id,
    total_price: cart.withDelivery
  };
  const { data } = await axios.post(createPaymentIntentUrl, values);
  const { clientSecret = null } = data;
  // Return the secret so the awaiting caller receives it
  return clientSecret;
}
That is all client-side stuff. You'll want to check your server-side code because that is where this request is coming from
You basically are going to want to look for where you are calling stripe.createToken() server-side
$stripe_secret = config('settings.stripe_secret');
$this->stripe = new StripeClient($stripe_secret);
$this->stripeOptions = ['stripe_account' => $restaurant->user->stripe_account];
// Creating Payment Intent
// round() before the cast so float error cannot drop a cent (e.g. 19.99 * 100)
$amount = (int) round($this->getFinalPrice($total_price) * 100);
$currency = config('settings.cashier_currency');
$payment_intent = $this->stripe->paymentIntents->create([
    'customer' => $this->getStripeCustomerId(),
    'amount' => $amount,
    'currency' => $currency,
    'payment_method_types' => ['link', 'card'],
], $this->stripeOptions);
$output = [
    'clientSecret' => $payment_intent->client_secret
];
return ($output);
Yep so all that looks fine and isn't the culprit
Somewhere you are trying to create a Token
const paymenIntentResult = await stripe.confirmPayment({
  clientSecret,
  elements,
  redirect: 'if_required'
});
This is the API call you are making
So what you should do next is stop, and start adding logs to your code
To trace through everything that is happening up until when you hit that error
Can you send me a screenshot of that log entry?
Only my client has access to that
No I can't do that, sorry.
I can't share account info for you.
You'll have to work with your client
Unclear
It is a bit strange because the log indicates that the user agent is from a browser
But it does use your secret key
Are you able to replicate this error reliably?
I didn't see that error at all, ever
Ah so this is a one-off?
In that case it could be that your secret key leaked
And you would want to roll your keys in that case.
Fortunately this is just your test mode key
But you may want to double check that your live mode key hasn't been used unusually.
Can I try now to make the payment?
Not sure what you mean by that?
Yeah within seconds
That doesn't look to be the right account
I see a few attempts to create Tokens in test mode
2 failed from server-side attempts and 2 successful client-side
Yes, but the code is identical...
Yeah I don't think this is coming from your code
Seems more likely someone has access to your keys
This looks to be on an account that hasn't been touched in many months
I'd recommend reaching out to our Support team via https://support.stripe.com/contact/login -- they can give you more details since you will be authenticated when talking to them.
I can only help so much here since this is a public server
We're looking at the same thing...?
Well spotted, I hope I'll get the correct screenshot shortly
👍
Not much more I can do for you -- biggest recommendation is to just roll your keys
Since it sounds like these are unexpected requests
And then make sure these keys are being stored securely