#letscheckthis_unexpected


rapid aspenBOT
#

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1342157151942213755

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

plucky fox
#

Hello

void sigil
#

Hi

plucky fox
#

Can you share the relevant Checkout Session?

#

In reality it is possible that a bad actor removed the customer-session-client-secret from being passed to the Pricing Table, since this happens client side.

void sigil
#

{
  "id": "ppage_1QgslvJGtlvk1doh4cFLifM8",
  "object": "checkout.session"
}

void sigil
#

I mean we are a startup at an early stage and we know the customers

#

The id that I gave you is from the "duplicate" session that was not supposed to be created

#

The logs for the original customer (the one we created from our BE calling your API, and that was supposed to be reused in the checkout) are here:

#

and we use the client secret in the pricing table

#

and here are the logs of the customer that was NOT supposed to be created:

#

Let me know if you want me to copy paste some of that info so that it is easier to check it

plucky fox
#

Unfortunately this is outside our internal log retention, which is 30 days, which means I have limited insight. That said, I can see our internal Checkout Session creation request from the Pricing Table, and no customer-session-client-secret was passed there, which is why a new Customer was created.

void sigil
#

So you are sure that our front end didn't pass the secret?

#

I know there is never 100% certainty

#

I am just asking for some confidence before we start digging in the FE

#

because we have had many clients, hundreds, and this has never happened

plucky fox
#

Yes, I can confirm with 100% certainty that the network request we received from your frontend to create the Checkout Session did not contain the customer-session-client-secret in its POST body for this specific case.

#

That POST body is derived from how Pricing Table is rendered.

void sigil
#

That is incredibly helpful! THANK YOU!

plucky fox
#

Sure thing

void sigil
#

BIG BIG THANK YOU!
Have a wonderful day!