#erztemplerobba_best-practices


candid dirgeBOT
#

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1364460952811999303

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

tepid whale
#

Hi! Yes, it is safe to provide the customer object ID.

#

Can I understand more about your concern with regard to the customer portal?

earnest gust
#

Hi! Obviously, no private user info like address information and also the stripe customer id would/should be shared between different users of my site.

But I was wondering if this specifically needed attention because it seems that if the customer Id gets into the wrong hands, somebody could just access the customer portal and e.g. renew/cancel subscriptions and maybe more. The payment information is hidden which wouldn't be a problem but some actions could be taken.

#

So right now, I've just added the customer Id to the user object of my app which is passed to the client for future identification (when adding subscriptions or accessing the customer portal).

tepid whale
#

Are you creating the customer portal via the API or using the generic link from your dashboard?

earnest gust
#

Right now, I am sending the customer Id to my backend where I create the customer portal like this:

      const session = await stripe.billingPortal.sessions.create({
        customer: customerId,
        return_url: `${clientUrl}`,
      });
#

not sure what the generic link is - I guess I'm not using that. I just call my server API endpoint where the code above sends the user to the stripe customer portal.

tepid whale
#

Got it! To generate a customer portal link, you’ll also need your account's secret API key. Simply having the object ID isn’t enough for someone to create the link and access the customer’s subscriptions and other details.