#Galax - PI client secret
That's sensitive data, so no, I wouldn't log it or use it as a URL param: https://stripe.com/docs/api/payment_intents/object#payment_intent_object-client_secret
Can you share your code related to that?
Just trying to confirm if it's something you're doing in your code or something wrong on our end
const stripe = Stripe("pk_test_51K1ahGIspOj3DXwa4lflabdysfFSspzbC5rKrd15vfsO7yllbKy07slwkIUr1o8xaEFVsfoiYMwtfcTXFkBiQuvi00XheIEcJ3");
let elements;

checkStatus();

document
  .querySelector("#payment-form")
  .addEventListener("submit", handleSubmit);

// Reads the PaymentIntent client secret that the server rendered into a data attribute
// (no fetch happens here; the secret is already in the page)
var clientSecret = document.getElementById("payment-form").dataset.secret;
var stripeSessionId = document.getElementById("payment-form").dataset.session;

elements = stripe.elements({ clientSecret });
const paymentElement = elements.create("payment");
paymentElement.mount("#payment-element");

async function handleSubmit(e) {
  e.preventDefault();
  setLoading(true);

  const { error } = await stripe.confirmPayment({
    elements,
    //redirect: 'if_required'
    confirmParams: {
      // Make sure to change this to your payment completion page
      return_url: "https://127.0.0.1:8000/commande/merci",
      payment_method_data: {
        billing_details: {
          phone: document.getElementById("inputPhone").value,
          name: document.getElementById("inputName").value
        }
      }
    },
  });

  // Only reached when confirmation fails before Stripe redirects to return_url
  if (error) {
    showMessage(error.message);
  }
  setLoading(false);
}

// Helpers referenced above but not included in the pasted snippet; minimal versions
// assumed here, following the quickstart the snippet was taken from.
// checkStatus reads the client secret Stripe appends to return_url after the redirect.
async function checkStatus() {
  const secret = new URLSearchParams(window.location.search).get("payment_intent_client_secret");
  if (!secret) return;
  const { paymentIntent } = await stripe.retrievePaymentIntent(secret);
  showMessage(`Payment status: ${paymentIntent.status}`);
}

function setLoading(isLoading) {
  // assumes the form's submit button has id="submit"
  document.querySelector("#submit").disabled = isLoading;
}

function showMessage(messageText) {
  // assumes a <div id="payment-message"> exists in the form
  document.querySelector("#payment-message").textContent = messageText;
}
I just reused the js here https://stripe.com/docs/payments/quickstart
There isn't any GET method in my code
Also, where are you grabbing the url in the screenshot you provided?
Is that just showing in the browser's address bar after the return_url redirect?
Yes, when I proceed to the payment, I'm redirected to the correct URL, but with this parameter in addition
I think there is a bit of confusion here. The payment intent's secret is fine to have client side. I think the secret being added to the URL is intended behavior and I can check further on that in a bit
I'm sorry I don't understand
I'm using symfony framework,
for testing purposes, I'm adding a non-existent page into the return_url
The number in the route is just a uniqID I created earlier; as you can see, it shows in the address bar too, but there is the client secret showing in the bar again
Right, I think Stripe adds those to the URL before redirecting
anyway, only the customer is able to see this page, so is there any security problem?
okay so you're right, it is intended
but it is kind of contradictory with the api
How is that contradictory? I am not familiar with that video of ours
The client secret can be used to complete a payment from your frontend. It should not be stored, logged, embedded in URLs, or exposed to anyone other than the customer
Oh I think I get it
A misunderstanding
As long as the customer is the only person that can have access to this data, there should not be any issues
Ah I see, yes that does contradict what we have documented there. I am guessing that we thought it was fine to add as the payment is already completed at that point so nothing else can be done with it, but I am not completely sure
But yes, either way, there is not a security issue and you don't need to make any code changes
My payment intent is set to manual, so after the redirection I need some way to get the client secret to capture the payment; I guess that was maybe one of the purposes of this.
Anyway, glad to hear that was intended