Matt6607699
Posts: 0
Joined: Sat Jan 25, 2014 7:18 am

Stripe Payment plugin Security, Should it be done in html without name attribute?

Hi, I've been looking at the Stripe payment docs and they say the following:

"Note how input fields representing sensitive card data (number, CVC, expiration month and year) do not have a "name" attribute. This prevents them from hitting your server when the form is submitted."
https://stripe.com/docs/tutorials/forms/

The Appery plugin has names for input components, should we use the html form that stripe provides or is it still safe to use the plug-in?

Thanks
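As an added illustration of the point quoted from the Stripe docs (this is not code from the thread or from the Appery plugin): a small model of how a browser serializes a form for an application/x-www-form-urlencoded submission. Per the HTML form-submission algorithm, a control with no name attribute contributes nothing to the form data set, so the card fields never reach the server. The field list, the token value and the Luhn-based leak check are constructed for the example.

```javascript
// Added example (not from the thread or the Appery plugin): a minimal model of
// what the browser sends when a form is submitted as
// application/x-www-form-urlencoded. A control without a name attribute (or a
// disabled one) is left out of the form data set, which is exactly the
// behaviour the Stripe docs rely on for the card fields.

// Constructed representation of the controls on a checkout page. The card
// fields intentionally have no `name` (Stripe.js reads them from the DOM and
// exchanges them for a token); `stripeToken` is the hidden input the script
// fills in with the returned token before the submit proceeds.
const checkoutForm = [
  { name: "email", value: "buyer@example.com" },
  { value: "4242424242424242" },           // card number: no name attribute
  { value: "123" },                        // CVC: no name attribute
  { value: "12" },                         // expiry month: no name attribute
  { value: "2030" },                       // expiry year: no name attribute
  { name: "stripeToken", value: "tok_EXAMPLE_PLACEHOLDER" }, // placeholder token
  { name: "note", value: "", disabled: true },
];

// Build the entity body a browser would produce for these controls.
function serializeForm(controls) {
  const params = new URLSearchParams();
  for (const c of controls) {
    if (c.disabled) continue;              // disabled controls are skipped
    if (!c.name) continue;                 // no name => never leaves the page
    params.append(c.name, c.value == null ? "" : String(c.value));
  }
  return params.toString();
}

// Defender's check: does the body that would reach the server contain
// anything that looks like a primary account number? Any run of 13-19 digits
// that passes the Luhn check is treated as a leak.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

function bodyLeaksCardNumber(body) {
  const decoded = decodeURIComponent(body.replace(/\+/g, " "));
  const runs = decoded.match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

const body = serializeForm(checkoutForm);
console.log(body);                              // email=buyer%40example.com&stripeToken=tok_EXAMPLE_PLACEHOLDER
console.log("leaks PAN:", bodyLeaksCardNumber(body)); // false
```

The same check run over a form where the card number control does carry a name reports a leak, which is the situation the docs warn about: the raw number would arrive at (and probably be logged by) the server. `bodyLeaksCardNumber` is also a reasonable thing to run over request logs when auditing an existing checkout page.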

Matt6607699
Posts: 0
Joined: Sat Jan 25, 2014 7:18 am

Stripe Payment plugin Security, Should it be done in html without name attribute?

Also along this same question, and this may be a dumb question but, should Appery proxy be left unchecked so that the card data is not sent to Appery server first before creating an a customer object in stripe?

Matt6607699
Posts: 0
Joined: Sat Jan 25, 2014 7:18 am

Stripe Payment plugin Security, Should it be done in html without name attribute?

Do I need the JS files that are in the plug-in in order to make the API calls to stripe secure? i.e., I have the getToken and Customer create working in test mode but do I have to run all of the JS files that are in the plug-in for run-time or am I ok just executing the services without it?

Evgene Karachevtsev
Posts: 12
Joined: Mon Apr 28, 2014 1:12 pm

Stripe Payment plugin Security, Should it be done in html without name attribute?

Hello Matt,

1) The problem with the name attribute is that you should never keep user data in the clear (neither in the database nor in the logs or anywhere else). So you won't send anything from this form to your server, and you don't have to worry about the name attribute.
2) The Appery.io proxy is needed only during testing of an application in a browser. When you build an apk/ipa you should of course disable the Appery.io proxy. It is not just for this service; it is relevant for all services.

Peter Lam
Posts: 0
Joined: Mon Nov 24, 2014 4:34 pm

Stripe Payment plugin Security, Should it be done in html without name attribute?

I don't agree with skipping the appery.io proxy. In fact, I think there is a security issue in the current Stripe plugin. There are two keys provided by Stripe: one is private and the other is publishable. The publishable key is used on the client side (either browser or mobile app) to tokenize the credit card information. Since the key is stored in the plugin_setting service, which is installed on the client, it may be visible to the end user. Since it is publishable, that is fine. However, once the credit card is tokenized, the client software should create the sale through the appery.io proxy in order to hide the private key. As that key is stored on the appery.io server, it will be invisible to the end user. If this is correct, please correct the current plugin and modify the tutorial as soon as possible in order to avoid any security problem. Thanks.

Maryna Brodina
Posts: 0
Joined: Thu Apr 05, 2012 7:27 am

Stripe Payment plugin Security, Should it be done in html without name attribute?

Hello!

We are checking it currently. It might take some time.

maxkatz
Posts: 0
Joined: Fri Aug 13, 2010 3:24 pm

Stripe Payment plugin Security, Should it be done in html without name attribute?

Just to add, there are two ways to keep the secret key off the client:

1) Use the Secure Proxy
2) Make the request to get the access token (with the secret key) from Server Code.

Jon Haider
Posts: 0
Joined: Thu Oct 16, 2014 2:53 pm

Stripe Payment plugin Security, Should it be done in html without name attribute?

How would the request look from server side? I'm trying to do that using this code (to no avail):

```javascript
var url = "https://api.stripe.com/v1/charges/";
var postData = {
"parameters": {
"currency": "usd",
"amount": 1200
"customer": "cus_XXXXXXXXXXXXX"
},
"headers": {
"Content-Type": "application/x-www-form-urlencoded",
"Authorization": "Bearer sk_test_XXXXXXXXXXXXXXXXXXXXXXX"
}
};
var XHRResponse = XHR.send("POST", url, postData);
response.success(XHRResponse, "JSON");
```

I get an error:
"Script chargeCustomer: Error ( @ 43 : 18 ) - throw e;"
Even though my script is only 14 lines long (there aren't 43 lines)...

Maryna Brodina
Posts: 0
Joined: Thu Apr 05, 2012 7:27 am

Stripe Payment plugin Security, Should it be done in html without name attribute?

Hello!

Sorry for delay!

1) At the end of the URL there shouldn't be a /
2) You should pass the request data in body, not in parameters
3) There is a missing comma after "amount": 1200 between the object fields
4) You should specify the entire response content-type

The fixed request would look like:
```javascript
var url = "https://api.stripe.com/v1/charges";

var postData = {
"body": {
"currency": "usd",
"amount": 1200,
"customer": "cus_XXXXXXXXXXXXX"
},
"headers": {
"Content-Type": "application/x-www-form-urlencoded",
"Authorization": "Bearer sk_test_XXXXXXXXXXXXXXXXXXXXXXX"
}
};

var XHRResponse = XHR.send("POST", url, postData);
response.success(XHRResponse, "application/json");
```
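A worked example of maxkatz's second option (make the charge request from server-side code that holds the secret key) that also bakes in the four corrections listed in the reply above. It is added here and is not the Appery plugin's code, nor Appery Server Code's XHR API: it is plain Node.js (18 or later, for the global fetch), with the key read from a STRIPE_SECRET_KEY environment variable (an assumption) and function names (buildChargeRequest, describeForLog, sendChargeRequest) chosen for the example. The customer id and key values are placeholders.

```javascript
// Added example: the "charge from the server" pattern in plain Node.js (18+ for
// global fetch). Not the Appery plugin's code and not Appery Server Code's XHR
// API. The secret key stays on the server; the client only ever sends an
// amount, currency and customer id and receives the charge result.
const STRIPE_API = "https://api.stripe.com/v1"; // endpoint path gets no trailing slash

// Build the request as the corrected post describes: fields form-encoded in
// the body (not in query parameters) and the key in a Bearer header.
function buildChargeRequest({ amount, currency, customer }, secretKey) {
  if (!Number.isInteger(amount) || amount <= 0) {
    throw new Error("amount must be a positive integer in the smallest currency unit");
  }
  if (!/^[a-z]{3}$/.test(currency)) throw new Error("currency must be a 3-letter lowercase code");
  if (!/^cus_[A-Za-z0-9]+$/.test(customer)) throw new Error("customer must be a Stripe customer id");
  if (typeof secretKey !== "string" || secretKey.startsWith("pk_")) {
    // A publishable key is the one that may live in the client; it cannot
    // create charges, and accepting it here would hide a misconfiguration.
    throw new Error("a secret (sk_...) key is required on the server, not a publishable one");
  }
  if (!secretKey.startsWith("sk_")) throw new Error("secret key missing or malformed");

  const body = new URLSearchParams({
    amount: String(amount),
    currency,
    customer,
  }).toString();

  return {
    url: `${STRIPE_API}/charges`,
    method: "POST",
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      Authorization: `Bearer ${secretKey}`,
    },
    body,
  };
}

// What may be written to logs: everything except the credential.
function describeForLog(req) {
  return { url: req.url, method: req.method, body: req.body, authorization: "Bearer sk_***" };
}

// Send the request and return the parsed JSON. Stripe answers failures with a
// 4xx/5xx status and a JSON object carrying an "error" member.
async function sendChargeRequest(req) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  const parsed = await res.json();
  if (!res.ok) {
    const msg = parsed && parsed.error ? parsed.error.message : "unknown error";
    throw new Error(`Stripe error ${res.status}: ${msg}`);
  }
  return parsed;
}

// Usage: a live call is attempted only when the key is configured in the environment.
if (process.env.STRIPE_SECRET_KEY) {
  const req = buildChargeRequest(
    { amount: 1200, currency: "usd", customer: "cus_XXXXXXXXXXXXX" }, // placeholder customer id
    process.env.STRIPE_SECRET_KEY,
  );
  console.log("sending", describeForLog(req));
  sendChargeRequest(req)
    .then((charge) => console.log("charge", charge.id, charge.status))
    .catch((err) => console.error(err.message));
}
```

Two design points worth noting. Rejecting a `pk_` key up front is a cheap guard against the mix-up Peter Lam describes: the publishable key is the only one that should ever be packaged into the app, and a server endpoint that silently accepts it is a sign the keys have been swapped somewhere. And `describeForLog` exists because the original error in this thread was found by reading script output; making the redacted form the only thing that gets printed means debugging never puts the secret key into logs.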
