add node example #1
Conversation
|
|
||
| // Listens to all network interfaces. This allows any device on your | ||
| // network to connect. | ||
| app.listen(port, '0.0.0.0', () => { |
There was a problem hiding this comment.
port is undefined here i think?
| const cardholderDB = { | ||
| [`${env.USERNAME}-${env.PASSWORD}`]: env.CARDHOLDER_ID | ||
| }; | ||
| return cardholderDB[req.headers.authorization.split(' ')[1]]; |
There was a problem hiding this comment.
authorization is undefined here. This is because this backend doesn't issue a challenge along with the 401 response.
Please see this comment for details.
| }); | ||
|
|
||
| function authenticate(req) { | ||
| return req.session.authenticated && req.session.cardholderId; |
There was a problem hiding this comment.
session is undefined here
| // Replace if using a different env file or config | ||
| const env = require('dotenv').config({ path: './.env' }); | ||
|
|
||
| const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY, { |
There was a problem hiding this comment.
we call this STRIPE_LIVE_SECRET_KEY in the ruby .env: https://github.com/vbc-stripe/push-provisioning-samples/blob/main/server/ruby/.env.example#L2
i'm ok with picking either one and sticking with it for both backend impls.
There was a problem hiding this comment.
i think we'll stick with the STRIPE_SECRET_KEY for consistency with other sample code https://github.com/stripe-samples/template/blob/main/.env.example
There was a problem hiding this comment.
ok, changed everything from STRIPE_LIVE_SECRET_KEY to STRIPE_SECRET_KEY: 30a2cbf
| if (authenticate(req)) { | ||
| try { | ||
| const key = await stripe.ephemeralKeys.create( | ||
| { issuing_card: req.body.card_id }, |
There was a problem hiding this comment.
api_version and card_id are application/x-www-form-urlencoded, perhaps that's why card_id and api_version are undefined on req.body for me.
After some googling, i found a way to parse these params from the request body:
const body = await getBody(req);
const params = new URLSearchParams(body);
const key = await stripe.ephemeralKeys.create(
{ issuing_card: params.get('card_id') },
{ stripe_version: params.get('api_version') }
);
and here's getBody:
function getBody(request) {
return new Promise((resolve) => {
const bodyParts = [];
let body;
request.on('data', (chunk) => {
bodyParts.push(chunk);
}).on('end', () => {
body = Buffer.concat(bodyParts).toString();
resolve(body)
});
});
}
| try { | ||
| const key = await stripe.ephemeralKeys.create( | ||
| { issuing_card: req.body.card_id }, | ||
| { stripe_version: req.body.api_version } |
There was a problem hiding this comment.
got this deprecation warning:
Stripe: 'stripe_version' is deprecated; use 'apiVersion' instead.
still works for now, though
| res.status(404).send(`Error listing cards: ${error.message}`); | ||
| } | ||
| } else { | ||
| res.status(401).send('Not authorized'); |
There was a problem hiding this comment.
In our ruby implementation of http basic auth, when the client sends a request to the server without an authorization header, it too responds with a 401 status and also a WWW-Authenticate header with a value of 'Basic realm="Restricted Area"' which is the challenge[1]: https://github.com/vbc-stripe/push-provisioning-samples/blob/main/server/ruby/server.rb#L94
When the client receives this 401 response with the challenge in the WWW-Authenticate header, it reissues the request, this time with the authorization request header set to "$username:$password"
[1]:
Upon receipt of a request for a URI within the protection space that
lacks credentials, the server can reply with a challenge using the
401 (Unauthorized) status code ([RFC7235], Section 3.1) and the
WWW-Authenticate header field ([RFC7235], Section 4.1).
|
@stevekaliski-stripe heads i transferred this repo to the stripe samples organization at https://github.com/stripe-samples/push-provisioning-samples i don't think that should affect this PR until you push any subsequent commits, might need to update your remote. |
No description provided.