stripe checkout form and server validation - javascript

I´m a Stripe beginner and I integrated the (really nice) Stripe checkout form into my Ionic App. Everything is working, the fields get validated and the I get the token and data in the callback.
I have more of an general question:
When everything is validated and the credit card token is generated, the button changes to green and the form closes.
But that does not mean that the payment was successful.
Depending on a one-time or recurring payment, I need to send the data to my server, create a customer/charge/plan/subscription and there something can go wrong.
But in the end the user thinks everything is fine.
I saw that other people are sending mails if something goes wrong.
What`s the best way to handle such an error?

I got this answer from the Stripe support:
tl;dr
We have to add our own server validation or send an email to the user. I will implement a spinner after the checkout and if the server says OK then redirect the user. Also sending a mail is an option.
Hey there,
Thanks for reaching out to us, I'm happy to help you with this!
When you create a one-time charge or a subscription with Stripe in
your backend, the payment is attempted synchronously, so you could
simply create code to handle exceptions in your backend and inform the
user that their charge failed. You could use this code to send an
email or simply display an error message on the resulting page.
There's an outline of this in our API docs here.
https://stripe.com/docs/api#errors
You can also use webhooks to inform your application of certain events
(such as failed or successful payments) and trigger actions such as
sending emails. More on this here:
https://stripe.com/docs/webhooks
https://stripe.com/docs/api#event_types
https://github.com/boucher/stripe-webhook-mailer
Stripe does not receive any information from you if the token is
created but not processed on your backend, so in this case I'd offer a
customer support email and if a customer writes in, ask them to enter
their card details again through your app and make any adjustments to
your integration to ensure you are charging the token after creation.
I hope this helps and please let me know if you have any other
questions!
All the best

Related

3D S Payment callback issue

I'm working on a payment system with React-Native. I want to do research on how to apply 3D payment methods. I want to listen to an event happening on my server on the client side. actually i only need this for the following reason. I feel there is something I got wrong here.
3D Secure Steps
I send the product to be purchased to a service named iyzico with
credit card information.
If the information entered is correct, it gives me an answer as below.
There is a special field here and I need to decrypto it and show it to the user.
In fact, this crypoto information contains an html page.
By decoding this code, I show the user an html page.
The password sent to the user's phone via SMS is entered on that
screen and presses the confirmation button.
The part I don't understand starts here. The person is in a true asynchronous. I want to callback. Because he can enter or cancel the password sent by SMS whenever he wants.
I'm not wondering how the process turned out. How will we inform the client application only in this case?
Should we use push notifications or other push services for this?
The client has to get information about this process. According to the information he receives, I would like to suggest that your payment is successful or your balance is insufficient.
I know that I should avoid making circular calls.
In short, how should I listen to the client for an event that will take place on my server? Which would be the best method?
I am working on React-native and I do not want to include push services in the application just for this. It is costly for me to this. I believe it is a more beautiful solution.
What do you think about this subject?
Thanks.
You either need push notifications or long polling. https://ably.com/blog/websockets-vs-long-polling

NuxtJS and Vue2 Can I write server side code for Recaptcha?

I recently picked up NuxtJS en Vue to write a blog and wish to add a Google Recaptcha.
The best validation is a server side validation obviously. So before users can submit the form, the back-end needs to verify the google recaptcha response. I was wondering if I could do this through my Nuxt-app itself?
So instead of having a method that validates if there is a recaptcha response, I was wondering if I can write something in a special hook(maybe validate()?) that is unavailable from bots on the clientside but still checks if the recaptcha response is valid. Before sending the form.
Is this possible, is yes/no how and why not? Please enlighten me!
Cheers and thanks in advance.
Technically it might be possible to validate the Recapthca key on the frontend, but since you need to use your private key to do so, your private key would be exposed.
Also it shouldn't be the frontend's decision whether or not to submit the form based on a Recaptcha. The frontend should submit the form - and the backend should decide how to handle the submission based on the Recaptcha result. Otherwise bots would still be able to hit the endpoint.

Firebase Authentication via "Magic-Link"

I want to send notification mails to users of my community platform coded with react and firebase. I was wondering is there is a way to authenticate the user via a magic link which is contained in his or her personal notification mails.
E.g. You've got 5 new comments on your post click HERE to read them
Clicking "here" should redirect the user to the page and automatically authenticate him without having to enter their individual passwords or usernames.
Due to the cancelation of the privacy shield framework and Schrems II, you might no longer be able to store customer details in the GCP.
A solution for it can be pseudonymization.
I am running an open-source project that can help you with that.
Check out the following article for more information:
https://databunker.org/use-case/schrems-ii-compliance/
I think your question can be divided into 2 different questions.
1. How do I send notification mails to my community platform?
I have never used notification mails in Firebase, I usually use google's SMTP server directly and send a request to the server to send an email on behalf of me. So, in your case, I would search up the library on your tech stack (for me it was Go's gomail), then you can use Google's SMTP server (host:smtp.gmail.com, port:587).
2. How do I make a link that automatically authenticate your users whenever they click the link?
I feel like this is the harder question. I think you need to consider a few things:
Your links need to be short lived. Why? to prevent unauthorized brute force login attempt (this also depends on the structure of your link). However, best practices suggests that links should be short lived (less than 24 hours).
Given that links are short lived, this depends on whether the user checked their email frequently for notification from you! There's a pretty good chance that they will miss that email in the 24 hour window.
I'm pretty much against sending time sensitive notification like that through emails. But if it is something that you still want to do, it is pretty easy to create the link, the simplest way I did it was:
Generate a random uuid for a link.
Associate it to the user who will login with the link. You should save this association in a persistent data storage.
Create an endpoint for magic link, for example /magic/:link_id that takes link_id then checks what user should be logged in.
Voila! You got yourself a magic link!
Finally, you can send the link through email like the first part of the problem!

How do I use the Reddit API to log a user in or register them in Spark and Javascript?

My project team and I are currently working on a Single Web Application project using Java Spark in the back-end and Javascript, HTML and CSS (with Bootstrap) in the front-end. We use MySQL as our DBMS.
We're trying to make a system to log a user on Reddit in to our site. We need Reddit to get a user's karma and not manage passwords and usernames ourselves.
We're using Reddit's OAuth API in order to ask for a token, and Reddit then redirects the user to our website again.
We've made a button on our website to log the user in.
What we're trying to achieve is:
The user clicks the log-in button.
The user gets redirected to the Reddit login page and needs to give permission to us to use their Reddit account with a few permissions.
The user accepts the request and then gets redirected to our website. The Reddit API sends a GET request to localhost/login and appends the state and Reddit token to the link (so the link becomes localhost/login?state=STATECODE&code=REDDITTOKEN).
In the back-end (Spark/Java), we catch that GET-request and extract the state and code. We then send the code to Reddit to get a JSON with the user's data (such as comment karma, link karma and username) using https://oauth.reddit.com/api/v1/me.
The back-end then checks if the username is already in our User table. If it is, the user already registered, and the user gets redirected to the mainpage and gets logged in. (We do log-ins by assigning session IDs to users in out User table.)
If, however, the usernameis not yet in our database, then the user gets redirected to the registration page/section of our website, and in some way, the username and karma-values are passed to this page.
The user then fills in the remaining details about their account (email, address, age, etc.) and then clicks on register. This then sends a POST-request to our server with all the details (username, comment karma, link karma, email, address, age, etc.) and puts that user in our Database. The user then gets logged into our website and gets redirected to our website.
The problems we are facing right now is
we don't know how we can pass the username, comment karma and link karma from our back-end to our front-end. We thought doing it with a cookie would do the trick, but this causes security-issues and just makes it more confusing for us.
Maybe there is a better way to handle this system. We would really appreciate suggestion for doing this in a better manner than this way. However, we have to deliver something working by Nov 10th.
Is there a way to pass values from Spark/Java to a webpage when registering someone?
I can share some bits of our code if wanted. Right now, our GitHub repository is private, however.
Your help is extremely appreciated. I might even buy you coffee.
Sincerely,
Jeroen Meijer.

Ajax and form authentication

I am trying to implement form authentication in my ajax application.
The problem I have is that when the session expires I get 302 code which redirects me to a login page I specified in web.xml (and it messes everything up refreshing the whole app to login page).
What I want to do is to get a "not authenticated" (401) code, then display the login form in a popup window and when the login is successful continue with what I was doing.
here is a picture of what is going on:
and the docs
http://docs.oracle.com/javaee/1.4/tutorial/doc/Security5.html
basically, I want to display the popup instead of redirect to login page and then don't do the redirect to the resource but do my update in AJAX way.
From what I understand it couldn't be done only on the client side since the redirect can't be avoided (see here: redirect info), I would need to write some kind of logic on the server to prevent redirect, see here for detail about doing it in IIS: IIS implementation
P.S. So far this: http://www.oracle.com/technetwork/articles/entarch/session-lifecycle-096133.html looks like the most promising way to implement it. The class is deprecated, but I can't find the new one and think it's the only way to do it for Weblogic.
This is not an easy way but still it works
You have a form in your page which is filled by the user.
User clicks submit button.
An ajax request is sent to the server.
The server side implementation can check whether session exists or not. and accordingly you can send a response code 401..(response.setStatus());
This 401 can be checked in client side using ajax --- xhr.status
If response is 401 you can show the login form and hide the current form. using js and css.
User fills in the login details and clicks submit..
You can do the same server side check and client side check for the status of that login request.
if login is successful then you can you can submit the first form using ajax or js..
You may need to use servlet authentication filters as described in weblogic.xml Deployment Descriptor Elements
Below tutorials may help you:
oracle Servlet Authentication Filters
Using servlet filters for user authentication
Writing Servlet Filters
You could use a heartbeat checking with an ajax request to your server to any resource that needs to be authenticated to get it.. if you cannot receive this resource so means that youre not logged in.. so you could send another authentication request an go on with your rendering..
see this article.. http://ajaxpatterns.org/archive/Heartbeat.php
so your checking routine of authentication would be implemented..
You need to push to page and not poll. So you need Strophe and your session handler connected. When session expires signal is sent to Strophe instance that is running in your web app and after that it is easy to do popup or whatever.
For all real time stuff I am using Strophe!
This is book on this metter and this is link for Strophe, also this is link of php xmpp class.
It will take you couple of days to figure out this but it is couple of days well spent!
If you read carefully book and go to examples, with just basic javascript/jquery understanding you will be able to develop powerful web apps.
I know you're trying to do FORM authentication with you ajax application but is it really needed?
BASIC authentication works simpler and transparently for ajax requests as it is handled by the browser, not by your app. But I admit/understand that a popup is ugly.

Categories