invertase / stripe-firebase-extensions

Repository of Firebase Extensions built by Stripe.
https://firebase.google.com/products/extensions
Apache License 2.0

Unable to Create PaymentIntent with Recommended Restricted Key #339

Closed apogee23 closed 1 year ago

apogee23 commented 2 years ago

Bug report

Describe the bug

With the suggested restricted key configuration, the createCheckoutSession method results in an error while attempting to create an ephemeralKey.

To Reproduce

  1. Setup extension with recommended Restricted API Key.
  2. Trigger the createCheckoutSession function where the client="mobile".
  3. Receive error: the provided key 'rk_test_***' does not have the required permissions for this endpoint on account 'acct_****'. this is a restricted api key, but the required permissions are not available for use by restricted keys.

Expected behavior

The firebase object is populated with the paymentIntentClientSecret and EphemeralKeySecret.

DCSnip3r commented 2 years ago

I believe this is for setting up a payment for future usage? If so, I also have this problem. The current restricted key that the docs have us create does not have the correct permissions configured for this feature to work. Curious how to do this?

Set up a payment method for future usage

You can collect a payment method from your customer to charge it at a later point in time. To do so create a new doc in your ${param:CUSTOMERS_COLLECTION}/{uid}/checkout_sessions collection with the following parameters:

    client: 'mobile'
    mode: 'setup'

Then listen for the extension to append setupIntentClientSecret, ephemeralKeySecret, and customer to the doc and use these to [integrate the mobile payment sheet](https://stripe.com/docs/payments/accept-a-payment?platform=ios&ui=payment-sheet#integrate-payment-sheet).
jsteele-stripe commented 2 years ago

@DCSnip3r Can you share the payload you're passing when creating the Checkout Session? What specific error are you seeing?

My guess is that the initial issue is related to the restricted key not having write permissions for the Payment Intents API:

https://github.com/stripe/stripe-firebase-extensions/blob/2c99a55d3eb47d3d59d12df7a1dd0714129eb74b/firestore-stripe-payments/functions/src/index.ts#L255-L257

DCSnip3r commented 2 years ago

@jsteele-stripe Sure, trying to set up a card for future use this way:

// Create a checkout_sessions doc under the Stripe customer; the extension
// picks it up and calls the Stripe API (Setup Intent + Ephemeral Key) for it.
await this.$fire.firestore
  .collection('customers')
  .doc(customerId)
  .collection('checkout_sessions')
  .add({
    client: 'mobile',
    mode: 'setup',
  })

Error message:

403 Error: POST /v1/ephemeral_keys

invalid_request_error

The provided key 'rk_test_*****************************************************************************************' 
does not have the required permissions for this endpoint on account 'ACC'. 
This is a restricted API key, but the required permissions are not available for use by restricted keys.

Related to https://github.com/stripe/stripe-firebase-extensions/issues/314

jsteele-stripe commented 2 years ago

@DCSnip3r Yeah, that Firestore document creation will fire this Stripe API call: https://github.com/stripe/stripe-firebase-extensions/blob/2ad018aeb45564fce06540a952253715aba1ef79/firestore-stripe-payments/functions/src/index.ts#L263-L267

My guess is your restricted key doesn't have write permissions for the Setup Intents and/or Ephemeral Keys APIs.

Edit: I think the issue is indeed Ephemeral Keys, based on the error message (403 Error: POST /v1/ephemeral_keys), which can't be accessed with restricted keys.

DCSnip3r commented 2 years ago

@jsteele-stripe Interesting. Do you have suggestions for what to do then? I believe I am using the recommended setup based on the Pre/PostInstall. I don't think I have control over whether this uses the Restricted Key as opposed to the correct one. Or is there a configuration that I can change?

jsteele-stripe commented 2 years ago

@DCSnip3r This seems like an oversight in the initial implementation of one-time payments (in that Ephemeral Keys can't be managed with a restricted API key). In this instance, you'd need to use your secret key with the extension, in place of the restricted key.

We'll discuss how we'll handle this going forward.

DCSnip3r commented 2 years ago

@jsteele-stripe

In this instance, you'd need to use your secret key with the extension, in place of the restricted key.

Nice, is this something I can configure? Or is this handled by the extension?

jsteele-stripe commented 2 years ago

@DCSnip3r You would just re-configure the extension in your Firebase Console and provide your secret key.

DCSnip3r commented 2 years ago

@jsteele-stripe Thank you for your help with this!! So in the extension configuration, replace the restricted key we make for stripe with our secret key? Surprised this is a drop-in replacement.

Does this create any vulnerabilities, given that the RK has limited access?

jsteele-stripe commented 2 years ago

So in the extension configuration, replace the restricted key we make for stripe with our secret key?

Yep!

Does this create any vulnerabilities, given that the RK has limited access?

There is a small inherent risk I guess. Which is why the extension originally (and still) recommends you create a restricted API key with only access to the endpoints/objects you need. It just means your secret key will be used in the Firebase functions.

koteus commented 2 years ago

Is there any update on this issue? I faced the same problem. In the Logs in the Stripe dashboard this endpoint POST /v1/ephemeral_keys returns 403:

invalid_request_error
The provided key 'rk_test_*******************************************************************************************XXX' 
does not have the required permissions for this endpoint on account 'acct_XXXX'. 
This is a restricted API key, but the required permissions are not available for use by restricted keys.

API version: 2020-08-27 Source: Stripe/v1 NodeBindings/8.191.0 Firebase firestore-stripe-payments/0.2.7

jsteele-stripe commented 1 year ago

@koteus The workaround is outlined here:

In this instance, you'd need to use your secret key with the extension, in place of the restricted key.

jsteele-stripe commented 1 year ago

You can now create restricted API keys with ephemeral key permissions in your Dashboard, which should alleviate this error!

MatkoMilic commented 3 months ago

I fixed it, guys. I was using a restricted test key, and each key (product, restricted, or any other) has different API key settings for different actions; the error message will tell you which API key action you must change from none to write. Where it says reveal your key, you have three dots on the right and there you can edit the API key permissions. I had to change three of them because each was giving an error until I changed all three to write mode.