Closed apogee23 closed 1 year ago
I believe this is for setting up a payment for future usage? If so I also have this problem. The current restricted key that the docs have us create does not have the correct permissions configured for this feature to work. Curious how to do this?
Set up a payment method for future usage
You can collect a payment method from your customer to charge it at a later point in time. To do so create a new doc in your ${param:CUSTOMERS_COLLECTION}/{uid}/checkout_sessions collection with the following parameters:
client: 'mobile'
mode: 'setup'
Then listen for the extension to append setupIntentClientSecret, ephemeralKeySecret, and customer to the doc and use these to [integrate the mobile payment sheet](https://stripe.com/docs/payments/accept-a-payment?platform=ios&ui=payment-sheet#integrate-payment-sheet).
@DCSnip3r Can you share the payload you're passing when creating the Checkout Session? What specific error are you seeing?
My guess is that the initial issue is related to the restricted key not having write permissions for the Payment Intents API:
@jsteele-stripe Sure, trying to set up a card for future use this way:
```js
await this.$fire.firestore
  .collection('customers')
  .doc(customerId)
  .collection('checkout_sessions')
  .add({
    client: 'mobile',
    mode: 'setup',
  })
```
Error message:
```
403 Error: POST /v1/ephemeral_keys
invalid_request_error
The provided key 'rk_test_*****************************************************************************************'
does not have the required permissions for this endpoint on account 'ACC'.
This is a restricted API key, but the required permissions are not available for use by restricted keys.
```
Related to https://github.com/stripe/stripe-firebase-extensions/issues/314
@DCSnip3r Yeah, that Firestore document creation will fire this Stripe API call: https://github.com/stripe/stripe-firebase-extensions/blob/2ad018aeb45564fce06540a952253715aba1ef79/firestore-stripe-payments/functions/src/index.ts#L263-L267
My guess is your restricted key doesn't have write permissions for the Setup Intents and/or Ephemeral Keys APIs.
edit: I think the issue is indeed Ephemeral Keys based on the error message? (403 Error: POST /v1/ephemeral_keys). Which can't be accessed with restricted keys.
@jsteele-stripe Interesting. Do you have suggestions for what to do then? I believe I am using the recommended setup based on the Pre/PostInstall. I don't think I have control over whether this uses the Restricted Key as opposed to the correct one. Or is there a configuration that I can change?
@DCSnip3r This seems like an oversight in the initial implementation of one-time payments (in that Ephemeral Keys can't be managed with a restricted API key). In this instance, you'd need to use your secret key with the extension, in place of the restricted key.
We'll discuss how we'll handle this going forward.
@jsteele-stripe
> In this instance, you'd need to use your secret key with the extension, in place of the restricted key.

Nice, is this something I can configure? Or is this handled by the extension?
@DCSnip3r You would just re-configure the extension in your Firebase Console and provide your secret key.
@jsteele-stripe Thank you for your help with this!! So in the extension configuration, replace the restricted key we make for Stripe with our secret key? Surprised this is a drop-in replacement.
Does this create any vulnerabilities, given that the RK has limited access?
> So in the extension configuration, replace the restricted key we make for stripe with our secret key?

Yep!

> Does this create any vulnerabilities, given that the RK has limited access?

There is a small inherent risk I guess. Which is why the extension originally (and still) recommends you create a restricted API key with only access to the endpoints/objects you need. It just means your secret key will be used in the Firebase functions.
Is there any update on this issue? I faced the same problem
In the Logs in Stripe dashboard this endpoint POST /v1/ephemeral_keys returns 403
```
invalid_request_error
The provided key 'rk_test_*******************************************************************************************XXX'
does not have the required permissions for this endpoint on account 'acct_XXXX'.
This is a restricted API key, but the required permissions are not available for use by restricted keys.
```
API version: 2020-08-27 Source: Stripe/v1 NodeBindings/8.191.0 Firebase firestore-stripe-payments/0.2.7
@koteus The workaround is outlined here:
> In this instance, you'd need to use your secret key with the extension, in place of the restricted key.

You can now create restricted API keys with ephemeral key permissions in your Dashboard, which should alleviate this error!
I fixed it, guys. I was using a restricted test key, and each key (product and restricted and any) has different API key settings for different actions; the error message will tell you which API key action you must change from none to write. Where it says reveal your key, you have three dots on the right, and there you can edit API keys. I had to change three API keys because each was giving an error until I changed all three to write mode.
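The thread distinguishes two failures that look alike in the logs: a restricted key missing a permission that can be granted in the Dashboard, and an endpoint that the error text says is not available to restricted keys at all. As an added example (not code from the extension or from Stripe; `triagePermissionError` and the action labels are hypothetical names, and both sample messages are constructed from the redacted text quoted above), this helper tells the two apart and reports only the key prefix, never the key body:

```javascript
// Added example: hypothetical helper names; not code from the extension or from Stripe.
// Key prefixes follow Stripe's rk_/sk_ + test/live naming.
const KEY_KINDS = {
  rk_test_: { restricted: true, live: false },
  rk_live_: { restricted: true, live: true },
  sk_test_: { restricted: false, live: false },
  sk_live_: { restricted: false, live: true },
};

// Returns what an operator needs to decide, and never echoes the key body.
function triagePermissionError(logText) {
  const endpoint = /\b(GET|POST|DELETE)\s+(\/v1\/[A-Za-z0-9_\/]+)/.exec(logText);
  const key = /provided key '([a-z]+_[a-z]+_)[^']*'/i.exec(logText);
  if (!endpoint || !key) return null; // not a permission error of this shape
  const kind = KEY_KINDS[key[1].toLowerCase()] || null;
  const blocked = /not available for use by restricted keys/i.test(logText);
  let action;
  if (!kind || !kind.restricted) action = 'investigate-key-type';
  else if (blocked) action = 'not-grantable-to-restricted-key';
  else action = 'grant-write-on-restricted-key';
  return {
    method: endpoint[1],
    path: endpoint[2],
    keyPrefix: key[1],
    liveMode: kind ? kind.live : null,
    action,
  };
}

// Constructed from the redacted error text quoted in this thread.
const SAMPLE_BLOCKED = [
  '403 Error: POST /v1/ephemeral_keys',
  'invalid_request_error',
  "The provided key 'rk_test_****' does not have the required permissions " +
    "for this endpoint on account 'acct_XXXX'.",
  'This is a restricted API key, but the required permissions are not ' +
    'available for use by restricted keys.',
].join('\n');

// Constructed variant: same shape without the "not available" sentence.
const SAMPLE_GRANTABLE = [
  '403 Error: POST /v1/setup_intents',
  "The provided key 'rk_test_****' does not have the required permissions " +
    "for this endpoint on account 'acct_XXXX'.",
].join('\n');

console.log(triagePermissionError(SAMPLE_BLOCKED).action);
console.log(triagePermissionError(SAMPLE_GRANTABLE).action);
```
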
Bug report
Describe the bug
With the suggested restricted key configuration, the createCheckoutSession method results in an error while attempting to create an ephemeralKey.
To Reproduce
createCheckoutSession function where the client="mobile".
the provided key 'rk_test_***' does not have the required permissions for this endpoint on account 'acct_****'. this is a restricted api key, but the required permissions are not available for use by restricted keys.
Expected behavior
The firebase object is populated with the paymentIntentClientSecret and EphemeralKeySecret.