The getSettings route is not authenticated, leaving all secret values open to the public.
To reproduce, launch a Strapi instance on your local machine, install the plugin, fill out the configuration page, then a simple curl http://localhost:1337/strapi-stripe/getSettings shows all your credentials in the terminal.
Production environment doesn't do anything more.
Solution: remove the config: { auth: false } on both routes related to the settings in server/routes/index.js
Best: set the admin::isAuthenticatedAdmin policy on both routes with config: { policies: ['admin::isAuthenticatedAdmin'] }
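The weak route configuration the report describes, beside the hardened form it recommends, as an added illustration (not the plugin's own server/routes/index.js); the Strapi v4 route shape is real, while the handler names and the second settings path are assumed for the example, and the small checker at the end is one way to flag settings routes that are still open when reviewing a route table.

```javascript
// Added example, not the plugin's code. Strapi v4 plugin routes are plain
// objects like these; handler names and '/createSettings' are assumptions.
const SETTINGS_PATHS = ['/getSettings', '/createSettings'];

// Weak form from the report: `auth: false` lets anyone call
// GET /strapi-stripe/getSettings and read the stored credentials.
const vulnerableRoutes = [
  {
    method: 'GET',
    path: '/getSettings',
    handler: 'stripeController.getSettings',
    config: { auth: false },
  },
  {
    method: 'POST',
    path: '/createSettings',
    handler: 'stripeController.createSettings',
    config: { auth: false },
  },
];

// Hardened form (the report's "Best" option): drop `auth: false` and require
// the built-in admin::isAuthenticatedAdmin policy, so only a logged-in
// admin-panel user can reach the settings routes.
const hardenedRoutes = vulnerableRoutes.map((route) => ({
  ...route,
  config: { policies: ['admin::isAuthenticatedAdmin'] },
}));

// Review check: return "METHOD /path" for every settings route whose config
// still disables authentication and carries no admin policy.
function findUnauthenticatedSettingsRoutes(routes) {
  return routes
    .filter((route) => SETTINGS_PATHS.includes(route.path))
    .filter((route) => {
      const cfg = route.config || {};
      const policies = cfg.policies || [];
      const hasAdminPolicy = policies.includes('admin::isAuthenticatedAdmin');
      return cfg.auth === false && !hasAdminPolicy;
    })
    .map((route) => `${route.method} ${route.path}`);
}

// Running the check against both tables shows which one is still exposed.
console.log('open:', findUnauthenticatedSettingsRoutes(vulnerableRoutes));
console.log('open:', findUnauthenticatedSettingsRoutes(hardenedRoutes));
```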