unicodeveloper / laravel-paystack

:credit_card: :package: :moneybag: Laravel 6, 7, 8, 9, 10 and 11 Package for Paystack
https://paystack.co
MIT License

Visibility of Paystack secret key in the frontend #73

Closed yunusdev closed 4 years ago

yunusdev commented 5 years ago

Hello, I want to ask if it's safe for the secret key to be open in the form, just as it was stipulated. I just want to confirm if it's okay for security reasons. Thanks in advance.

ionware commented 5 years ago

I really don't think it is. From what I know about SSH keys (public and secret), the secret key is never meant to be shared.

I also saw this and was thinking of submitting a PR to fix it, but it seems to work without binding the secret key to the payment form. However, you can set up a middleware, and inside the middleware you can bind the secret key and other things you don't want on the frontend.

```php
<?php

namespace App\Http\Middleware;

use Closure;

class InterceptPayment
{
    /**
     * Handle an incoming request.
     *
     * Binds the Paystack secret key on the server side so that it never
     * has to be rendered into the payment form, and converts the amount
     * to the smallest currency unit (kobo) that Paystack expects.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // merge() overwrites any 'secret' or 'amount' the client may have sent.
        $request->merge([
            'secret' => config('paystack.secretKey'),
            'amount' => $request->get('amount') * 100
        ]);
        return $next($request);
    }
}
```

Register it and apply it to the redirectToGateway method of PaymentController, or whatever your case may be.
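As an added example (not code from this thread or from the laravel-paystack package), here is one way to wire the middleware approach above end to end: the form carries no secret key at all, the middleware binds it server-side, and the controller validates what the browser was allowed to influence before handing off to the package. The block collects several files, separated by comments. The `/pay` route, the `email`/`amount` field names, the validation rules and the `paystack()->getAuthorizationUrl()->redirectNow()` call are assumptions for illustration; check the last one against the package README for your version.

```php
<?php
// ---- app/Http/Middleware/InterceptPayment.php (assumed path) ----
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class InterceptPayment
{
    public function handle(Request $request, Closure $next)
    {
        // The secret key is read from config (populated from .env on the server)
        // and bound here; it never appears in a rendered view. merge() replaces
        // any 'secret' or 'amount' value a client may have submitted.
        $request->merge([
            'secret' => config('paystack.secretKey'),
            // Paystack takes amounts in the smallest currency unit (kobo for NGN).
            'amount' => (int) round(((float) $request->input('amount', 0)) * 100),
        ]);

        return $next($request);
    }
}

// ---- routes/web.php (assumed) ----
use App\Http\Controllers\PaymentController;
use App\Http\Middleware\InterceptPayment;
use Illuminate\Support\Facades\Route;

// Route middleware runs before the controller, so the controller sees the
// request with the secret key already bound and the amount already in kobo.
Route::post('/pay', [PaymentController::class, 'redirectToGateway'])
    ->middleware(InterceptPayment::class);

// ---- app/Http/Controllers/PaymentController.php (assumed) ----
namespace App\Http\Controllers;

use Illuminate\Http\Request;

class PaymentController extends Controller
{
    public function redirectToGateway(Request $request)
    {
        // Only fields the browser is allowed to set are validated here;
        // 'amount' is already an integer number of kobo after the middleware.
        $request->validate([
            'email'  => 'required|email',
            'amount' => 'required|integer|min:100',
        ]);

        // Assumed to match the package README for your version: the package
        // reads the secret key on the server, not from the submitted form.
        return paystack()->getAuthorizationUrl()->redirectNow();
    }
}

// ---- resources/views/pay.blade.php (assumed): no key of any kind in the markup ----
// <form method="POST" action="/pay">
//     @csrf
//     <input type="email"  name="email"  required>
//     <input type="number" name="amount" min="1" step="0.01" required>
//     <button type="submit">Pay</button>
// </form>
```

Two caveats worth keeping in mind: the Paystack public key is designed to be exposed (it is what Paystack's inline JavaScript uses), whereas the secret key authenticates API calls and must stay on the server; and the middleware above still multiplies whatever amount the client posted, so in a real checkout the amount should be taken from a server-side order record rather than from the form.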

yunusdev commented 5 years ago

Ok, thanks. The code actually worked when replaced with the private key also, which is safe, I guess.

seunafara commented 4 years ago

My main concern with using this right now: I'm just wondering if you meant that using the "public key" in place of the "secret key" for the hidden input on the front end will work fine?

unicodeveloper commented 4 years ago

Removed it in the latest release