vercel / nextjs-subscription-payments

Clone, deploy, and fully customize a SaaS subscription application with Next.js.
https://subscription-payments.vercel.app/
MIT License
5.83k stars 1.19k forks

Sensitive data is unnecessarily (?) saved to database. #232

Open EarthlingDavey opened 11 months ago

EarthlingDavey commented 11 months ago

It looks like billing_address & payment_method are saved to the database by default. Even though this starter project doesn't really need them.

Should saving this sensitive data be turned off by default? If the subscription is a digital product, is there any benefit in saving the billing_details?

For context it could look like this:

address: {
  city: 'Test City',
  country: 'US',
  line1: 'Test Address',
  line2: null,
  postal_code: '12345',
  state: 'Test State',
},
payment_method: {
  brand: 'visa',
  checks: {
    address_line1_check: 'pass',
    address_postal_code_check: 'pass',
    cvc_check: 'pass',
  },
  country: 'US',
  exp_month: 1,
  exp_year: 2022,
  fingerprint: 'test',
  funding: 'credit',
  last4: '4242',
  networks: {
    available: ['visa'],
    preferred: null,
  },
  three_d_secure_usage: {
    supported: true,
  },
  wallet: null,
}

nate-oo commented 11 months ago

Hi @EarthlingDavey

I had some similar questions and these are some of the answers I found through my own research and talking with Stripe support.

I had a call with Stripe Support because I was new to Stripe and worried about accidentally pulling certain sensitive Stripe data into my Supabase database. They said to me "all the information from the Stripe API is safe to replicate and store and no information like full card details can be returned from the Stripe API" (which you for sure would never want). Now I am not a security expert or data compliance lawyer here but that sounds like we should be good to pull what we want into our database from the Stripe API.

However, I would still always think about security and who has access to the data in your database and what they can do with it. If you search for public vs private schemas, granting privileges, and RLS in the context of PostgreSQL / Supabase you should find some great information on how people are making their databases secure.

Here is some great stuff on RLS:

The way I see the address information is that it could be beneficial if you wanted to create these as contacts in a CRM or Email Marketing platform or for analysis and automations in your database. Looking through the code, I did not see the pieces of information you are referring to being critical for the functionality of anything in this repo. I believe they are just provided because address information is pretty commonplace to collect for a 'person' record and to show what you can do with the Stripe API and Supabase.

On another note, to my understanding, many people pull a bunch of Stripe data into their own databases / data warehouses (such as snowflake) and basically replicate objects and fields such as Invoices, Checkout Sessions, etc in their own database / data warehouse for analysis and automations.

Hope this helps or steers you in the right direction.

EarthlingDavey commented 11 months ago

Hey @nate-oo thanks, that makes a lot of this make sense.

Though, in terms of this repo, I think it at least deserves a warning in the readme that the Stripe data is being stored.

Say 95% of developers take care of the security that you mentioned, 5% are rookies and may not realise they are responsible for the data. A leak could leave the customers open to a reverse engineering attack.

chriscarrollsmith commented 7 months ago

In the supabase-admin.ts file, you will find that by default, createAction = false. The customer's billing address and payment method won't be copied into the Supabase db unless you opt in to this functionality by changing this argument to createAction = true.
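The thread asks which of the stored fields a digital-subscription app actually needs, and notes that the copy is opt-in via createAction. The following TypeScript is an added example written for this page; it is not code from the nextjs-subscription-payments repository. It takes a card object shaped like the one quoted in the issue (a constructed sample with Stripe test-card values), keeps only the fields needed to render "Visa ending in 4242, expires 01/2022", reports which fields were discarded so the result can be audited, and gates the whole copy behind an explicit flag. The function names (minimizePaymentMethod, droppedFields, billingDetailsToStore) and the StripeCardLike type are assumptions made for the example; only the createAction parameter name follows the thread.

```typescript
// Added example, not code from the repository under discussion.
// Reduces a Stripe card payment_method object to a display-only subset
// before anything is mirrored into the application database.

// Minimal typing of the object the issue shows being stored; fields this
// example does not use are passed through as unknown. (Assumed shape.)
interface StripeCardLike {
  brand: string;
  last4: string;
  exp_month: number;
  exp_year: number;
  [key: string]: unknown;
}

// The subset we are willing to persist: enough for a "card on file" label,
// without the fingerprint (a stable identifier for the same card across
// Stripe accounts) or the AVS/CVC check outcomes.
interface StoredCardSummary {
  brand: string;
  last4: string;
  exp_month: number;
  exp_year: number;
}

const RETAINED_FIELDS = ['brand', 'last4', 'exp_month', 'exp_year'] as const;

// Explicit allow-list: any field Stripe adds to the object later is dropped
// by default instead of silently landing in the database.
function minimizePaymentMethod(card: StripeCardLike): StoredCardSummary {
  return {
    brand: card.brand,
    last4: card.last4,
    exp_month: card.exp_month,
    exp_year: card.exp_year,
  };
}

// Names of the fields that never reach the database, sorted so a reviewer
// can diff the list against the raw Stripe object.
function droppedFields(card: StripeCardLike): string[] {
  const keep = new Set<string>(RETAINED_FIELDS);
  return Object.keys(card).filter((k) => !keep.has(k)).sort();
}

// Mirrors the opt-in the thread describes: nothing is copied unless the
// caller passes createAction = true. Hypothetical helper; the parameter
// name follows the thread, the function does not exist in the repo.
function billingDetailsToStore(
  card: StripeCardLike,
  address: Record<string, unknown> | null,
  createAction = false,
): { billing_address: Record<string, unknown> | null; payment_method: StoredCardSummary | null } {
  if (!createAction) {
    return { billing_address: null, payment_method: null };
  }
  return { billing_address: address, payment_method: minimizePaymentMethod(card) };
}

// Constructed sample matching the object quoted in the issue (test-card values).
const SAMPLE_CARD: StripeCardLike = {
  brand: 'visa',
  checks: { address_line1_check: 'pass', address_postal_code_check: 'pass', cvc_check: 'pass' },
  country: 'US',
  exp_month: 1,
  exp_year: 2022,
  fingerprint: 'test',
  funding: 'credit',
  last4: '4242',
  networks: { available: ['visa'], preferred: null },
  three_d_secure_usage: { supported: true },
  wallet: null,
};

// Stand-alone run: show what would be stored with the opt-in off and on.
console.log(billingDetailsToStore(SAMPLE_CARD, null, false));
console.log(billingDetailsToStore(SAMPLE_CARD, { city: 'Test City', country: 'US' }, true));
console.log('dropped:', droppedFields(SAMPLE_CARD));
```

The allow-list is deliberately written as an object literal rather than a loop over RETAINED_FIELDS so that the persisted type is fixed at compile time; droppedFields exists only to make the omission visible in review. Whether billing_address should be stored at all for a digital product is the open question in the thread, so the example passes it through unchanged when createAction is set and stores nothing otherwise.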