Working with the stripe API
Recently I have been integrating an app to work with stripe API and thought I'd share some things I learned. Please excuse my coffeescript =).
Know where to find the docs
Use the correct publishable key
Protect customer credit cards and yourself
Don't have to require cvc when it's not required
Stripe application webhooks (added: July 18th, 2013)
Reading the rubydoc is hard, since things are so abstracted you'll have to hop from class to class. Just check out the stripe documentation at https://stripe.com/docs/api/ruby.
If you are making stripe requests both server-side and client-side, you will have to ensure you are using the right access tokens and publishable keys!
This bit me once when I was using stripe.js to add a card to a customer client-side (so the card info never touches the server but gets a token from stripe) and was setting
Stripe.setPublishableKey('YOUR_PUBLISHABLE_KEY');
to my stripe account, but it needs to be set to the stripe connected account's stripe publishable key. You should be storing that along with the access token in your database for future reference. Hint: save all the attributes stripe gives you because you never know when you will need them: https://stripe.com/docs/connect/oauth.
Protect your users and yourself from exposing credit card information by not having it even touch your server.
Using stripe.js you can create a form with credit card inputs that is submitted to stripe, which returns to you very basic info (last 4 digits, etc.), which you can store on your server, and a single-use token that references a credit card.
Stripe gives you a basic implementation for doing this, but it lacks a few things, such as submitting the basic card information back to your server. Also, while the stripe docs say that the card CVC is optional, a card would be rejected without it when using the boilerplate stripe.js form.
To pass the card's basic information to the server, I append hidden inputs to the form with the basic information.
Since the CVC number from the card is not required but is checked for when submitting to stripe, the input needs to be checked and, if blank, removed before submitting the form to stripe.
I use these simple functions to check if cvc is blank and simply remove it before calling Stripe.createToken(form, ...).
Here's the working coffeescript class I use to handle stripe.js interactions:
Handling stripe.js interactions
The code could be cleaned up a lot more, but it works like this: bindStripeForm() handles the form submission to get a stripe payment method token. stripeResponseHandler() then passes information to StripePaymentMethodForm to render any error messages, add the basic payment information to the form as hidden inputs, and submit it along with the stripe payment method token to the server.
Stripe application webhooks
Stripe webhooks are handled slightly differently for a standalone Stripe integration versus a Stripe application, meaning an application where others can integrate their own stripe accounts.
When setting up a stripe events callback, I noticed I was getting several exceptions for "Stripe::InvalidRequestError: No such event: evt_****; a similar object exists in test mode, but a live mode key was used to make this request." This means that test events are being sent to a live events callback.
I confirmed this after checking the documentation under Configuring your webhooks:
You can enter any URL you'd like to have receive the events. The mode determines whether test events or live events are sent to this URL — if you want to send both live and test events to the same URL you need to create two separate settings (application webhooks do not follow this rule).
What this means is you will have to check the livemode root-level param to see if the event should be ignored.
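One way to implement the livemode check described above, as an added example that is not part of the original post. The names WebhookModeFilter, triage and live_endpoint are hypothetical, and the sample payloads are constructed.

```ruby
require 'json'

# Added example (not from the original post). Decides what a webhook endpoint
# should do with an incoming event body before any stripe API call is made.
# `live_endpoint` is a hypothetical flag: true when this server holds a live key.
module WebhookModeFilter
  # Assumption: ids look like the evt_**** shown in the error message above.
  EVENT_ID = /\Aevt_[A-Za-z0-9_]+\z/

  # Returns [:process, id], [:ignore, reason] or [:reject, reason].
  def self.triage(raw_body, live_endpoint:)
    payload = JSON.parse(raw_body)
    return [:reject, 'payload is not a JSON object'] unless payload.is_a?(Hash)

    id = payload['id']
    return [:reject, 'missing or malformed event id'] unless id.is_a?(String) && id.match?(EVENT_ID)

    livemode = payload['livemode']
    # Only a real boolean counts; the string "false" or nil is not a mode.
    return [:reject, 'livemode is not a boolean'] unless [true, false].include?(livemode)

    # Mode mismatch: looking this id up with our key is what raises
    # Stripe::InvalidRequestError ("No such event"), so skip it quietly.
    return [:ignore, "livemode=#{livemode} does not match this endpoint"] if livemode != live_endpoint

    [:process, id]
  rescue JSON::ParserError
    [:reject, 'body is not valid JSON']
  end
end

# Constructed sample payloads, trimmed to the fields used here.
TEST_EVENT = '{"id":"evt_constructed_test_1","type":"charge.succeeded","livemode":false}'
LIVE_EVENT = '{"id":"evt_constructed_live_1","type":"charge.succeeded","livemode":true}'

if __FILE__ == $PROGRAM_NAME
  [TEST_EVENT, LIVE_EVENT, '{"id":"evt_x","livemode":"false"}', 'not json'].each do |body|
    p WebhookModeFilter.triage(body, live_endpoint: true)
  end
end
```

The body is unauthenticated at this point, so the result only decides whether looking the event up by id is worth attempting; it is not a substitute for that lookup.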