署名チェックはフロント・サーバー両方に実装
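// Stripe client, authenticated with the secret API key read from the environment.
const stripe = require('stripe')(process.env.STRIPE_API_KEY);
// Find your app's secret in your app settings page in the Developers Dashboard.
// Keep it out of source control: read it from the environment, exactly like
// the API key above (the variable name here is an example — pick your own).
const appSecret = process.env.STRIPE_APP_SECRET;
if (!appSecret) {
  // Fail at startup instead of trying to verify signatures with an empty secret.
  throw new Error('STRIPE_APP_SECRET is not set');
}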
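// Backend endpoint called by the Stripe App front end. Nothing after the
// try/catch may run unless the request's signature has been verified.
app.post('/do_secret_stuff', (request, response) => {
  const sig = request.headers['stripe-signature'];
  // Rebuild the exact payload the front end signed: user id and account id,
  // in this key order. verifyHeader checks the signature against this string,
  // so a different key set or order fails verification.
  // NOTE(review): assumes a JSON body parser is mounted upstream — confirm.
  const payload = JSON.stringify({
    user_id: request.body['user_id'],
    account_id: request.body['account_id'],
  });
  try {
    // Verify the payload and signature from the request with the app secret.
    stripe.webhooks.signature.verifyHeader(payload, sig, appSecret);
  } catch (error) {
    // Return here: without the return the handler would fall through and do
    // the protected work for an unverified request (and then try to send a
    // second response).
    response.status(400).send(error.message);
    return;
  }
  // ... the protected work for the verified request goes here (not shown on this page).
});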
import fetchStripeSignature from '@stripe/ui-extension-sdk/signature';
const App = ({ userContext, environment }) => {
// POSTs requestData to the backend endpoint with a Stripe-Signature header.
// The signature covers the user id and account id, so those two fields are
// always included in the body (and win over same-named keys in requestData);
// the backend must rebuild exactly this pair to verify the header.
const makeRequestToMyBackend = async (endpoint, requestData) => {
  const signedFields = {
    user_id: userContext?.id,
    account_id: userContext?.account.id,
  };
  const url = `https://example.com/${endpoint}/`;
  const signature = await fetchStripeSignature();
  const body = JSON.stringify({ ...requestData, ...signedFields });
  return fetch(url, {
    method: 'POST',
    headers: {
      'Stripe-Signature': signature,
      'Content-Type': 'application/json',
    },
    body,
  });
};
...
}