I am building an event management app and am currently in the stage of adding payment funcionality to it. I have followed the firebase documentation and all seems to be in working order and I can easily add products to my firestore database when using the Stripe dashboard. I am just wondering how this could be done either client side (flutter) or using cloud functions?
I have tried watching tutorials, looking at the limited github examples and reading the documentation however all the products seem to be made through the stripe dashboard - obviously not ideal to have to manually create every one!
Creating Products via the Stripe API requires an Account's secret API key. You should never expose this since it provides full access to your account. So creating Products from the client-side is not something we will consider.
Additionally the Stripe Firebase Extension does not include any cloud functions for creating Products. The docs even have you create a restricted key to keep your account safe. All of that suggests to me that you will want to either
Create products from the Stripe Dashboard as previously indicated in tutorials and documentation.
Run local scripts to create products via the API using one of Stripe's client libraries which you can install locally.
Related
We are using google cloud platform to host our stripe payment gateway. The cloud function sends the payment intent to stripe and a callback that stripe calls with a session object.
Inside the google cloud platform, we are not sure what permission to set our cloud function. Right now, we allow all public access and we are fearing that a hacker can see our secret key from our index.js (where the cloud functions live), or has the ability to manipulated the code inside of the index.js.
With the function's purpose described above, what is the safest permission setting that does not allow any public users to read or manipulate our functions? All we want is to allow the users to invoke the function,
thank you
I've implemented Stripe for an app using a combination of the Golang SDK and JavaScript SDKs that I'm deploying as an app to Cloud Run. So my config is slightly different to yours.
You should be able to:
Provide some protection by keeping Stripe's API keys as environment variables so that the JavsScript only accesses these in-memory. You may want to consider using Secret Manager.
Differentiate between authenticated handlers that trigger the flow and restricted handlers that accept the callback from Stripe.
You can authenticate using Cloud IAP (Google auth requiring users be part of the project) or e.g. Cloud Endpoints and Firebase auth
You can restrict access to the callback to Stripe's endpoints
I'm not a security guy.
Your learnings would make an interesting customer story for Stripe and GCP.
check how these guys implement their stripe functions, they have a bunch of them https://functions.store
TL;DL
Is it OK to store api key for Google map api on Firebase Firestore with security rules ?
Question
I'm working on map features using google_maps_flutter plugin. This package describes to store the key on source code on its document, but this seems to be insecure.
Many developers describing that the most secure way to manage api key is to store on server side and I agree with this idea.
I found the issue but it seems that the plugin does not have a way to provide the api key dynamically.
In the iOS sdk, they have GMSServices.provideAPIKey(Could not find same kind of methods on Android) and this allows to provide api key dynamically.
If the plugin support these features in future, is it OK to store the key on firestore with security rules?
Thank you
If your third-Party API Key are sensitive, they should stay on the server and never reach the User's device.
So, you could store them on Firestore with strong security rules (i.e. only readable with admin privileges) and then place the third-party API calls within Firebase Cloud Functions.
I need to implement Stripe payment gateway in one of my application, is there any plugin or something I can use to add card and charge customers for some service. If anyone having any references please suggest.
I have gone through some tutorials and plugin but none of them are as per my requirement some plugin allows only to add a card but I am unable to find the plugin that can manage payments with the Stripe.
After successfully adding card, you will get a response with a token.
Pass that token to your backend server, you could call charge.create(it depends on your backend language, check stripe documentations) function to make the actual charge and other stuff.
You can use stripe_payment plugin
Here is an article showing you how to do implement payment in flutter using firebase and stripe
https://medium.com/#info_4766/build-a-marketplace-in-your-flutter-app-and-accept-payments-using-stripe-and-firebase-59f074201718
This is best done in Firebase using cloud functions, rather than from the app. Find links below for more info on how to do this:
https://github.com/firebase/functions-samples/tree/master/stripe
https://www.youtube.com/watch?v=JeyxolsJ3aE
https://www.youtube.com/watch?v=BrLTF4QdRrM
For these reasons:
There's the security aspect and one of these links explains it's not a great idea to have your stripe secret inside your client.
I want to be able to make this available from flutterweb, as well as other devices. Flutterweb is currently not yet supported by any plugin. The plugin that's best evolved and most used is https://pub.dev/packages/stripe_payment. Flutter-web has not been released yet (more, see https://github.com/jonasbark/flutter_stripe_payment/pull/147)
I am planning to use Firebase as my backend service for the mobile application. As part of the functionality, I need to get the data from external rest API which returns JSON data. I need to update the data periodically so that I can have updated information.
I have an option to call the rest API and update firebase on the mobile application however it is not the right approach. I prefer to keep this logic on the backend service.
Is there a way to use Firebase cloud function to periodically update firebase database from external Rest API?
#Ioki, I assume what you are trying to do is make a mobile app which gets updated data every time a user goes to the app but you want this to be on the backend. I haven't tried it but you might want to use Node js with their Firebase Admin SDK.
See the link: https://firebase.google.com/docs/admin/setup
Although I think it might make more sense to use the real-time database via the iOS/ Android SDK because automatic/ value event updates are basically the purpose of the real- time database. Good luck! :)
I am wondering if it is possible to use just the Firebase authentication system together with your own API and database.
It has some nice features I want to take advantage of, however I do not wish to use their database or storage.
The application I am building is an Angular2 and express application with a MongoDB database.
Any answers will be greatly appreciated!
That definitely is possible: you can create your own identity provider that plugs into Firebase Authentication. This is often referred to as custom authentication. To implement this, you need a server (or other trusted process) where you authenticate your users and mint security tokens for then. You then pass this token to the user and have them pass it into Firebase.
But keep in mind: many Firebase features work fine without authentication. For example: if you use Cloud Messaging, Crash Reporting, Test Lab or many other features, you might not need to implement Firebase Authentication at all.