We are using google cloud platform to host our stripe payment gateway. The cloud function sends the payment intent to stripe and a callback that stripe calls with a session object.
Inside the google cloud platform, we are not sure what permission to set our cloud function. Right now, we allow all public access and we are fearing that a hacker can see our secret key from our index.js (where the cloud functions live), or has the ability to manipulated the code inside of the index.js.
With the function's purpose described above, what is the safest permission setting that does not allow any public users to read or manipulate our functions? All we want is to allow the users to invoke the function,
thank you
I've implemented Stripe for an app using a combination of the Golang SDK and JavaScript SDKs that I'm deploying as an app to Cloud Run. So my config is slightly different to yours.
You should be able to:
Provide some protection by keeping Stripe's API keys as environment variables so that the JavsScript only accesses these in-memory. You may want to consider using Secret Manager.
Differentiate between authenticated handlers that trigger the flow and restricted handlers that accept the callback from Stripe.
You can authenticate using Cloud IAP (Google auth requiring users be part of the project) or e.g. Cloud Endpoints and Firebase auth
You can restrict access to the callback to Stripe's endpoints
I'm not a security guy.
Your learnings would make an interesting customer story for Stripe and GCP.
check how these guys implement their stripe functions, they have a bunch of them https://functions.store
Related
I have been wondering if it is possible to integrate Google Cloud Services such as Cloud Text-to-Speech in Flutter. The lack of documentation makes me wonder if there's some workaround or something because I can't find a way to integrate.
As you can see in the documentation, there are only samples for different languages, no presence for Flutter:
https://cloud.google.com/text-to-speech/docs/samples/tts-synthesize-text
enter image description here
Any suggestions? Will appreciate it.
GCP TtS is available also by REST API calls, as any other GCP service. So you can write Dartcode to perform an HTTP POST request to send text or audio.
BTW you have to consider how to authenticate to TtS, and there are different options, some of them:
your users need to be authenticated in your GCP organization by your mobile app, and they also need to have the permissions to invoke that service. Then your app can invoke TtS using HTTP POST and impersonating the user.
your mobile app authenticate the users without a GCP or Firebase identity. In that case you need a backend layer (might be a REST service or a simple Cloud function) acting as a proxy between your mobile app and TtS. Your app calls your backend, the backend authenticates to TtS using a service account (GPC identity), then the backend invokes TtS and sends back the result to your mobile app.
I am building an event management app and am currently in the stage of adding payment funcionality to it. I have followed the firebase documentation and all seems to be in working order and I can easily add products to my firestore database when using the Stripe dashboard. I am just wondering how this could be done either client side (flutter) or using cloud functions?
I have tried watching tutorials, looking at the limited github examples and reading the documentation however all the products seem to be made through the stripe dashboard - obviously not ideal to have to manually create every one!
Creating Products via the Stripe API requires an Account's secret API key. You should never expose this since it provides full access to your account. So creating Products from the client-side is not something we will consider.
Additionally the Stripe Firebase Extension does not include any cloud functions for creating Products. The docs even have you create a restricted key to keep your account safe. All of that suggests to me that you will want to either
Create products from the Stripe Dashboard as previously indicated in tutorials and documentation.
Run local scripts to create products via the API using one of Stripe's client libraries which you can install locally.
I'm trying to generate access token to access google APIs without the google consent screen. It will enable us to implement code which can automate certain actions in GCP like stopping a VM and lots more. I prefer to use dotnet core for this implementation.
I except to generate a bearer auth token through which I can access Google rest APIs without any environment setup or Google OAuth consent screen.
I have found answer for this question and it will be useful for the community members who are working on GCP or google APIs.
First you have to download json credentials for your gcp account, please refer to this documentation Download service account keys
Please refer to this git repo gcp-auth , it's dotnet core class library which contains static method to GenerateJwt, ExchangeTokenAsync and GetAccessTokenAsync.
Let me explain each method for better clarity.
GenerateJwt - this method generates a signed JWT token from PrivateKey, PrivateKeyID, ServiceAccountEmail which are present in downloaded json from previous step and scope which will be different for different api endpoint like we have https://www.googleapis.com/auth/compute for google apis under compute.
ExchangeTokenAsync - this method need the generated JWT from previous step to generate the actual access token from google which will be valid to access google apis under that scope.
GetAccessTokenAsync - this is combination of above two methods, here you've pass parameters same as passed in GenerateJwt.
Please let me know if it requires any further explanation.
I'm working with a service that will forward data to a URL of your choosing via HTTP POST requests.
Is there a simple way to publish to a Pubsub topic with a POST? The service I'm using (Hologram.io's Advanced Webhook Builder) can't store any files, so I can't upload a Google Cloud service account JSON key file.
Thanks,
Ryan
You have 2 challenges in your use cases:
Format
Authentication
Format
You need to customize the webhook to comply with the PubSub format. Some webhoock are enough customizable for that but it's not the case of all. If you can't customize the webhook call as PubSub expect, you need to use an intermediary layer (Cloud Functions or Cloud Run for example)
Authentication
Directly to PubSub or with an intermediary layer, the situation is the same: the requester (the webhook) needs to be authenticated and authorized to access to the Google Cloud service.
One of the bad, and possible, practice, is to set allUsers authorized to access your resources. Here an example with a PubSub topic
Don't do that. Even if you increase "your" process security by defining a schema (and thus to reject all the messages that aren't compliant with this schema), letting a resource publicly, and without authentication, accessible on the wild internet is criminal!
In the webhook context (I had this case previously in my company) I recommend you to use a static authentication (a long lived authentication header; not a short lived (1h) as a Google OAuth2 token); an API Key for example. It's not perfect, because in case of API Key leak, the bad actors will be able to use this breach for a long time (rotate as soon as you can your API Keys!), but it's safer than nothing!
I wrote a pretty old article on this use case (with ESPv2 and Cloud Run), but the principle, and the configuration, is almost the same on API Gateway, a Google Cloud manage services. In the article, I create a proxy for Cloud Run, Cloud Functions and App Engine, but you can do the same thing with PubSub by setting the correct target URL.
I have seen the tutorial for starting the cloud functions and creating a guestbook on IBM Cloud, but when trying to connect an App ID it actually requires an application and not a Cloud Functions API.
So how can I connect them? Is there some tutorial somewhere? What needs to be considered?
depending on what you want to do, take a look in https://console.bluemix.net/docs/services/appid/relatedlinks.html#secure.
Specifically one of
Securing your Cloud Functions API
Securing your serverless Cloud Functions mobile backend with App ID
Tutorial: GitHub traffic analytics with Cloud Functions and Cloud Foundry
Cloud Functions supports OAuth 2.0 user authorization out of the box and you can bound your App ID instance directly to it.
Here's a fairly recent tutorial showing the steps:
https://www.ibm.com/cloud/blog/authenticating-users-with-cloud-functions-api-gateway-and-app-id
If you're looking to automatically initiate a new authentication flow as in redirect to the an identity provider where you're user will sign in, you'll have to either add logic to your application using an OIDC SDK (For instance App ID's: https://github.com/ibm-cloud-security/appid-serversdk-nodejs/) or add it manually handle the flow from a set of actions.
If you go the action approach, you'll have to keep in mind that they are ephemeral and can't keep session state, so you'll have to keep secure cookies in the user's browser.