
SI: Stripe Payment Credit Card Gateway "invalid_request_error" using card numbers directly in API calls - Not Using Tokens

Open gnossosp opened this issue 8 months ago • 0 comments

Sponsorship

If this request requires additional support (e.g., such as direct email/phone/meeting/development), I have the following interest in helping to sponsor the effort via GitHub Sponsors:

  • [ ] None, please continue to work for me for free :P
  • [x] Absolutely, I get value out of this!
  • [ ] Maybe later
  • [x] I'm already a sponsor... Woot!

Describe the bug

Credit card numbers not tokenized (or do I mean encrypted?) using Stripe Payment Gateway

Software Versions

  • DNN: 09.13.01
  • Hotcakes: 03.08.01

To Reproduce

Steps to reproduce the behavior:
Payment Methods > Credit Cards > Gateway "Stripe", in Sandbox, using API and Public Keys

Submit any payment in any amount. Nothing appears to occur on public site.

Expected behavior

Site should send credit card payment to Stripe Gateway and return to store with approved payment

Actual behavior

Nothing appears to occur; however, the Stripe Gateway sandbox records an error. I presume that the credit card information is not properly encrypted or otherwise obfuscated for use.

Screenshots

NA

Error log

Note: Debug DLLs

Please replace the current extension DLLs with the debug DLLs (if these are available with the release) and reproduce the error with the debug DLLs before pasting the error log.

STRIPE ERROR LOG

  • ID: req_aeCbRcu1sGNf7v
  • Time: 12/8/23, 5:01:38 PM
  • IP address: (my IP address here)
  • API version: 2022-11-15
  • Source: Stripe/v1 .NetBindings/41.2.0
  • Idempotency Key: b0024065-876a-4941-a903-b477228208f9

invalid_request_error Sending credit card numbers directly to the Stripe API is generally unsafe. We suggest you use test tokens that map to the test card you are using, see https://stripe.com/docs/testing.

REQUEST

{ "type": "card", "card": { "number": "*********4242", "exp_month": "12", "cvc": "", "exp_year": "2028" } }

RESPONSE

{ "error": { "message": "Sending credit card numbers directly to the Stripe API is generally unsafe. We suggest you use test tokens that map to the test card you are using, see https://stripe.com/docs/testing. To enable raw card data APIs in test mode, see https://support.stripe.com/questions/enabling-access-to-raw-card-data-apis.", "request_log_url": "https://dashboard.stripe.com/test/logs/req_UAhzJcybLWdzR5?t=1702072924", "type": "invalid_request_error" } }

Additional context

If I was smarter/more experienced I would attempt to fix this. Are there any suggestions on a method/path/tutorial to encrypt credit card data? Can I use an existing processor to view this in action?

gnossosp, Dec 10 '23 15:12
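
The check below is an added example, not code from Hotcakes Commerce or Stripe: a server-side guard for the failure in the log above, rejecting any checkout body that carries raw card fields and accepting only a Stripe-issued `pm_`/`tok_` id that the browser obtained through tokenization. The function names, the `payment_method` body field and the sample payload are assumptions made for illustration.

```javascript
// Keys that hold raw card data in the request logged above (card.number, card.cvc).
const RAW_CARD_KEYS = new Set(['number', 'cvc']);
// Ids Stripe issues after tokenization: PaymentMethod (pm_) or Token (tok_).
const TOKEN_ID = /^(pm|tok)_[A-Za-z0-9_]+$/;
// Constructed sample: same shape as the logged request, with Stripe's test card number.
const SAMPLE_RAW = { type: 'card', card: { number: '4242424242424242', exp_month: '12', cvc: '', exp_year: '2028' } };

// Luhn checksum: flags card-number-like digit strings hidden under other keys.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

function looksLikePan(value) {
  if (typeof value !== 'string' && typeof value !== 'number') return false;
  const digits = String(value).replace(/[ -]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Return the dotted paths of every field that carries raw card data.
function findRawCardData(node, path = '') {
  if (node === null || typeof node !== 'object') {
    return looksLikePan(node) ? [path] : [];
  }
  const hits = [];
  for (const [key, value] of Object.entries(node)) {
    const here = path ? `${path}.${key}` : key;
    const filledScalar = value !== '' && value != null && typeof value !== 'object';
    if (RAW_CARD_KEYS.has(key) && filledScalar) hits.push(here);
    else hits.push(...findRawCardData(value, here));
  }
  return hits;
}

// Hypothetical server-side check: the browser must send a token id, never a card.
function checkCheckoutBody(body) {
  const fields = findRawCardData(body);
  if (fields.length) return { ok: false, reason: 'raw card data', fields };
  const id = body && body.payment_method;
  if (typeof id !== 'string' || !TOKEN_ID.test(id)) {
    return { ok: false, reason: 'no token id', fields };
  }
  return { ok: true, paymentMethod: id };
}
```

A rejected body should be dropped without logging the offending values; the returned `fields` list names only the paths.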