
Add rak_stripecli_session_write permission to stripe app key

Open reesericci opened this issue 1 year ago • 2 comments


Issue

I'm trying to add the rak_stripecli_session_write to my app's API key to be able to create WebSocket sessions to forward webhooks behind a firewall.

Expected Behavior

I expected to be able to add the permission.

Steps to reproduce

Add

{
  "permission": "rak_stripecli_session_write",
  "purpose": "..."
}

to stripe-app.json and run stripe apps upload

Traceback

stripe apps upload

✔ Enter a different version to upload: 0.0.3█
✔ Enter a different version to upload
⬆ You are about to upload your app to Obl.ong

Name:    United
ID:      ci.reeseric.united
Version: 0.0.3

Would you like to proceed: y
✔ Built files for production
✔ Packaged files for upload
× Failed to upload United
Request failed, status=400, body={
  "error": {
    "message": "3:Permission rak_stripecli_session_write does not exist",
    "request_log_url": "https://dashboard.stripe.com/test/logs/req_ECEnlr9wSmMqBz?t=1719673328",
    "type": "invalid_request_error"
  }
}

Yet when creating a session with that API key:

The provided key 'rk_test_*********************************************************************************************' does not have the required permissions for this endpoint on account 'acct_***'. Having the 'rak_stripecli_session_write' permission would allow this request to continue.

Environment

Linux and manual HTTP requests

reesericci, Jun 29 '24 15:06

Did some more poking around and realized that I shouldn't add rak_ in apps permissions, so I switched it out for stripecli_session_write but got the same error:

Request failed, status=400, body={
  "error": {
    "message": "3:Permission stripecli_session_write does not exist",
    "request_log_url": "https://dashboard.stripe.com/test/logs/req_xIpfJdZHXkayJF?t=1719697974",
    "type": "invalid_request_error"
  }
}

reesericci, Jun 29 '24 21:06

{
  "id": "ci.reeseric.united",
  "version": "0.0.3",
  "name": "United",
  "icon": "./pictures/icon-filled.png",
  "permissions": [
    {
      "permission": "payment_intent_write",
      "purpose": "Checkout"
    },
    {
      "permission": "webhook_write",
      "purpose": "Listen for payment events"
    },
    {
      "permission": "stripecli_session_write",
      "purpose": "Creating WebSocket connection to forward webhooks"
    }
  ],
  "ui_extension": {},
  "stripe_api_access_type": "restricted_api_key",
  "distribution_type": "private"
}

full app.json for reference

reesericci, Jun 29 '24 21:06

Hi there, this is not a permission available for use, as the error indicates. That's an internal-only system designed specifically to facilitate Stripe CLI listen functionality and is not possible to use for your own events/endpoints outside the CLI.

You need to have an HTTP endpoint reachable from Stripe's notification servers (i.e., accept requests from these IPs) to receive events, after which you can re-process or re-transmit those events however you need.

brendanm-stripe, Jul 05 '24 02:07
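
A sketch of the gate such a publicly reachable endpoint can apply before re-processing or re-transmitting an event, added here as an example and not code from this thread or from Stripe. It combines a source-IP allowlist with a check of the `Stripe-Signature` header (HMAC-SHA256 over `<timestamp>.<raw body>`, as in Stripe's documented webhook signing); the function names, the network range and the secret are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed placeholders: load the real ranges from Stripe's published list
# and the real signing secret from the webhook endpoint's settings.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, not Stripe's
ENDPOINT_SECRET = "whsec_constructed_example"
TOLERANCE_SECONDS = 300


def source_allowed(remote_ip, networks=ALLOWED_SOURCES):
    """True if the connecting address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def sign(payload, timestamp, secret=ENDPOINT_SECRET):
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded."""
    signed = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def signature_valid(payload, header, now=None, secret=ENDPOINT_SECRET):
    """Check a Stripe-Signature header of the form t=<unix time>,v1=<hex>[,...]."""
    now = time.time() if now is None else now
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if not timestamp or not (timestamp.isascii() and timestamp.isdigit()) or not candidates:
        return False
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:  # reject stale replays
        return False
    expected = sign(payload, timestamp, secret).encode()
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)


def accept_event(remote_ip, payload, header, now=None):
    """Gate to run on the raw request body before re-processing or forwarding."""
    return source_allowed(remote_ip) and signature_valid(payload, header, now)
```

The signature must be computed over the raw request bytes, so run the check before any JSON parsing or re-serialization by the web framework.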