stripe-node
Add setting to set additional `https.request` params
Changes made
Adds the `requestOptions` parameter to the `Stripe` class constructor and `makeRequest` function. Can be used to send additional params to the `https.request()` function call, which cannot be set any other way.
Purpose of changes
Initially created to allow local testing against HTTPS mock endpoints without setting the `NODE_EXTRA_CA_CERTS` or `NODE_TLS_REJECT_UNAUTHORIZED` command line options, allowing the `https` module to trust self-signed certificates used by the local mock HTTPS endpoints.
This setting is also required when using HTTP Proxy-based PCI data vaults which tokenize and detokenize data in-flight (e.g. verygoodsecurity/vgs-satellite#194) without revealing card data to the client. Passing the vault's RootCA to the Stripe client only when required is far safer than trusting the vault's CA globally (via `NODE_EXTRA_CA_CERTS`) or ignoring all invalid certificates completely (via `NODE_TLS_REJECT_UNAUTHORIZED`), both of which open a system up to MITM attacks.
This is also much safer than monkey patching the `https.request` or `tls.secureContext` functions to inject additional options.
Sample Usage
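```js
const fs = require('fs');
const Stripe = require('stripe');

const stripe = Stripe('sk_test_...', {
  apiVersion: '2019-08-08',
  maxNetworkRetries: 1,
  timeout: 1000,
  host: 'api.example.com',
  port: 123,
  telemetry: true,
  // Extra options forwarded to https.request(); here, a CA trusted by this client only
  requestOptions: {
    ca: fs.readFileSync('/path/to/local/rootca.pem')
  },
});
```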
Breaking change
No. `requestOptions` parameter is completely optional and defaults to an empty object if not set. Does not affect any existing functionality.
Documentation updated
- README
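One defensive way to merge such per-client options into the request, as an added example that is not code from this pull request or from stripe-node. The function `mergeRequestOptions`, its allowlist and the sample values are assumptions made for illustration.

```javascript
'use strict';

// Hypothetical allowlist: only TLS trust and identity settings may be set per client.
const ALLOWED_KEYS = new Set([
  'ca', 'cert', 'key', 'passphrase', 'pfx', 'servername', 'minVersion',
]);

// Merge caller-supplied options (extra) into the options the client built itself (base).
// The result is what would be handed to https.request(options, callback).
function mergeRequestOptions(base, extra = {}) {
  const merged = {};
  for (const [key, value] of Object.entries(extra)) {
    if (key === 'rejectUnauthorized') {
      // true is already the Node default; anything else turns verification off.
      if (value !== true) {
        throw new Error('requestOptions must not disable certificate verification');
      }
      continue;
    }
    if (!ALLOWED_KEYS.has(key)) {
      // Blocks overriding host, path, method, headers, agent and similar fields.
      throw new Error(`requestOptions key not allowed: ${key}`);
    }
    merged[key] = value;
  }
  // Base values are applied last, so the client's own settings always win.
  return Object.assign(merged, base);
}

// Constructed sample input: the PEM string is a placeholder, not a real certificate.
function demo() {
  const base = { host: 'api.example.com', port: 123, method: 'POST', path: '/v1/charges' };
  return mergeRequestOptions(base, { ca: 'CONSTRUCTED-ROOT-CA-PEM' });
}
```

With this shape, the extra CA is trusted only for requests made by this client, and a configuration mistake cannot redirect the request or switch off verification.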
Hi, I apologize for the delayed response.
The `Stripe` object constructor allows providing a custom HttpClient instance. With that you can override any behaviors related to sending HTTP requests.
You can inherit the default implementation and override the `request` method to your needs.
Closing for housekeeping purposes. Please feel free to reopen!