Securing google firebase cloud function with stripe integration

flutter google-cloud-platform google-cloud-functions
128

Solution 1

check how these guys implement their stripe functions, they have a bunch of them https://functions.store

Solution 2

I've implemented Stripe for an app using a combination of the Golang SDK and JavaScript SDKs that I'm deploying as an app to Cloud Run. So my config is slightly different to yours.

You should be able to:

  1. Provide some protection by keeping Stripe's API keys as environment variables so that the JavsScript only accesses these in-memory. You may want to consider using Secret Manager.
  2. Differentiate between authenticated handlers that trigger the flow and restricted handlers that accept the callback from Stripe.
  3. You can authenticate using Cloud IAP (Google auth requiring users be part of the project) or e.g. Cloud Endpoints and Firebase auth
  4. You can restrict access to the callback to Stripe's endpoints

I'm not a security guy.

Your learnings would make an interesting customer story for Stripe and GCP.

Share:
128
Brendon Cheung
Author by

Brendon Cheung

Updated on January 01, 2023

Comments

  • Brendon Cheung
    Brendon Cheung over 1 year

    We are using google cloud platform to host our stripe payment gateway. The cloud function sends the payment intent to stripe and a callback that stripe calls with a session object.

    Inside the google cloud platform, we are not sure what permission to set our cloud function. Right now, we allow all public access and we are fearing that a hacker can see our secret key from our index.js (where the cloud functions live), or has the ability to manipulated the code inside of the index.js.

    With the function's purpose described above, what is the safest permission setting that does not allow any public users to read or manipulate our functions? All we want is to allow the users to invoke the function,

    enter image description here

    thank you

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Failed to create function project when deploying firebase cloud function
Google Cloud Functions: Return valid JSON
How to send and verify OTP using cloud function in flutter?
How to use Google Secret Manager with Flutter
Flutter - Firebase callable functions with region not working
Error on Firebase Crashlytics installation for Flutter - IOS app
How can I get specific documents using conditions from flutter real-time database
How to use node-fetch with Cloud Functions for Firebase. Can't deploy
Get Firestore documents with a field that is equal to a particular string in flutter
Does flutter package flutter_stripe require backend to process payments?