Is there a need for encrypting the Stripe customer ID within the NextJS environment? I have a NextJS API route which updates the customer email address based on the Stripe Customer ID from the Firestore database (Stripe extension for Firebase):

// Next.js API route handler (server side). The Stripe secret key is read from a
// server-only environment variable; the variable name here is assumed.
import Stripe from 'stripe';

const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);

export default async function handler(req, res) {
  // The customer ID is taken straight from the request body, so any caller
  // who knows (or guesses) a customer ID can update that customer.
  const {
    email = '',
    name = '',
    customerId = ''
  } = req.body;

  const customer = await stripe.customers.update(
    customerId, {
      email,
      name
    }
  );

  res.status(200).json(customer);
}

This looks like a threat, as others who might guess the Stripe customer ID can update the value. Would it be better to migrate all Stripe payment-related functionality to Firebase Functions, or is it safe to expose it? Think about the Setup Intents... how different are they?

Update:

// Client side, inside a React component: once the signed-in user (with the
// Stripe ID loaded from Firestore) is available, ask the API route for a
// SetupIntent client secret.
useEffect(() => {
  const { stripeId } = authUser || {};

  if (stripeId) {
    fetch('/api/setup_intent', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      // The Stripe customer ID is sent from the browser here.
      body: JSON.stringify({ customerId: stripeId })
    })
      .then((res) => res.json())
      .then((data) => setClientSecret(data.clientSecret))
      .catch((err) => console.error(err));
  }
}, [authUser]);

Aleksandrs
  • 81
  • 6
  • In the Stripe documentation they clearly separate the actions that have to be done from a client (browser, mobile app) and from a server (back-end). When it is back-end you should use some Cloud Functions. – Renaud Tarnec Feb 08 '23 at 14:21
  • This seems to largely be a decision for you to make based on your requirements. What is your main concern with using an API route in Next.js? They seem to be server-side, so they seem like they would be reasonable for making requests that require using your Stripe secret key. If the concern is ensuring the requests that hit the route are valid and expected, then I think you would want to add the desired validations to that route. The questions in the post are a bit broad as written; the post may benefit from being edited to ask more targeted/specific questions. – toby Feb 08 '23 at 14:49
  • For the Firebase UID, see: https://stackoverflow.com/a/37222341 – Frank van Puffelen Feb 08 '23 at 15:04
  • @toby basically, I store the Stripe ID in a Firestore database, which is then fetched, and passed as a context to the whole application. This is required to initiate Setup and Payment intents (See the `Updated` block). Do you think this should be refactored to the Server side of NextJS, and is a security violation in some way? – Aleksandrs Feb 09 '23 at 09:11
  • 1
    Customer IDs are not inherently sensitive, as no action can be taken using the Stripe API with that ID unless there is also access to an API key for that account, so my initial impression is that exposing those is not a security risk. That being said, if the Customer ID you're relying on is being provided by your client-side code, then I believe it would be possible for a savvy user to adjust the value that is being provided in your client-side requests, and that could be a concern. – toby Feb 10 '23 at 16:08

1 Answer

1

Posting this as community wiki to help other members that will encounter this issue:

As stated by @toby:

Customer IDs are not inherently sensitive, as no action can be taken using the Stripe API with that ID unless there is also access to an API key for that account, so my initial impression is that exposing those is not a security risk. That being said, if the Customer ID you're relying on is being provided by your client-side code, then I believe it would be possible for a savvy user to adjust the value that is being provided in your client-side requests, and that could be a concern.

Marc Anthony B
  • 3,635
  • 2
  • 4
  • 19
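Both routes in the question (the customer update and the `/api/setup_intent` call) take the Stripe customer ID from the request body, which is exactly the client-controlled value that @toby's comment, quoted in the answer, warns a user could adjust. The following is an added example, not code from the question, the answer, or the Stripe extension for Firebase, showing how a Next.js API route can derive the customer ID on the server instead: verify the caller's Firebase ID token, look up the Stripe customer stored for that uid, and ignore whatever `customerId` the body carries. The firebase-admin, Firestore and Stripe calls are injected as stand-ins so the file runs offline; the assumed real wiring is `getAuth().verifyIdToken()` from firebase-admin, a Firestore read of the user's stored Stripe ID, and `stripe.customers.update()`. The tokens, uids and customer IDs below are constructed sample values.

```javascript
// Added example (not from the question, the answer, or the Stripe extension
// for Firebase): an API route handler that never trusts a client-supplied
// customerId. The caller is identified from a verified Firebase ID token and
// the Stripe customer ID is resolved server-side for that uid, so a user can
// only ever update their own Stripe customer.
// Assumed real wiring for the injected collaborators (not shown here):
//   verifyIdToken     -> getAuth().verifyIdToken(token) from firebase-admin
//   getStripeIdForUid -> a Firestore read of the user's stored stripeId
//   updateCustomer    -> stripe.customers.update(id, fields)
const BEARER_RE = /^Bearer\s+(\S+)$/i;

function createUpdateCustomerHandler({ verifyIdToken, getStripeIdForUid, updateCustomer }) {
  return async function handler(req, res) {
    if (req.method !== 'POST') {
      return res.status(405).json({ error: 'method not allowed' });
    }

    // 1. Authenticate: the Firebase client SDK's ID token arrives as a Bearer header.
    const match = BEARER_RE.exec(req.headers.authorization || '');
    if (!match) return res.status(401).json({ error: 'missing bearer token' });

    let uid;
    try {
      ({ uid } = await verifyIdToken(match[1]));
    } catch (err) {
      return res.status(401).json({ error: 'invalid token' });
    }

    // 2. Authorize: the customer acted on is the caller's own, resolved from the
    //    uid on the server. Any customerId present in req.body is ignored.
    const customerId = await getStripeIdForUid(uid);
    if (!customerId) return res.status(404).json({ error: 'no Stripe customer for user' });

    // 3. Validate the only fields the client is allowed to change.
    const { email, name } = req.body || {};
    const fields = {};
    if (typeof email === 'string' && /^[^@\s]+@[^@\s]+$/.test(email)) fields.email = email;
    if (typeof name === 'string' && name.length > 0 && name.length <= 256) fields.name = name;
    if (Object.keys(fields).length === 0) {
      return res.status(400).json({ error: 'nothing valid to update' });
    }

    const customer = await updateCustomer(customerId, fields);
    return res.status(200).json({ id: customer.id, ...fields });
  };
}

// Offline stand-ins, all constructed for this example.
// Minimal imitation of the Next.js `res` object.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

const CONSTRUCTED_TOKENS = { 'token-alice': 'uid-alice', 'token-bob': 'uid-bob' };
const CONSTRUCTED_STRIPE_IDS = { 'uid-alice': 'cus_alice_example', 'uid-bob': 'cus_bob_example' };

// Builds a handler wired to the stand-ins; `updates` records what would have
// been sent to Stripe so the outcome can be inspected.
function makeDemoHandler() {
  const updates = [];
  const handler = createUpdateCustomerHandler({
    verifyIdToken: async (token) => {
      const uid = CONSTRUCTED_TOKENS[token];
      if (!uid) throw new Error('bad token');
      return { uid };
    },
    getStripeIdForUid: async (uid) => CONSTRUCTED_STRIPE_IDS[uid],
    updateCustomer: async (id, fields) => { updates.push({ id, ...fields }); return { id }; },
  });
  return { handler, updates };
}

// Sends one POST through the handler and returns { statusCode, body }.
async function run(handler, headers, body) {
  const res = makeRes();
  await handler({ method: 'POST', headers, body }, res);
  return { statusCode: res.statusCode, body: res.body };
}

// The scenario from the question: Alice's browser sends Bob's customerId.
async function demo() {
  const { handler, updates } = makeDemoHandler();
  // Forged id: the update lands on Alice's own customer, not Bob's.
  const forged = await run(handler,
    { authorization: 'Bearer token-alice' },
    { customerId: 'cus_bob_example', email: 'alice@example.com' });
  // No token at all: rejected before any Stripe call.
  const anonymous = await run(handler, {}, { customerId: 'cus_bob_example', email: 'x@example.com' });
  // Valid caller but no permitted field: rejected, nothing sent to Stripe.
  const noFields = await run(handler, { authorization: 'Bearer token-bob' }, { customerId: 'cus_alice_example' });
  return { forged, anonymous, noFields, updates };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The same pattern applies to the `/api/setup_intent` route from the question's update: the browser only needs to send its ID token, and the route resolves the customer for the SetupIntent itself. With the customer ID no longer an input, encrypting it on the client buys nothing; the server-side lookup is what closes the gap.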