Secure way to accept payments on Django Heroku? - django

I'm trying to accept payments on Django using Heroku.
I've had a ton of issues using Stripe because I don't know much about client-side/server-side and every time I get something that works, I have to expose my private key. I feel like there's no resource out there for this. Does anyone have something that can help?

Typically any secrets you don't want to expose to users (like secret API keys) can be kept on your Django server backend and is not exposed to your application's users.
What's important to understand with Stripe is that there are two kinds of API keys: publishable API keys and secret API keys.
Per the stripe documentation:
Key type
example
When to use
Publishable
pk_test_TYooMQauvdEDq54NiTphI7jx
On the client-side. Can be publicly-accessible in your web or mobile app’s client-side code (such as checkout.js) to tokenize payment information such as with Stripe Elements. By default, Stripe Checkout tokenizes payment information.
Secret
sk_test_4eC39HqLyjWDarjtT1zdp7dc
On the server-side. Must be secret and stored securely in your web or mobile app’s server-side code (such as in an environment variable or credential management system) to call Stripe APIs.
So, you would keep your secret key in your Django app only. Your frontend would either only call your backend or would only use the publishable key.
There are a few products that stripe offers for integrating payments into your app. You can look at the Stripe Checkout quickstart for code samples on how to properly use these keys in your app.

Related

GCP Identity platform integration with golang backend

I am developing web platform which has to have 3 type of users (user, admin, partner companies). For the authentication I am considering to use google Identity platform with multitenancy (probably users in one tenant and admins are in different tenant).
As I understand from documentation, how do we integrate identity platform to our application is to create identity platform provider from console and integrate it into frontend with UI. From front-end, without contacting backend service we can sign up, login and logout by calling firebase SDK and it will give us authentication token. From backend I can check that token with middleware and decide if I agree the user as authenticated or not. Correct me if I am wrong.
Then I can get some metadata of authenticated user from the token, maybe email or name etc. But I want to store user related information on noSQL database as well. For example, if user wants to change his email I need to handle it in backend server, also, I'd like to store users log (access and audit log on somewhere else). In case of, I am using frontend UI and SDK how do log the access and audit information on my backend? also, when changing user's information, do I just write handler function in backend end update user's data with REST API or Admin SDK? what is the best practice over here? Or should I better write my own login and logout function on my backend then call REST API or Admin SDK? is there preferred way? Google is showing me only integration way of authentication from frontend?
BTW, I am deploying backend application on google cloud run, and frontend would be developed in react and should be deployed maybe in firebase or in cloud run as well.
Thanks
As per the Documentation,Yes your understanding is correct to integrate identity platform to the application.
You can store the user related information on a noSQL database like Firestore or Firebase Realtime Database. You can write the Rest API to change or update the user's information in the database.
If you want to write your own login and logout function, I don’t think it is necessary because Firebase Admin SDK provides these features. But if you want to manage user authentication in the backend for specific requirements, you can write your own login and logout function on the backend and use the Firebase Admin SDK.
For access and audit log information you can use Firebase Analytics, Firebase Analytics helps you understand what your users are doing in your app. It has all of the metrics that you’d expect in an app analytics tool combined with user properties like device type, app version, and OS version to give you insight into how users interact with your app.
But finally, the best way would depend on your requirements and use case.

How can I hide an API key in a GitHub public repo?

I am doing a simple front-end project where I (or a user) make an API call to the openweathermap api, fetch weather info and display it on a website.
Simple HTML, CSS and vanilla JS
So I want to keep the repo public & host the site with GitHub Pages... but my js file contains the API key which is required at runtime.
Extra Info:
(all this I found when I searched)
I know there is a way to keep an API key in a GitHub secret, then reference it in a yml file as an environmental variable in GitHub Actions.
But how can I put that secret in js code at runtime for any user who access my website?
Please note that what you're attempting to do is not secure. Even if there was a way to get GH Pages to inject the secret API key into the js file at the time of the request, every web client would then have a copy of that js file with the cleartext key embedded.
You will need some sort of minimal backend which stores the API key securely and relays calls from your static web page to the openweathermap API.
There are many ways to set up such a backend. The older question linked in the comments discusses some approaches. Note that nowadays, you could use a serverless FaaS service such as AWS Lambda or Azure Functions.
This is a perfectly valid question by the way and you're certainly not "too dumb". Good luck!

Client secret for Django oauth

I an using Django OAuth Toolkit and Django Rest for OAuth authentication for mobile app. For accessing any protected resource client id and secret of the app is required . Where should I store client secret. Storing in APK is unsafe as it can be decompiled. Even obfuscation can be reverse engineered . Then whats the best and safe way to serve client secret to the app.
It isn't extremely important to keep the client id hidden, but you are right not to save the client secret somewhere in your app. Exposing it would definitely compromise your security.
In your case, you could set up an OAuth app that uses the Password Grant type (my personal preference), or have your user authenticate with your server which will grant them an expirey access token to use with future requests. These are two different "OAuth flows" that are common for mobile apps.
There's also this awkwardly titled slideshow which I thought had some useful illustrations to describe the use of OAuth with mobile apps.

Automatically add users to API Manager

I am looking for a way to automatically add users to WSO2 API Manager. I have a basic install with the H2 database, but someday I might move to postgres or something like that. What is the best way to add users from say a script?
In Carbon products (APIM, IS), All user store operations can be exposed via web services. External application can use these web services to add/delete/update/get in to user store users and groups. Please note, H2 is not recommended for products`
REST web service according to the SCIM provisioning specification.
SOAP based Web service. You can find more detail from here

Windows Azure Webservices custom Authentication

Greetings fellow Stackoverflowiens,
I have web services and a database setup in Windows Azure and I am using the javascript backend for the web services as this gives me basic CRUD calls without having to write the API. I also have a user table for all users that can login on the app with a field for username and password, I am trying to authenticate the user based on this table without writing the entire API. I can't just do a GET call to see if the user has entered a valid username and password as this would not be secure. And I can't use the Facebook, Twitter or other 3rd party authentication services as the requirement is to use a database of users.
Is there anyway of implementing a custom authentication into Azure without writing the entire API? Or is there another way of doing this that I am not aware of?
Any help that can be provided would be fantastic