#1 A Change of Season (Devshed Loyal)

    How to protect API end points from direct access


    Hi;

    How can I get my api end points to be only accessible by Stripe, Clickbank, and the other merchant account?

    My end point code is pretty simple:
    PHP Code:
    require_once "stripe-php-5.1.1/init.php";
    \Stripe\Stripe::setApiKey("sk_live_xxxxxxxxxx");

    // raw request body as sent by the caller; nothing here checks who sent it
    $input = @file_get_contents("php://input");
    $event_json = json_decode($input);

    http_response_code(200); // PHP 5.4 or greater

    Thanks
#2 Lazy Moderator (Devshed Supreme Being)
    Make the URL obscure, whitelist their IP addresses if possible (either all or nothing for that), respond with your standard 404 if the request does not look appropriate, and always verify whatever information is passed.
#3 Wiser? Not exactly. (Devshed God 2nd Plane)
    Stripe lists their IPs so you could validate that. I couldn't find any info for Clickbank regarding their IP list. Some APIs require that when you receive a notification you have to verify it by calling back to them. That way, if someone sends a fake notification or the notification is somehow altered in transit, the verification would fail.

    I'm not familiar with either of the APIs you listed so I can't say how they work. The proper way to handle notifications is something you'd have to find in their documentation or contact their support and ask about.
    Recycle your old CD's



    If I helped you out, show some love with some reputation, or tip with Bitcoins to 1N645HfYf63UbcvxajLKiSKpYHAq2Zxud
#4 A Change of Season (Devshed Loyal)
    Got it! In an ideal world, I check back with the API to make sure it's valid.

    The issue is, I've got so much work left for this launch, I don't really care about making it perfect perfect. As long as it's not too bad I don't care.

    It's for small product launches, maximum 400 sales, and the total is usually never over 60k per launch.

    I think for Evergreen launches it would come back with check.

    I leave it like this for now:

    PHP Code:
    <?php
    defined('BASEPATH') OR exit('No direct script access allowed');

    class Stripe_Instant_Notification_Controller extends CI_Controller {

        public function stripe_instant_notification_method()
        {
            require_once "stripe-php-5.1.1/init.php";
            \Stripe\Stripe::setApiKey("******");

            // raw request body; json_decode() returns null if it is not valid JSON
            $input = @file_get_contents("php://input");
            $event_json = json_decode($input);

            #########
            if (!isset($event_json)) {
                //redirect to north Korea
            }
            #########

            http_response_code(200); // PHP 5.4 or greater
            $type = $event_json->type; //charge.succeeded
            $description = $event_json->data->object->description;
            $contact_id = $event_json->data->object->metadata->contact_id;
            $email = $event_json->data->object->metadata->email;
            $order_id = $event_json->data->object->metadata->order_id;
            $product_id = $event_json->data->object->metadata->product_id;
            $qualtity = $event_json->data->object->metadata->qualtity;
            $price = $event_json->data->object->metadata->price;
            $paid = $event_json->data->object->paid;
            $name = $event_json->data->object->source->name;
            $status = $event_json->data->status;

            // plain-text summary of the event, mailed below
            $message = "";
            $message .= "Date: ".date('d/m/Y')."<br />";
            $message .= "Type: ".$type."<br />";
            $message .= "Description: ".$description."<br />";
            $message .= "Contact_id: ".$contact_id."<br />";
            $message .= "Email: ".$email."<br />";
            $message .= "Order_id: ".$order_id."<br />";
            $message .= "Product_id: ".$product_id."<br />";
            $message .= "Qualtity: ".$qualtity."<br />";
            $message .= "Price: ".$price."<br />";
            $message .= "Paid: ".$paid."<br />";
            $message .= "Name: ".$name."<br />";
            $message .= "Status: ".$status."<br />";

            $stripe_transaction_data = array(
                'stripe_type' => $type,
                'stripe_order_id' => $order_id,
                'stripe_description' => $description,
                'stripe_meta_data_contact_id' => $contact_id,
                'stripe_email' => $email,
                'stripe_price' => $price,
                'stripe_product_id' => $product_id
            );
            $this->update_db($stripe_transaction_data);
            mail('me@...com', 'Stripe Api Request', $message);
        }
    }
#5 A Change of Season (Devshed Loyal)
    Actually......... Kicken, while I've got you here... do you mind linking me to the "checking transaction status request" here, so when I receive the id I can validate?
    event_json->data->object->metadata->order_id
    Thanks
#6 Wiser? Not exactly. (Devshed God 2nd Plane)
    I'm not sure what you're asking.

    On a related note, you should probably update your Stripe handler to verify the signature.
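Added example, not code from the thread or from Stripe's library: what kicken's "verify the signature" advice and requinix's "whitelist their IPs, otherwise 404" advice look like when written out by hand, so the checks that \Stripe\Webhook::constructEvent performs for you are visible. It follows the scheme Stripe documents for the Stripe-Signature header (t=<unix time>,v1=<hex HMAC-SHA256 over "<t>.<raw body>", keyed with the endpoint's whsec_ secret). The signing secret, event body, timestamp and IP allowlist below are constructed placeholders, and the function names are mine.

```php
<?php
// Added example (not the thread's code). Manual equivalent of what
// \Stripe\Webhook::constructEvent() checks, plus an IP allowlist gate.
// All sample values below are constructed placeholders.

/** Parse "t=...,v1=...,v1=..." into ['t' => int, 'v1' => [...]]; null if malformed. */
function parse_stripe_signature(string $header): ?array
{
    $timestamp = null;
    $signatures = [];
    foreach (explode(',', $header) as $part) {
        $kv = explode('=', trim($part), 2);
        if (count($kv) !== 2) {
            continue;
        }
        [$key, $value] = $kv;
        if ($key === 't' && ctype_digit($value)) {
            $timestamp = (int) $value;
        } elseif ($key === 'v1') {
            $signatures[] = $value;
        }
    }
    if ($timestamp === null || $signatures === []) {
        return null;
    }
    return ['t' => $timestamp, 'v1' => $signatures];
}

/**
 * True only if $header carries a v1 HMAC of "<t>.<payload>" under $secret and the
 * timestamp is within $tolerance seconds of $now (limits replay of an old signed body;
 * Stripe's SDK defaults to 300 s).
 */
function verify_stripe_signature(string $payload, string $header, string $secret, int $now, int $tolerance = 300): bool
{
    $parsed = parse_stripe_signature($header);
    if ($parsed === null) {
        return false;
    }
    if (abs($now - $parsed['t']) > $tolerance) {
        return false; // signed too long ago, or clock skew: treat as a replay
    }
    $expected = hash_hmac('sha256', $parsed['t'] . '.' . $payload, $secret);
    foreach ($parsed['v1'] as $candidate) {
        if (hash_equals($expected, $candidate)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

/** Is $ip inside one of the given IPv4 CIDR blocks? */
function ip_in_allowlist(string $ip, array $cidrs): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;
    }
    foreach ($cidrs as $cidr) {
        $parts = explode('/', $cidr, 2);
        $bits = isset($parts[1]) ? (int) $parts[1] : 32;
        $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
        if (($ipLong & $mask) === (ip2long($parts[0]) & $mask)) {
            return true;
        }
    }
    return false;
}

/** Returns the HTTP status the endpoint should answer with; 200 means "safe to act on". */
function handle_webhook(string $remoteIp, string $payload, string $header, string $secret, int $now, array $allowlist): int
{
    // A caller that is not on the allowlist gets the same 404 a wrong URL would get.
    if (!ip_in_allowlist($remoteIp, $allowlist)) {
        return 404;
    }
    if (!verify_stripe_signature($payload, $header, $secret, $now)) {
        return 400;
    }
    // Only now is the body trustworthy enough to json_decode() and act on.
    return 200;
}

// --- constructed demonstration data (placeholders, not real Stripe values) ---
$secret    = 'whsec_EXAMPLE_PLACEHOLDER';
$payload   = '{"type":"charge.succeeded","data":{"object":{"id":"ch_example"}}}';
$now       = 1700000000;
$header    = 't=' . $now . ',v1=' . hash_hmac('sha256', $now . '.' . $payload, $secret);
$allowlist = ['203.0.113.0/24']; // stand-in; use the list Stripe publishes

var_dump(handle_webhook('203.0.113.7', $payload, $header, $secret, $now, $allowlist));        // allowlisted, valid
var_dump(handle_webhook('198.51.100.9', $payload, $header, $secret, $now, $allowlist));       // not allowlisted
var_dump(handle_webhook('203.0.113.7', $payload . ' ', $header, $secret, $now, $allowlist));  // body altered in transit
var_dump(handle_webhook('203.0.113.7', $payload, $header, $secret, $now + 3600, $allowlist)); // stale timestamp
```

In a real CodeIgniter controller you would keep calling `\Stripe\Webhook::constructEvent($payload, $_SERVER['HTTP_STRIPE_SIGNATURE'], $endpoint_secret)` as in the later post rather than reimplementing this, and feed `$_SERVER['REMOTE_ADDR']` (or the proxy-supplied client address, if you trust your proxy) into the allowlist check. Two things the library does not do for you: the allowlist must be refreshed from the list Stripe publishes, and the timestamp tolerance only works if the server clock is synchronised.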
#7 Lazy Moderator (Devshed Supreme Being)
    Originally Posted by English Breakfast Tea
    Got it! In an ideal world, I check back with the API to make sure it's valid.

    The issue is, I've got so much work left for this launch, I don't really care about making it perfect perfect. As long as it's not too bad I don't care.
    I'd slap you if I could. And a mean slap, not a "nice" slap.
#8 A Change of Season (Devshed Loyal)
    Originally Posted by requinix
    I'd slap you if I could. And a mean slap, not a "nice" slap.
    If I get to see you, I'm down to get slapped. For years I've been keen to meet you in person. Maybe this slap is a good excuse to finally meet.

    Jokes aside... Requinix, I've asked you 1000+ questions and not even once were you wrong. However... I do product launches and none of them are perfect.

    I know thousands of people hold back because they want it to be perfect.

    Clickbank's top sellers, making 70K+ a day with membership sites and simple pds, don't have their sites password protected.

    I went from a basic programming background to the marketing and sales world and I couldn't believe how much they don't give a shet about code quality.

    They have mass traffic and make so much money with a few simple pages.

    Kevin's membership videos are simply on Youtube as unlisted. His product launch made millions.

    I do occasional internal launches and, from the things I've learned here, it seems to be working well.

    I'd never code for a bank or an airline, but for selling information products it's working.

    Still, I never disagree with you because in the end you're right. The right thing would be to do it properly.

    I added Kicken's update; I guess it's "safer" now.

    PHP Code:
    <?php
    defined('BASEPATH') OR exit('No direct script access allowed');

    class Stripe_Instant_Notification_Controller extends CI_Controller {

        public function stripe_instant_notification_method()
        {
            require_once "stripe-php-5.1.1/init.php";
            \Stripe\Stripe::setApiKey("sk_live_******");

            //Test
            //$endpoint_secret = "whsec_******";

            //Live
            $endpoint_secret = "whsec_******";

            //
            $payload = @file_get_contents("php://input");
            $sig_header = $_SERVER["HTTP_STRIPE_SIGNATURE"];
            $event = null;

            // constructEvent() checks the Stripe-Signature header against the raw body
            // and the endpoint secret; a forged or altered body never gets past here
            try {
                $event = \Stripe\Webhook::constructEvent(
                    $payload, $sig_header, $endpoint_secret
                );
            } catch (\UnexpectedValueException $e) {
                // Invalid payload
                http_response_code(400); // PHP 5.4 or greater
                exit();
            } catch (\Stripe\Error\SignatureVerification $e) {
                // Invalid signature
                http_response_code(400); // PHP 5.4 or greater
                exit();
            }
            //

            $event_json = json_decode($payload);
            http_response_code(200); // PHP 5.4 or greater
            $type = $event_json->type; //charge.succeeded
            $description = $event_json->data->object->description;
            $contact_id = $event_json->data->object->metadata->contact_id;
            $email = $event_json->data->object->metadata->email;
            $order_id = $event_json->data->object->metadata->order_id;
            $product_id = $event_json->data->object->metadata->product_id;
            $qualtity = $event_json->data->object->metadata->qualtity;
            $price = $event_json->data->object->metadata->price;
            $paid = $event_json->data->object->paid;
            $name = $event_json->data->object->source->name;
            $status = $event_json->data->object->status;

            // plain-text summary of the event, mailed below
            $message = "";
            $message .= "Date: ".date('d/m/Y')."\n";
            $message .= "Type: ".$type."\n";
            $message .= "Description: ".$description."\n";
            $message .= "Contact_id: ".$contact_id."\n";
            $message .= "Email: ".$email."\n";
            $message .= "Order_id: ".$order_id."\n";
            $message .= "Product_id: ".$product_id."\n";
            $message .= "Qualtity: ".$qualtity."\n";
            $message .= "Price: ".$price."\n";
            $message .= "Paid: ".$paid."\n";
            $message .= "Name: ".$name."\n";
            $message .= "Status: ".$status."\n";

            $stripe_transaction_data = array(
                'transaction_time' => date('c'),
                'receipt' => $order_id,
                'transaction_type' => $type,
                'item_no' => $product_id,
                'first_name' => $name,
                'email' => $email,
                'stripe_order_id' => $order_id,
                'stripe_description' => $description,
                'ontraport_id_from_srtipe' => $contact_id,
                'payment_system' => 'Stripe',
                'stripe_price' => $price,
                'stripe_meta_data_contact_id' => $contact_id
            );

            print_r($stripe_transaction_data);
            mail('me@yahoo.com', 'Stripe Api Request', $message);

            //Insert into db
            $this->db->insert('transactions', $stripe_transaction_data);

            //
            //$event_json->type = charge.failed
            //$event_json->type = customer.subscription.created
            //$event_json->order.payment_succeeded
        }
    }
    When are you beating me? I'm in Amsterdam for next few days.
