# orm-help
w
Hey there. After reading docs about stripe, it looks like the best way to stay PCI compliant is to make all the logic directly from the front-end part of your app (react-native in my case), without ever communicating with your backend. Can anyone confirm that?
l
Confirmed. Let Stripe web hook your backend with a token
w
And how would I listen to that hook from a graphql server 😐 ?
l
It’s going to post a rest response back, so you’ll need to open up a route
w
Yeah.. it just feels weird to add `express` as a dependency to handle such a little thing. I might consider using a lambda, but then I'd have to make another step to communicate back with my graph-api
l
Are you using Yoga?
w
Yep!
l
Then Express is already a dependency. You can open up a route from Yoga, but I'm not looking at my implementation or the docs. There's a way to get hold of the Express `app` instance
w
Alright, I'll see how to tackle this. Thanks a lot man!
l
... duh, that's where it came from 🙂 Changing that to a `get` with the web hook's endpoint should do it
w
Thanks again 🙏
πŸ‘ 1
l
Also, something to keep an eye out for.. Stripe may have the ability to give the token to a client, the client passes you the token, and your server can validate the token (OAuth style) which could also work
w
I don't see how that could work with 3D Secure payments as the charge is done asynchronously?
l
... thinking about it further, that might be the way to do it because that client token doesn't need to be secure or validated because it's signed to your server secret and will only be authorized with your server secret.
3D secure I don't know about
w
It's one of many security protections, where your bank sends you a code via text message and the payment is done only once that code is validated
l
I'm talking out of my ass here (... as per usual 🙂 ), but I know Stripe's big goal is to merge all of these different payment methods into one API. It wouldn't surprise me if the token passing worked the same regardless of method.
... thinking out loud, you must be right for a multi factor auth transaction. The only way to do that would be a long lived client connection, but you can't depend on that, so a server web hook makes more sense 🙂
w
Great great great 🎉🙏