# help
y
Hey guys! Hope everyone is doing good. I have a question on building a Serverless Payment System with Stripe. Is it possible to create a serverless app with SST that can allow multiple applications to talk to different Stripe Endpoint? Let me know your thoughts or if anything unclear, let me know so I can try to explain it better. Thanks in advance guys!
o
Don't think SST or serverless has any impact on calling the Stripe API...did you have a specific problem?
f
I second @Omi Chowdhury. Definitely possible.
y
Because it will contain different Stripe Secret Keys: whenever an application calls my serverless app, I need to determine which app is calling my serverless function, then load Stripe based on their secret key.
In my opinion, I think this has some security issues.
Any opinion on this?
o
The different applications will be authenticating to your API, right? You can use various methods (OAuth 2, static API keys etc.) and use API Gateway to authenticate them. One way is to issue JWTs to each application and use a JWT Authorizer in API Gateway: https://docs.serverless-stack.com/constructs/Api#adding-jwt-authorization You can generate your own JWTs using a lib, or use a tool like Cognito or Auth0 to generate them, and check them in the authorizer. Another way is to issue static API tokens to each application, and use a Lambda Authorizer to check it and look up which one called the API.
y
Yea, I think I will not have problems tracking which one called the API. But the problem is how to direct those applications to talk to DIFFERENT Stripe APIs. As each Stripe API requires a different Secret_Key, it is not a good idea to be passing the key around or putting it in the token. And also doing if/else checks on the application that is calling the API and attaching its specific Secret Key is not scalable or dynamic enough.
o
Retrieve the Stripe token at runtime based on the application. You can store it encrypted in your DB, store them in AWS Secrets Manager (expensive) or Parameter Store, or use something like HashiCorp Vault - I think they are coming out with a serverless version, but it was expensive to get started last time I checked.