A quick note on my first steps using stripe.com

Posted on Fri 14 March 2014 in WebDev & Code

I'm building a web site for a charity that needs to take credit cards for tickets being sold. I've chosen to use stripe.com as:

  • It's simple to implement
  • They take care of all the security and PCI DSS (I never get any card details to save, that's a good thing).
  • It's not expensive (compared to other options like having a merchant account for the charity).
  • I couldn't get away with using existing services (eg: eventbrite, picatic, etc)

Users don't have to register on this charity site (essentially it's selling a one off event ticket) so my process is:
1) Vistor completes form and submits [let's call it 'Registration']
2) Server validates form (email address present, other information entered, etc)
3) Server sends page with Stripe pay now button. That button contains the code to precomplete some of the stripe form (eg: the email address).
4) Vistor clicks stripe button, enters card details which are sent direct to the stripe server (ie: not through my server)
5) stripe returns a 'token' that can be used to charge the credit card and visitor is directed to my 'charge' page with their token (sent as a https post request).
6) when my /charge page is requested, My server can request the card is charged using the single use stripe token. Then thank the customer for paying.

I wanted to record the payment as processed against my Registration_ID, and thought I would be able to use the browser session to link the stripe request with a specific registration. It didn't work, every test transaction came back with nothing in the session. It was as if the session was being refreshed every time a Stripe transaction occurred.
After several hours of frustration, I tracked it down to rails built in CSRF protection.
As the post form is coming via Stripe, it won't read the session cookie from the browser and resets it.

All I have to match the registration record with the stripe transaction is the visitors email address. This obviously causes problems if:

  • A visitor wants to buy more than one registration on the same email address
  • A visitor changes their email address during the stripe process (not easy for them to do, but possible).

However, it's the best I've got so I'll have to write some backup code to prevent two registrations on one email address (they'll have to get in touch and pay another way) and raise an error if the email address that stripe got is different from the address in our records (the charity will have to match the records manually which isn't difficult for such a small event).

Here's the part in my dev log that help me find the problem, along with this blog post on kalzumeus.com.

Started POST "/registers/charge" for 127.0.0.1 at 2014-03-14 16:12:34 +0000 Processing by RegistersController#charge as HTML Parameters: {"stripeToken"=>"tok_1234sometokendata", "stripeEmail"=>"asdf@asdf", "stripeBillingName"=>"CARDNAME", "stripeBillingAddressLine1"=>"asdf", "stripeBillingAddressZip"=>"ME13 9AB", "stripeBillingAddressCity"=>"Faversham", "stripeBillingAddressState"=>"Kent", "stripeBillingAddressCountry"=>"United Kingdom"} WARNING: Can't verify CSRF token authenticity