Thanks for sharing, @hajarnasr!

One thing I noticed was that passing the price value from the client would allow anyone to modify the value on the client side to pay whatever they want. This looks like a great way to handle donations where the customer pays what they want.

To avoid that vulnerability and ensure tight control over the price that customers pay, I'd pass a reference to the items they are purchasing from the client and look up the price value on the server.

Another note, stripe.createToken is older and doesn't support SCA, a feature you'll want in order to accept payments from someone in the EU. Instead, I'd recommend using stripe.createPaymentMethod on the frontend and PaymentIntents on the server (instead of Charges).
Thanks so much for your helpful comment. @cjav_dev 🙂