by hundchenkatze 1979 days ago
Oh, wow I didn't realize that. I'm a little surprised it's a common thing. Stripe's secret key is the "keys to kingdom" so to speak. This means someone with the key can get up to all kinds of funny stuff.

Stripe also says not to do it:

> Your API keys give you access to Stripe’s systems and a global financial network. That access is what card testers want to exploit, so it’s important to keep your keys safe and put safeguards around the functionality those keys provide to prevent fraud and other malicious activity.

https://stripe.com/docs/card-testing#stripe-mitigations

> Your secret API key can be used to make any API call on behalf of your account, such as creating charges or performing refunds. Treat your secret API key as you would any other password. Grant access only to those who need it. Ensure it is kept out of any version control system you may be using.

https://stripe.com/docs/keys#keeping-your-keys-safe
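The second quoted rule (keep the secret key out of version control) is easy to enforce mechanically. The script below is an added example for this thread, not code from Stripe or from any commenter: a pre-commit style scanner that flags Stripe secret and restricted keys in text while leaving publishable keys alone, and masks every hit so the key never lands in a terminal log or CI output. It assumes Stripe's documented prefixes (sk_live_/sk_test_ for secret keys, rk_live_/rk_test_ for restricted keys, pk_ for publishable keys); the minimum body length of 16 is my own choice to reduce false positives, and the sample config is constructed.

```python
"""Scan text about to be committed for Stripe secret keys.

Added example, not Stripe's code. Assumed prefixes: secret keys sk_live_/sk_test_,
restricted keys rk_live_/rk_test_, publishable keys pk_ (safe client-side, ignored).
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Prefix followed by at least 16 key characters, not glued to other key characters
# on either side. The 16 is an assumption to cut false positives; real keys are longer.
SECRET_KEY_RE = re.compile(
    r"(?<![A-Za-z0-9])(?P<prefix>(?:sk|rk)_(?:live|test))_(?P<body>[A-Za-z0-9]{16,})(?![A-Za-z0-9])"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str    # "secret" (sk_) or "restricted" (rk_)
    mode: str    # "live" or "test"
    masked: str  # prefix plus last 4 characters; the full key is never stored


def mask(prefix: str, body: str) -> str:
    """Keep enough of the key to locate it, never enough to use it."""
    return f"{prefix}_{'*' * (len(body) - 4)}{body[-4:]}"


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per secret or restricted key, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_KEY_RE.finditer(line):
            prefix, body = m.group("prefix"), m.group("body")
            kind = "secret" if prefix.startswith("sk_") else "restricted"
            mode = prefix.rsplit("_", 1)[1]
            findings.append(Finding(line_no, kind, mode, mask(prefix, body)))
    return findings


def scan_files(paths: list[str]) -> dict[str, list[Finding]]:
    """Scan each path; unreadable or binary files are skipped rather than failing the hook."""
    results: dict[str, list[Finding]] = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="strict") as fh:
                hits = scan_text(fh.read())
        except (OSError, UnicodeDecodeError):
            continue
        if hits:
            results[path] = hits
    return results


# Constructed sample config; none of these values are real credentials.
SAMPLE_CONFIG = """\
# constructed sample, not real credentials
STRIPE_PUBLISHABLE_KEY=pk_test_abcdefghijklmnopqrstuvwx
STRIPE_SECRET_KEY=sk_live_00000000000000000000AB
STRIPE_RESTRICTED_KEY=rk_test_ZZZZZZZZZZZZZZZZZZZZ9999
DATABASE_URL=postgres://app:pw@localhost/app
"""


def main(argv: list[str]) -> int:
    """With file arguments (e.g. from `git diff --cached --name-only`), block the commit
    on any hit; with none, demonstrate on the constructed sample."""
    if argv:
        results = scan_files(argv)
    else:
        results = {"<sample>": scan_text(SAMPLE_CONFIG)}
    for path, hits in results.items():
        for f in hits:
            print(f"{path}:{f.line_no}: Stripe {f.mode} {f.kind} key {f.masked}")
    return 1 if any(results.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired in as a pre-commit hook over the staged file list, a non-zero exit blocks the commit; test-mode keys are reported too, since a repository that tolerates sk_test_ values will eventually receive an sk_live_ one by the same route.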


To me this sounds like an example of bad practice commonly implemented. Along the lines of the litany of open source projects whose install instructions involve CURLing a shell file into sh directly. It's bad practice, but so commonly implemented people mistake it for good/fine practice.
To be fair, sometimes you need bad practice to make things possible to do. Plaid takes your bank username and password to scrape pages because it’s the only choice to make the tech.

Flouting the rules is the basis for a lot of successful businesses.

A qualified absolutely. I love to build side projects, and generally the first iteration is very poorly built. If your goal is to put "ideas on paper" so to speak, then you're 100% right. This could even make it to early production if you're really in a pinch.

I think though that there's a point where you need to move past the bad practice and find, or create the right way to do what you're trying to do.

Except in this case Stripe provides a way for 3rd parties to access your Stripe account without giving the 3rd party your password.