是否可以用条纹元素实现验证验?
我们目前在下一个.js网站上设置了条纹元素。这是一种捐赠表格,用户可以作为客人进行简单的一次性付款。
这是表格的“提交”方法的实现方式:
export const makeOneOffPayment = async (
e,
stripe,
elements,
clientSecret,
setError,
billingInfo,
paymentAmount,
paymentIntentId,
CardNumberElement,
): Promise<boolean> => {
// Initialise
e.preventDefault();
// Update the payment intent
try {
const res = await fetch('/api/payment-intent/update', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
amount: paymentAmount * 100,
paymentIntentId: paymentIntentId,
}),
});
if (!(res.status >= 200 && res.status <= 299)) {
const result = await res.json();
const message = result.message;
setError(`Payment failed: ${message}`);
return false;
}
} catch (err) {
setError(`Process failure on client`);
return false;
}
// Finish the payment
try {
const payload = await stripe.confirmCardPayment(clientSecret, {
payment_method: {
card: elements.getElement(CardNumberElement),
billing_details: {
address: {
city: billingInfo.city || '',
line1: billingInfo.AddressLine1 || '',
line2: billingInfo.AddressLine2 || '',
},
email: billingInfo.email,
name: billingInfo.name,
phone: billingInfo.phone,
},
},
});
if (payload.error) {
setError(`Payment failed ${payload.error.message}`);
} else {
return true;
}
} catch (err) {
setError(`Process failure on client`);
return false;
}
};<script src="https://cdnjs.cloudflare.com/ajax/libs/react/16.6.3/umd/react.production.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react-dom/16.6.3/umd/react-dom.production.min.js"></script>这是一个简单的付款流程,但是我们遇到了问题 - 人们使用我们的表格正在“卡测试”。
根据Stripe的文档在这里,应使用验证码来防止这种情况。
问题是该代码在前端执行。
Stripe Support建议我们在“完成付款”试验块开始时添加Google Recaptcha验证,然后使用结果确定是否尝试完成卡付款。
但是,我们怎么能确定recaptcha验证的结果是真实的呢?我可以想象,由于所有逻辑在前端都运行,攻击者很容易欺骗响应?
我有什么办法可以成功地将验证码与当前处理流程集成在一起?
我能想到的方法是将逻辑移至API路线,然后验证验证码并在后端处理付款。但是我相信条纹。Confirmcardpayment旨在在前端运行(这有助于3D卡验证),因此我将面临一些不同的挑战,可以克服这种方法。
We've currently got Stripe Elements set up on our Next.js website. It's a donation form where users can make a simple one-off payment as a guest.
Here is how the 'submit' method of the form is implemented:
export const makeOneOffPayment = async (
e,
stripe,
elements,
clientSecret,
setError,
billingInfo,
paymentAmount,
paymentIntentId,
CardNumberElement,
): Promise<boolean> => {
// Initialise
e.preventDefault();
// Update the payment intent
try {
const res = await fetch('/api/payment-intent/update', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
amount: paymentAmount * 100,
paymentIntentId: paymentIntentId,
}),
});
if (!(res.status >= 200 && res.status <= 299)) {
const result = await res.json();
const message = result.message;
setError(`Payment failed: ${message}`);
return false;
}
} catch (err) {
setError(`Process failure on client`);
return false;
}
// Finish the payment
try {
const payload = await stripe.confirmCardPayment(clientSecret, {
payment_method: {
card: elements.getElement(CardNumberElement),
billing_details: {
address: {
city: billingInfo.city || '',
line1: billingInfo.AddressLine1 || '',
line2: billingInfo.AddressLine2 || '',
},
email: billingInfo.email,
name: billingInfo.name,
phone: billingInfo.phone,
},
},
});
if (payload.error) {
setError(`Payment failed ${payload.error.message}`);
} else {
return true;
}
} catch (err) {
setError(`Process failure on client`);
return false;
}
};<script src="https://cdnjs.cloudflare.com/ajax/libs/react/16.6.3/umd/react.production.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react-dom/16.6.3/umd/react-dom.production.min.js"></script>It's a simple payment flow that works, but we're having a problem - people are 'card testing' using our form.
According to Stripe's documentation here, a captcha should be used to prevent this.
The problem is that this code is executing on the front end.
Stripe support has suggested that we add Google ReCAPTCHA verification at the beginning of the 'Finish the payment' try-catch block, then use the result to determine whether to try and complete the card payment.
But how can we be sure that the result from the ReCAPTCHA verification is genuine? I can imagine it's pretty easy for the attackers to spoof a response since all of the logic is running on the front end?
Is there any way for me to successfully integrate a captcha with the current processing flow?
The approach I can think of that would work is to move the logic to an API route, then verify the captcha and process the payment on the back end. But I believe the stripe.confirmCardPayment is designed to run on the front end (and it helps with 3D card verification), so I'd have some different challenges to overcome with this approach.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
在公开结帐表格之前,您需要添加验证码。看看此视频。您也可以添加当无疑的情况下显示了无疑的行为。
You would want to add a captcha prior to exposing the checkout form. Take a look at this video. You could also add the invisible reCaptcha to only show when suspicious behavior is detected.