
Stripe Portal url not secure Python

Question


I'm working on a Django application integrated with Stripe, and I'm facing a security issue related to user subscription management through the Stripe portal. Currently, I provide a simple link for users with subscriptions to access the portal. However, I've noticed that if I copy the link from the browser tab that the view generates and paste it into a private tab in another browser, the portal loads up, allowing access to someone else's subscription details.

An example of the URL generated:
https://billing.stripe.com/p/session/test_YWNjdF8xSGFuNG5KV3p0WnBRQUJ4LF9POHM5UWlrYlhtM0FadVZmV3NUU3hQFMrgrrgg0HK1DtM1hxe

This presents a significant security concern since an unauthorized user who obtains the URL could potentially manipulate the billing information of a subscriber.

So my view:

import stripe
from django.shortcuts import redirect


def customer_portal(request):
    # Authenticate your user.

    customer_id = request.user.customer.id

    # Create a session.
    session = stripe.billing_portal.Session.create(
        customer=customer_id,
        return_url='http://127.0.0.1:8000/account/billing/',
    )

    # Directly redirect the user to the portal.
    return redirect(session.url)

The link:
<h4><a href="{% url 'subscriptions:customerPortal' %}">Manage Billing</a></h4>

The urls:
path('billing/portal/', customer_portal, name='customerPortal'),

Am I doing something wrong?

Answer 1

Score: 0


The URL is a short-lived URL and yes, your application would need to make sure to only give the URL to an authenticated customer. Otherwise, you can use a no-code option global link which requires login by email.
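
The authentication gate the answer describes, as an added example that is not the question's or the answer's code. Django's request/redirect objects and stripe.billing_portal.Session.create are replaced by small stand-ins so the block runs offline; the login URL, the example.com return URL and the session ids are constructed placeholders.

```python
# Added example, not code from the question or the answer. It keeps the shape
# of the OP's Django view but swaps Django's request/redirect and
# stripe.billing_portal.Session.create for stand-ins so it runs offline; the
# session ids, login URL and example.com return URL are constructed placeholders.
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional

PORTAL_BASE = "https://billing.stripe.com/p/session/"
RETURN_URL = "https://example.com/account/billing/"  # placeholder, not 127.0.0.1
LOGIN_URL = "/accounts/login/?next=/billing/portal/"  # placeholder login route
CREATED = []  # records which customer each stand-in session was minted for


@dataclass
class Request:
    """Stand-in for a Django request: is the user logged in, and which
    Stripe customer id is bound to that user (None if they have none)."""
    authenticated: bool
    customer_id: Optional[str] = None
    GET: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: str = ""
    headers: dict = field(default_factory=dict)


def fake_create_session(customer: str, return_url: str) -> dict:
    """Stand-in for stripe.billing_portal.Session.create: the real call returns
    an unguessable, short-lived URL that acts as a bearer credential for the
    customer it was created for."""
    CREATED.append(customer)
    return {"customer": customer,
            "url": PORTAL_BASE + "test_" + secrets.token_urlsafe(32)}


def customer_portal(request: Request,
                    create_session: Callable[..., dict] = fake_create_session) -> Response:
    # The gate the answer asks for (in Django: @login_required on the view).
    # Without it, anyone who can reach the view is handed a fresh portal URL.
    if not request.authenticated:
        return Response(status=302, location=LOGIN_URL)
    # Bind the session to the logged-in user's own customer id; a customer id
    # supplied in the query string (request.GET) is deliberately ignored.
    if request.customer_id is None:
        return Response(status=403)
    session = create_session(customer=request.customer_id, return_url=RETURN_URL)
    # The URL is a bearer credential: redirect straight to it, never render it
    # into a page or log it, and keep the redirect out of shared caches.
    return Response(status=302, location=session["url"],
                    headers={"Cache-Control": "no-store"})
```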

Posted by huangapple on 2023-06-26 01:19:21
Original link: https://go.coder-hub.com/76551615.html