• Resolved maltfield

    (@maltfield)


    This thread is to report a bug that it’s not possible to manually enter the Stripe API key in this plugin.

    <h2>Problem</h2>

    Despite providing a more streamlined UX, Stripe Connect is less secure than manually creating and copying the Restricted API keys into this app’s settings.

    The documentation describes how one should be able to set up this plugin by manually copying the API Keys here:

    Unfortunately, it’s not possible to enter the API keys into this plugin’s settings, because there are no input fields on the page /wp-admin/admin.php?page=wc-settings&tab=fkwcs_api_settings

    <h2>Steps to Reproduce</h2>

    1. Fresh install of this plugin
    2. Activate this plugin
    3. Go to WooCommerce settings -> Payments tab (/wp-admin/admin.php?page=wc-settings&tab=checkout)
    4. Click the “Manage” button next to the “Stripe Gateway – Credit Card (Stripe)” row
    5. Click the “Stripe Settings” sub-tab link (/wp-admin/admin.php?page=wc-settings&tab=fkwcs_api_settings)
    6. As the page is loading, you can very quickly see some text input fields appear, but they disappear before the page finishes loading
    7. After the page fully loads, the only option is the “Connect with Stripe” button. There are no input fields for entering the API keys.

    <h2>Solution</h2>

    The input fields shouldn’t disappear, so that a user can configure the plugin, as described in the documentation.


Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter maltfield

    (@maltfield)

    Here’s a screenshot of the issue

    Thread Starter maltfield

    (@maltfield)

    Note: If I disable javascript in the browser, then the rest of the input fields on the page do not disappear after the page loads.

    Plugin Support Funnelkit Support

    (@supportfunnelkit)

    Hi @maltfield,

    Thanks for using the Funnelkit Stripe and for reaching out to us with feedback.

    Actually, having manual keys on the website is a much insecure process and it’s going to be deprecated in the next version.

    “Connect with Stripe” will be the only option during the onboarding; entering the API keys will be available with a specific link only, and the flashing of the API key manual entry will be resolved.

    Let us know if you have any follow-up questions.

    Thanks
    Team Funnelkit

    Plugin Support Funnelkit Support

    (@supportfunnelkit)

    Hi @maltfield,

    Hope you are doing well.

    We haven’t heard back. So marking this as resolved.

    Feel free to create a new thread for any other query.

    Thanks
    Team Funnelkit

    Thread Starter maltfield

    (@maltfield)

    “Having manual keys on the website is a much insecure process and it’s going to be deprecated in the next version.”

    Please do not spread misinformation. This is absolutely not true.

    I’ve had many back-and-forth discussions with Stripe Support, who confirmed that most implementations of the OAuth (Stripe Connect) are more insecure than the Restricted API Keys.

    There are two things that I think you’re missing:

    1. I’m talking about Restricted API Keys (it would be correct to say that non-restricted API keys are less secure)

    2. Stripe Connect using the OAuth Authorization Code Flow leaks the bearer tokens to a third party (defined by the redirect_uri)

    Therefore, it is far more secure for users to generate Restricted API Keys and manually set them in their WooCommerce plugin’s settings, thereby bypassing the risk associated with the OAuth Authorization Code Flow, which leaks these critical bearer tokens to the third party.

    As a security expert, I implore you to reconsider removing the most secure way to set up this plugin with Stripe’s API.

    Please forward this request to your Security Team.

    • This reply was modified 9 months, 3 weeks ago by maltfield.
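The concern in the reply above turns on which host an authorization request names as `redirect_uri`, since that host receives the authorization code. As an added example (not code from this thread, the plugin, or Stripe), the check below inspects an OAuth authorization URL and reports whether the code returns to the merchant's own site or to another party; the sample URL, `ca_EXAMPLE`, and the `.example` host names are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: an authorization link whose redirect_uri is a vendor host.
SAMPLE = ("https://connect.stripe.com/oauth/authorize?response_type=code"
          "&client_id=ca_EXAMPLE&scope=read_write"
          "&redirect_uri=https%3A%2F%2Fconnect.vendor.example%2Fcallback")

def audit_authorize_url(authorize_url: str, site_url: str) -> dict:
    """Report which host receives the OAuth authorization code."""
    query = parse_qs(urlsplit(authorize_url).query, keep_blank_values=True)
    site_host = urlsplit(site_url).hostname or ""
    findings = {
        "response_type": query.get("response_type", [""])[0],
        "scope": query.get("scope", [""])[0],
        "redirect_host": None,
        "verdict": "",
    }
    redirects = query.get("redirect_uri", [])
    if len(redirects) > 1:
        # Duplicate parameters can be parsed differently by each party.
        findings["verdict"] = "ambiguous: redirect_uri repeated"
        return findings
    if not redirects or not redirects[0]:
        # Without redirect_uri a server may fall back to the URI registered
        # for the client_id, which is not visible in the request itself.
        findings["verdict"] = "unknown: registered redirect is used"
        return findings
    target = urlsplit(redirects[0])
    host = target.hostname or ""  # hostname is already lower-cased
    findings["redirect_host"] = host
    if target.scheme != "https":
        findings["verdict"] = "insecure: code returned over non-HTTPS"
    elif host == site_host:
        findings["verdict"] = "first-party: code returns to this site"
    else:
        findings["verdict"] = "third-party: code returns to " + host
    return findings

if __name__ == "__main__":
    # The merchant site URL is a constructed placeholder.
    for key, value in audit_authorize_url(SAMPLE, "https://shop.example/").items():
        print(f"{key}: {value}")
```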
    Thread Starter maltfield

    (@maltfield)

    Plugin Support Funnelkit Support

    (@supportfunnelkit)

    Hi @maltfield,

    Let me explain to you.

    Initially, when we started the Stripe Gateway, there was a way to add manual keys, but you could refer to this doc here, where Stripe was encouraging all the apps to move to either the Stripe Connect method or the other method as proposed in this doc. That’s what we followed, and we have moved over.

    Yes, we did provide a way to enter manual keys but after some internal discussion since Stripe was not recommending it we have removed the provision.

    Regarding restricted API keys, our team will dig deep and take a call at some point, because this is the only request as of now. We have spent a lot of time in back and forth. We need to conserve the bandwidth at this point of time and take a call and that is why as for the Stripe, we will be removing the ability to take the manual keys.

    Thanks
    Team Funnelkit

    Thread Starter maltfield

    (@maltfield)

    “Stripe was not recommending it”

    This is not true. Stripe *does* recommend Restricted API Keys. It’s the most secure way to authenticate.

    Please revisit the document that you linked to above:

    * https://docs.stripe.com/stripe-apps/plugins/decide-migration

    It recommends three possible integration types:

    1. Stripe Connect

    2. Stripe Apps

    3. Restricted API Keys

    Note, again, that the last (Restricted API Keys) is the most secure option of the three. This was confirmed by Stripe Support.

    Please reconsider keeping support for the most-secure authentication method.

    • This reply was modified 9 months, 1 week ago by maltfield.
    Plugin Support Funnelkit Support

    (@supportfunnelkit)

    Hi @maltfield,

    Thank you very much for your remark, and I appreciate our continuous discussion to figure things out.

    I’ve spoken with our payments team, and they mentioned that restricted keys are secure, but they are not suitable for everyone. They require a lot of manual clicking, setup, and manual configuration of webhooks. Most users would not be able to do this themselves, which is why the connect route is preferred.

    Having said that, there is an additional challenge in reliably determining whether the keys being input are restricted. Furthermore, restricted keys do expire, so someone needs to constantly monitor and ensure they are updated to avoid impacting transactions.

    Opening up for restricted keys involves several considerations, and this is the first time we’ve received such a request. We need some time to think through how we can build this into a seamless customer experience.

    In the meantime, here is the link to manually add the keys:
    http://example.com/wp-admin/admin.php?page=wc-settings&tab=fkwcs_api_settings&connect=manually

    You will need to ensure that you add your restricted keys here and continue with the payment processing.

    Let us know if you have any other questions.

    Thank you.
    Team Funnelkit


The topic ‘[Bug] Can’t manually enter API Keys’ is closed to new replies.