#stripe

hm thats weird, they wont allow me to use shopify payments anymore D:

Would you guys recommend inputting my products in the stripe dashboard or is there a way to integrate products into stripe from shopify?

chris___: I don't think Shopify supports relay

alright, so from the sounds of things my website is functional for payment again

markin: sorry, yeah. I understand.

chris___: separately, if your shopify payments account was rejected, there's a relatively high chance your stripe account is going to be rejected as well, since shopify payments is basically just a white-labelled version of stripe

chris___: you may want to sanity check with support that stripe will be able to work with your business

how to do check with stripe?

They just stopped letting me use shopify because of "Elevated Chargeback Risks"

yeah, Stripe tends to be fairly chargeback sensitive, so its possible that Stripe might find you a bit risky too

it'd depend a bit if Shopify thought you were risky or Stripe did

Yeah fair enough

I have a back-up plan of using authorize.net if all falls through with stripe

But in the mean-time stripe seems like the quickest and easiest method with shopify

Hi, In my balance history it says one balance will be available on 1/28/16 16:00, but it is already 4:30 pm now. What happened to that balance?

It is still pending

ditiha: available_on dates are not totally precise, you should listen to the balance.available webhook

Thanks for the response. but this is really annoy... so you are telling me the dashboard is incorrect? .....That's ..

But what if we have no webhook setup.... How can I know when will my balance be available?

Funds generally become available after 2 days or after 7 days. The exact minute can be a bit off

k, it is 7 days already... I can wait for a bit more..

thanks

Or you can just use automatic transfers

hello guys

I was wondering if stripe is available for businesses in the middle east

moeabdol: stripe isn't available in the middle east yet: https://stripe.com/global

Hi guys

hello

Does anyone know when you send your prospective connect users to signup/login, whether it's possible to be sent back additional meta data (like there user id in a database) so when they are returned to your url, you can save there stripe connect account id into there user record?

irctc830: there's a `state` parameter you can pass to the oauth link to do exactly this

cool:) i just seen that, that will be perfect.

note, of course, that the user can tamper with this value

so if you're passing a user_id back, you'd need to make sure that I can't just plug in alice's user id

hmm, good point:)

if the value you're passing around is essentially "which user is this", you may want to just key this off your normal session authentication, if you have one of those

because when the user is redirected, they're still using their own browser, so they'd still have their session cookie set, if your system uses those

yeah, unfortunately not.

This is for an App.

like a mobile app?

so we have a single page with no login / session control in place.

you're presumably doing this in a webframe or something?

well, we're actually diverting the user to a url outside of the App to do this.

The user can't login to the App until they successfully connect to our Stripe account.

they're presumably halfway through signup or something at this point, right?

otherwise you'd have nothing to tie back to in your db

Our flow at the moment is 1) Email to user (who already has a user id in our database but can't login) with url to connect Stripe. 2) Once signed up, taken to a open url with which we direct them to download the app and login.

yes

they're already half way through the signup, so a userid exists.

presumably that url contains a secret already, right?

something to identify the user?

you could just pass that same secret as the state param

actually, better yet

set it as an http-only cookie tied to your own domain when you render out the response to that url

then stripe doesn't get to see that secret

Ok tr12, thanks, will give it ago.

one question on your previous suggestion.

neato

if we do simply pass it userid to the state method, i thought as soon as it url redirects, you could simply query the user table for this stateid and update...how is it possible for this stateid to be modified before reaching this point?

regarding your point that someone could modify this stateid..

update the table how?

as for the modification thing, your app gives me the client a url that it wants me to go to. but I might go to that url, then notice that there are some parameters in the url that I can fiddle with.

there's absolutely nothing stopping me from going to connect.stripe.com/oauth/authorize?state=foo&am..., and editing that to connect.stripe.com/oauth/authorize?state=bar&am....

ahh:P

gotya.

tr12: does the chrome developer console let you change http only cookies?

markin: it does, but that's not the point of http-only cookies

markin: it's just generally good practice to make secrets http-only, because then they're not going to get leaked if you get XSS'd

markin: this absolutely doesn't defend against a user tampering with the value - what defends against that is the fact that you're using something considered to be secret as the cookie

yeah, I was just making sure that the reason behind it wasn't to defend against user tampering

reasonable sanity check