#stripe

and how do I get to the accounts stripe dashboard? I can search on the account_id and pull up the account page, but it doesn't appear to have webhook logs

You can click view dashboard on the account page

hey any stripe engineers here?

i'm not seeing that, maybe because it's prompting that account to login to active the account?

unfortunately, if i attempt to activate, it just keeps looping through asking me to enter the user's PW over and over again

andrew: can you try like incognito mode?

yes, i am in incognito mode, tried quitting to kill any session data and retrying, same problem

tried to create another standalone account (deferred) and i'm running into the same problem

I get the "claim your Stripe account" email, click the link, try to activate, and get asked for PW over and over again

You're logged out of Stripe before you click that link?

yes

Hmm, I'd email support then

ok, thanks for the help!

Will Checkout.js automatically update a Customer object's email when they enter their email in?

or is that something I'm supposed to do when I receive it?

Generally if you already have the email you'd pre-fill it for checkout

Stripe won't automatically update it

mattwc: in the case where I *don't* have the email, and the customer is providing it themselves in Checkout, the behaviour I'm seeing in the dashboard is that Checkout won't update the email by itself

so I'm wondering, why does Checkout provide the email option at all (both prefilled and user-filled)?

The email still gets sent to your server so you can save it

but stripe does nothing with it by itself, right?

it *only* gets sent to my own server

It gets set to the card name field unless you also collect billing address

are you sure? I'm not seeing that at all

it appears from my usage that checkout.js does not send the email to stripe at all

(i do need to set the email field as I want to make sure customers receive an invoice from stripe)

It should be set as a property of the card object

if that's the intended behaviour then I'm not seeing that

at least in test mode

But to set in the customer object you'd need to specify that when you can the create customer api

oh wait, you're totally right

it's set on the *card* name

but not on the customer email, hm

The email will get posted to your server along side the token and you should grab it from there and use it to populate the customer email field

mattwc: can i save an API call somehow and tell Stripe to attach the email to the customer?

stripeEmail (alongside stripeToken)

when the card is added to the customer, that is

aye i got that

im successfully receiving it, I just want to save one more POST to stripe :)

You would need to call the update customer api and add card api

Or just the update customer api if you want to replace their old card

This is for add card

Hi guys, Is it possible to know how "fingerprint" attribute is being calculated on The (account) bank_account object for External Accounts of managed account? I want this to be able to detect whether or not update bank account data on stripe.

Alir: its essentially md5(stripe account that made the request + bank account number)

jleclanche: then it's two api calls

mattwc: shame

jleclanche: though if you already have a customer object I would just pre-fill the email you have on file

Since presumably they gave you an email to like sign up for your site

mattwc: I pre-create the customer object when the user sees the page, but no, I don't gather emails at all

Okay, so md5(account_id, bank account number)? jleclanche

Alir: its essentially that

Thanks jleclanche

you're welcome!

Alir: the actual internals aren't public

Then I cannot use it mattwc

Alir: why are you trying to calculate the fingerprint yourself?

So what do you suggest?

What are you trying to do Alir?

Because I want to know should I trigger the update of bank account on stripe, to know it has been changed or not

Alir: a bank account token will have a fingerprint

Or just always update it if they give you new details

Yes, but I don't the fingerprint unless I create it on Stripe

If they give you new details, just fire the update request.

mattwc: I think Alir is getting the bank data on his server and wants to check if he has to update it upstream

Yes, that is another thing (update it every time user change profile) but based on our current situation cannot do that

Takes considerably less resources to try it, then it would to pull the fingerprint, calculate, and compare Alir.

Why make a customer fill out a form and enter card details if your just gonna throw it away

How can I change the default card for payment of a user?

Yes, I'm already doing that, that functionality is being done on a background task not on live on action mattwc

You can also use Stripe.js to create a bank account token and that will give you a fingerprint

Lalo_: the update customer api

Lalo_: set default source on customer

It is coming from IOS and Android app and it is part of the user profile, so they can see every time and update it mattwc

I'm pretty sure both those libraries support bank account tokens

(they do)

by bank account token you the first token on validation? mattwc

A token prevents you from sending the raw bank account to your server

jleclanche_: And how can I make a credit card the default one by updating the default source on the customer?

Lalo_: update the default source to the id of the credit card object

Lalo_: you have the credit card's stripe id, you update the Customer to set `default_source` to that id

Okay, I see, the thing is apps are not using that and it all being done on the server, in the app it is just a profile form mattwc

Alir: i would recommend updating the app to use it or just always update the bank account

Okay, so there is no way to compare the data between Stripe and what user sends. I thought maybe using that fingerprint which could be a hash of bank details

mattwc

Lalo_ If you add a new token to a customer, it will automatically become the default_source; if you're trying to change the default source between cards that already exist in the customer object use https://stripe.com/docs/api/node#update_custome...

s/token/source

Alir: you can use the fingerprint but that would require you use tokens

god, I am starting to really hate dj-stripe. Is anyone else using it and wants to redesign it with me? :/

What's wrong with it today? :P

haha

You can always do PR's to it if you want to fix things.

Yeah I did. https://github.com/kavdev/dj-stripe/pull/414

kaylined_ Now I get it. Thank you all!

it turned into a fork.

Okay, but if there was a simple hash property and it was available in API, we could use that to compare the data. Thanks for your help mattwc

kaylined: what's wrong with it today is its implementation of email handling on the Customer object. It's taking a shortcut by using the Django email and doesn't ever touch the Stripe email field... except those times when it does.

lol

I'm reading your PR comments now.

Alir: for compliance purposes a simple hash wouldn't be acceptable

Is there any compliance on bank account info?

There are still security issues that need to be addressed and it's simpler if all fingerprinting was done the same way

Yes, I see, it could be based on the combination of secret key or any other account base properties, so it would be unique per integration and exposing the intervals or algorithm wouldn't cause security issues. mattwc

Then it would make our life way more easier :) mattwc

Exposing the algorithm causes issues with credit card numbers because you could reverse engineer a card number

The real solution here is to use a token

Yeah, I see, so the threat would be the companies who are integrating. You are right mattwc , it was just something on top of my head. Thanks for your help

mattwc: if properly salted it wouldn't be reverse-engineerable

without the salt at any rate

But he wanted to be able to match the generate a matching fingerprint on his side which would require knowing the salt

Also: salts aren't secrets.

right, just replying to exposing the algorithm

But if the salt is based on the integration keys or something, me as a developer would know it and can reverse it. jleclanche

big if