• Resolved alx359

    (@alx359)


    The Connect to Stripe button of the plugin auto-generates some special live keys that are not made accessible from the Stripe Dashboard, nor updatable from the plugin backend. These are only available in the WP DB.

    Is it safe to change these auto-generated live keys with the Standard API keys the Stripe Dashboard already provides? Will everything in the plugin work normally with the latter if we do that?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Payment Plugins

    (@mrclayton)

    @alx359

    No, everything will not work as intended if you manually update the keys. Why would you want to change the API keys generated from the connect process?

    Thanks,

    Thread Starter alx359

    (@alx359)

    Thanks for your reply.

    Atm, there’s not much reason, but as you’re asking, I could think of a few scenarios off the top of my head:

    1) If the auto-generated live keys get somehow compromised (they’re stored as-is in the DB), they could be used maliciously, and currently there’s no centralized way to review and make sure they’re destroyed, as they’re out of reach of the Dashboard (which by itself is a very strange thing to be allowed by Stripe, IMHO).

    2) Reconnecting the plugin creates new sets of keys (have done it many times already), but it isn’t clear what happens with all those previous keys that are presumably still stored somewhere at Stripe. Those redundant, hidden keys, if still active, could become backdoors for malicious activity, as per p.1.

    3) I keep copies of real websites that resolve to localhost for dev purposes. Attempting to (re)connect live-mode in such copies is risking making a mess in the actual websites from the inadvertently changed keys that might have now become invalid.

    4) I’m used to storing all my sensitive data in one place for reference and for helping me keep it all up to date. That way, I could more easily restore a given plugin etc. w/o having to chase stuff deep down possibly arcane interfaces. Restoring your plugin manually seems currently possible for test-mode only.

    Plugin Author Payment Plugins

    (@mrclayton)

    Hi @alx359

    1. You can revoke the platform’s authentication grant via the stripe.com dashboard. By doing that, all keys issued via the connect process will be revoked. You do make a good point though, as that’s not the most convenient. We’ll share that feedback with the Stripe team.

    4. You can restore the plugin for live and test mode. It’s just database entries that you can copy over.

    Kind Regards,

    Thread Starter alx359

    (@alx359)

    Hi @mrclayton

    Thanks, p.1 makes sense. Hope Stripe would listen to you and improve Key Mgmt for connected apps though.

    One more thing please, regarding test mode.

    It’s convenient for me for test API keys to be all the same, for all websites under *.domain.com, but the plugin-issued API keys also include test ones.

    Now:

    a) Is it safe to change all those test API keys, and use the Std. test API key instead provided by Stripe?

    b) If one still should use a plugin-issued API test key, are the old ones still good if the plugin reconnects and a new set of keys is reissued?

    Thanks again.

    Plugin Author Payment Plugins

    (@mrclayton)

    @alx359

    a. Yes, you can manually enter test mode API keys without any issues.

    b. Yes, the other keys will still work.

    Kind Regards,

    Thread Starter alx359

    (@alx359)

    Excellent. Thank you!

  • The topic ‘Live keys change with ones of Dashboard’ is closed to new replies.