Security News
tea.xyz Spam Plagues npm and RubyGems Package Registries
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
@purposity/stripe-graphql-js
Readme
This package creates a Stripe GraphQL API.
```graphql
query {
  stripe {
    customer(id: "cus_xxx") {
      id
      name
      invoices {
        data {
          id
          created
          paid
          hostedInvoiceUrl
        }
      }
    }
  }
}
```
You can also add the Stripe GraphQL API as a Hasura Remote Schema and connect data from your database and Stripe. This allows you to request data from your database and Stripe in a single GraphQL query:
```graphql
query {
  users {
    # User in your database
    id
    displayName
    userData {
      stripeCustomerId # Customer's Stripe Customer Id
      stripeCustomer {
        # Data from Stripe
        id
        name
        paymentMethods {
          id
          card {
            brand
            last4
          }
        }
      }
    }
  }
}
```

```sh
npm install @nhost/stripe-graphql-js
```
Create a new Serverless Function `functions/graphql/stripe.ts`:

```ts
import { createStripeGraphQLServer } from '@nhost/stripe-graphql-js'

const server = createStripeGraphQLServer()

export default server
```
You can run the Stripe GraphQL API in any JS environment because it's built using GraphQL Yoga.
Add `STRIPE_SECRET_KEY` as an environment variable. If you're using Nhost, add `STRIPE_SECRET_KEY` to `.env.development` like this:

```sh
STRIPE_SECRET_KEY=sk_test_xxx
```
Learn more about Stripe API keys.
```sh
nhost up
```
Learn more about the Nhost CLI.
Test the Stripe GraphQL API in the browser:
http://localhost:1337/v1/functions/graphql/stripe
Add the Stripe GraphQL API as a Remote Schema in Hasura:

- URL: `{{NHOST_BACKEND_URL}}/v1/functions/graphql/stripe`
- Headers: `x-nhost-webhook-secret: NHOST_WEBHOOK_SECRET` (from env var)
Here's a minimal example without any custom permissions. Only requests using the `x-hasura-admin-secret` header will work:

```ts
const server = createStripeGraphQLServer()
```
For more granular permissions, you can pass an `isAllowed` function to `createStripeGraphQLServer`. The `isAllowed` function takes a `stripeCustomerId` and `context` as parameters and runs every time the GraphQL server makes a request to Stripe to get or modify data for a specific Stripe customer.

Here is an example of an `isAllowed` function:
```ts
// `gqlSDK` is assumed to be a generated GraphQL client for your own database
// (e.g. from graphql-codegen); it is not provided by this package.
// The function must be `async` because it awaits the database lookup.
const isAllowed = async (stripeCustomerId: string, context: Context) => {
  const { isAdmin, userClaims } = context

  // allow requests if it has a valid `x-hasura-admin-secret`
  if (isAdmin) {
    return true
  }

  // get user id
  const userId = userClaims['x-hasura-user-id']

  // check if user is signed in
  if (!userId) {
    return false
  }

  // get more user information from the database
  const { user } = await gqlSDK.getUser({
    id: userId
  })

  if (!user) {
    return false
  }

  // check if the user is part of a workspace with the `stripeCustomerId`
  return user.workspaceMembers.some((workspaceMember) => {
    return workspaceMember.workspace.stripeCustomerId === stripeCustomerId
  })
}
```
The `context` object contains:

- `userClaims` - verified JWT claims from the user's access token.
- `isAdmin` - `true` if the request was made using a valid `x-hasura-admin-secret` header.
- `request` - Fetch API Request object that represents the incoming HTTP request in a platform-independent way. It can be useful for accessing headers to authenticate a user.
- `query` - the DocumentNode that was parsed from the GraphQL query string.
- `operationName` - the operation name selected from the incoming query.
- `variables` - the variables that were defined in the query.
- `extensions` - the extensions that were received from the client.

Read more about the default context from GraphQL Yoga.
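A fail-closed version of the permission check above, written as an added example (not the README's or the nhost project's own code): the policy is split into a pure decision function that can be exercised without a database and an async wrapper that stands in for the `gqlSDK.getUser()` lookup. The `PolicyContext` type (only the `isAdmin` and `userClaims` fields the README lists) and the in-memory user table are assumptions constructed for this example.

```typescript
// Added example, not from @nhost/stripe-graphql-js. Deny is the default:
// every missing claim, failed lookup or mismatch returns false.
type Workspace = { stripeCustomerId: string | null }
type User = { id: string; workspaceMembers: { workspace: Workspace }[] }

// Assumed minimal shape of the server context (mirrors the README's fields).
type PolicyContext = {
  isAdmin: boolean
  userClaims: Record<string, unknown>
}

// Pure decision: admin secret bypasses; otherwise the caller must be signed in,
// the fetched user must be the caller, and one of the caller's workspaces must
// own the requested Stripe customer id.
function decideAccess(stripeCustomerId: string, context: PolicyContext, user: User | null): boolean {
  if (context.isAdmin) return true
  const userId = context.userClaims['x-hasura-user-id']
  if (typeof userId !== 'string' || userId.length === 0) return false
  if (!user || user.id !== userId) return false // stale or mismatched lookup: deny
  if (!stripeCustomerId) return false // never match a workspace on an empty id
  return user.workspaceMembers.some((m) => m.workspace.stripeCustomerId === stripeCustomerId)
}

// Constructed in-memory user table standing in for the database query.
const USERS: Record<string, User> = {
  'user-1': { id: 'user-1', workspaceMembers: [{ workspace: { stripeCustomerId: 'cus_A' } }] },
  'user-2': { id: 'user-2', workspaceMembers: [{ workspace: { stripeCustomerId: null } }] }
}

async function getUser(id: string): Promise<User | null> {
  return USERS[id] || null
}

// The function you would hand to the server as `isAllowed`.
// A lookup error is treated as "not allowed" rather than propagated.
async function isAllowed(stripeCustomerId: string, context: PolicyContext): Promise<boolean> {
  if (context.isAdmin) return true
  const userId = context.userClaims['x-hasura-user-id']
  if (typeof userId !== 'string') return false
  let user: User | null = null
  try {
    user = await getUser(userId)
  } catch (err) {
    return false
  }
  return decideAccess(stripeCustomerId, context, user)
}
```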
Install dependencies:

```sh
pnpm install
```

Start the development server:

```sh
pnpm dev
```

Include the correct admin secret header for admin access:

```json
{
  "x-hasura-admin-secret": "<secret value matching your NHOST_ADMIN_SECRET environment variable>"
}
```
The GraphQL Server will reload every time the code changes.
Open GraphiQL:
The npm package @purposity/stripe-graphql-js receives a total of 0 weekly downloads. As such, @purposity/stripe-graphql-js popularity was classified as not popular.
We found that @purposity/stripe-graphql-js demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.