ruby-on-railsstripe-paymentsactivemerchant

Is there a safer way to use Stripe and ActiveMerchant together? Ruby on Rails

I'm trying to use Stripe for payments in my rails app. I remember at one internship I had, we used the active merchant gem to abstract the process by using gateways. Although, at the internship, we used Authorize.net. We didn't use Stripe. For this particular application, I would like to use Stripe and ActiveMerchant together.

Looking at the documentation on the Active Merchant GitHub page, I found that I could connect to Stripe using the StripeGateway provided by the Active Merchant gem. This is how I did it:

ActiveMerchant::Billing::Base.mode = :test

# Create a new credit card object
credit_card = ActiveMerchant::Billing::CreditCard.new(
  :number     => '4242424242424242',
  :month      => '8',
  :year       => '2022',
  :first_name => 'Tobias',
  :last_name  => 'Luetke',
  :verification_value  => '123'
)

if credit_card.valid?
  gateway = ActiveMerchant::Billing::StripeGateway.new(
    login: Rails.application.credentials.development[:stripe_private_key]
  )

  # Authorize for $10 dollars (1000 cents)
  response = gateway.authorize(1000, credit_card)

  if response.success?
    # Capture the money
    gateway.capture(1000, response.authorization)
  else
    raise StandardError, response.message
  end
end

However, this is a problem. Whenever I run this, I get a strange error: 

StandardError (Sending credit card numbers directly to the Stripe API is generally unsafe. We suggest you use test tokens that map to the test card you are using, see https://stripe.com/docs/testing.)

I understand that this is a security issue, but I don't understand how to ago about fixing it using Active Merchant. I tried using Stripe's documentation for ruby on rails, but the form was very simple. It only had a credit card number, expiration data, and CVC entry, as well as email. But i need a billing address as well. This is my reasoning for using Active Merchant. It's very simple to use and abstracts a lot of the fluff out while still being able to create custom forms. But, I keep getting this error here with Stripe, and I don't know how to fix it.

Any help is appreciated!

Solution

  • Using the Stripe gateway, ActiveMerchant's purchase and authorize methods should take either a card object, as you are passing above, or a token value (a string)

    #   purchase(money, card_hash_or_token, { ... })

    https://github.com/activemerchant/active_merchant/blob/master/lib/active_merchant/billing/gateways/stripe.rb#L96

    Instead of passing raw card details, for PCI compliance reasons, you could create a token on your client-side using Stripe's Checkout or Elements libraries, pass the source/token id to your backend (it should look like tok_xxxyyyzzz or src_xxxyyyyz), and then pass that value into the second card_hash_or_token parameter of your authorize request.

    response = gateway.authorize(1000, params[:stripeToken])