Encode undefined parameters as the empty string #1587
Comments
Hello @exocode, thank you for writing in and bringing this to our attention. I'm sorry that this happened and I agree that the design of I don't think this is something we can or should fix in It would also be possible in theory to attempt to prevent this situation at the API level, rather than on the SDK. The API could have been designed so that The GitHub issues here are for tracking bugs in Feel free to reopen if you disagree and think the fix should live in the SDK. Possibly we can reimagine this ticket as a more general feature request for SDK validation beyond TypeScript.
Hi @exocode, It turns out I diagnosed this incorrectly:
This would be a breaking and potentially highly dangerous change and would disrupt any users whose integrations unknowingly pass
undefined
parameters as the empty string
I do not think we should change this behavior. Undefines in JavaScript are confusing enough. Having
Describe the bug
If - for any reason - the node / js app is having an undefined customer parameter, all subscriptions are leaked to the user.
I totally understand that stripe.subscriptions.list() is providing a complete list, but stripe.subscriptions.list({ customer: undefined }) or null or similar (or anything else being not a valid ID) should not expose the complete subscriptionsList to the customer.
Sure, the app should check that too, but you'll never know, somehow it can happen that an invalid customer string was provided (a typo, but especially providing a {customer: 'whatEverYouWant'} parameter should not return a complete list.
It should return an error message like: "No customer with that ID found". Or "This is a non-existing customer" or "invalid customer ID given".
But it definitely should NOT expose ALL SUBSCRIPTIONS of a specific Stripe account
To Reproduce
If session.stripe_id is undefined then Stripe API is not complaining, it just will return all subscriptions of any customer
Expected behavior
stripe.subscriptions.list({ customer: "undefined_or_non_existing_customer_id"})
Code snippets
No response
OS
macOS
Node version
v14.17.0
Library version
react-stripe-js": "^1.7.1", stripe-js": "^1.32.0"
API version
2020-08-27
Additional context
No response
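An application-side guard for the case reported in this issue, as an added example that is not part of the original thread or of stripe-node: it rejects a missing or malformed customer value before any API call and fails closed if a returned subscription belongs to someone else. The `cus_` ID pattern, the function names and the `fakeStripe` stub (constructed to mimic the reported behaviour) are assumptions made for illustration.

```javascript
// Added example: application-side guard, not stripe-node code.
// Assumption: customer IDs have the form "cus_" followed by alphanumerics.
const CUSTOMER_ID = /^cus_[A-Za-z0-9]+$/;

// Throws unless `value` is a well-formed customer ID string.
function requireCustomerId(value) {
  if (typeof value !== 'string' || !CUSTOMER_ID.test(value)) {
    throw new TypeError('refusing to list subscriptions: invalid customer ID');
  }
  return value;
}

// Second line of defence: fail closed if any returned row has another owner.
// `customer` is a string ID, or an object with `id` when expanded.
function assertOwnedBy(subscriptions, customerId) {
  for (const sub of subscriptions) {
    const owner =
      typeof sub.customer === 'string' ? sub.customer : sub.customer && sub.customer.id;
    if (owner !== customerId) {
      throw new Error('subscription ' + sub.id + ' does not belong to requested customer');
    }
  }
  return subscriptions;
}

// Hypothetical wrapper; `stripe` is any client exposing subscriptions.list(params).
async function listSubscriptionsFor(stripe, customerId) {
  const id = requireCustomerId(customerId); // runs before any API call
  const page = await stripe.subscriptions.list({ customer: id });
  return assertOwnedBy(page.data, id);
}

// Constructed stub mimicking the behaviour reported in the issue:
// a missing `customer` filter returns every subscription on the account.
const ALL = [
  { id: 'sub_A', customer: 'cus_alice' },
  { id: 'sub_B', customer: 'cus_bob' },
];
const fakeStripe = {
  subscriptions: {
    list: async ({ customer } = {}) => ({
      data: customer === undefined ? ALL : ALL.filter((s) => s.customer === customer),
    }),
  },
};
```

A well-formed ID that does not exist still passes the format check, so the ownership check on the response remains necessary.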