403 forbidden for accessing any stripe object when in "external" testing mode (even if permission already in manifest) #957

Open
xinghengwang opened this issue Mar 28, 2024 · 0 comments
Labels
bug Something isn't working needs-triage

xinghengwang commented Mar 28, 2024

Describe the bug

When I create a published app with a manifest that has the correct permissions, it works fine accessing resources in my own Stripe account.

But when another Stripe account installs the app using the "external test install link", any attempt to access a resource fails with 403.

To Reproduce
Steps to reproduce the behavior:

In my stripe-app manifest:

    {
      "permission": "plan_read",
      "purpose": "Need to get plan and price details"
    },
    {
      "permission": "plan_write",
      "purpose": "Enable creating plan and price"
    },
    {
      "permission": "product_read",
      "purpose": "Enable creating plan and price"
    },
    {
      "permission": "product_write",
      "purpose": "Enable creating plan and price"
    },
  

    // ...

      "ui_extension": {
        "views": [
          {
            "viewport": "stripe.dashboard.product.detail",
            "component": "Product"
          }
        ],


In the code of the UI extension:

    import Stripe from "stripe";
    import { Box, Button } from "@stripe/ui-extension-sdk/ui";
    import { showToast } from "@stripe/ui-extension-sdk/utils";
    import {
      createHttpClient,
      STRIPE_API_KEY
    } from "@stripe/ui-extension-sdk/http_client";

    // Initiate communication with the stripe client.
    const stripe = new Stripe(STRIPE_API_KEY, {
      httpClient: createHttpClient(),
      apiVersion: "2023-08-16"
    });

    const Product = ({environment, userContext}) => {

      // Fetch the product currently shown in the dashboard view.
      const downloadProduct = async () => {
        try {
          const product = await stripe.products.retrieve(environment.objectContext.id);
          console.log(JSON.stringify(product, null, '  '));
          showToast("downloaded product ", { type: "success" });
        } catch (err) {
          showToast("Failed to download product", { type: "caution" });
        }
        console.log(JSON.stringify(environment));
        console.log(JSON.stringify(userContext));
      }

      // List up to 50 plans on the account.
      const downloadPlans = async () => {
        try {
          const plans = await stripe.plans.list({ limit: 50 });
          console.log(JSON.stringify(plans, null, '  '));
          showToast("downloaded plans ", { type: "success" });
        } catch (err) {
          showToast("Failed to download plan", { type: "caution" });
        }
      }

      return (
        <Box>
          <Box><Button onPress={downloadProduct}>current Product</Button></Box>
          <Box><Button onPress={downloadPlans}>Products</Button></Box>
        </Box>
      );
    }

In test mode of my own account, or with stripe apps start, it works fine.

  1. Upload by stripe app load

  2. Set as "use for external test" and get the external test URL link

  3. In a separate Stripe account from the original app account, click on the link and install the app.

  4. The app installs fine, but any attempt to access the resource will result in a 403 error.

Expected behavior

Expect the same behavior in external testing mode vs. in "stripe app start" or in my own account.

Screenshots

Screenshot 2024-03-28 at 12 31 30 PM Screenshot 2024-03-28 at 12 46 57 PM


@xinghengwang xinghengwang added bug Something isn't working needs-triage labels Mar 28, 2024
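
The `catch` blocks in the report discard `err`, so the 403 carries no detail into the bug report. The following is an added example, not code from the issue author or from Stripe, that turns a caught error into a triage record and checks it against the manifest permissions. The function name, the call-to-permission mapping and the error field names (`statusCode`, `type`, `code`, `requestId`, assumed to match what stripe-node sets on its errors) are assumptions; the sample error is constructed.

```javascript
// Added example: names below are illustrative, not part of the Stripe SDK.
// Assumed mapping from the two API calls in the report to the manifest
// permissions that appear to cover them.
const REQUIRED_PERMISSION = {
  "products.retrieve": "product_read",
  "plans.list": "plan_read",
};

// Turn a caught error into a record worth attaching to a bug report.
// `err` is expected to carry the fields stripe-node puts on its errors
// (statusCode, type, code, requestId, message); missing fields become null.
function triageStripeError(call, err, manifestPermissions) {
  const needed = REQUIRED_PERMISSION[call] ?? null;
  const declared = needed !== null &&
    manifestPermissions.some((p) => p.permission === needed);
  const status = err && typeof err.statusCode === "number" ? err.statusCode : null;

  let verdict;
  if (status !== 403) {
    verdict = "not-a-permission-denial";
  } else if (needed === null) {
    verdict = "denied-unknown-call";
  } else if (!declared) {
    verdict = "denied-permission-missing-from-manifest";
  } else {
    verdict = "denied-despite-declared-permission";
  }
  return {
    call, status, verdict,
    neededPermission: needed,
    type: err?.type ?? null,
    code: err?.code ?? null,
    requestId: err?.requestId ?? null,
    message: err?.message ?? String(err),
  };
}

// Constructed sample input: permissions copied from the manifest above,
// and a hand-built error object standing in for a real 403 response.
const samplePermissions = [
  { permission: "plan_read", purpose: "Need to get plan and price details" },
  { permission: "product_read", purpose: "Enable creating plan and price" },
];
const sampleError = {
  statusCode: 403, type: "StripePermissionError",
  requestId: "req_CONSTRUCTED", message: "constructed sample message",
};
console.log(triageStripeError("products.retrieve", sampleError, samplePermissions));
```

Calling this from each `catch (err)` and logging the result separates a manifest gap from a denial that happens even though the permission is declared, which is the case this issue describes.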