Changes
Page history
service/donate: update api key docs (
#41511
)
authored
Oct 21, 2024
by
Jérôme Charaoui
Show whitespace changes
Inline
Side-by-side
service/donate.md
View page @
81c44ced
...
...
@@ -231,38 +231,16 @@ If we feel our API tokens might have been exposed, or staff leaves and
we would feel more comfortable replacing those secrets, we need to
rotate API tokens. There are two to replace: Stripe and PayPal keys.
Both staging and production sets of Paypal and Stripe API tokens are stored in
Trocla on the Puppet server. To rotate them, the general procedure is to
generate a new token, add it to Trocla, the run Puppet on either
`donate-01`
(production) or
`donate-review-01`
(staging).
### Stripe rotation procedure
Stripe has an excellent
[
Stripe roll key
](
https://docs.stripe.com/keys#rolling-keys
)
procedure. You first need
to have a
[
developer account
](
https://docs.stripe.com/payments/account/teams/roles#developer
)
(
ask
accounting) then head over to
the
[
test API keys page
](
https://dashboard.stripe.com/test/apikeys
)
. You will first rotate the API keys,
test that staging still works, then rotate the live keys. Here's the
full procedure.
1.
test that
[
staging
](
https://donate.staging.torproject.net/
)
still works
*before*
the change (see the
[
test procedure
](
#tests
)
), as it's possible it's broken for other
reasons. if it
*is*
broken, fix that first.
2.
roll the API key, with a 24h expiration
3.
deploy the new secret on the middleware, on
`tordonate@crm-ext-01.torproject.org`
, in the file
`/srv/donate.torproject.org/htdocs-staging/private/settings.local.php`
4.
test donations on staging, again: the transaction should show up
in the staging CiviCRM server and the "test" Stripe environment
5.
wait 24h
6.
test staging again (since the old key is now expired)
7.
run steps 1-6 with the production site, except with a 1h delay
Note that the "public" part of the key is stored in multiple
places. It's possible this was changed (in staging, in particular) but
not correctly updated everywhere. On top of the above
`private/settings.local.php`
, the key is also in
`databags/donate.ini`
on the
[
donate-static
](
https://gitlab.torproject.org/tpo/web/donate-static/
)
site.
the
[
test API keys page
](
https://dashboard.stripe.com/test/apikeys
)
to manage API keys used on staging.
### PayPal rotation procedure
...
...
...
...
