The Tor Project / TPA / Wiki Replica / Commits / 81c44ced
Commit 81c44ced (Verified), authored 5 months ago by Jérôme Charaoui
service/donate: update api key docs (team#41511)
parent e00ab5bf
service/donate.md: 6 additions, 28 deletions
@@ -231,38 +231,16 @@ If we feel our API tokens might have been exposed, or staff leaves and
we would feel more comfortable replacing those secrets, we need to
rotate API tokens. There are two to replace: Stripe and PayPal keys.
Both staging and production sets of Paypal and Stripe API tokens are stored in
Trocla on the Puppet server. To rotate them, the general procedure is to
generate a new token, add it to Trocla, the run Puppet on either
`donate-01`
(production) or
`donate-review-01`
(staging).
### Stripe rotation procedure
Stripe has an excellent
[
Stripe roll key
](
https://docs.stripe.com/keys#rolling-keys
)
procedure. You first need
to have a
[
developer account
](
https://docs.stripe.com/payments/account/teams/roles#developer
)
(
ask
accounting) then head over to
the
[
test API keys page
](
https://dashboard.stripe.com/test/apikeys
)
. You will first rotate the API keys,
test that staging still works, then rotate the live keys. Here's the
full procedure.
1.
test that
[
staging
](
https://donate.staging.torproject.net/
)
still works
*before*
the change (see the
[
test procedure
](
#tests
)
), as it's possible it's broken for other
reasons. if it
*is*
broken, fix that first.
2.
roll the API key, with a 24h expiration
3.
deploy the new secret on the middleware, on
`tordonate@crm-ext-01.torproject.org`
, in the file
`/srv/donate.torproject.org/htdocs-staging/private/settings.local.php`
4.
test donations on staging, again: the transaction should show up
in the staging CiviCRM server and the "test" Stripe environment
5.
wait 24h
6.
test staging again (since the old key is now expired)
7.
run steps 1-6 with the production site, except with a 1h delay
Note that the "public" part of the key is stored in multiple
places. It's possible this was changed (in staging, in particular) but
not correctly updated everywhere. On top of the above
`private/settings.local.php`
, the key is also in
`databags/donate.ini`
on the
[
donate-static
](
https://gitlab.torproject.org/tpo/web/donate-static/
)
site.
the
[
test API keys page
](
https://dashboard.stripe.com/test/apikeys
)
to manage API keys used on staging.
### PayPal rotation procedure
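Review bot: The general procedure in the paragraph above "### Stripe rotation procedure" (generate a new token, add it to Trocla, run Puppet on `donate-01` or `donate-review-01`) has no verification step, while the numbered list in this hunk tested staging before the change, rolled the key with an expiration, and tested again after the old key expired. With 6 additions against 28 deletions that list appears to be dropped, so consider keeping one sentence that links to the test procedure (`#tests`) and says to check staging before production. The same applies to the note that the "public" part of the key is also stored in `databags/donate.ini` on donate-static: if that copy is not managed through Trocla, the new text should still mention it, otherwise a rotation can leave it stale. The paragraph also does not say how a token is added to Trocla; a pointer to the relevant Trocla documentation would make the procedure usable by someone who has not done it before. Minor: "the run Puppet" should read "then run Puppet", and "Paypal" should be "PayPal" to match the rest of the section.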