[SOLVED] Need some help on Stripe/Oauth pls?


#1

Hi,

I have integrated with Stripe using Stand Alone accounts - as per https://stripe.com/docs/connect/standalone-accounts using https://atmospherejs.com/mrgalaxy/stripe.

It kinda works. If I am logged in to the Meteor app, I can then jump out to Stripe, authenticate, come back to Meteor via a server based route, call Stripe with the token and get the User ID (as per example above) … great… but when it comes back from Stripe’s OAuth to the specified callback URL the Meteor session/user has been lost at that point, so even though I can get the Stripe userID (as I have the token from the Stripe callback), I’ve lost my Meteor session.

Any recommendations on how I should do this and maintain the session?

This is what I had using iron-router for the server side route for the callback from Stripe:

Router.route('/stripecallback', { where: 'server' })
    .get(function () {
        var self = this;
        var req = this.request;
        var res = this.response;
        var query = req.query;
        if (query && typeof query.code !== "undefined"){

            HTTP.call("POST", STRIPE_TOKEN_URI, {
                    data: {
                      
                        grant_type: 'authorization_code',
                        client_id: STRIPE_CLIENT_ID,
                        code: query.code ,
                        client_secret: '<secret code>'
                    }
                },
                function (err, result) {
                    console.log("POST RESULT:", result, " ERR:", err);
                    if (err) {
                        console.log({message: 'Test failed error.'});
                        // End the response on failure so the request does not hang
                        res.end();
                    } else {
                        var accessToken = result.data.access_token;

                        // Do something with your accessToken

                        // For demo's sake, output in response:
                        // (res.end() needs a string or Buffer, not an object)
                        res.end(JSON.stringify({ 'Your Token': accessToken }));
                    }
                });

        } else if (query && typeof query.error !== "undefined") {
            res.writeHead(200, {'Content-Type': 'text/plain'});
            console.log("query.error:", query.error, query.error_description);
            res.end("query.error:" + query.error + query.error_description);
        } else {
            // Neither code nor error: end here. An unconditional end() after the
            // branches would close the response before the HTTP callback runs.
            res.end();
        }
    });

#2

Doh!, easy fix - I just changed the iron-router router style from:

Router.route('/stripecallback', { where: 'server' })
    .get(function () {

To:

Router.route('/stripecallback2', {
    name: 'stripeCallback2',
    layoutTemplate: 'layoutPublic',
    waitOn: function() {
        var self = this;
        var query = self.params;

So the Meteor session is maintained.


#3

The Meteor session is stored over a DDP connection, so if your code isn’t called from the client, Meteor will lose the current user session.
What can be done to help this is passing the userId over a route and saving it into a cookie with the cookies npm package.

Picker.route("/authorize/:userId/:loginToken", function(params, request, response, next){
    const Cookies = require("cookies");
    const cookies = new Cookies(request, response);
    cookies.set("userId", params.userId); // let's say userId is "123456"
    // saves the userId to be accessible later on in a server route
});

Picker.route("/stripe/oauth/callback", function(params, request, response, next){
    const Cookies = require("cookies");
    const cookies = new Cookies(request, response);
    console.log(cookies.get("userId")); // prints "123456"
});

Please note that the Stripe OAuth route will now be vulnerable to a CSRF attack since you are using cookies rather than localStorage within the browser. What you need to do is use the “state” parameter that Stripe offers in OAuth to prevent this.

Hope this helps :grinning:,
MegaMan433
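
The `state` check suggested in post #3, sketched as an added example that is not part of the thread or of any package mentioned in it: the value sent to Stripe is an HMAC bound to the userId held in the cookie, so the callback rejects a `state` that was minted for a different user or has expired. The function names, the secret and the ten-minute lifetime are assumptions.

```javascript
// Added example; function names, secret and TTL are hypothetical.
const crypto = require("crypto");

const STATE_TTL_MS = 10 * 60 * 1000; // assumed lifetime of one OAuth round trip

// HMAC over the user the state was issued for, plus nonce and expiry.
function mac(secret, userId, nonce, expires) {
  return crypto.createHmac("sha256", secret)
    .update(JSON.stringify([userId, nonce, expires]))
    .digest("hex");
}

// Route that redirects to Stripe: append the result as &state=<value>.
function makeState(secret, userId, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString("hex");
  const expires = String(now + STATE_TTL_MS);
  return [nonce, expires, mac(secret, userId, nonce, expires)].join(".");
}

// Callback route: call before exchanging query.code.
// cookieUserId is the value read back with cookies.get("userId").
function verifyState(secret, cookieUserId, state, now = Date.now()) {
  if (typeof state !== "string" || typeof cookieUserId !== "string") return false;
  const parts = state.split(".");
  if (parts.length !== 3) return false;
  const [nonce, expires, given] = parts;
  if (!/^\d+$/.test(expires) || Number(expires) < now) return false;
  const expected = Buffer.from(mac(secret, cookieUserId, nonce, expires));
  const actual = Buffer.from(given);
  // Constant-time compare; a state minted for another user fails here.
  return actual.length === expected.length &&
    crypto.timingSafeEqual(actual, expected);
}

// Constructed demo values, not real credentials.
function demo() {
  const secret = "constructed-demo-secret";
  const state = makeState(secret, "123456");
  return {
    sameUser: verifyState(secret, "123456", state),
    otherUser: verifyState(secret, "654321", state),
    missing: verifyState(secret, "123456", undefined),
  };
}
console.log(demo());
```

The value stays valid until it expires; if single use is required, record the nonce server-side and reject a repeat.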