flask-stripe-blueprint / docs / philosophy.rst

Philosophy

Some notes on how itemshop was created:

  • it was partially inspired by thylacine, a Rails app that lets you sell a single digital download (with stripe)
  • it is not a full ecommerce platform / shopping cart / online store (like Django's Satchmo), but could be used to build something like that; see the demos for some ideas
  • it is an attempt at creating a reusable app; the :class:`ItemBP` class is meant to be overridden, have new routes added to it, be integrated with a larger app, etc.

Reasons for using stripe:

  • no monthly fee or setup fee, just 2.9% + 30¢ for each transaction
  • their JS library (stripe.js) allows you to integrate credit card processing into your site, no redirects, no externally hosted pages, etc.
  • nice Python library and REST API

Reasons not to use stripe:

  • you have to live in the US to sign up for an account
  • it doesn't allow users to pay with their existing PayPal, Google Checkout, Amazon Payments, etc. accounts
  • if users are more comfortable with services like PayPal, they may be wary of entering a credit card number directly on your site

Sensitive information

One of the major reasons to use stripe.js is because you never need to handle sensitive credit card info on your server.

To guarantee that you never receive actual credit card info, leave the "name" attribute off of the sensitive form fields. A field without a name is not included in the form submission, so even if the form somehow gets submitted without JavaScript, the raw credit card data never reaches your server.
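Dropping the "name" attribute keeps card data out of a normal form submission, but a server-side check is a cheap second line of defence: if raw card data ever does arrive (a copied form that kept its names, a broken stripe.js load), the request should be refused rather than processed or logged. The following is an added example, not code from flask-stripe-blueprint; it screens a plain form dictionary for the one field the blueprint actually needs, ``stripe_token``, and rejects anything that looks like a primary account number. The field names in ``SENSITIVE_FIELD_NAMES`` and ``ALLOWED_FIELDS`` are assumptions for illustration, and the ``tok_`` prefix is the format of stripe token ids.

```python
import re
from typing import Dict, List, Tuple

# Fields the server is willing to act on. Only stripe_token is required by the
# blueprint; "email" and "quantity" are constructed examples of harmless extras.
ALLOWED_FIELDS = {"stripe_token", "email", "quantity"}

# Input names that must never be POSTed to the server. If stripe.js could not
# tokenize the card and the inputs carried a "name" attribute, a browser would
# submit these verbatim. (Assumed names, chosen to match common card forms.)
SENSITIVE_FIELD_NAMES = {"number", "card_number", "cvc", "exp_month", "exp_year"}

# A run of 13 to 19 digits, optionally separated by spaces or dashes, has the
# shape of a card number. Used to catch a PAN in an unexpectedly named field.
PAN_PATTERN = re.compile(r"^(?:\d[ -]?){13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: distinguishes a plausible card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card_number(value: str) -> bool:
    """True when the value has PAN shape and passes the Luhn check."""
    if not PAN_PATTERN.match(value.strip()):
        return False
    return luhn_ok(re.sub(r"[ -]", "", value))


def screen_purchase_form(form: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (stripe_token, names_of_ignored_fields) for an acceptable submission.

    Raises ValueError if raw card data is present or stripe_token is missing.
    The error message carries field names only; callers must never log values.
    """
    leaked = sorted(k for k, v in form.items()
                    if k in SENSITIVE_FIELD_NAMES or looks_like_card_number(v))
    if leaked:
        raise ValueError("raw card data submitted in fields: " + ", ".join(leaked))
    token = form.get("stripe_token", "")
    if not token.startswith("tok_"):
        raise ValueError("stripe_token missing or malformed")
    ignored = sorted(k for k in form if k not in ALLOWED_FIELDS)
    return token, ignored


if __name__ == "__main__":
    # Constructed sample submissions, as a browser would POST them.
    good = {"stripe_token": "tok_constructed_visa", "email": "buyer@example.com"}
    print(screen_purchase_form(good))
    bad = {"stripe_token": "tok_constructed_visa", "cc": "4242 4242 4242 4242"}
    try:
        screen_purchase_form(bad)
    except ValueError as exc:
        print("rejected:", exc)
```

In a Flask view the same function would run against ``request.form`` before anything else touches the request, and the ``ValueError`` would map to a 400 response. The Luhn check is there so that an innocent numeric field (a postcode, a quantity) is not mistaken for a card number while a real one in a misnamed field is still caught.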

Even though you do not need to host your site over HTTPS, it's probably best to do so anyway, to reassure users that the payment process is secure.

Persistence

Just like flask, this package has no notion of persistence, databases, ORMs, etc. It is agnostic about which database you want to use.

The stripe service keeps a record of purchases that you can view through their admin interface or retrieve through the API, so it can be thought of as a persistence layer in its own right. See the 03-secure-download demo for an example of using the stripe API to retrieve an existing payment.

To save purchases to a real database of your choosing, just inherit from :class:`ItemBP` and override the :meth:`post_purchase` method.
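As an added example of that override pattern (not code from flask-stripe-blueprint), the class below persists completed purchases to SQLite. The ``ItemBP`` here is a hypothetical stand-in that models only the :meth:`post_purchase` hook; the real class is a flask blueprint and what it passes to :meth:`post_purchase` is an assumption (a charge dictionary with stripe's ``id``, ``amount``, ``currency`` and ``receipt_email`` keys). The point the example makes is that the stripe charge id is the natural primary key, which makes the hook safe to re-run if a request is retried.

```python
import sqlite3
from typing import Any, Dict


class ItemBP:
    """Stand-in for flask-stripe-blueprint's ItemBP (hypothetical, not the
    project's class). Only the post_purchase hook is modelled; the package
    itself persists nothing, so the default does nothing."""

    def post_purchase(self, charge: Dict[str, Any]) -> bool:
        return False


SCHEMA = """
CREATE TABLE IF NOT EXISTS purchases (
    charge_id  TEXT PRIMARY KEY,   -- stripe's own id: a retry cannot insert twice
    email      TEXT NOT NULL,
    amount     INTEGER NOT NULL,   -- smallest currency unit, e.g. cents
    currency   TEXT NOT NULL,
    created_at TEXT NOT NULL DEFAULT (datetime('now'))
)
"""


class SqliteItemBP(ItemBP):
    """Records each successful charge in a purchases table."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        self.conn.execute(SCHEMA)

    def post_purchase(self, charge: Dict[str, Any]) -> bool:
        """Store the charge; returns False if this charge id was already stored."""
        row = (
            charge["id"],
            charge.get("receipt_email") or "",
            int(charge["amount"]),
            charge["currency"],
        )
        try:
            # The connection used as a context manager commits on success
            # and rolls back on error.
            with self.conn:
                self.conn.execute(
                    "INSERT INTO purchases (charge_id, email, amount, currency) "
                    "VALUES (?, ?, ?, ?)",
                    row,
                )
        except sqlite3.IntegrityError:
            return False  # duplicate delivery of the same charge
        return True

    def purchase_count(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM purchases").fetchone()[0]


if __name__ == "__main__":
    bp = SqliteItemBP(sqlite3.connect(":memory:"))
    # Constructed charge, shaped like the fields a stripe charge carries.
    charge = {"id": "ch_constructed_1", "receipt_email": "buyer@example.com",
              "amount": 500, "currency": "usd"}
    print(bp.post_purchase(charge), bp.post_purchase(charge), bp.purchase_count())
```

Because the stripe charge id is the primary key, the hook is idempotent: a second call with the same charge (a retried request, a replayed webhook) returns False instead of creating a duplicate order. If the hook also triggers fulfilment (sending a download link, say), that work should be gated on the True return value.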

Form generation / validation

This package also does not do any form generation or validation. By default, :class:`ItemBP` requires only one form field to be POSTed in order to process the request: ``stripe_token``.

The demos include some JavaScript validation. In my opinion, you should validate using JavaScript (or AJAX) because (a) the stripe.js API validates the credit card information for you and returns a decent error message, (b) you should not be sending users' credit card information to your server for validation, and (c) you want to avoid doing a page refresh, which will clear the credit card fields and annoy users who then have to re-enter their information.