Typing issue in CustomerSourceCreateParams.source

[svallory]

Stripe Node library version: 8.83.0

The source property of CustomerSourcesCreateParams, used in Stripe.customers.createSource() has type string and does not support an object, as specified in the API here

[remi-stripe]

@svallory Thanks for reaching out! This one is by design. Passing raw card details is something that is actively discouraged since it puts you under a higher scope for PCI compliance. Our types actively hide this feature to ensure developers don't mistakenly use this and put their business at risk. Our API also blocks this by default and requires a custom setting to get access.

I hope this helps clarify the decision!

[svallory]

Thanks @remi-stripe. I disagree with the approach, but it does clarify the issue. We use VGS proxy to remain PCI compliant. May I suggest adding a comment to the code explaining this? It would save a lot of time.

Also, the documentation implies sending the card data in the source property, but the test code in the package has the card properties in the object root.

[remi-stripe]

@svallory Thanks for catching the failing tests, I'll get them fixed!

[rubiin]

@remi-stripe any update on this. Using the code mentioned on the customer.spec also gives type issues

  const params = {
          source: {
            object: 'card',
            number: '123456',
            exp_month: '12',
            exp_year: '30',
          },
        };
        stripe.customers.createSource('cus_123', params);

[remi-stripe]

Type issues are expected, we strongly discourage sending raw card details server-side as it drastically increases your PCI compliance burden. It works, it's just not in types.