The Architecture that Helps Stripe Move Faster

1. a talk Making Big Changes at Stripe Evan Broder @ebroder

2. InfoQ.com: News & Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/ stripe-api-pci

3. Presented at QCon New York www.qconnewyork.com Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide

4. Evolving the Stripe API

5. def render_card(stripe_user, card) data = {} [...] if stripe_user.gating(:show_card_brand_as_type) data[:type] = card.brand else data[:brand] = card.brand end [...] return data end

6. Modern Request Handling InputAdapter OutputAdapter

7. def render_card(card) data = {} [...] data[:brand] = card.brand def convert_card_description(stripe_user, data) [...] if stripe_user.gating(:show_card_brand_as_type) data[:type] = data[:brand] end

8. Gating at Stripe

9. - :version: 2014-06-13 :new_gates: - :gate: show_card_brand_as_type :description: Rename `type` to `brand` on the card object. :note_in_reference: - card_object/brand

10. ~$ curl http://169.254.169.254/2014-11-05/meta-data/instance-id i-0511b27a

11. ~$ curl http://169.254.169.254/2014-11-05/meta-data/instance-id i-0511b27a

12. PCI and Go

13. a·pi·o·ri /'äpēˌôrē/

14. apiori

15. POST /v1/charges HTTP/1.1 Accept: */*; q=0.5, application/xml Accept-Encoding: gzip, deflate User-Agent: Stripe/v1 RubyBindings/1.43.0 Authorization: Bearer sk_test_BQokikJOvBiI2HlWgH4olfQ2 Content-Type: application/x-www-form-urlencoded Content-Length: 159 Host: api.stripe.com amount=400&currency=usd&source[number]=4242424242424242&source [exp_month]=6&source[exp_year]=2017&source[cvc] =314&description=Charge%20for%20test%40example.com

16. source[number]=4242424242424242

17. [source]number=4242424242424242 source[number]=4242424242424242

18. [source][number]=4242424242424242 [source]number=4242424242424242 source[number]=4242424242424242

19. ]][[[][]]]source]]]]]number]]=4242424242424242 [source][number]=4242424242424242 [source]number=4242424242424242 source[number]=4242424242424242

20. GET /v1/plans/10USD%2FMONTH HTTP/1.1 By performing this decoding, net.URL has implicitly taken a stance on the semantics of URLs that exceeds what the RFC allows

21. Be conservative in what you do, be liberal in what you accept from others

22. evan@tracey:gopiori (master)$ cat frontend/zoo/funny_path2/input GET /v1/plans/10USD%2fmonth HTTP/1.1 Authorization: Basic c2tfdGVzdF9CUW9raWtKT3ZCaUkySGxXZ0g0b2xmUTI6 User-Agent: curl/7.33.0 Host: localhost:15000 Accept: */*

23. evan@tracey:gopiori (master)$ cat frontend/zoo/funny_path2/input GET /v1/plans/10USD%2Fmonth HTTP/1.1 Host: localhost:15000 User-Agent: curl/7.33.0 Accept: */* Authorization: Basic c2tfdGVzdF9CUW9raWtKT3ZCaUkySGxXZ0g0b2xmUTI6 X-Apiori-Api-Key: sk_test_BQokikJOvBiI2HlWgH4olfQ2 X-Apiori-Api-Key-Provenance: basic X-Apiori-Info: {"forward.original_request_method":"GET", [...]} Accept-Encoding: gzip

24. evan@tracey:~/stripe/apiori/gopiori (master)$ ls frontend/zoo/ applepay emv malformed_pk_token bad_cscrypto funny_path1 malformed_request1 bad_headers funny_path2 malformed_request2 capture_charge funny_path3 malformed_request3 card_present funny_path4 malformed_swipe card_token_declines funny_path5 no_content_type card_with_spaces_or_dashes funny_path6 not_luhn_valid cscrypto_badgcm funny_path7 tokenize_bb cscrypto_badjson funny_path8 tokenize_cors cscrypto_bankaccount malformed_content_type tokenize_jsonp cscrypto_card malformed_emv top_level_cvc duplicate_content_type malformed_pan

25. The Oregon Trail

26. VPN server App server Database server Frontend server App server Database server Frontend server Internet

27. Primary Secondaries

28. Primary Secondaries Application

29. Primary Secondaries Application

30. VPN server Internet App server

31. VPN server Internet App server

32. VPN server Internet App server App server Load Balancer App server App server

33. References • Move Fast, Don't Break Your API: http: //goo.gl/7aOC3P • Migrating from AWS to AWS with Neti: http: //goo.gl/k33v76

34. Questions?

35. Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/ stripe-api-pci

The Architecture that Helps Stripe Move Faster

C4Media

The Architecture that Helps Stripe Move Faster