refactor: source Stripe API keys from ENV vars

[willopez]

Resolves #5767
Impact: minor
Type: refactor

Issue

The Stripe API key needs to be sourced from environment variables for security considerations.

Solution

Source the secret Stripe API key from environment variables. Some settings were removed as they are no longer needed.
Removed:

• publishable_key: only used by client to create Stripe tokens. details
• client_id - used by client

Why

• In order to move towards PCI compliance
• Secrets should be stored in a secured vault, moving to ENV vars facilitates using a secrets provider
• Remove dependency on Packages collection as it's not needed and we are working on removing it

[willopez]

Note: integration tests pass locally, they fail in Circle CI due to a known issue with in-memory Mongo, that should hopefully be fixed soon.

[willopez]

@mikemurray @aldeed I have verified that I amble to checkout on this branch, so we can move forward and merge.

[mikemurray]

Seem to work, but I had one comment. If I don't have a STRIPE_API_KEY in the .env file the app fails to start with an error form envalid.

Not sure what we want to do here, but if you don't have a stripe key, or don't intend to use stripe, the app shouldn't fail to start. Also might need some docs or put an example in .env.example. Of course in the future, this plugin would be split out of the API into its own package so whatever we do now is probably temporary.

[willopez]

@mikemurray good point, I have added a placeholder key to the example.env that will prevent the app from crashing.

[aldeed]

One suggestion @willopez

[willopez]

@mikemurray @aldeed Removed unnecessary code and re-tested with storefront and can confirm checkout with Stripe works.

[mikemurray]

👍