pay 6.3.0 → 6.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aeee41b07bfa798c33c4d05b73c7035905f562d45cec48564d543e371ff53a7e
-  data.tar.gz: 7b7b1695db44d1f3e00637431f91be10e12c54541921f4b555d83253b981dc04
+  metadata.gz: 5edf40fbd4c73316121bba2d278819cac41f0f4bb6000bc8d216d000fcac59ff
+  data.tar.gz: b93a89d4c256ac814bc133f7b2b5071220187006623eeff76000c3a829780577
 SHA512:
-  metadata.gz: ee0f52b211a5894d00d7226d486ccdbce5ca8f18a66a1fa1fcd7c37344bd842f0672cf4c4070d7ee12684b8c64801fcd8c8674fa22d17f7204e95609f3b5cfa0
-  data.tar.gz: 4dcf8f4142c67ae179749e955baff64b454c2fc2eba3664727fd41572d22b0e6c1913cac9d5bc2c063e4c484ade0663b401b6d44d283a203c65145f678d28e77
+  metadata.gz: e81185537e0d87f658fbf8a27b4e44f7d9942bef953a61ac8f94de2e005bd81625e43970a355fac38c27133f65e08f31067b4d5c62de7fe25bb05b1457d26538
+  data.tar.gz: 673fc7acfe41d96f3ef829279f89e4c9c831f6637ea57cd927acf40206fc1f42bd75b645ceb4b2a9b27cf29a91057c577b0c144408e739baa9d9bdea1c462d9c

data/app/controllers/pay/payments_controller.rb

@@ -2,9 +2,18 @@ module Pay
   class PaymentsController < ApplicationController
     layout "pay/application"
 
+    before_action :set_redirect_to
+
     def show
-      @redirect_to = params[:back].presence || root_path
       @payment = Payment.from_id(params[:id])
     end
+
+    private
+
+    # Ensure the back parameter is a valid path
+    # This safely handles XSS or external redirects
+    def set_redirect_to
+      @redirect_to = URI.parse(params[:back].to_s).path || root_path
+    end
   end
 end

data/app/models/pay/customer.rb

@@ -13,8 +13,6 @@ module Pay
     validates :processor, presence: true
     validates :processor_id, allow_blank: true, uniqueness: {scope: :processor, case_sensitive: true}
 
-    attribute :plan, :string
-    attribute :quantity, :integer
     attribute :payment_method_token, :string
 
     # Account(s) for marketplace payments
@@ -96,7 +94,7 @@ module Pay
     # Attempts to pay all past_due subscription invoices to bring them back to active state
     # Pass in `statuses: []` if you would like to only include specific subscription statuses
     def retry_past_due_subscriptions!(status: [:past_due])
-      subscriptions.where(status: Array.wrap(status)).each(&:retry_failed_payments)
+      subscriptions.where(status: Array.wrap(status)).each(&:pay_open_invoices)
     end
   end
 end

data/app/models/pay/subscription.rb

@@ -83,12 +83,13 @@ module Pay
       trial_ends_at?
     end
 
+    # Does not include the last second of the trial
     def on_trial?
-      trial_ends_at? && trial_ends_at.after?(Time.current)
+      trial_ends_at? && trial_ends_at > Time.current
     end
 
     def trial_ended?
-      trial_ends_at? && trial_ends_at.before?(Time.current)
+      trial_ends_at? && trial_ends_at <= Time.current
     end
 
     def canceled?
@@ -100,11 +101,11 @@ module Pay
     end
 
     def ended?
-      ends_at? && Time.current.after?(ends_at)
+      ends_at? && ends_at <= Time.current
     end
 
     def on_grace_period?
-      (ends_at? && Time.current < ends_at) ||
+      (ends_at? && ends_at > Time.current) ||
         ((status == "paused" || pause_behavior == "void") && will_pause?)
     end
 

data/app/views/pay/payments/show.html.erb

@@ -54,7 +54,7 @@
         </div>
       <% end %>
 
-      <%= link_to t("pay.back"), @redirect_to, class: "inline-block w-full px-4 py-3 bg-gray-100 hover:bg-gray-200 text-center text-gray-600 rounded-lg" %>
+      <%= sanitize link_to(t("pay.back"), @redirect_to, class: "inline-block w-full px-4 py-3 bg-gray-100 hover:bg-gray-200 text-center text-gray-600 rounded-lg") %>
     </div>
 
     <p class="text-center text-gray-500 text-sm">
@@ -66,7 +66,7 @@
 <script type="module">
   window.stripe = Stripe('<%= Pay::Stripe.public_key %>');
 
-  import { Application, Controller } from 'https://cdn.skypack.dev/@hotwired/stimulus'
+  import { Application, Controller } from 'https://unpkg.com/@hotwired/stimulus'
   const application = Application.start()
 
   application.register('payment-intent', class extends Controller {

data/lib/pay/env.rb

@@ -11,6 +11,14 @@ module Pay
     # 1. Check environment variable
     # 2. Check environment scoped credentials, then secrets
     # 3. Check unscoped credentials, then secrets
+    #
+    # For example, find_value_by_name("stripe", "private_key") will check the following in order until it finds a value:
+    #
+    #   ENV["STRIPE_PRIVATE_KEY"]
+    #   Rails.application.credentials.dig(:production, :stripe, :private_key)
+    #   Rails.application.secrets.dig(:production, :stripe, :private_key)
+    #   Rails.application.credentials.dig(:stripe, :private_key)
+    #   Rails.application.secrets.dig(:stripe, :private_key)
     def find_value_by_name(scope, name)
       ENV["#{scope.upcase}_#{name.upcase}"] ||
         credentials&.dig(env, scope, name) ||

data/lib/pay/fake_processor/billable.rb

@@ -19,8 +19,9 @@ module Pay
         pay_customer
       end
 
-      def update_customer!
-        # pass
+      def update_customer!(**attributes)
+        # return customer to fake an update
+        customer
       end
 
       def charge(amount, options = {})
@@ -56,6 +57,8 @@ module Pay
           attributes[:trial_ends_at] = trial_period_days.to_i.days.from_now
         end
 
+        attributes.delete(:promotion_code)
+
         pay_customer.subscriptions.create!(attributes)
       end
 

data/lib/pay/stripe/subscription.rb

@@ -315,6 +315,7 @@ module Pay
         raise Pay::Stripe::Error, e
       end
 
+      # Looks up open invoices for a subscription and attempts to pay them
       def pay_open_invoices
         ::Stripe::Invoice.list({subscription: processor_id, status: :open}, stripe_options).auto_paging_each do |invoice|
           retry_failed_payment(payment_intent_id: invoice.payment_intent)

data/lib/pay/version.rb

@@ -1,3 +1,3 @@
 module Pay
-  VERSION = "6.3.0"
+  VERSION = "6.3.2"
 end

data/lib/pay.rb

@@ -3,7 +3,8 @@ require "pay/engine"
 require "pay/errors"
 require "pay/adapter"
 
-require "active_support/dependencies"
+require "action_mailer"
+require "active_support"
 
 module Pay
   autoload :Attributes, "pay/attributes"
@@ -38,7 +39,7 @@ module Pay
   mattr_accessor :support_email
 
   def self.support_email=(value)
-    @@support_email = value.is_a?(Mail::Address) ? value : Mail::Address.new(value)
+    @@support_email = value.is_a?(::Mail::Address) ? value : ::Mail::Address.new(value)
   end
 
   mattr_accessor :automount_routes
@@ -95,10 +96,10 @@ module Pay
   # Should return String or Array of email recipients
   mattr_accessor :mail_to
   @@mail_to = -> {
-    if ActionMailer::Base.respond_to?(:email_address_with_name)
-      ActionMailer::Base.email_address_with_name(params[:pay_customer].email, params[:pay_customer].customer_name)
+    if ::ActionMailer::Base.respond_to?(:email_address_with_name)
+      ::ActionMailer::Base.email_address_with_name(params[:pay_customer].email, params[:pay_customer].customer_name)
     else
-      Mail::Address.new.tap do |builder|
+      ::Mail::Address.new.tap do |builder|
         builder.address = params[:pay_customer].email
         builder.display_name = params[:pay_customer].customer_name.presence
       end.to_s

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pay
 version: !ruby/object:Gem::Version
-  version: 6.3.0
+  version: 6.3.2
 platform: ruby
 authors:
 - Jason Charnes
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-13 00:00:00.000000000 Z
+date: 2023-04-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -168,7 +168,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.1
+rubygems_version: 3.4.12
 signing_key:
 specification_version: 4
 summary: Payments engine for Ruby on Rails