pay 6.3.1 → 6.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6bd608f9c9d71623d2c9caab7377cc9bd370fb0c88edf5771b63e4ee13c1d4ee
-  data.tar.gz: '082e316367a83d6152de5fbe31e98dd57a42c2ea32004d1f1cc364afbad6a628'
+  metadata.gz: 3dd5d8face3b7594984198d04cef9783a8b2ef213961a6eb44211fd9144d3f06
+  data.tar.gz: fdf8774b97c605f1a1ade9ce50bbc4ce43c86a94d0aa361afe30b6438face5b9
 SHA512:
-  metadata.gz: 1b430133c1e930e1cd730e51ae6f87658f62901021e1a02215d6a05550a600e82c5d24399e7a148730334a56cc01cd9cdc49693d3f97f9b8655ba80fa34db224
-  data.tar.gz: 6a6250a620a86a714aa6cf72b0b5433dbe4fc27c7e603452623d1d1d799335c9570af37a9452c1ef381263eab50aef7cffbc7059897f35d942590478484f7863
+  metadata.gz: a4b3921d316db733b60c841a4ebb9e16fe64ddd9e0581d832fd376feb5badf6e94e0aff348c0f3c11abb61e1dbda21f79fbe3a6f957dc9bcf958c4a9e86467dc
+  data.tar.gz: 80ca7cd637ca444b74a76af17bc682f96cf446ebe4cac043dc677d8e5b24d81a0e0721afee3455c7d2af942a6374ad8599f056f7f055fce72606f00e8765ca88

data/app/controllers/pay/payments_controller.rb

@@ -2,9 +2,18 @@ module Pay
   class PaymentsController < ApplicationController
     layout "pay/application"
 
+    before_action :set_redirect_to
+
     def show
-      @redirect_to = params[:back].presence || root_path
       @payment = Payment.from_id(params[:id])
     end
+
+    private
+
+    # Ensure the back parameter is a valid path
+    # This safely handles XSS or external redirects
+    def set_redirect_to
+      @redirect_to = URI.parse(params[:back].to_s).path || root_path
+    end
   end
 end

data/app/models/pay/customer.rb

@@ -13,8 +13,6 @@ module Pay
     validates :processor, presence: true
     validates :processor_id, allow_blank: true, uniqueness: {scope: :processor, case_sensitive: true}
 
-    attribute :plan, :string
-    attribute :quantity, :integer
     attribute :payment_method_token, :string
 
     # Account(s) for marketplace payments

data/app/models/pay/subscription.rb

@@ -83,12 +83,13 @@ module Pay
       trial_ends_at?
     end
 
+    # Does not include the last second of the trial
     def on_trial?
-      trial_ends_at? && trial_ends_at.after?(Time.current)
+      trial_ends_at? && trial_ends_at > Time.current
     end
 
     def trial_ended?
-      trial_ends_at? && trial_ends_at.before?(Time.current)
+      trial_ends_at? && trial_ends_at <= Time.current
     end
 
     def canceled?
@@ -100,11 +101,11 @@ module Pay
     end
 
     def ended?
-      ends_at? && Time.current.after?(ends_at)
+      ends_at? && ends_at <= Time.current
     end
 
     def on_grace_period?
-      (ends_at? && Time.current < ends_at) ||
+      (ends_at? && ends_at > Time.current) ||
         ((status == "paused" || pause_behavior == "void") && will_pause?)
     end
 
@@ -162,7 +163,7 @@ module Pay
 
     def swap_and_invoice(plan)
       swap(plan)
-      owner.invoice!(subscription_id: processor_id)
+      customer.invoice!(subscription: processor_id)
     end
 
     def processor_subscription(**options)

data/app/views/pay/payments/show.html.erb

@@ -54,7 +54,7 @@
         </div>
       <% end %>
 
-      <%= link_to t("pay.back"), @redirect_to, class: "inline-block w-full px-4 py-3 bg-gray-100 hover:bg-gray-200 text-center text-gray-600 rounded-lg" %>
+      <%= sanitize link_to(t("pay.back"), @redirect_to, class: "inline-block w-full px-4 py-3 bg-gray-100 hover:bg-gray-200 text-center text-gray-600 rounded-lg") %>
     </div>
 
     <p class="text-center text-gray-500 text-sm">
@@ -66,7 +66,7 @@
 <script type="module">
   window.stripe = Stripe('<%= Pay::Stripe.public_key %>');
 
-  import { Application, Controller } from 'https://cdn.skypack.dev/@hotwired/stimulus'
+  import { Application, Controller } from 'https://unpkg.com/@hotwired/stimulus'
   const application = Application.start()
 
   application.register('payment-intent', class extends Controller {

data/lib/pay/env.rb

@@ -11,6 +11,14 @@ module Pay
     # 1. Check environment variable
     # 2. Check environment scoped credentials, then secrets
     # 3. Check unscoped credentials, then secrets
+    #
+    # For example, find_value_by_name("stripe", "private_key") will check the following in order until it finds a value:
+    #
+    #   ENV["STRIPE_PRIVATE_KEY"]
+    #   Rails.application.credentials.dig(:production, :stripe, :private_key)
+    #   Rails.application.secrets.dig(:production, :stripe, :private_key)
+    #   Rails.application.credentials.dig(:stripe, :private_key)
+    #   Rails.application.secrets.dig(:stripe, :private_key)
     def find_value_by_name(scope, name)
       ENV["#{scope.upcase}_#{name.upcase}"] ||
         credentials&.dig(env, scope, name) ||

data/lib/pay/fake_processor/billable.rb

@@ -19,8 +19,9 @@ module Pay
         pay_customer
       end
 
-      def update_customer!
-        # pass
+      def update_customer!(**attributes)
+        # return customer to fake an update
+        customer
       end
 
       def charge(amount, options = {})
@@ -56,6 +57,8 @@ module Pay
           attributes[:trial_ends_at] = trial_period_days.to_i.days.from_now
         end
 
+        attributes.delete(:promotion_code)
+
         pay_customer.subscriptions.create!(attributes)
       end
 

data/lib/pay/stripe/subscription.rb

@@ -257,7 +257,7 @@ module Pay
             proration_behavior: proration_behavior,
             trial_end: (on_trial? ? trial_ends_at.to_i : "now"),
             quantity: quantity
-          }.merge(expand_options),
+          }.merge(expand_options).merge(options),
           stripe_options
         )
 

data/lib/pay/version.rb

@@ -1,3 +1,3 @@
 module Pay
-  VERSION = "6.3.1"
+  VERSION = "6.3.3"
 end

data/lib/pay.rb

@@ -3,7 +3,8 @@ require "pay/engine"
 require "pay/errors"
 require "pay/adapter"
 
-require "active_support/dependencies"
+require "action_mailer"
+require "active_support"
 
 module Pay
   autoload :Attributes, "pay/attributes"
@@ -38,7 +39,7 @@ module Pay
   mattr_accessor :support_email
 
   def self.support_email=(value)
-    @@support_email = value.is_a?(Mail::Address) ? value : Mail::Address.new(value)
+    @@support_email = value.is_a?(::Mail::Address) ? value : ::Mail::Address.new(value)
   end
 
   mattr_accessor :automount_routes
@@ -95,10 +96,10 @@ module Pay
   # Should return String or Array of email recipients
   mattr_accessor :mail_to
   @@mail_to = -> {
-    if ActionMailer::Base.respond_to?(:email_address_with_name)
-      ActionMailer::Base.email_address_with_name(params[:pay_customer].email, params[:pay_customer].customer_name)
+    if ::ActionMailer::Base.respond_to?(:email_address_with_name)
+      ::ActionMailer::Base.email_address_with_name(params[:pay_customer].email, params[:pay_customer].customer_name)
     else
-      Mail::Address.new.tap do |builder|
+      ::Mail::Address.new.tap do |builder|
         builder.address = params[:pay_customer].email
         builder.display_name = params[:pay_customer].customer_name.presence
       end.to_s

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pay
 version: !ruby/object:Gem::Version
-  version: 6.3.1
+  version: 6.3.3
 platform: ruby
 authors:
 - Jason Charnes
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-13 00:00:00.000000000 Z
+date: 2023-04-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -168,7 +168,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.3
+rubygems_version: 3.4.12
 signing_key:
 specification_version: 4
 summary: Payments engine for Ruby on Rails