solidus_stripe 4.3.0 → 5.0.0.alpha.1

data/app/models/solidus_stripe/gateway.rb

@@ -0,0 +1,231 @@
+# frozen_string_literal: true
+
+require 'stripe'
+require "solidus_stripe/money_to_stripe_amount_converter"
+require "solidus_stripe/refunds_synchronizer"
+
+module SolidusStripe
+  # @see https://stripe.com/docs/payments/accept-a-payment?platform=web&ui=checkout#auth-and-capture
+  # @see https://stripe.com/docs/charges/placing-a-hold
+  # @see https://guides.solidus.io/advanced-solidus/payments-and-refunds/#custom-payment-gateways
+  #
+  # ## About fractional amounts
+  #
+  # All methods in the Gateway class will have `amount_in_cents` arguments representing the
+  # fractional amount as defined by Spree::Money and will be translated to the fractional expected
+  # by Stripe, although for most currencies it's cents some will have a different multiplier and
+  # that is already took into account.
+  #
+  # @see SolidusStripe::MoneyToStripeAmountConverter
+  class Gateway
+    include SolidusStripe::MoneyToStripeAmountConverter
+    include SolidusStripe::LogEntries
+
+    def initialize(options)
+      # Cannot use kwargs because of how the Gateway is initialized by Solidus.
+      @client = Stripe::StripeClient.new(
+        api_key: options.fetch(:api_key, nil),
+      )
+      @options = options
+    end
+
+    attr_reader :client
+
+    # Authorizes a certain amount on the provided payment source.
+    #
+    # We create and confirm the Stripe payment intent in two steps. That's to
+    # guarantee that we associate a Solidus payment on the creation, and we can
+    # fetch it after the webhook event is published on confirmation.
+    #
+    # The Stripe payment intent id is copied over the Solidus payment
+    # `response_code` field.
+    def authorize(amount_in_cents, _source, options = {})
+      check_given_amount_matches_payment_intent(amount_in_cents, options)
+
+      stripe_payment_intent_options = {
+        amount: to_stripe_amount(amount_in_cents, options[:originator].currency),
+        confirm: false,
+        capture_method: "manual",
+      }
+
+      stripe_payment_intent = SolidusStripe::PaymentIntent.prepare_for_payment(
+        options[:originator],
+        **stripe_payment_intent_options,
+      )
+
+      confirm_stripe_payment_intent(stripe_payment_intent.stripe_intent_id)
+
+      build_payment_log(
+        success: true,
+        message: "PaymentIntent was confirmed successfully",
+        response_code: stripe_payment_intent.stripe_intent_id,
+        data: stripe_payment_intent.stripe_intent
+      )
+    rescue Stripe::StripeError => e
+      build_payment_log(
+        success: false,
+        message: e.message,
+        data: e.response
+      )
+    end
+
+    # Captures a certain amount from a previously authorized transaction.
+    #
+    # @see https://stripe.com/docs/api/payment_intents/capture#capture_payment_intent
+    # @see https://stripe.com/docs/payments/capture-later
+    #
+    # @todo add support for capturing custom amounts
+    def capture(amount_in_cents, payment_intent_id, options = {})
+      check_given_amount_matches_payment_intent(amount_in_cents, options)
+      check_payment_intent_id(payment_intent_id)
+
+      payment_intent = capture_stripe_payment_intent(payment_intent_id)
+      build_payment_log(
+        success: true,
+        message: "PaymentIntent was confirmed successfully",
+        response_code: payment_intent.id,
+        data: payment_intent,
+      )
+    rescue Stripe::InvalidRequestError => e
+      build_payment_log(
+        success: false,
+        message: e.to_s,
+        data: e.response,
+      )
+    end
+
+    # Authorizes and captures a certain amount on the provided payment source.
+    #
+    # See `#authorize` for how the confirmation step is performed.
+    #
+    # @todo add support for purchasing custom amounts
+    def purchase(amount_in_cents, _source, options = {})
+      check_given_amount_matches_payment_intent(amount_in_cents, options)
+
+      stripe_payment_intent_options = {
+        amount: to_stripe_amount(amount_in_cents, options[:originator].currency),
+        confirm: false,
+        capture_method: "automatic",
+      }
+
+      stripe_payment_intent = SolidusStripe::PaymentIntent.prepare_for_payment(
+        options[:originator],
+        **stripe_payment_intent_options,
+      )
+
+      confirm_stripe_payment_intent(stripe_payment_intent.stripe_intent_id)
+
+      build_payment_log(
+        success: true,
+        message: "PaymentIntent was confirmed and captured successfully",
+        response_code: stripe_payment_intent.stripe_intent_id,
+        data: stripe_payment_intent.stripe_intent,
+      )
+    rescue Stripe::StripeError => e
+      build_payment_log(
+        success: false,
+        message: e.to_s,
+        data: e.response,
+      )
+    end
+
+    # Voids a previously authorized transaction, releasing the funds that are on hold.
+    def void(payment_intent_id, _options = {})
+      check_payment_intent_id(payment_intent_id)
+
+      payment_intent = request do
+        Stripe::PaymentIntent.cancel(payment_intent_id)
+      end
+
+      build_payment_log(
+        success: true,
+        message: "PaymentIntent was canceled successfully",
+        response_code: payment_intent_id,
+        data: payment_intent,
+      )
+    rescue Stripe::InvalidRequestError => e
+      build_payment_log(
+        success: false,
+        message: e.to_s,
+        data: e.response,
+      )
+    end
+
+    # Refunds the provided amount on a previously captured transaction.
+    #
+    # Notice we're adding `solidus_skip_sync: 'true'` to the metadata to avoid a
+    # duplicated refund after the generated webhook event. See
+    # {RefundsSynchronizer}.
+    #
+    # TODO: check this method params twice.
+    def credit(amount_in_cents, payment_intent_id, options = {})
+      check_payment_intent_id(payment_intent_id)
+
+      payment = options[:originator].payment
+      currency = payment.currency
+
+      stripe_refund = request do
+        Stripe::Refund.create(
+          amount: to_stripe_amount(amount_in_cents, currency),
+          payment_intent: payment_intent_id,
+          metadata: {
+            RefundsSynchronizer::SKIP_SYNC_METADATA_KEY => RefundsSynchronizer::SKIP_SYNC_METADATA_VALUE
+          }
+        )
+      end
+
+      build_payment_log(
+        success: true,
+        message: "PaymentIntent was refunded successfully",
+        response_code: stripe_refund.id,
+        data: stripe_refund,
+      )
+    end
+
+    # Send a request to stripe using the current api keys but ignoring
+    # the response object.
+    #
+    # @yield Allows to use the `Stripe` gem using the credentials attached
+    #   to the current payment method
+    #
+    # @example Retrieve a payment intent
+    #   request { Stripe::PaymentIntent.retrieve(intent_id) }
+    #
+    # @return forwards the result of the block
+    def request(&block)
+      result, _response = client.request(&block)
+      result
+    end
+
+    private
+
+    def confirm_stripe_payment_intent(stripe_payment_intent_id)
+      request { Stripe::PaymentIntent.confirm(stripe_payment_intent_id) }
+    end
+
+    def capture_stripe_payment_intent(stripe_payment_intent_id)
+      request { Stripe::PaymentIntent.capture(stripe_payment_intent_id) }
+    end
+
+    def check_given_amount_matches_payment_intent(amount_in_cents, options)
+      payment = options[:originator] or
+        raise ArgumentError, "please provide a payment with the :originator option"
+
+      return if amount_in_cents == payment.display_amount.cents
+
+      raise \
+        "Using a custom amount is not supported yet, " \
+        "tried #{amount_in_cents} but can only accept #{payment.display_amount.cents}."
+    end
+
+    def check_payment_intent_id(payment_intent_id)
+      unless payment_intent_id
+        raise ArgumentError, "missing payment_intent_id"
+      end
+
+      return if payment_intent_id.start_with?('pi_')
+
+      raise ArgumentError, "the payment intent id has the wrong format"
+    end
+  end
+end

data/app/models/solidus_stripe/payment_intent.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+module SolidusStripe
+  class PaymentIntent < ApplicationRecord
+    belongs_to :order, class_name: 'Spree::Order'
+    belongs_to :payment_method, class_name: 'SolidusStripe::PaymentMethod'
+
+    def self.prepare_for_payment(payment, **stripe_intent_options)
+      # Find or create the intent for the payment.
+      intent =
+        retrieve_last_usable_intent(payment) ||
+          new(payment_method: payment.payment_method, order: payment.order)
+            .tap { _1.update!(stripe_intent_id: _1.create_stripe_intent(**stripe_intent_options).id) }
+
+      # Update the intent with the previously acquired payment method.
+      intent.payment_method.gateway.request {
+        Stripe::PaymentIntent.update(intent.stripe_intent_id, payment_method: payment.source.stripe_payment_method_id)
+      }
+
+      # Attach the payment intent to the payment.
+      payment.update!(response_code: intent.stripe_intent.id)
+
+      intent
+    end
+
+    def self.retrieve_last_usable_intent(payment)
+      intent = where(payment_method: payment.payment_method, order: payment.order).last
+      intent if intent&.usable?
+    end
+
+    def usable?
+      stripe_intent_id &&
+      stripe_intent.status == 'requires_payment_method'
+      stripe_intent.amount == stripe_order_amount
+    end
+
+    def stripe_order_amount
+      payment_method.gateway.to_stripe_amount(
+        order.display_order_total_after_store_credit.money.fractional,
+        order.currency,
+      )
+    end
+
+    def process_payment
+      payment = order.payments.valid.find_by!(
+        payment_method: payment_method,
+        response_code: stripe_intent.id,
+      )
+
+      payment.started_processing!
+
+      case stripe_intent.status
+      when 'requires_capture'
+        payment.pend! unless payment.pending?
+        successful = true
+      when 'succeeded'
+        payment.complete! unless payment.completed?
+        successful = true
+      else
+        payment.failure!
+        successful = false
+      end
+
+      SolidusStripe::LogEntries.payment_log(
+        payment,
+        success: successful,
+        message: I18n.t("solidus_stripe.intent_status.#{stripe_intent.status}"),
+        data: stripe_intent,
+      )
+
+      if successful
+        order.complete!
+        order.user.wallet.add(payment.source) if order.user && stripe_intent.setup_future_usage.present?
+      else
+        order.payment_failed!
+      end
+
+      successful
+    end
+
+    def stripe_intent
+      @stripe_intent ||= payment_method.gateway.request do
+        Stripe::PaymentIntent.retrieve(stripe_intent_id)
+      end
+    end
+
+    def reload(...)
+      @stripe_intent = nil
+      super
+    end
+
+    def create_stripe_intent(**stripe_intent_options)
+      stripe_customer_id = SolidusStripe::Customer.retrieve_or_create_stripe_customer_id(
+        payment_method: payment_method,
+        order: order
+      )
+
+      payment_method.gateway.request do
+        Stripe::PaymentIntent.create({
+          amount: stripe_order_amount,
+          currency: order.currency,
+          capture_method: payment_method.auto_capture? ? 'automatic' : 'manual',
+          setup_future_usage: payment_method.preferred_setup_future_usage.presence,
+          customer: stripe_customer_id,
+          metadata: { solidus_order_number: order.number },
+          **stripe_intent_options,
+        })
+      end
+    end
+  end
+end

data/app/models/solidus_stripe/payment_method.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module SolidusStripe
+  class PaymentMethod < ::Spree::PaymentMethod
+    preference :api_key, :string
+    preference :publishable_key, :string
+    preference :setup_future_usage, :string, default: ''
+
+    # @attribute [rw] preferred_webhook_endpoint_signing_secret The webhook endpoint signing secret
+    #  for this payment method.
+    # @see https://stripe.com/docs/webhooks/signatures
+    preference :webhook_endpoint_signing_secret, :string
+
+    validates :preferred_setup_future_usage, inclusion: { in: ['', 'on_session', 'off_session'] }
+
+    has_one :slug_entry, class_name: 'SolidusStripe::SlugEntry', inverse_of: :payment_method, dependent: :destroy
+
+    after_create :assign_slug
+
+    delegate :slug, to: :slug_entry
+
+    # @return [Spree::RefundReason] the reason used for refunds
+    #   generated from Stripe.
+    # @see SolidusStripe::Configuration.refund_reason_name
+    def self.refund_reason
+      Spree::RefundReason.find_by!(
+        name: SolidusStripe.configuration.refund_reason_name
+      )
+    end
+
+    def partial_name
+      "stripe"
+    end
+
+    alias cart_partial_name partial_name
+    alias product_page_partial_name partial_name
+    alias risky_partial_name partial_name
+
+    def source_required?
+      true
+    end
+
+    def payment_source_class
+      PaymentSource
+    end
+
+    def gateway_class
+      Gateway
+    end
+
+    def payment_profiles_supported?
+      # We actually support them, but not in the way expected by Solidus and its ActiveMerchant legacy.
+      false
+    end
+
+    def self.with_slug(slug)
+      where(id: SlugEntry.where(slug: slug).select(:payment_method_id))
+    end
+
+    # TODO: re-evaluate the need for this and think of ways to always go throught the intent classes.
+    def self.intent_id_for_payment(payment)
+      return unless payment
+
+      payment.transaction_id || SolidusStripe::PaymentIntent.where(
+        order: payment.order, payment_method: payment.payment_method
+      )&.pick(:stripe_intent_id)
+    end
+
+    def stripe_dashboard_url(intent_id)
+      path_prefix = '/test' if preferred_test_mode
+
+      case intent_id
+      when /^pi_/
+        "https://dashboard.stripe.com#{path_prefix}/payments/#{intent_id}"
+      end
+    end
+
+    def assign_slug
+      # If there's only one payment method, we can use a default slug.
+      slug = preferred_test_mode ? 'test' : 'live' if self.class.count == 1
+      slug = SecureRandom.hex(16) while SlugEntry.exists?(slug: slug) || slug.nil?
+
+      create_slug_entry!(slug: slug)
+    end
+
+    # The method that should be used is "Spree::PaymentMethod#reusable_sources".
+    # However, in the dedicated partial source form, the reusable_sources are
+    # assigned to "previous_cards":
+    # https://github.com/solidusio/solidus/blob/e9debb976e2228bb0b7a8eff4894e0556fc15cc8/backend/app/views/spree/admin/payments/_form.html.erb#L31
+    # This name is inaccurate and too specific because, in our case, a
+    # payment-source/stripe-payment-method have many different possible types:
+    # https://stripe.com/docs/api/payment_methods/object#payment_method_object-type
+    #
+    # For more details:
+    # https://github.com/solidusio/solidus/issues/5014
+    #
+    # @todo Start using the correct method to get a user's previous sources
+    def previous_sources(order)
+      if order.user_id
+        order.user.wallet.wallet_payment_sources.map(&:payment_source)
+      else
+        []
+      end
+    end
+  end
+end

data/app/models/solidus_stripe/payment_source.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'stripe'
+
+module SolidusStripe
+  class PaymentSource < ::Spree::PaymentSource
+    def stripe_payment_method
+      return if stripe_payment_method_id.blank?
+
+      @stripe_payment_method ||= payment_method.gateway.request do
+        Stripe::PaymentMethod.retrieve(stripe_payment_method_id)
+      end
+    end
+
+    def actions
+      %w[capture void credit]
+    end
+
+    def can_capture?(payment)
+      payment.pending?
+    end
+
+    def can_void?(payment)
+      payment.pending?
+    end
+
+    def can_credit?(payment)
+      payment.completed? && payment.credit_allowed > 0
+    end
+  end
+end

data/app/models/solidus_stripe/slug_entry.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module SolidusStripe
+  # Represents a webhook endpoint for a {SolidusStripe::PaymentMethod}.
+  #
+  # A Stripe webhook endpoint is a URL that Stripe will send events to. A store
+  # could have multiple Stripe payment methods (e.g., a marketplace), so we need
+  # to differentiate which one a webhook request targets.
+  #
+  # This model associates a slug with a payment method. The slug is appended
+  # to the endpoint URL (`.../webhooks/:slug`) so that we can fetch the
+  # correct payment method from the database and bind it to the generated
+  # `Spree::Bus` event.
+  #
+  # We use a slug instead of the payment method ID to be resilient to
+  # database changes and to avoid guessing about valid endpoint URLs.
+  class SlugEntry < ::Spree::Base
+    belongs_to :payment_method, class_name: 'SolidusStripe::PaymentMethod'
+  end
+end

data/app/models/solidus_stripe.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module SolidusStripe
+  def self.table_name_prefix
+    "solidus_stripe_"
+  end
+end

data/app/subscribers/solidus_stripe/webhook/charge_subscriber.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require "solidus_stripe/refunds_synchronizer"
+
+module SolidusStripe
+  module Webhook
+    # Handlers for Stripe charge events.
+    class ChargeSubscriber
+      include Omnes::Subscriber
+      include MoneyToStripeAmountConverter
+
+      handle :"stripe.charge.refunded", with: :sync_refunds
+
+      # Syncs Stripe refunds with Solidus refunds.
+      #
+      # @param event [SolidusStripe::Webhook::Event]
+      # @see SolidusStripe::RefundsSynchronizer
+      def sync_refunds(event)
+        payment_method = event.spree_payment_method
+        payment_intent_id = event.data.object.payment_intent
+
+        RefundsSynchronizer
+          .new(payment_method)
+          .call(payment_intent_id)
+      end
+    end
+  end
+end

data/app/subscribers/solidus_stripe/webhook/payment_intent_subscriber.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+require "solidus_stripe/refunds_synchronizer"
+
+module SolidusStripe
+  module Webhook
+    # Handlers for Stripe payment_intent events.
+    class PaymentIntentSubscriber
+      include Omnes::Subscriber
+      include SolidusStripe::MoneyToStripeAmountConverter
+
+      handle :"stripe.payment_intent.succeeded", with: :capture_payment
+      handle :"stripe.payment_intent.payment_failed", with: :fail_payment
+      handle :"stripe.payment_intent.canceled", with: :void_payment
+
+      # Captures a payment.
+      #
+      # Marks a Solidus payment associated to a Stripe payment intent as
+      # completed, adding a log entry about the event.
+      #
+      # In the case of a partial capture, it also synchronizes the refunds.
+      #
+      # @param event [SolidusStripe::Webhook::Event]
+      # @see SolidusStripe::RefundsSynchronizer
+      def capture_payment(event)
+        payment = extract_payment_from_event(event)
+        payment.with_lock do
+          break false if payment.completed?
+
+          complete_payment(payment)
+        end && sync_refunds(event)
+      end
+
+      # Fails a payment.
+      #
+      # Marks a Solidus payment associated to a Stripe payment intent as
+      # failed, adding a log entry about the event.
+      #
+      # @param event [SolidusStripe::Webhook::Event]
+      def fail_payment(event)
+        payment = extract_payment_from_event(event)
+
+        payment.with_lock do
+          break if payment.failed?
+
+          payment.failure!.tap do
+            SolidusStripe::LogEntries.payment_log(
+              payment,
+              success: false,
+              message: "Payment was marked as failed after payment_intent.failed webhook"
+            )
+          end
+        end
+      end
+
+      # Voids a payment.
+      #
+      # Voids a Solidus payment associated to a Stripe payment intent, adding a
+      # log entry about the event.
+      #
+      # @param event [SolidusStripe::Webhook::Event]
+      def void_payment(event)
+        payment = extract_payment_from_event(event)
+        reason = event.data.object.cancellation_reason
+
+        payment.with_lock do
+          break if payment.void?
+
+          payment.void!.tap do
+            SolidusStripe::LogEntries.payment_log(
+              payment,
+              success: true,
+              message: "Payment was voided after payment_intent.voided webhook (#{reason})"
+            )
+          end
+        end
+      end
+
+      private
+
+      def extract_payment_from_event(event)
+        payment_intent_id = event.data.object.id
+        Spree::Payment.find_by!(response_code: payment_intent_id)
+      end
+
+      def complete_payment(payment)
+        payment.complete!.tap do
+          SolidusStripe::LogEntries.payment_log(
+            payment,
+            success: true,
+            message: "Capture was successful after payment_intent.succeeded webhook"
+          )
+        end
+      end
+
+      def sync_refunds(event)
+        event.data.object.to_hash => {
+          id: payment_intent_id,
+          amount: stripe_amount,
+          amount_received: stripe_amount_received,
+          currency:
+        }
+        return if stripe_amount == stripe_amount_received
+
+        payment_method = event.spree_payment_method
+        RefundsSynchronizer
+          .new(payment_method)
+          .call(payment_intent_id)
+      end
+    end
+  end
+end

data/app/views/spree/admin/payments/source_forms/_stripe.html.erb

@@ -0,0 +1,29 @@
+<fieldset>
+  <legend><%= payment_method.name %></legend>
+
+  <% previous_sources = payment_method.previous_sources(@order) %>
+
+  <ul>
+    <% previous_sources.each do |payment_source| %>
+      <% default = payment_source == previous_sources.first %>
+      <% stripe_payment_method = payment_source.stripe_payment_method %>
+
+      <li>
+        <label>
+          <%= radio_button_tag(
+            :card,
+            payment_source.id,
+            default
+          ) %>
+          <%= stripe_payment_method.type.humanize %>
+        </label>
+        <fieldset>
+          <%= render(
+            "spree/admin/payments/source_forms/existing_payment/#{payment_method.partial_name}",
+            stripe_payment_method: stripe_payment_method,
+          ) %>
+        </fieldset>
+      </li>
+    <% end %>
+  </ul>
+</fieldset>

data/app/views/spree/admin/payments/source_forms/existing_payment/_stripe.html.erb

@@ -0,0 +1,14 @@
+<%
+  # https://stripe.com/docs/api/payment_methods/object#payment_method_object-type
+  partial_base = "spree/admin/payments/source_forms/existing_payment/stripe"
+  payment_type = stripe_payment_method.type
+
+  # Fallback on the default partial if a specialized partial is not available.
+  payment_type = 'default' if lookup_context.find_all("#{partial_base}/_#{payment_type}").none?
+%>
+
+<div>
+  <label>
+    <%= render "#{partial_base}/#{payment_type}", stripe_payment_method: stripe_payment_method %>
+  </label>
+</div>