RubyGems - solidus_stripe - Versions diffs - 4.4.0 → 5.0.0.rc.1 - Mend

solidus_stripe 4.4.0 → 5.0.0.rc.1

Files changed (148) hide show

data/README.md CHANGED Viewed

@@ -1,260 +1,242 @@
 # Solidus Stripe
 [![CircleCI](https://circleci.com/gh/solidusio/solidus_stripe.svg?style=shield)](https://circleci.com/gh/solidusio/solidus_stripe)
-[![codecov](https://codecov.io/gh/solidusio/solidus_stripe/branch/master/graph/badge.svg)](https://codecov.io/gh/solidusio/solidus_stripe)
+[![codecov](https://codecov.io/gh/solidusio/solidus_stripe/branch/main/graph/badge.svg)](https://codecov.io/gh/solidusio/solidus_stripe)
+[![yardoc](https://img.shields.io/badge/docs-rubydoc.info-informational)](https://rubydoc.info/gems/solidus_stripe)
-Stripe Payment Method for Solidus. It works as a wrapper for the ActiveMerchant Stripe gateway.
+<!-- Explain what your extension does. -->
 ## Installation
-Run from the command line:
+Add solidus_stripe to your bundle and run the installation generator:
 ```shell
 bundle add solidus_stripe
-bundle exec rails g solidus_stripe:install
+bin/rails generate solidus_stripe:install
 ```
-Usage
------
+Then set the following environment variables both locally and in production in order
+to setup the `solidus_stripe_env_credentials` static preference as defined in the initializer:
-Navigate to *Settings > Payments > Payment Methods* in the admin panel.
-You can now create a new payment method that uses Stripe by selecting
-`Stripe credit card` under Type in the New Payment Method form and saving.
-The Stripe payment method's extra fields will be now shown in the form.
+```shell
+SOLIDUS_STRIPE_API_KEY                # will prefill the `api_key` preference
+SOLIDUS_STRIPE_PUBLISHABLE_KEY        # will prefill the `publishable_key` preference
+SOLIDUS_STRIPE_WEBHOOK_SIGNING_SECRET # will prefill the `webhook_signing_secret` preference
+```
-**Configure via database configuration**
+Once those are available you can create a new Stripe payment method in the /admin interface
+and select the `solidus_stripe_env_credentials` static preference.
-If you want to store your Stripe credentials in the database just
-fill the new fields in the form, selecting `custom` (default) in the
-Preference Source field.
+⚠️ Be sure to set the enviroment variables to the values for test mode in your development environment.
-**Configure via static configuration**
+### Webhooks setup
-If you want to store your credentials into your codebase or use ENV
-variables you can create the following static configuration:
+The webhooks URLs are automatically generated based on the enviroment,
+by default it will be scoped to `live` in production and `test` everywhere else.
-```ruby
-# config/initializers/spree.rb
-Rails.application.config.to_prepare do
-  Spree::Config.static_model_preferences.add(
-    Spree::PaymentMethod::StripeCreditCard,
-    'stripe_env_credentials',
-    secret_key: ENV['STRIPE_SECRET_KEY'],
-    publishable_key: ENV['STRIPE_PUBLISHABLE_KEY'],
-    stripe_country: 'US',
-    v3_elements: false,
-    v3_intents: false
-  )
-end
+#### Production enviroment
+Before going to production, you'll need to [register the webhook endpoint with
+Stripe](https://stripe.com/docs/webhooks/go-live), and make sure to subscribe
+to the events listed in [the `SolidusStripe::Webhook::Event::CORE`
+constant](https://github.com/solidusio/solidus_stripe/blob/main/lib/solidus_stripe/webhook/event.rb).
+So in your Stripe dashboard you'll need to set the webhook URL to:
+    https://store.example.com/solidus_stripe/live/webhooks
+#### Non-production enviroments
+While for development [you should use the stripe CLI to forward the webhooks to your local server](https://stripe.com/docs/webhooks/test#webhook-test-cli):
+```shell
+# Please refer to `stripe listen --help` for more options
+stripe listen --forward-to http://localhost:3000/solidus_stripe/test/webhooks
 ```
-Once your server has been restarted, you can select in the Preference
-Source field a new entry called `stripe_env_credentials`. After saving,
-your  application will start using the static configuration to process
-Stripe payments.
+### Supporting `solidus_frontend`
+If you need support for `solidus_frontend` please refer to the [README of solidus_stripe v4](https://github.com/solidusio/solidus_stripe/tree/v4#readme).
+### Installing on a custom frontend
+If you're using a custom frontend you'll need to adjust the code copied to your application by the installation generator. Given frontend choices can vary wildly, we can't provide a one-size-fits-all solution, but we are providing this simple integration with `solidus_starter_frontend` as a reference implementation. The amount of code is intentionally kept to a minimum, so you can easily adapt it to your needs.
+## Caveats
+### Authorization and capture and checkout finalization
+Stripe supports two different flows for payments: [authorization and capture](https://stripe.com/docs/payments/capture-later) and immediate payment.
+Both flows are supported by this extension, but you should be aware that they will happen before the order finalization, just before the final confirmation. At that moment if the payment method of choice will require additional authentication (e.g. 3D Secure) the extra authentication will be shown to the user.
+### Upgrading from v4
+This extension is a complete rewrite of the previous version, and it's not generally compatible with v4.
+That being said, if you're upgrading from v4 you can check out this guide to help you with the transition
+from payment tokens to payment intents: https://stripe.com/docs/payments/payment-intents/migration.
+## Usage
+### Showing reusable sources in the checkout
+When saving stripe payment methods for future usage the checkout requires
+a partial for each supported payment method type.
+For the full list of types see: https://stripe.com/docs/api/payment_methods/object#payment_method_object-type.
+The extension will only install a partial for the `card` type, located in `app/views/checkouts/existing_payment/stripe/_card.html.erb`,
+and fall back to a `default` partial otherwise (see `app/views/checkouts/existing_payment/stripe/_default.html.erb`).
+As an example, in order to show a wallet source connected to a
+[SEPA Debit payment method](https://stripe.com/docs/api/payment_methods/object#payment_method_object-sepa_debit)
+the following partial should be added:
+`app/views/checkouts/existing_payment/stripe/_sepa_debit.html.erb`
+```erb
+<% sepa_debit = stripe_payment_method.sepa_debit %>
+🏦 <%= sepa_debit.bank_code %> / <%= sepa_debit.branch_code %><br>
+IBAN: **** **** **** **** **** <%= sepa_debit.last4 %>
+```
-Using Stripe Payment Intents API
---------------------------------
+### Showing reusable sources in the admin interface
-If you want to use the new SCA-ready Stripe Payment Intents API you need
-to change the `v3_intents` preference from the code above to true.
+Refer to the previous section for information on how to set up a new payment method type.
+However, it's important to note that if you have to display a wallet source connected to a
+Stripe Payment Method other than "card" on the admin interface, you must include the partial in:
-Also, if you want to allow Apple Pay and Google Pay payments using the
-Stripe  payment request button API, you only need to set the `stripe_country`
-preference, which represents the two-letter country code of your Stripe
-account. Conversely, if you need to disable the button you can simply remove
-the `stripe_country` preference.
+`app/views/spree/admin/payments/source_forms/existing_payment/stripe/`
-Please refer to Stripe official
-[documentation](https://stripe.com/docs/payments/payment-intents)
-for further instructions on how to make this work properly.
+### Customizing Webhooks
-The following configuration will use both Payment Intents and the
-payment request button API on the store payment page:
+Solidus Stripe comes with support for a few [webhook events](https://stripe.com/docs/webhooks), to which there's a default handler. You can customize the behavior of those handlers by or add to their behavior by replacing or adding subscribers in the internal Solidus event bus.
+Each event will have the original Stripe name, prefixed by `stripe.`. For example, the `payment_intent.succeeded` event will be published as `stripe.payment_intent.succeeded`.
+Here's the list of events that are supported by default:
+        payment_intent.succeeded
+        payment_intent.payment_failed
+        payment_intent.canceled
+        charge.refunded
+#### Adding a new event handler
+In order to add a new handler you need to register the event you want to listen to,
+both [in Stripe](https://stripe.com/docs/webhooks/go-live) and in your application:
 ```ruby
-Spree.config do |config|
-  # ...
-  config.static_model_preferences.add(
-    Spree::PaymentMethod::StripeCreditCard,
-    'stripe_env_credentials',
-    secret_key: ENV['STRIPE_SECRET_KEY'],
-    publishable_key: ENV['STRIPE_PUBLISHABLE_KEY'],
-    stripe_country: 'US',
-    v3_elements: false,
-    v3_intents: true
-  )
+# config/initializers/solidus_stripe.rb
+SolidusStripe.configure do |config|
+  config.webhook_events = %i[charge.succeeded]
 end
 ```
-When using the Payment Intents API, be aware that the charge flow will be a bit
-different than when using the old V2 API or Elements. It's advisable that all
-Payment Intents charges are captured only by using the Solidus backend, as it is
-the final source of truth in regards of Solidus orders payments.
-A Payment Intent is created as soon as the customer enters their credit card
-data. A tentative charge will be created on Stripe, easily recognizable by its
-description: `Solidus Order ID: R987654321 (pending)`. As soon as the credit
-card is confirmed (ie. when the customer passes the 3DSecure authorization, when
-required) then the charge description gets updated to include the Solidus payment
-number: `Solidus Order ID: R987654321-Z4VYUDB3`.
-These charges are created `uncaptured` and will need to be captured in Solidus
-backend later, after the customer confirms the order. If the customer never
-completes the checkout, that charge must remain uncaptured. If the customer
-decides to change their payment method after creating a Payment Request, then
-that Payment Request charge will be canceled.
-Apple Pay and Google Pay
------------------------
-The Payment Intents API now supports also Apple Pay and Google Pay via
-the [payment request button API](https://stripe.com/docs/stripe-js/elements/payment-request-button).
-Check the Payment Intents section for setup details. Also, please
-refer to the official Stripe documentation for configuring your
-Stripe account to receive payments via Apple Pay.
-It's possible to pay with Apple Pay and Google Pay directly from the cart
-page. The functionality is self-contained in the view partial
-`_stripe_payment_request_button.html.erb`. In order to use it, you need
-to render that partial in the `orders#edit` frontend page, and pass it the
-payment method configured for Stripe via the local variable
-`cart_checkout_payment_method`:
+That will register a new `:"stripe.charge.succeeded"` event in the [Solidus
+bus](https://guides.solidus.io/customization/subscribing-to-events). The
+Solidus event will be published whenever a matching incoming webhook event is
+received. You can subscribe to it [as usual](https://guides.solidus.io/customization/subscribing-to-events):
 ```ruby
-<%= render 'stripe_payment_request_button', cart_checkout_payment_method: Spree::PaymentMethod::StripeCreditCard.first %>
-```
+# app/subscribers/update_account_balance_subscriber.rb
+class UpdateAccountBalanceSubscriber
+  include Omnes::Subscriber
-Of course, the rules listed in the Payment Intents section (adding the stripe
-country config value, for example) apply also for this feature.
-Customizing the V3 API javascript
----------------------------------
-Stripe V3 JS code is now managed via Sprockets. If you need to customize the JS,
-you can simply override or/and add new methods to the relevant object prototype.
-Make sure you load your customizations after Stripe initalization code from
-`spree/frontend/solidus_stripe`.
-For example, the following code adds a callback method in order to print a debug
-message on the console:
-```js
-SolidusStripe.CartPageCheckout.prototype.onPrButtonMounted = function(id, result) {
-  if (result) {
-    $('#' + id).parent().show();
-    console.log('Payment request button is now mounted on element with id #' + id);
-  } else {
-    console.log('Payment request button failed initalization.');
-  }
-}
-```
+  handle :"stripe.charge.succeeded", with: :call
-Customizing Stripe Elements
------------------------
-### Styling input fields
-The default style this gem provides for Stripe Elements input fields is defined in `SolidusStripe.Elements.prototype.baseStyle`. You can override this method to return your own custom style (make sure it returns a valid [Stripe Style](https://stripe.com/docs/js/appendix/style)
-object):
-```js
-SolidusStripe.Elements.prototype.baseStyle = function () {
-  return {
-    base: {
-      iconColor: '#c4f0ff',
-      color: '#fff',
-      fontWeight: 500,
-      fontFamily: 'Roboto, Open Sans, Segoe UI, sans-serif',
-      fontSize: '16px',
-      fontSmoothing: 'antialiased',
-      ':-webkit-autofill': {
-        color: '#fce883',
-      },
-      '::placeholder': {
-        color: '#87BBFD',
-      },
-    },
-    invalid: {
-      iconColor: '#FFC7EE',
-      color: '#FFC7EE',
-    }
-  }
-};
-```
+  def call(event)
+    # Please refere to the Stripe gem and API documentation for more details on the
+    # structure of the event object. All methods called on `event` will be forwarded
+    # to the Stripe event object:
+    # - https://www.rubydoc.info/gems/stripe/Stripe/Event
+    # - https://stripe.com/docs/webhooks/stripe-events
-You can also style your element containers directly by using CSS rules like this:
+    Rails.logger.info "Charge succeeded: #{event.data.to_json}"
+  end
+end
-```css
-  .StripeElement {
-    border: 1px solid transparent;
-  }
+# config/initializers/solidus_stripe.rb
+# ...
+Rails.application.config.to_prepare do
+  UpdateAccountBalanceSubscriber.new.subscribe_to(Spree::Bus)
+end
+```
+The passed event object is a thin wrapper around the [Stripe
+event](https://www.rubydoc.info/gems/stripe/Stripe/Event) and the associated
+Solidus Stripe payment method. It will delegate all unknown methods to the
+underlying stripe event object. It can also be used in async [
+adapters](https://github.com/nebulab/omnes#adapters), which is recommended as
+otherwise the response to Stripe will be delayed until subscribers are done.
-  .StripeElement--focus {
-    box-shadow: 0 1px 3px 0 #cfd7df;
-  }
+#### Configuring the webhook signature tolerance
-  .StripeElement--invalid {
-    border-color: #fa755a;
-  }
+You can also configure the signature verification tolerance in seconds (it
+defaults to the [same value as Stripe
+default](https://stripe.com/docs/webhooks/signatures#replay-attacks)):
-  .StripeElement--webkit-autofill {
-    background-color: #fefde5 !important;
-  }
+```ruby
+# config/initializers/solidus_stripe.rb
+SolidusStripe.configure do |config|
+  config.webhook_signature_tolerance = 150
+end
 ```
-### Customizing individual input fields
+### Customizing the list of available Stripe payment methods
-If you want to customize individual input fields, you can override these methods
+By default, the extension will show all the payment methods that are supported by Stripe in the current currency and for the merchant country.
-* `SolidusStripe.Elements.prototype.cardNumberElementOptions`
-* `SolidusStripe.Elements.prototype.cardExpiryElementOptions`
-* `SolidusStripe.Elements.prototype.cardCvcElementOptions`
+You can customize the list of available payment methods by overriding the `payment_method_types` option in the `app/views/checkouts/payment/_stripe.html.erb` partial. Please refer to the [Stripe documentation](https://stripe.com/docs/payments/payment-methods) for the full list of supported payment methods.
-and return a valid [options object](https://stripe.com/docs/js/elements_object/create_element?type=cardNumber) for the corresponding field type. For example, this code sets a custom placeholder and enables the credit card icon for the card number field
+### Non-card payment methods and "auto_capture"
-```js
-SolidusStripe.Elements.prototype.cardNumberElementOptions = function () {
-  return {
-    style: this.baseStyle(),
-    showIcon: true,
-    placeholder: "I'm a custom placeholder!"
-  }
-}
-```
+Solidus payment methods are configured with a `auto_capture` option, which is used to determine if the payment should be captured immediately or not. If you intend to use a non-card payment method, it's likely that you'll need to set `auto_capture` to `true` in the payment method configuration. Please refer to the [Stripe documentation](https://stripe.com/docs/payments/payment-methods/integration-options#additional-api-supportability) for more details.
-### Passing options to the Stripe Elements instance
+## Implementation
-By overriding the `SolidusStripe.Payment.prototype.elementsBaseOptions` method and returning a [valid options object](https://stripe.com/docs/js/elements_object/create), you can pass custom options to the Stripe Elements instance.
+### Payment state-machine vs. PaymentIntent statuses
-Note that in order to use web fonts with Stripe Elements, you must specify the fonts when creating the Stripe Elements instance. Here's an example specifying a custom web font and locale:
+When compared to the Payment state machine, Stripe payment intents have different set of states and transitions.
+The most important difference is that on Stripe a failure is not a final state, rather just a way to start over.
-```js
-SolidusStripe.Payment.prototype.elementsBaseOptions = function () {
-  return {
-    locale: 'de',
-    fonts: [
-      {
-        cssSrc: 'https://fonts.googleapis.com/css?family=Source+Sans+Pro:400,600'
-      }
-    ]
-  };
-};
-```
+In order to map these concepts SolidusStripe will match states in a slightly unexpected way, as shown below.
+| Stripe PaymentIntent Status | Solidus Payment State |
+| --------------------------- | --------------------- |
+| requires_payment_method     | checkout              |
+| requires_action             | checkout              |
+| processing                  | processing            |
+| requires_confirmation       | checkout              |
+| requires_capture            | pending               |
+| succeeded                   | completed             |
+Reference:
+- https://stripe.com/docs/payments/intents?intent=payment
+- https://github.com/solidusio/solidus/blob/master/core/lib/spree/core/state_machines/payment.rb
-## Migrating from solidus_gateway
+### Deferred payment confirmation
-If you were previously using `solidus_gateway` gem you might want to
-check out our [Wiki page](https://github.com/solidusio/solidus_stripe/wiki/Migrating-from-solidus_gateway)
-that describes how to handle this migration.
+This extensions is using the [two-step payment confirmation](https://stripe.com/docs/payments/build-a-two-step-confirmation) flow. This means that at the payment step the payment form will just collect the basic payment information (e.g. credit card details) and any additional confirmation is deferred to the confirmation step.
 ## Development
+Retrieve your API Key and Publishable Key from your [Stripe testing dashboard](https://stripe.com/docs/testing). You can
+get your webhook signing secret executing the `stripe listen` command.
+Set `SOLIDUS_STRIPE_API_KEY`, `SOLIDUS_STRIPE_PUBLISHABLE_KEY` and `SOLIDUS_STRIPE_WEBHOOK_SIGNING_SECRET` environment
+variables (e.g. via `direnv`), this will trigger the default initializer to create a static preference for SolidusStripe.
+Run `bin/dev` to start both the sandbox rail server and the file watcher through Foreman. That will update the sandbox whenever
+a file is changed. When using `bin/dev` you can safely add `debugger` statements, even if Foreman won't provide a TTY, by connecting
+to the debugger session through `rdbg --attach` from another terminal.
+Visit `/admin/payments` and create a new Stripe payment using the static preferences.
+See the [Webhooks section](#webhooks) to learn how to configure Stripe webhooks.
 ### Testing the extension
 First bundle your dependencies, then run `bin/rake`. `bin/rake` will default to building the dummy
@@ -301,21 +283,11 @@ $ bin/rails server
 Use Ctrl-C to stop
 ```
-### Updating the changelog
-Before and after releases the changelog should be updated to reflect the up-to-date status of
-the project:
-```shell
-bin/rake changelog
-git add CHANGELOG.md
-git commit -m "Update the changelog"
-```
 ### Releasing new versions
 Please refer to the dedicated [page](https://github.com/solidusio/solidus/wiki/How-to-release-extensions) on Solidus wiki.
 ## License
 Copyright (c) 2014 Spree Commerce Inc., released under the New BSD License
-Copyright (c) 2021 Solidus Team, released under the New BSD License
+Copyright (c) 2021 Solidus Team, released under the New BSD License.

data/Rakefile CHANGED Viewed

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
-# Don't build a dummy app with solidus_bolt enabled
-ENV['SKIP_SOLIDUS_BOLT'] = 'true'
+require 'bundler/gem_tasks'
-require 'solidus_dev_support/rake_tasks'
-SolidusDevSupport::RakeTasks.install
-task default: 'extension:specs'
+task :default do
+  require 'bundler'
+  Bundler.with_unbundled_env do
+    sh 'bin/rspec'
+  end
+end

data/app/assets/javascripts/spree/backend/solidus_stripe.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ // Placeholder manifest file.
2	+ // the installer will append this file to the app vendored assets here: vendor/assets/javascripts/spree/backend/all.js'

data/app/assets/stylesheets/spree/backend/solidus_stripe.css ADDED Viewed

@@ -0,0 +1,4 @@
+/*
+Placeholder manifest file.
+the installer will append this file to the app vendored assets here: 'vendor/assets/stylesheets/spree/backend/all.css'
+*/

data/app/controllers/solidus_stripe/intents_controller.rb CHANGED Viewed

@@ -1,66 +1,50 @@
 # frozen_string_literal: true
-module SolidusStripe
-  class IntentsController < Spree::BaseController
-    include Spree::Core::ControllerHelpers::Order
+require 'stripe'
-    def create_intent
-      @intent = create_payment_intent
-      generate_payment_response
-    end
+class SolidusStripe::IntentsController < Spree::BaseController
+  include Spree::Core::ControllerHelpers::Order
-    def create_payment
-      create_payment_service = SolidusStripe::CreateIntentsPaymentService.new(
-        params[:stripe_payment_intent_id],
-        stripe,
-        self
-      )
+  before_action :load_payment_method
-      if create_payment_service.call
-        render json: { success: true }
-      else
-        render json: { error: "Could not create payment" }, status: :internal_server_error
-      end
+  def after_confirmation
+    unless params[:payment_intent]
+      return head :unprocessable_entity
     end
-    private
-    def stripe
-      @stripe ||= Spree::PaymentMethod::StripeCreditCard.find(params[:spree_payment_method_id])
+    unless current_order.confirm?
+      redirect_to main_app.checkout_state_path(current_order.state)
+      return
     end
-    def generate_payment_response
-      response = @intent.params
-      # Note that if your API version is before 2019-02-11, 'requires_action'
-      # appears as 'requires_source_action'.
-      if %w[requires_source_action requires_action].include?(response['status']) && response['next_action']['type'] == 'use_stripe_sdk'
-        render json: {
-          requires_action: true,
-          stripe_payment_intent_client_secret: response['client_secret']
-        }
-      elsif response['status'] == 'requires_capture'
-        render json: {
-          success: true,
-          requires_capture: true,
-          stripe_payment_intent_id: response['id']
-        }
-      else
-        render json: { error: response['error']['message'] }, status: :internal_server_error
-      end
-    end
+    intent = SolidusStripe::PaymentIntent.find_by!(
+      payment_method: @payment_method,
+      order: current_order,
+      stripe_intent_id: params[:payment_intent],
+    )
+    if intent.process_payment
+      flash.notice = t('spree.order_processed_successfully')
-    def create_payment_intent
-      stripe.create_intent(
-        (current_order.total * 100).to_i,
-        params[:stripe_payment_method_id],
-        description: "Solidus Order ID: #{current_order.number} (pending)",
-        currency: current_order.currency,
-        confirmation_method: 'automatic',
-        capture_method: 'manual',
-        confirm: true,
-        setup_future_usage: 'off_session',
-        metadata: { order_id: current_order.id }
+      flash['order_completed'] = true
+      redirect_to(
+        spree_current_user ?
+          main_app.order_path(current_order) :
+          main_app.token_order_path(current_order, current_order.guest_token)
       )
+    else
+      flash[:error] = params[:error_message] || t('spree.payment_processing_failed')
+      redirect_to(main_app.checkout_state_path(:payment))
     end
   end
+  private
+  def load_payment_method
+    @payment_method = current_order(create_order_if_necessary: true)
+      .available_payment_methods
+      .merge(SolidusStripe::PaymentMethod.with_slug(params[:slug]))
+      .first!
+  end
 end

data/app/controllers/solidus_stripe/webhooks_controller.rb ADDED Viewed

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+require "solidus_stripe/webhook/event"
+require "stripe"
+module SolidusStripe
+  class WebhooksController < Spree::BaseController
+    SIGNATURE_HEADER = "HTTP_STRIPE_SIGNATURE"
+    skip_before_action :verify_authenticity_token, only: :create
+    respond_to :json
+    def create
+      event = Webhook::Event.from_request(payload: request.body.read, signature_header: signature_header,
+        slug: params[:slug])
+      return head(:bad_request) unless event
+      Spree::Bus.publish(event) && head(:ok)
+    end
+    private
+    def signature_header
+      request.headers[SIGNATURE_HEADER]
+    end
+  end
+end