solidus_stripe 4.4.0 → 5.0.0.rc.1

data/app/models/concerns/solidus_stripe/log_entries.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module SolidusStripe::LogEntries
+  extend ActiveSupport::Concern
+  extend self
+
+  # Builds an ActiveMerchant::Billing::Response
+  #
+  # @option [true,false] :success
+  # @option [String] :message
+  # @option [String] :response_code
+  # @option [#to_json] :data
+  #
+  # @return [return type] return description
+  def build_payment_log(success:, message:, response_code: nil, data: nil)
+    ActiveMerchant::Billing::Response.new(
+      success,
+      message,
+      { 'data' => data.to_json },
+      { authorization: response_code },
+    )
+  end
+
+  def payment_log(payment, **options)
+    payment.log_entries.create!(details: YAML.safe_dump(
+      build_payment_log(**options),
+      permitted_classes: Spree::LogEntry.permitted_classes,
+      aliases: Spree::Config.log_entry_allow_aliases,
+    ))
+  end
+end

data/app/models/solidus_stripe/customer.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module SolidusStripe
+  class Customer < ApplicationRecord
+    belongs_to :payment_method
+
+    # Source is supposed to be a user or an order and needs to respond to #email
+    belongs_to :source, polymorphic: true
+
+    def self.retrieve_or_create_stripe_customer_id(payment_method:, order:)
+      instance = find_or_initialize_by(payment_method: payment_method, source: order.user || order)
+
+      instance.stripe_id ||
+        instance.create_stripe_customer.tap { instance.update!(stripe_id: _1.id) }.id
+    end
+
+    def create_stripe_customer
+      payment_method.gateway.request { Stripe::Customer.create(email: source.email) }
+    end
+  end
+end

data/app/models/solidus_stripe/gateway.rb

@@ -0,0 +1,229 @@
+# frozen_string_literal: true
+
+require 'stripe'
+require "solidus_stripe/money_to_stripe_amount_converter"
+require "solidus_stripe/refunds_synchronizer"
+
+module SolidusStripe
+  # @see https://stripe.com/docs/payments/accept-a-payment?platform=web&ui=checkout#auth-and-capture
+  # @see https://stripe.com/docs/charges/placing-a-hold
+  # @see https://guides.solidus.io/advanced-solidus/payments-and-refunds/#custom-payment-gateways
+  #
+  # ## About fractional amounts
+  #
+  # All methods in the Gateway class will have `amount_in_cents` arguments representing the
+  # fractional amount as defined by Spree::Money and will be translated to the fractional expected
+  # by Stripe, although for most currencies it's cents some will have a different multiplier and
+  # that is already took into account.
+  #
+  # @see SolidusStripe::MoneyToStripeAmountConverter
+  class Gateway
+    include SolidusStripe::MoneyToStripeAmountConverter
+    include SolidusStripe::LogEntries
+
+    def initialize(options)
+      # Cannot use kwargs because of how the Gateway is initialized by Solidus.
+      @client = Stripe::StripeClient.new(
+        api_key: options.fetch(:api_key, nil),
+      )
+      @options = options
+    end
+
+    attr_reader :client
+
+    # Authorizes a certain amount on the provided payment source.
+    #
+    # We create and confirm the Stripe payment intent in two steps. That's to
+    # guarantee that we associate a Solidus payment on the creation, and we can
+    # fetch it after the webhook event is published on confirmation.
+    #
+    # The Stripe payment intent id is copied over the Solidus payment
+    # `response_code` field.
+    def authorize(amount_in_cents, _source, options = {})
+      check_given_amount_matches_payment_intent(amount_in_cents, options)
+
+      stripe_payment_intent_options = {
+        amount: to_stripe_amount(amount_in_cents, options[:originator].currency),
+        confirm: false,
+        capture_method: "manual",
+      }
+
+      stripe_payment_intent = SolidusStripe::PaymentIntent.prepare_for_payment(
+        options[:originator],
+        **stripe_payment_intent_options,
+      )
+
+      confirm_stripe_payment_intent(stripe_payment_intent.stripe_intent_id)
+
+      build_payment_log(
+        success: true,
+        message: "PaymentIntent was confirmed successfully",
+        response_code: stripe_payment_intent.stripe_intent_id,
+        data: stripe_payment_intent.stripe_intent
+      )
+    rescue Stripe::StripeError => e
+      build_payment_log(
+        success: false,
+        message: e.message,
+        data: e.response
+      )
+    end
+
+    # Captures a certain amount from a previously authorized transaction.
+    #
+    # @see https://stripe.com/docs/api/payment_intents/capture#capture_payment_intent
+    # @see https://stripe.com/docs/payments/capture-later
+    #
+    # @todo add support for capturing custom amounts
+    def capture(amount_in_cents, stripe_payment_intent_id, options = {})
+      check_given_amount_matches_payment_intent(amount_in_cents, options)
+      check_stripe_payment_intent_id(stripe_payment_intent_id)
+
+      stripe_payment_intent = capture_stripe_payment_intent(stripe_payment_intent_id, amount_in_cents)
+      build_payment_log(
+        success: true,
+        message: "PaymentIntent was confirmed successfully",
+        response_code: stripe_payment_intent.id,
+        data: stripe_payment_intent,
+      )
+    rescue Stripe::InvalidRequestError => e
+      build_payment_log(
+        success: false,
+        message: e.to_s,
+        data: e.response,
+      )
+    end
+
+    # Authorizes and captures a certain amount on the provided payment source.
+    #
+    # See `#authorize` for how the confirmation step is performed.
+    #
+    # @todo add support for purchasing custom amounts
+    def purchase(amount_in_cents, _source, options = {})
+      check_given_amount_matches_payment_intent(amount_in_cents, options)
+
+      stripe_payment_intent_options = {
+        amount: to_stripe_amount(amount_in_cents, options[:originator].currency),
+        confirm: false,
+        capture_method: "automatic",
+      }
+
+      stripe_payment_intent = SolidusStripe::PaymentIntent.prepare_for_payment(
+        options[:originator],
+        **stripe_payment_intent_options,
+      )
+
+      confirm_stripe_payment_intent(stripe_payment_intent.stripe_intent_id)
+
+      build_payment_log(
+        success: true,
+        message: "PaymentIntent was confirmed and captured successfully",
+        response_code: stripe_payment_intent.stripe_intent_id,
+        data: stripe_payment_intent.stripe_intent,
+      )
+    rescue Stripe::StripeError => e
+      build_payment_log(
+        success: false,
+        message: e.to_s,
+        data: e.response,
+      )
+    end
+
+    # Voids a previously authorized transaction, releasing the funds that are on hold.
+    def void(stripe_payment_intent_id, _options = {})
+      check_stripe_payment_intent_id(stripe_payment_intent_id)
+
+      stripe_payment_intent = request do
+        Stripe::PaymentIntent.cancel(stripe_payment_intent_id)
+      end
+
+      build_payment_log(
+        success: true,
+        message: "PaymentIntent was canceled successfully",
+        response_code: stripe_payment_intent_id,
+        data: stripe_payment_intent,
+      )
+    rescue Stripe::InvalidRequestError => e
+      build_payment_log(
+        success: false,
+        message: e.to_s,
+        data: e.response,
+      )
+    end
+
+    # Refunds the provided amount on a previously captured transaction.
+    #
+    # Notice we're adding `solidus_skip_sync: 'true'` to the metadata to avoid a
+    # duplicated refund after the generated webhook event. See
+    # {RefundsSynchronizer}.
+    #
+    # TODO: check this method params twice.
+    def credit(amount_in_cents, stripe_payment_intent_id, options = {})
+      check_stripe_payment_intent_id(stripe_payment_intent_id)
+
+      payment = options[:originator].payment
+      currency = payment.currency
+
+      stripe_refund = request do
+        Stripe::Refund.create(
+          amount: to_stripe_amount(amount_in_cents, currency),
+          payment_intent: stripe_payment_intent_id,
+          metadata: RefundsSynchronizer.skip_sync_metadata
+        )
+      end
+
+      build_payment_log(
+        success: true,
+        message: "PaymentIntent was refunded successfully",
+        response_code: stripe_refund.id,
+        data: stripe_refund,
+      )
+    end
+
+    # Send a request to stripe using the current api keys but ignoring
+    # the response object.
+    #
+    # @yield Allows to use the `Stripe` gem using the credentials attached
+    #   to the current payment method
+    #
+    # @example Retrieve a payment intent
+    #   request { Stripe::PaymentIntent.retrieve(intent_id) }
+    #
+    # @return forwards the result of the block
+    def request(&block)
+      result, _response = client.request(&block)
+      result
+    end
+
+    private
+
+    def confirm_stripe_payment_intent(stripe_payment_intent_id)
+      request { Stripe::PaymentIntent.confirm(stripe_payment_intent_id) }
+    end
+
+    def capture_stripe_payment_intent(stripe_payment_intent_id, amount)
+      request { Stripe::PaymentIntent.capture(stripe_payment_intent_id, amount: amount) }
+    end
+
+    def check_given_amount_matches_payment_intent(amount_in_cents, options)
+      payment = options[:originator] or
+        raise ArgumentError, "please provide a payment with the :originator option"
+
+      return if amount_in_cents == payment.display_amount.cents
+
+      raise \
+        "Using a custom amount is not supported yet, " \
+        "tried #{amount_in_cents} but can only accept #{payment.display_amount.cents}."
+    end
+
+    def check_stripe_payment_intent_id(stripe_payment_intent_id)
+      unless stripe_payment_intent_id
+        raise ArgumentError, "missing stripe_payment_intent_id"
+      end
+
+      return if stripe_payment_intent_id.start_with?('pi_')
+
+      raise ArgumentError, "the payment intent id has the wrong format"
+    end
+  end
+end

data/app/models/solidus_stripe/payment_intent.rb

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+
+module SolidusStripe
+  class PaymentIntent < ApplicationRecord
+    belongs_to :order, class_name: 'Spree::Order'
+    belongs_to :payment_method, class_name: 'SolidusStripe::PaymentMethod'
+
+    def self.prepare_for_payment(payment, **stripe_creation_options)
+      # Find or create the intent for the payment.
+      intent = retrieve_for_payment(payment) || create_for_payment(payment, **stripe_creation_options)
+
+      # Attach the payment intent to the payment.
+      payment.update!(response_code: intent.stripe_intent.id)
+
+      intent
+    end
+
+    def self.create_for_payment(payment, **stripe_intent_options)
+      new(payment_method: payment.payment_method, order: payment.order)
+        .tap { _1.update!(stripe_intent_id: _1.create_stripe_intent(payment, **stripe_intent_options).id) }
+    end
+
+    def self.retrieve_for_payment(payment)
+      intent = where(payment_method: payment.payment_method, order: payment.order).last
+
+      return unless intent&.usable?
+
+      # Update the intent with the previously acquired payment method.
+      intent.payment_method.gateway.request {
+        Stripe::PaymentIntent.update(
+          intent.stripe_intent_id,
+          payment_method: payment.source.stripe_payment_method_id,
+          payment_method_types: [payment.source.stripe_payment_method.type],
+        )
+      }
+
+      intent
+    end
+
+    def usable?
+      stripe_intent_id &&
+      stripe_intent.status == 'requires_payment_method' &&
+      stripe_intent.amount == stripe_order_amount
+    end
+
+    def stripe_order_amount
+      payment_method.gateway.to_stripe_amount(
+        order.display_order_total_after_store_credit.money.fractional,
+        order.currency,
+      )
+    end
+
+    def process_payment
+      payment = order.payments.valid.find_by!(
+        payment_method: payment_method,
+        response_code: stripe_intent.id,
+      )
+
+      payment.started_processing!
+
+      case stripe_intent.status
+      when 'processing'
+        successful = true
+      when 'requires_capture'
+        payment.pend! unless payment.pending?
+        successful = true
+      when 'succeeded'
+        payment.complete! unless payment.completed?
+        successful = true
+      else
+        payment.failure!
+        successful = false
+      end
+
+      SolidusStripe::LogEntries.payment_log(
+        payment,
+        success: successful,
+        message: I18n.t("solidus_stripe.intent_status.#{stripe_intent.status}"),
+        data: stripe_intent,
+      )
+
+      if successful
+        order.complete!
+        order.user.wallet.add(payment.source) if order.user && stripe_intent.setup_future_usage.present?
+      else
+        order.payment_failed!
+      end
+
+      successful
+    end
+
+    def stripe_intent
+      @stripe_intent ||= payment_method.gateway.request do
+        Stripe::PaymentIntent.retrieve(stripe_intent_id)
+      end
+    end
+
+    def reload(...)
+      @stripe_intent = nil
+      super
+    end
+
+    def create_stripe_intent(payment, **stripe_intent_options)
+      stripe_customer_id = SolidusStripe::Customer.retrieve_or_create_stripe_customer_id(
+        payment_method: payment_method,
+        order: order
+      )
+
+      payment_method.gateway.request do
+        Stripe::PaymentIntent.create({
+          amount: stripe_order_amount,
+          currency: order.currency,
+          capture_method: payment_method.auto_capture? ? 'automatic' : 'manual',
+          setup_future_usage: payment_method.preferred_setup_future_usage.presence,
+          customer: stripe_customer_id,
+          payment_method: payment.source.stripe_payment_method_id,
+          payment_method_types: [payment.source.stripe_payment_method.type],
+          metadata: { solidus_order_number: order.number },
+          **stripe_intent_options,
+        })
+      end
+    end
+  end
+end

data/app/models/solidus_stripe/payment_method.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module SolidusStripe
+  class PaymentMethod < ::Spree::PaymentMethod
+    preference :api_key, :string
+    preference :publishable_key, :string
+    preference :setup_future_usage, :string, default: ''
+
+    # @attribute [rw] preferred_webhook_endpoint_signing_secret The webhook endpoint signing secret
+    #  for this payment method.
+    # @see https://stripe.com/docs/webhooks/signatures
+    preference :webhook_endpoint_signing_secret, :string
+
+    validates :preferred_setup_future_usage, inclusion: { in: ['', 'on_session', 'off_session'] }
+
+    has_one :slug_entry, class_name: 'SolidusStripe::SlugEntry', inverse_of: :payment_method, dependent: :destroy
+
+    after_create :assign_slug
+
+    delegate :slug, to: :slug_entry
+
+    # @return [Spree::RefundReason] the reason used for refunds
+    #   generated from Stripe.
+    # @see SolidusStripe::Configuration.refund_reason_name
+    def self.refund_reason
+      Spree::RefundReason.find_by!(
+        name: SolidusStripe.configuration.refund_reason_name
+      )
+    end
+
+    def partial_name
+      "stripe"
+    end
+
+    alias cart_partial_name partial_name
+    alias product_page_partial_name partial_name
+    alias risky_partial_name partial_name
+
+    def source_required?
+      true
+    end
+
+    def payment_source_class
+      PaymentSource
+    end
+
+    def gateway_class
+      Gateway
+    end
+
+    def payment_profiles_supported?
+      # We actually support them, but not in the way expected by Solidus and its ActiveMerchant legacy.
+      false
+    end
+
+    def self.with_slug(slug)
+      where(id: SlugEntry.where(slug: slug).select(:payment_method_id))
+    end
+
+    # TODO: re-evaluate the need for this and think of ways to always go throught the intent classes.
+    def self.intent_id_for_payment(payment)
+      return unless payment
+
+      payment.transaction_id || SolidusStripe::PaymentIntent.where(
+        order: payment.order, payment_method: payment.payment_method
+      )&.pick(:stripe_intent_id)
+    end
+
+    def stripe_dashboard_url(intent_id)
+      path_prefix = '/test' if preferred_test_mode
+
+      case intent_id
+      when /^pi_/
+        "https://dashboard.stripe.com#{path_prefix}/payments/#{intent_id}"
+      end
+    end
+
+    def assign_slug
+      # If there's only one payment method, we can use a default slug.
+      slug = preferred_test_mode ? 'test' : 'live' if self.class.count == 1
+      slug = SecureRandom.hex(16) while SlugEntry.exists?(slug: slug) || slug.nil?
+
+      create_slug_entry!(slug: slug)
+    end
+
+    # The method that should be used is "Spree::PaymentMethod#reusable_sources".
+    # However, in the dedicated partial source form, the reusable_sources are
+    # assigned to "previous_cards":
+    # https://github.com/solidusio/solidus/blob/e9debb976e2228bb0b7a8eff4894e0556fc15cc8/backend/app/views/spree/admin/payments/_form.html.erb#L31
+    # This name is inaccurate and too specific because, in our case, a
+    # payment-source/stripe-payment-method have many different possible types:
+    # https://stripe.com/docs/api/payment_methods/object#payment_method_object-type
+    #
+    # For more details:
+    # https://github.com/solidusio/solidus/issues/5014
+    #
+    # @todo Start using the correct method to get a user's previous sources
+    def previous_sources(order)
+      if order.user_id
+        order.user.wallet.wallet_payment_sources.map(&:payment_source)
+      else
+        []
+      end
+    end
+  end
+end

data/app/models/solidus_stripe/payment_source.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'stripe'
+
+module SolidusStripe
+  class PaymentSource < ::Spree::PaymentSource
+    def stripe_payment_method
+      return if stripe_payment_method_id.blank?
+
+      @stripe_payment_method ||= payment_method.gateway.request do
+        Stripe::PaymentMethod.retrieve(stripe_payment_method_id)
+      end
+    end
+
+    def actions
+      %w[capture void credit]
+    end
+
+    def can_capture?(payment)
+      payment.pending?
+    end
+
+    def can_void?(payment)
+      payment.pending?
+    end
+
+    def can_credit?(payment)
+      payment.completed? && payment.credit_allowed > 0
+    end
+  end
+end

data/app/models/solidus_stripe/slug_entry.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module SolidusStripe
+  # Represents a webhook endpoint for a {SolidusStripe::PaymentMethod}.
+  #
+  # A Stripe webhook endpoint is a URL that Stripe will send events to. A store
+  # could have multiple Stripe payment methods (e.g., a marketplace), so we need
+  # to differentiate which one a webhook request targets.
+  #
+  # This model associates a slug with a payment method. The slug is appended
+  # to the endpoint URL (`.../webhooks/:slug`) so that we can fetch the
+  # correct payment method from the database and bind it to the generated
+  # `Spree::Bus` event.
+  #
+  # We use a slug instead of the payment method ID to be resilient to
+  # database changes and to avoid guessing about valid endpoint URLs.
+  class SlugEntry < ::Spree::Base
+    belongs_to :payment_method, class_name: 'SolidusStripe::PaymentMethod'
+  end
+end

data/app/models/solidus_stripe.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module SolidusStripe
+  def self.table_name_prefix
+    "solidus_stripe_"
+  end
+end

data/app/subscribers/solidus_stripe/webhook/charge_subscriber.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require "solidus_stripe/refunds_synchronizer"
+
+module SolidusStripe
+  module Webhook
+    # Handlers for Stripe charge events.
+    class ChargeSubscriber
+      include Omnes::Subscriber
+      include MoneyToStripeAmountConverter
+
+      handle :"stripe.charge.refunded", with: :sync_refunds
+
+      # Syncs Stripe refunds with Solidus refunds.
+      #
+      # @param event [SolidusStripe::Webhook::Event]
+      # @see SolidusStripe::RefundsSynchronizer
+      def sync_refunds(event)
+        payment_method = event.payment_method
+        stripe_payment_intent_id = event.data.object.payment_intent
+
+        RefundsSynchronizer
+          .new(payment_method)
+          .call(stripe_payment_intent_id)
+      end
+    end
+  end
+end