solidus_stripe 4.4.1 → 5.0.0.alpha.1

data/spec/support/solidus_stripe/checkout_test_helper.rb

@@ -0,0 +1,339 @@
+# frozen_string_literal: true
+
+require 'solidus_starter_frontend_spec_helper'
+
+module SolidusStripe::CheckoutTestHelper
+  include SolidusStarterFrontend::SystemHelpers
+  def self.included(base)
+    base.include Devise::Test::IntegrationHelpers
+  end
+
+  # Setup methods
+  #
+  # These are methods that are used specifically for setting up the
+  # environment for testing.
+
+  def assign_guest_token(guest_token)
+    # rubocop:disable RSpec/AnyInstance
+    allow_any_instance_of(ActionDispatch::Cookies::SignedKeyRotatingCookieJar).tap do |allow_cookie_jar|
+      # Retrieve all other cookies from the original jar.
+      allow_cookie_jar.to receive(:[]).and_call_original
+      allow_cookie_jar.to receive(:[]).with(:guest_token).and_return(guest_token)
+    end
+    # rubocop:enable RSpec/AnyInstance
+  end
+
+  def create_payment_method(setup_future_usage: 'off_session', auto_capture: false)
+    @payment_method = create(
+      :stripe_payment_method,
+      preferred_setup_future_usage: setup_future_usage,
+      auto_capture: auto_capture
+    )
+  end
+
+  def payment_method
+    # Memoize the payment method id to avoid fetching it multiple times
+    @payment_method ||= SolidusStripe::PaymentMethod.first!
+  end
+
+  def current_order
+    @current_order ||= Spree::Order.last!
+  end
+
+  def last_stripe_payment
+    current_order.payments.reorder(id: :desc).find_by(source_type: "SolidusStripe::PaymentSource")
+  end
+
+  def capture_last_valid_payment
+    payment = current_order.payments.valid.last
+    payment.capture!
+    expect(payment.payment_method.type).to eq('SolidusStripe::PaymentMethod')
+    intent = payment.payment_method.gateway.request do
+      Stripe::PaymentIntent.retrieve(payment.response_code)
+    end
+    expect(intent.status).to eq('succeeded')
+  end
+
+  # Stripe form methods
+  #
+  # These are methods that are used specifically for interacting with
+  # the Stripe payment form.
+
+  def fill_stripe_form(
+    number: 4242_4242_4242_4242, # rubocop:disable Style/NumericLiterals
+    expiry_month: 12,
+    expiry_year: Time.current.year + 1,
+    date: nil,
+    cvc: '123',
+    country: 'United States',
+    zip: '90210'
+  )
+    fill_in_stripe_cvc(cvc)
+    fill_in_stripe_expiry_date(year: expiry_year, month: expiry_month, date: date)
+    fill_in_stripe_card(number)
+    fill_in_stripe_country(country)
+    fill_in_stripe_zip(zip) if zip # not shown for every country
+  end
+
+  def fill_in_stripe_card(number)
+    fills_in_stripe_input 'number', with: number
+  end
+
+  def fill_in_stripe_expiry_date(year: nil, month: nil, date: nil)
+    date ||= begin
+      month = month.to_s.rjust(2, '0') unless month.is_a? String
+      year = year.to_s[2..3] unless year.is_a? String
+      "#{month}#{year}"
+    end
+
+    fills_in_stripe_input 'expiry', with: date.to_s[0..3]
+  end
+
+  def fill_in_stripe_cvc(cvc)
+    fills_in_stripe_input 'cvc', with: cvc.to_s[0..2].to_s
+  end
+
+  def fill_in_stripe_country(country_name)
+    using_wait_time(10) do
+      within_frame(find_stripe_iframe) do
+        find(%{select[name="country"]}).select(country_name)
+      end
+    end
+  end
+
+  def fill_in_stripe_zip(zip)
+    fills_in_stripe_input 'postalCode', with: zip
+  end
+
+  def fills_in_stripe_input(name, with:)
+    using_wait_time(10) do
+      within_frame(find_stripe_iframe) do
+        with.to_s.chars.each { find(%{input[name="#{name}"]}).send_keys(_1) }
+      end
+    end
+  end
+
+  def clear_stripe_form
+    %w[number expiry cvc postalCode].each do |name|
+      using_wait_time(10) do
+        within_frame(find_stripe_iframe) do
+          field = find(%{input[name="#{name}"]})
+          field.value.length.times { field.send_keys [:backspace] }
+        end
+      end
+    end
+  end
+
+  def find_stripe_iframe
+    fieldset = find_payment_fieldset(payment_method.id)
+    expect(fieldset).to have_css('iframe', wait: 15) # trigger waiting if the frame is not yet there
+    fieldset.find("iframe")
+  end
+
+  # 3D Secure methods
+  #
+  # These are methods that are used specifically for handling 3D Secure (3DS) payment
+  # authorizations.
+  #
+  # However, it's important to note that this process may require an additional step,
+  # (currently not fully supported), which is indicated by the "next_action" property
+  # of the Stripe PaymentIntent object.
+  #
+  # More information on this property can be found in the Stripe API documentation:
+  # PaymentIntent objects : https://stripe.com/docs/api/payment_intents/object#payment_intent_object-next_action
+
+  def authorize_3d_secure_payment(authenticate: true)
+    find_frame('body > div > iframe') do
+      find_frame('#challengeFrame') do
+        find_frame("iframe[name='acsFrame']") do
+          click_on authenticate ? 'Complete authentication' : 'Fail authentication'
+        end
+      end
+    end
+  end
+
+  def authorize_3d_secure_2_payment(authenticate: true)
+    find_frame('body > div > iframe') do
+      find_frame('#challengeFrame') do
+        click_on authenticate ? 'Complete' : 'Fail'
+      end
+    end
+  end
+
+  def find_frame(selector, &block)
+    using_wait_time(15) do
+      frame = find(selector)
+      within_frame(frame, &block)
+    end
+  end
+
+  # Checkout methods
+  #
+  # These are methods that are used specifically for interacting with
+  # the checkout process.
+
+  def visit_payment_step(user: nil)
+    @current_order = Spree::TestingSupport::OrderWalkthrough.up_to(:delivery, user: user)
+
+    if user
+      sign_in current_order.user
+    else
+      assign_guest_token current_order.guest_token
+    end
+
+    visit '/checkout/payment'
+  end
+
+  def choose_new_stripe_payment
+    choose(option: payment_method.id)
+  end
+
+  def submit_payment
+    click_button("Save and Continue")
+  end
+
+  def check_terms_of_service
+    expect(page).to have_content("Agree to Terms of Service")
+    check "Agree to Terms of Service"
+  end
+
+  def confirm_order
+    click_button("Place Order")
+  end
+
+  def complete_order
+    check_terms_of_service
+    confirm_order
+    expect(page).to have_content('Your order has been processed successfully')
+  end
+
+  def expects_page_and_order_to_be_in_payment_step
+    expect(page).to have_current_path('/checkout/payment')
+    expect(current_order.state).to eq('payment')
+  end
+
+  def expects_payment_to_be_failed
+    expect(last_stripe_payment.state).to eq('failed')
+  end
+
+  def expects_page_to_not_display_wallet_payment_sources
+    expect(page).to have_no_selector("[name='order[wallet_payment_source_id]']")
+  end
+
+  def expects_to_have_specific_authorized_amount_on_stripe(amount)
+    stripe_payment_intent = payment_method.gateway.request do
+      Stripe::PaymentIntent.retrieve(last_stripe_payment.response_code)
+    end
+    expect(stripe_payment_intent.amount).to eq(amount * 100)
+  end
+
+  # Test methods
+  #
+  # These are methods that are used specifically for testing the Stripe
+  # checkout process.
+
+  def payment_intent_is_created_with_required_capture
+    intent = SolidusStripe::PaymentIntent.where(
+      payment_method: payment_method,
+      order: current_order
+    ).last.stripe_intent
+    expect(intent.status).to eq('requires_capture')
+  end
+
+  def payment_intent_is_created_and_successfully_captured
+    order = Spree::Order.last
+    intent = SolidusStripe::PaymentIntent.where(
+      payment_method: payment_method,
+      order: order
+    ).last.stripe_intent
+    expect(intent.status).to eq('succeeded')
+  end
+
+  def payment_intent_is_created_with_required_action
+    intent = SolidusStripe::PaymentIntent.where(
+      payment_method: payment_method,
+      order: current_order
+    ).last.stripe_intent
+    expect(intent.status).to eq('requires_action')
+  end
+
+  def invalid_data_are_notified
+    fill_in_stripe_country('United States')
+
+    [
+      [{ number: '4242424242424241' }, 'Your card number is invalid'],  # incorrect_number
+      [{ date: '1110' }, "Your card's expiration year is in the past"], # invalid_expiry_year
+      [{ cvc: 99 }, "Your card's security code is incomplete"]          # invalid_cvc
+    ].each do |args, text|
+      clear_stripe_form
+      fill_stripe_form(**args)
+      submit_payment
+      using_wait_time(10) do
+        within_frame(find_stripe_iframe) do
+          expect(page).to have_content(text)
+        end
+      end
+    end
+  end
+
+  def incomplete_cards_are_notified
+    # In order to have a complete Stripe form,
+    # it's essential to have a Postal Code field that will only be displayed
+    # when the user selects United States as their country.
+    fill_in_stripe_country('United States')
+
+    clear_stripe_form
+    submit_payment
+    [
+      "Your card number is incomplete",
+      "Your card's expiration date is incomplete",
+      "Your card's security code is incomplete",
+      "Your postal code is incomplete"
+    ].each do |text|
+      within_frame(find_stripe_iframe) do
+        expect(page).to have_content(text)
+      end
+    end
+  end
+
+  def declined_cards_at_intent_creation_are_notified
+    [
+      # Decline codes
+      # https://stripe.com/docs/declines/codes
+      ['4000000000000002', 'Your card has been declined.'],                  # Generic decline
+      ['4000000000009995', 'Your card has insufficient funds.'],             # Insufficient funds decline
+      ['4000000000009987', 'Your card has been declined.'],                  # Lost card decline
+      ['4000000000009979', 'Your card has been declined.'],                  # Stolen card decline
+      ['4000000000000069', 'Your card has expired.'],                        # Expired card decline
+      ['4000000000000127', "Your card's security code is incorrect."],       # Incorrect CVC decline
+      ['4000000000000119', 'An error occurred while processing your card.'], # Processing error decline
+
+      # Fraudulent cards
+      # https://stripe.com/docs/testing#fraud-prevention
+      ['4100000000000019', 'Your card has been declined.'],                  # Always blocked
+    ].each do |number, text|
+      fill_in_stripe_country('United States')
+      fill_stripe_form(number: number)
+      submit_payment
+      check_terms_of_service
+      confirm_order
+      expect(page).to have_content(text, wait: 15)
+    end
+  end
+
+  def successfully_creates_a_payment_intent(user: nil, auto_capture: false)
+    visit_payment_step(user: user)
+    choose_new_stripe_payment
+    fill_stripe_form
+
+    submit_payment
+
+    complete_order
+
+    if auto_capture
+      payment_intent_is_created_and_successfully_captured
+    else
+      payment_intent_is_created_with_required_capture
+    end
+  end
+end

data/spec/support/solidus_stripe/factories.rb

@@ -0,0 +1,5 @@
+FactoryBot.definition_file_paths << SolidusStripe::Engine.root.join(
+  'lib/solidus_stripe/testing_support/factories'
+).to_s
+
+FactoryBot.reload

data/spec/support/solidus_stripe/webhook/data_fixtures.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module SolidusStripe
+  module Webhook
+    # Fixtures for Stripe webhook events represented as a Ruby hash.
+    #
+    # Consume with `SolidusStripe::Webhook::EventWithContextFactory.from_data`.
+    module DataFixtures
+      def self.charge_succeeded(with_webhook: true)
+        {
+          "id" => "evt_3MRUo1JvEPu9yc7w091rP2XV",
+          "type" => "charge.succeeded",
+          "object" => "event",
+          "api_version" => "2022-11-15",
+          "created" => 1_674_022_050,
+          "data" => {
+            "object" => {
+              "id" => "ch_3MRUo1JvEPu9yc7w0BglRG7L",
+              "object" => "charge",
+              "amount" => 2000,
+              "amount_captured" => 2000,
+              "amount_refunded" => 0,
+              "application" => nil,
+              "application_fee" => nil,
+              "application_fee_amount" => nil,
+              "balance_transaction" => "txn_3MRUo1JvEPu9yc7w0aaUukiY",
+              "billing_details" => {
+                "address" => { "city" => nil, "country" => nil, "line1" => nil, "line2" => nil, "postal_code" => nil,
+                               "state" => nil },
+                "email" => nil,
+                "name" => nil,
+                "phone" => nil
+              },
+              "calculated_statement_descriptor" => "NEBULAB SRL",
+              "captured" => true,
+              "created" => 1_674_022_049,
+              "currency" => "usd",
+              "customer" => nil,
+              "description" => "(created by Stripe CLI)",
+              "destination" => nil,
+              "dispute" => nil,
+              "disputed" => false,
+              "failure_balance_transaction" => nil,
+              "failure_code" => nil,
+              "failure_message" => nil,
+              "fraud_details" => {},
+              "invoice" => nil,
+              "livemode" => false,
+              "metadata" => {},
+              "on_behalf_of" => nil,
+              "order" => nil,
+              "outcome" => { "network_status" => "approved_by_network", "reason" => nil, "risk_level" => "normal",
+                             "risk_score" => 1, "seller_message" => "Payment complete.", "type" => "authorized" },
+              "paid" => true,
+              "payment_intent" => "pi_3MRUo1JvEPu9yc7w0ldPcSpn",
+              "payment_method" => "pm_1MRUo0JvEPu9yc7wVFMdYurf",
+              "payment_method_details" => {
+                "card" => { "brand" => "visa",
+                            "checks" => { "address_line1_check" => nil, "address_postal_code_check" => nil,
+                                          "cvc_check" => nil },
+                            "country" => "US",
+                            "exp_month" => 1,
+                            "exp_year" => 2024,
+                            "fingerprint" => "pUfqdtmzdaOnI2SE",
+                            "funding" => "credit",
+                            "installments" => nil,
+                            "last4" => "4242",
+                            "mandate" => nil,
+                            "network" => "visa",
+                            "three_d_secure" => nil,
+                            "wallet" => nil },
+                "type" => "card"
+              },
+              "receipt_email" => nil,
+              "receipt_number" => nil,
+              "receipt_url" => "https://pay.stripe.com/receipts/payment/CAcaFwoVYWNjdF8xN21MdGJKdkVQdTl5Yzd3KKKZnp4GMgahzL5hXx86LBYPolrU9mdbq37sokiWbp-wT-NGJrXXxmipTFzS_AG1Wp1Rg6HWN1F2-9ek",
+              "refunded" => false,
+              "refunds" => { "object" => "list", "data" => [], "has_more" => false, "total_count" => 0,
+                             "url" => "/v1/charges/ch_3MRUo1JvEPu9yc7w0BglRG7L/refunds" },
+              "review" => nil,
+              "shipping" => {
+                "address" => { "city" => "San Francisco", "country" => "US",
+                               "line1" => "510 Townsend St", "line2" => nil,
+                               "postal_code" => "94103", "state" => "CA" },
+                "carrier" => nil, "name" => "Jenny Rosen", "phone" => nil,
+                "tracking_number" => nil
+              },
+              "source" => nil,
+              "source_transfer" => nil,
+              "statement_descriptor" => nil,
+              "statement_descriptor_suffix" => nil,
+              "status" => "succeeded",
+              "transfer_data" => nil,
+              "transfer_group" => nil
+            }
+          },
+          "livemode" => false,
+          "pending_webhooks" => 3,
+          "request" => "req_CAHWxuQdLQukn0"
+        }.tap do |data|
+          data["webhook"] = charge_succeeded(with_webhook: false) if with_webhook
+        end
+      end
+    end
+  end
+end

data/spec/support/solidus_stripe/webhook/event_with_context_factory.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+require "solidus_stripe/webhook/event"
+require "stripe"
+
+module SolidusStripe
+  module Webhook
+    # Factory to create a webhook event along with its context.
+    #
+    # It allows to create Stripe webhook from different sources (hash, stripe
+    # object) in different representations (json, stripe event object, solidus
+    # stripe object, header).
+    #
+    # The context for a event is composed by the timestamp and its secret, which
+    # in turn affect the header representation.
+    class EventWithContextFactory
+      def self.from_data(data:, payment_method:, timestamp: Time.zone.now)
+        new(data: data, timestamp: timestamp, payment_method: payment_method)
+      end
+
+      def self.from_object(object:, type:, payment_method:, timestamp: Time.zone.now)
+        data_base = data_base(object, type)
+        data = data_base.merge("webhook" => data_base)
+        new(data: data, timestamp: timestamp, payment_method: payment_method)
+      end
+
+      def self.data_base(object, type)
+        {
+          "id" => "evt_3MRUo1JvEPu9yc7w091rP2XV",
+          "object" => "event",
+          "api_version" => "2022-11-15",
+          "created" => 1_674_022_050,
+          "data" => {
+            "object" => object.as_json
+          },
+          "livemode" => false,
+          "pending_webhooks" => 0,
+          "request" => {
+            "id" => "req_3MRUo1JvEPu9yc7w0",
+            "idempotency_key" => "idempotency_key"
+          },
+          "type" => type
+        }
+      end
+      private_class_method :data_base
+
+      attr_reader :data, :timestamp, :secret, :payment_method
+
+      def initialize(data:, payment_method:, timestamp: Time.zone.now)
+        @data = data
+        @timestamp = timestamp
+        @payment_method = payment_method
+        @secret = payment_method.preferred_webhook_endpoint_signing_secret
+      end
+
+      def stripe_object
+        @stripe_object ||= Stripe::Event.construct_from(data)
+      end
+
+      def solidus_stripe_object
+        @solidus_stripe_object = SolidusStripe::Webhook::Event.new(stripe_event: stripe_object,
+          spree_payment_method: @payment_method)
+      end
+
+      def json
+        @json ||= JSON.generate(data)
+      end
+
+      def signature_header(timestamp: self.timestamp)
+        @signature_header ||= Stripe::Webhook::Signature.generate_header(timestamp, signature)
+      end
+
+      def signature
+        @signature ||= Stripe::Webhook::Signature.compute_signature(timestamp, json, secret)
+      end
+
+      def slug
+        @payment_method.slug
+      end
+    end
+  end
+end

data/spec/support/solidus_stripe/webhook/request_helper.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module SolidusStripe
+  module Webhook
+    # Helpers to simulate incoming Stripe webhook from request specs.
+    #
+    # It's a lightweight alternative to configuring `stripe-cli` in the automated tests.
+    module RequestHelper
+      # @param context [SolidusStripe::Webhook::EventWithContextFactory]
+      # @param payment_method [SolidusStripe::PaymentMethod]
+      # @param timestamp [Time] It allows to override the timestamp in the context
+      #   to simulate an invalid request.
+      # @param slug [String] It allows to override the slug in the payment
+      #   method to simulate an invalid request.
+      def webhook_request(context, timestamp: context.timestamp)
+        post "/solidus_stripe/#{context.slug}/webhooks",
+          params: context.json,
+          headers: { webhook_signature_header_key => webhook_signature_header(context, timestamp: timestamp) }
+      end
+
+      private
+
+      def webhook_signature_header_key
+        SolidusStripe::WebhooksController::SIGNATURE_HEADER
+      end
+
+      def webhook_signature_header(context, timestamp:)
+        context.signature_header(timestamp: timestamp)
+      end
+    end
+  end
+end

data/spec/system/backend/solidus_stripe/orders/payments_spec.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require 'solidus_stripe_spec_helper'
+
+RSpec.describe 'SolidusStripe Orders Payments', :js do
+  include SolidusStripe::BackendTestHelper
+  stub_authorization!
+
+  context 'with successful payment operations' do
+    it 'navigates to the payments page' do
+      payment = create_authorized_payment
+      visit_payments_page
+
+      expects_page_to_display_payment(payment)
+    end
+
+    it 'displays log entries for a payment' do
+      payment = create(:stripe_payment, :captured, order: order, payment_method: payment_method)
+
+      visit_payment_page(payment)
+
+      expects_page_to_display_log_messages(["PaymentIntent was confirmed and captured successfully"])
+    end
+
+    it 'captures an authorized payment successfully' do
+      payment = create_authorized_payment
+      visit_payments_page
+
+      capture_payment
+
+      expects_page_to_display_successfully_captured_payment(payment)
+      expects_payment_to_have_correct_capture_amount_on_stripe(payment, payment.amount)
+    end
+
+    it 'voids a payment from an order' do
+      payment = create_authorized_payment
+      visit_payments_page
+
+      void_payment
+
+      expects_page_to_display_successfully_voided_payment(payment)
+      expects_payment_to_be_voided_on_stripe(payment)
+    end
+
+    it 'refunds a payment from an order' do
+      payment = create_captured_payment
+      visit_payments_page
+
+      refund_payment
+
+      expects_page_to_display_successfully_refunded_payment(payment)
+      expects_payment_to_be_refunded_on_stripe(payment, payment.amount)
+    end
+
+    it 'partially refunds a payment from an order' do
+      payment = create_captured_payment
+      visit_payments_page
+
+      refund_reason = create(:refund_reason)
+      partial_refund_amount = 25
+      partially_refund_payment(refund_reason, partial_refund_amount)
+
+      expects_page_to_display_successfully_partially_refunded_payment(payment, partial_refund_amount)
+      expects_payment_to_be_refunded_on_stripe(payment, partial_refund_amount)
+    end
+
+    it 'cancels an order with captured payment' do
+      payment = create_captured_payment
+      visit_payments_page
+
+      cancel_order
+
+      # https://github.com/solidusio/solidus/blob/ab59d6435239b50db79d73b9a974af057ad56b52/core/app/models/spree/payment_method.rb#L169-L181
+      pending "needs to implement try_void method to handle voiding payments on order cancellation"
+
+      expects_page_to_display_successfully_canceled_order_payment(payment)
+      expects_payment_to_be_voided_on_stripe(payment)
+    end
+
+    it 'cancels an order with authorized payment' do
+      payment = create_authorized_payment
+      visit_payments_page
+
+      cancel_order
+
+      # https://github.com/solidusio/solidus/blob/ab59d6435239b50db79d73b9a974af057ad56b52/core/app/models/spree/payment_method.rb#L169-L181
+      # Note that for this specific case, the test is pending also because there is an issue
+      # with locating the user who canceled the order.
+      pending "needs to implement try_void method to handle voiding payments on order cancellation"
+
+      expects_page_to_display_successfully_canceled_order_payment(payment)
+      expects_payment_to_be_voided_on_stripe(payment)
+    end
+
+    it 'creates new authorized payment and captures it with existing source successfully' do
+      create_payment_method
+      create_order_with_existing_payment_source
+      complete_order_with_existing_payment_source
+      visit_payments_page
+      capture_payment
+      payment = last_valid_payment
+
+      expects_page_to_display_successfully_captured_payment(payment)
+      expects_payment_to_have_correct_capture_amount_on_stripe(payment, payment.amount)
+    end
+  end
+
+  context 'with failed payment operations' do
+    it 'fails to capture a payment due to incomplete 3D Secure authentication' do
+      payment = create_authorized_payment(card_number: '4000000000003220')
+      visit_payments_page
+
+      capture_payment
+
+      expects_page_to_display_capture_fail_message(payment,
+        'This PaymentIntent could not be captured because it has a status of requires_action.')
+    end
+  end
+end