Discourse/discourse
Discourse/discourse
0
0
Fork 0
mirror of https://gh.wpcy.net/https://github.com/discourse/discourse.git synced 2026-05-24 18:43:51 +08:00
Code Packages Activity Actions
discourse/plugins/discourse-subscriptions/app/controllers/discourse_subscriptions/hooks_controller.rb
David Taylor cd688ed19b FIX: Gate checkout provisioning on payment_status and handle async payments 
When a Stripe Checkout session uses a delayed payment method (e.g., bank transfers, SEPA debits), Stripe fires [`checkout.session.completed`](https://docs.stripe.com/api/events/types#event_types-checkout.session.completed) with [`payment_status: "unpaid"` rather than `"paid"`](https://docs.stripe.com/api/checkout/sessions/object#checkout_session_object-payment_status). The discourse-subscriptions plugin previously ignored this field entirely, provisioning group membership and creating customer/subscription records as soon as the checkout completed.

This meant users could gain access to subscription-gated groups without having paid, and the plugin had no handler for the follow-up [`checkout.session.async_payment_succeeded`](https://docs.stripe.com/api/events/types#event_types-checkout.session.async_payment_succeeded) event that Stripe sends once the delayed payment clears.

This commit adds a `payment_status` guard to the `checkout.session.completed` handler so sessions with unpaid status return early without provisioning. It also introduces a `checkout.session.async_payment_succeeded` handler that provisions access once the delayed payment succeeds.

https://github.com/discourse/discourse/security/advisories/GHSA-pjgj-7mjq-6j7g
2026-05-19 00:26:04 +01:00

156 lines
5 KiB
Ruby
Vendored
Raw Permalink Blame History

# frozen_string_literal: true
module DiscourseSubscriptions
class HooksController < ::ApplicationController
include DiscourseSubscriptions::Group
include DiscourseSubscriptions::Stripe
requires_plugin PLUGIN_NAME
layout false
skip_before_action :check_xhr
skip_before_action :redirect_to_login_if_required
skip_before_action :verify_authenticity_token, only: [:create]
def create
begin
payload = request.body.read
sig_header = request.env["HTTP_STRIPE_SIGNATURE"]
webhook_secret = SiteSetting.discourse_subscriptions_webhook_secret
return head :forbidden if webhook_secret.blank?
event = ::Stripe::Webhook.construct_event(payload, sig_header, webhook_secret)
rescue JSON::ParserError => e
return render_json_error e.message
rescue ::Stripe::SignatureVerificationError => e
return render_json_error e.message
end
case event[:type]
when "checkout.session.completed", "checkout.session.async_payment_succeeded"
checkout_session = event[:data][:object]
return head :ok if checkout_session[:status] != "complete"
return head :ok if checkout_session[:payment_status] != "paid"
if SiteSetting.discourse_subscriptions_enable_verbose_logging
Rails.logger.warn("#{event[:type]} data: #{checkout_session}")
end
email = checkout_session[:customer_email]
return render_json_error "email not found" if !email
if checkout_session[:customer].nil?
customer = ::Stripe::Customer.create({ email: email }, stripe_request_opts)
customer_id = customer[:id]
else
customer_id = checkout_session[:customer]
end
if SiteSetting.discourse_subscriptions_enable_verbose_logging
Rails.logger.warn("Looking up user with email: #{email}")
end
user = ::User.find_by_username_or_email(email)
return render_json_error "user not found" if !user
discourse_customer = Customer.create(user_id: user.id, customer_id: customer_id)
subscription = checkout_session[:subscription]
if subscription.present?
Subscription.create(customer_id: discourse_customer.id, external_id: subscription)
end
line_items =
::Stripe::Checkout::Session.list_line_items(
checkout_session[:id],
{ limit: 1 },
stripe_request_opts,
)
item = line_items[:data].first
group = plan_group(item[:price])
group.add(user) unless group.nil?
if SiteSetting.discourse_subscriptions_enable_verbose_logging
Rails.logger.warn("Line item with group name meta data: #{item[:price]}")
if group.nil?
Rails.logger.warn("Group not found or not listed in metadata!")
else
Rails.logger.warn("Group: #{group.name}")
end
end
discourse_customer.product_id = item[:price][:product]
discourse_customer.save!
if !subscription.nil?
::Stripe::Subscription.update(
subscription,
{ metadata: { user_id: user.id, username: user.username } },
stripe_request_opts,
)
end
when "customer.subscription.created"
when "customer.subscription.updated"
subscription = event[:data][:object]
status = subscription[:status]
return head :ok if !%w[complete active].include?(status)
customer = find_active_customer(subscription[:customer], subscription[:plan][:product])
return render_json_error "customer not found" if !customer
update_status(customer.id, subscription[:id], status)
user = ::User.find_by(id: customer.user_id)
return render_json_error "user not found" if !user
if group = plan_group(subscription[:plan])
group.add(user)
end
when "customer.subscription.deleted"
subscription = event[:data][:object]
customer = find_active_customer(subscription[:customer], subscription[:plan][:product])
return render_json_error "customer not found" if !customer
update_status(customer.id, subscription[:id], subscription[:status])
user = ::User.find(customer.user_id)
return render_json_error "user not found" if !user
if group = plan_group(subscription[:plan])
group.remove(user)
end
end
head :ok
end
private
def update_status(customer_id, subscription_id, status)
discourse_subscription =
Subscription.find_by(customer_id: customer_id, external_id: subscription_id)
discourse_subscription.update(status: status) if discourse_subscription
end
def find_active_customer(customer_id, product_id)
Customer
.joins(:subscriptions)
.where(customer_id: customer_id, product_id: product_id)
.where(
Subscription.arel_table[:status].eq(nil).or(
Subscription.arel_table[:status].not_eq("canceled"),
),
)
.first
end
end
end
View git blame Copy permalink