Fixed Stripe charges requiring manual review shouldn't confirm payment

[Liam W]

Affected version

2.0.x

Stripe allows you to create rules as to when a payment goes to a review queue.

Currently, when XenForo receives the charge.successful webhook, it doesn't check to see if the payment is pending a manual review, and marks the purchasable as paid.

This seems highly incorrect, as purchasable's are digital goods, and therefore access shouldn't be given if there's a chance the amount will be refunded after the review.

Liam

 

[Chris D]

Just so I'm on the right page, could you please provide an example of the received webhook? At least an excerpt of the part which indicates it is held.

 

[Liam W]

Yeah, the charge.succeded event has an outcome.type field of manual_review (it also has a non-empty review field):



A review event is then sent after the review is dealt with:

 

[Chris D]

Ah, thanks.

And how exactly is that configured in Stripe, so I can have a play, and ensure we cover all eventualities?

 

[Liam W]

Ah, thanks.

And how exactly is that configured in Stripe, so I can have a play, and ensure we cover all eventualities?

Through 'radar' in the dashboard.

 

[Chris D]

That's about the only page I didn't click on Thanks.

 

[Chris D]

Let me know if you feel this logic should work:

$state = new CallbackState();
$state->transactionId = $charge->id;
$state->requestKey = $purchaseRequest->request_key;

if ($charge->outcome->type === 'authorized')
{
   $state->paymentResult = CallbackState::PAYMENT_RECEIVED;
   $this->completeTransaction($state);
}
else
{
   $state->logType = 'info';
   $state->logMessage = 'Stripe charge outcome was not authorized. Payment may be declined or require review within your Stripe Dashboard.';
}

Despite what the log message states, I'm fairly sure that the user wouldn't get that far if the transaction was outright declined (that would be when the paid flag in the charge object is false).

 

[Liam W]

That looks good to me. I'm assuming there's something else there as well to catch the review event after it's been reviewed?

Liam

 

[Chris D]

Not yet... but getting there

 

[Liam W]

Yeah, I should've said 'there'll be' rather than 'there's'

 

[Chris D]

This should be sorted for the next release now, thanks

 

[Liam W]

@Chris D just a note re your post in the other Stripe bug thread, this bug has also been partially re-introduced. Payments marked for review aren't processed by XF, but the webhook sent when the review is closed is ignored by XF, so the payment is never processed by XF.