laravel / cashier-paddle

Cashier Paddle provides an expressive, fluent interface to Paddle's subscription billing services.
https://laravel.com/docs/cashier-paddle
MIT License

Changing email on the payment screen #257

Closed makssein closed 3 months ago

makssein commented 4 months ago

Cashier Paddle Version

2.0.4

Laravel Version

10.37.3

PHP Version

8.1

Database Driver & Version

MySQL

Description

My user changed the email on the payment screen to one that does not have an account on my site. After the purchase, a subscription was created, but it went into emptiness because Paddle sent a webhook with an email that had nothing attached to it. What to do in such a situation? Is it possible to prohibit changing the email on the payment screen, or make sure that the email does not affect the linking to the account and the linking is strictly based on the ID?

Steps To Reproduce

Open the payment screen -> change your email to any one that does not have an account on the site

driesvints commented 4 months ago

Hi @makssein. This shouldn't be possible because a Paddle customer is created whenever you invoke the payment screen. Can you share the code that got you in this situation?

makssein commented 4 months ago

@driesvints all I do is simply redirect the user to the payment screen

$user = Auth::user();
$checkout = $user->subscribe(123, 123)
    ->returnTo(route('checkout.status'));

return view('checkout', [
    'checkout' => $checkout,
]);

I no longer have any idea how a user could subscribe to an account that is not in the database.

mediagroupapp commented 4 months ago

Hi @makssein, @driesvints,

I just encountered the issue. It seems that if the information sent via Paddle.Checkout.open(@json($options())); is not complete, they display the first step with pre-filled information. For example, I needed to enter the postal code, but as a result, I could also change the email address, which created a new customer on Paddle. In Paddle’s documentation, we have the following:

Paddle.Checkout.open({
  settings: {
    displayMode: "overlay",
    theme: "light",
    locale: "en",
    allowLogout: false
  },
  items: itemsList,
  customer: {
    id: "ctm_01gm82kny0ad1tk358gxmsq87m",
    address: {
      id: "add_01gm82v81g69n9hdb0v9sw6j40"
    },
    business: {
      id: "biz_01gnymqsj1etmestb4yhemdavm"
    }
  }
});  

But Cashier only sends the customer's ID. I also tested sending the address ID, and then I arrived directly on the payment page. Does Cashier really manage addresses in this case to avoid this issue?

mycroftsk commented 3 months ago

I think the attribute data-allow-logout='false' is missing from cashier/components/button.blade.php. Adding it will disable changing information on the first step of the checkout page.

driesvints commented 3 months ago

I managed to reproduce this one. Thanks all for reporting. I sent in a fix for this one.
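
The two sides of the problem described in this thread, as an added example that is not part of the original issue, Cashier, or Paddle.js: the options passed to Paddle.Checkout.open are forced to allowLogout: false, and a subscription.created webhook is linked strictly by Paddle customer ID, with unknown customers flagged for review. The function names, the customers map, and the sample IDs are assumptions made for illustration.

```javascript
// Added example: lockCheckoutIdentity, triageSubscriptionEvent and the
// customers map are hypothetical names, not part of Cashier or Paddle.js.

// Validate and harden the options object before it reaches Paddle.Checkout.open().
function lockCheckoutIdentity(options) {
  const customer = options.customer || {};
  if (typeof customer.id !== "string" || !customer.id.startsWith("ctm_")) {
    throw new Error("checkout must be opened for an existing Paddle customer id");
  }
  const warnings = [];
  if (!customer.address || !customer.address.id) {
    // Per the thread: without an address ID the first checkout step is shown.
    warnings.push("no address id: the customer details step will be displayed");
  }
  // Copy rather than mutate, and force allowLogout off even if the caller set it.
  const hardened = {
    ...options,
    settings: { ...(options.settings || {}), allowLogout: false },
  };
  return { options: hardened, warnings };
}

// Webhook side: link strictly by Paddle customer ID, never by email, and
// surface events for unknown customers instead of dropping them silently.
function triageSubscriptionEvent(event, customers) {
  if (event.event_type !== "subscription.created") return { action: "ignore" };
  const customerId = event.data.customer_id;
  const userId = customers.get(customerId);
  if (userId === undefined) {
    return { action: "review", subscription: event.data.id, customerId };
  }
  return { action: "attach", subscription: event.data.id, userId };
}

// Constructed sample data (all IDs are made up for this example).
const customers = new Map([["ctm_example_known", 42]]);
const checkout = lockCheckoutIdentity({
  settings: { displayMode: "overlay", allowLogout: true },
  items: [{ priceId: "pri_example", quantity: 1 }],
  customer: { id: "ctm_example_known" },
});
const orphan = triageSubscriptionEvent(
  { event_type: "subscription.created",
    data: { id: "sub_example_1", customer_id: "ctm_example_unknown" } },
  customers
);
console.log(checkout.options.settings, checkout.warnings, orphan);
```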