mage2pro / stripe

Stripe integration with Magento 2
https://upwork.com/fl/mage2pro

The 3D Secure verification is not applied for a bank card with optional 3D Secure support ("three_d_secure": "optional"), even though it has been enabled in the Magento 2 backend for all customers, when `redirect/status` is `not_required` #48

Closed dmitrii-fediuk closed 7 years ago

dmitrii-fediuk commented 7 years ago

1. An initial reusable source for a card with an optional 3D Secure support ("three_d_secure": "optional")

```json
{
  "object": {
    "id": "src_1BNt5mFzKb8aMux1TxtRtHEN",
    "object": "source",
    "amount": null,
    "client_secret": "src_client_secret_BlPv7LrthYboKKDEc4dx1Trp",
    "created": 1510622398,
    "currency": null,
    "flow": "none",
    "livemode": false,
    "metadata": {
    },
    "owner": {
      "address": {
        "city": "Sydney",
        "country": "AU",
        "line1": "72 Liverpool St",
        "line2": null,
        "postal_code": "2000",
        "state": null
      },
      "email": "dfediuk@gmail.com",
      "name": "DMITRY FEDYUK",
      "phone": "+61282688888",
      "verified_address": null,
      "verified_email": null,
      "verified_name": null,
      "verified_phone": null
    },
    "statement_descriptor": null,
    "status": "chargeable",
    "type": "card",
    "usage": "reusable",
    "card": {
      "exp_month": 7,
      "exp_year": 2021,
      "address_line1_check": "unchecked",
      "address_zip_check": "unchecked",
      "brand": "Visa",
      "country": "US",
      "cvc_check": "unchecked",
      "fingerprint": "slrGvOFRzFPq9wGq",
      "funding": "credit",
      "last4": "4242",
      "three_d_secure": "optional",
      "tokenization_method": null,
      "dynamic_last4": null
    }
  },
  "previous_attributes": null
}
```

2. The derived single-use 3D Secure source

```json
{
  "object": {
    "id": "src_1BNt5rFzKb8aMux1wrGBra5u",
    "object": "source",
    "amount": 12700,
    "client_secret": "src_client_secret_BlPvYxsByORoyQ43jLY8LCdI",
    "created": 1510622403,
    "currency": "usd",
    "flow": "redirect",
    "livemode": false,
    "metadata": {
    },
    "owner": {
      "address": {
        "city": "Sydney",
        "country": "AU",
        "line1": "72 Liverpool St",
        "line2": null,
        "postal_code": "2000",
        "state": null
      },
      "email": "dfediuk@gmail.com",
      "name": "DMITRY FEDYUK",
      "phone": "+61282688888",
      "verified_address": null,
      "verified_email": null,
      "verified_name": null,
      "verified_phone": null
    },
    "redirect": {
      "failure_reason": null,
      "return_url": "https://mage2.pro/sandbox/dfe-stripe/customerReturn",
      "status": "not_required",
      "url": "https://hooks.stripe.com/redirect/authenticate/src_1BNt5rFzKb8aMux1wrGBra5u?client_secret=src_client_secret_BlPvYxsByORoyQ43jLY8LCdI"
    },
    "statement_descriptor": null,
    "status": "chargeable",
    "type": "three_d_secure",
    "usage": "single_use",
    "three_d_secure": {
      "card": "src_1BNt5mFzKb8aMux1TxtRtHEN",
      "customer": null,
      "authenticated": false
    }
  },
  "previous_attributes": null
}
```

dmitrii-fediuk commented 7 years ago

It is because the derived single-use 3D Secure source has redirect/status: not_required:

    "redirect": {
      "failure_reason": null,
      "return_url": "https://mage2.pro/sandbox/dfe-stripe/customerReturn",
      "status": "not_required",
      "url": "https://hooks.stripe.com/redirect/authenticate/src_1BNt5rFzKb8aMux1wrGBra5u?client_secret=src_client_secret_BlPvYxsByORoyQ43jLY8LCdI"
    },

The Stripe API Reference says:

> `status` string: The status of the redirect, either `pending` (ready to be used by your customer to authenticate the transaction), `succeeded` (successful authentication, cannot be reused) or `not_required` (redirect should not be used) or `failed` (failed authentication, cannot be reused).

stripe.com/docs/api#source_object-redirect-status

It looks like the phrase «should not be used» is incorrect here, and we can use the 3D Secure verification, because it is optionally supported by the bank card: three_d_secure: optional (see the initial source).

dmitrii-fediuk commented 7 years ago

I tried to enforce the 3D Secure verification when redirect/status is not_required (redirect the customer to the redirect/url), but Stripe did not allow it: it just redirected the customer back to the redirect/return_url. So the phrase «should not be used» is true.

dmitrii-fediuk commented 6 years ago

I support THE PAYING CUSTOMERS ONLY.
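
The handling this thread arrives at, as an added example that is not code from the mage2pro/stripe module or from the thread's participants: a `three_d_secure` source whose `redirect/status` is `not_required` is already `chargeable` with `authenticated: false`, so the integration has to decide explicitly whether to charge it. The function name, the returned step names and the `$requireAuth` policy flag are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example, not mage2pro/stripe code): picks the
 * next step for a Stripe source of type "three_d_secure".
 * $requireAuth is an assumed merchant policy: refuse the payment when the
 * cardholder was not actually authenticated.
 */
function next3dsStep(array $src, bool $requireAuth): string
{
    if (($src['type'] ?? null) !== 'three_d_secure') {
        throw new InvalidArgumentException('not a three_d_secure source');
    }
    $redirect = $src['redirect']['status'] ?? null;
    $status = $src['status'] ?? null;
    // Only a literal boolean true counts as authenticated.
    $authenticated = ($src['three_d_secure']['authenticated'] ?? null) === true;

    if ($redirect === 'pending') {
        return 'redirect'; // the customer still has to visit redirect/url
    }
    if (!in_array($redirect, ['succeeded', 'not_required'], true)) {
        return 'reject'; // "failed" or an unknown value: fail closed
    }
    if ($status !== 'chargeable') {
        // "pending" is not chargeable yet; any other status is refused.
        return $status === 'pending' ? 'wait' : 'reject';
    }
    if ($authenticated) {
        return 'charge';
    }
    // Chargeable but unauthenticated: the case reported in this issue.
    // "chargeable" alone is not evidence that 3D Secure took place.
    return $requireAuth ? 'reject' : 'charge_unauthenticated';
}

// Fields copied from the derived source in this issue, trimmed.
$sample = json_decode('{
  "type": "three_d_secure",
  "status": "chargeable",
  "redirect": {"status": "not_required"},
  "three_d_secure": {"authenticated": false}
}', true);

foreach ([true, false] as $requireAuth) {
    printf("requireAuth=%s -> %s\n", var_export($requireAuth, true),
        next3dsStep($sample, $requireAuth));
}
```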