Users can have access to the VPN even if they paid with a card not issues in the US

[bsurd]

Affected versions:

• All Firefox

Affected Platforms:

• Ubuntu 19.04 (x64)
• Windows 10 (x64)

Preconditions

• Have a FxA account without a subscriptions

Steps to reproduce

1. Open the VPN page and
2. Click on the Subscribe Now button and complete the subscription process using a credit card number outside of the US. (eg. 6200-0000-0000-0005)
3. Go back to the VPN page and click on the subscribe now button.

Expected result:

• The payment page is displayed.

Actual result:

• You are redirected to the "Your subscription is ready" page. (this is an ongoing loop until you click on the "No thanks, just take me to my product." hyperlink because you are signed out after reloading the page).
• After clicking the "No thanks, just take me to my product." hyperlink you have access to download the VPN even if the card used was outside of US.

┆Issue is synchronized with this Jira Bug ┆Issue Number: FXA-1012

[data-sync-user]

➤ Wil Clouser commented:

The staging server doesn't have the radar rules in it.  Let's try checking this on the production test account.  Ben will help with that process.

[bsurd]

Another issue noticed here is that if the user never clicks on the No thanks, just take me to my product. hyperlink, the Subscribe Now is still displayed in the FPN page. After clicking the hyperlink the Download Now button is displayed.

This should also be checked in production.

[lmorchard]

Another issue noticed here is that if the user never clicks on the No thanks, just take me to my product. hyperlink, the Subscribe Now is still displayed in the FPN page

That's really weird - the "no thanks" link shouldn't actively do anything. Doesn't submit any data or change any state. It's just a link to a page.

[data-sync-user]

➤ Benjamin Bangert commented:

The credit card number you entered is a US test card. I tested locally and verified that the test cards from other regions are not allowed. The international test numbers are here:

https://stripe.com/docs/testing#international-cards

[data-sync-user]

➤ Benjamin Bangert commented:

To follow up, I have reproduced this behavior. The UX shows that the card didn't work properly, but when refreshing it, the page says the subscription is active.

[johngruen]

Is this coming from our staging stripe instance? I can add the radar rule there to retest?

[data-sync-user]

➤ Benjamin Bangert commented:

It's not a radar rule issue, the radar rule is properly handled. The issue is that when a subscription is denied in this manner, it leaves a fairly complete appearance of a subscription in Stripe (marked as incomplete). The page-load is apparently recognizing this incomplete subscription as a valid one and then bouncing the user back saying they're active, when they're actually not active.

[bsurd]

This issue has been verified and is no longer reproducing in the latest environment.

@bbangert Could we change the 6200 0000 0000 0005 test card to appear as it's issued in the US? This is technically used to test that payments from UnionPay are possible and have no other card listed in the https://stripe.com/docs/testing#cards for this brand/type of card.

[lmorchard]

Could we change the 6200 0000 0000 0005 test card to appear as it's issued in the US?

I don't think we have any ability to alter test cards - those are defined by Stripe themselves, we don't manage them or their effects