search

openfoodfoundation / openfoodnetwork

Connect suppliers, distributors and consumers to trade local produce.
https://www.openfoodnetwork.org
GNU Affero General Public License v3.0
1.12k stars 724 forks source link

Update backend payment collection page to use Payment Intents API #4173

Closed kristinalim closed 4 years ago

kristinalim commented 5 years ago

What is the problem we are solving

Setting new credit card info for Stripe payment method should use the Payment Method and Setup Intents API and support SCA. The off-session mode would be applicable. (Maybe Payment Intents and on-session mode is more appropriate for checkout that will not save the card? Needs to be checked.)

Do this for the following pages:

  1. Customer checkout page
  2. Customer saved cards page
  3. Admin new payment page for order

Support for non-authenticated cards for the following should remain intact and should be tested:

  1. Checkout
  2. Capturing of payment from admin section
  3. Subscriptions

Gist of Setup Intents:

A SetupIntent guides you through the process of setting up a customer's payment credentials for future payments. For example, you could use a SetupIntent to set up your customer's card without immediately collecting a payment.

Gist of Payment Intents:

A PaymentIntent guides you through the process of collecting a payment from your customer. We recommend that you create exactly one PaymentIntent for each order or customer session in your system. You can reference the PaymentIntent later to see the history of payment attempts for a particular session.

Success factors = expected outcome

1) Shopper Checkout - The shopper does not wish to save the card: For devs:

For testers:

2) Shopper Checkout - If the shopper DOES wish to save the card For devs:

For testers:

3) The shopper adds a new saved card in Account -> Cards For devs:

For testers:

4) The admin attempts to make a take a payment in Admin -> Orders -> New Payment For devs:

For testers:

5) Standard release testing on Subscriptions specifically using Stripe payments

lin-d-hop commented 5 years ago

I think we need to figure out the work flow for taking payments by the Admin screen.

Context: If the bank decides this is a high risk transaction it will request SCA. The Hub manager may decide to get around this by asking the shopper to come and pay in person on collection or another time, meaning they want to be able to do this from the Admin screen with the shopper present.

So in the third case above: Admin new payment page for order :we have two options. We can: a) give an error in the case of 3D secure auth required such that an admin will just not be able to take payment from here if the bank requests auth. b) display the 3D secure pop-up regardless, meaning that the hub manager will need the shopper present or able to answer the questions to fill this in. And if they cannot they cancel on the payment.

I think b is a good answer.. However it leaves the question of how to take a payment for an order in the case the someone decides to pay by card AFTER they place the order. I think we need to make sure we have a flow for that.

kristinalim commented 5 years ago

Hmm... For #4181 which would support asking customers to authenticate payment for subscriptions with pre-existing saved cards on Stripe, we would already have some code for having a partially captured Stripe payment that still needs SCA authentication.

So, for the third case, maybe we can apply a similar workflow:

  1. Admin sets up a partially or fully completed Stripe payment.
  2. If only partial and it needs further action, the customer could log in on the website and then click a button where they could then start authenticating the payment if the payment has not yet been voided on the OFN side.
  3. Or the admin can do above from the admin section, which is Option B also.

Actually, as far as I understand, we can also email the Stripe link to authenticate the payment straight from the user's inbox. But this flow sounds similar to phishing attempts, and it might be bad to ask users to do this...

kristinalim commented 5 years ago

I'm not entirely convinced that you could make this functional without also doing the work for #4180, or if it could be done without wasting a lot of effort on code which would be removed in #4373

The developer who will work on this issue would find out if #4180 needs to be done in the same PR as this one. :slightly_smiling_face:

luisramos0 commented 4 years ago

There are 2 parts to this issue:

4672 and #4719 already make the admin collection of payments work with the payment intents API. So I am going to mark #4672 as closing this issue.

We then need to handle further authentications required by communicating with the customer. That will be handled in #4181 (I added this scope to it, we can split that issue later if we want)