openfoodfoundation / openfoodnetwork

Connect suppliers, distributors and consumers to trade local produce.
https://www.openfoodnetwork.org
GNU Affero General Public License v3.0

Stripe Payments: orders created despite condition of order total > $0.5 not fulfilled (and/or card declined) #5803

Open filipefurtad0 opened 4 years ago

filipefurtad0 commented 4 years ago

Description

Stripe imposes minimum and maximum amounts for orders to be placed: https://stripe.com/docs/currencies#minimum-and-maximum-charge-amounts

In production-AU it was observed that attempting to pay orders below the limit (apparently $0.5 for AU) with Stripe results in different errors, 404 and 402, as observed by @kirstenalarsen, in here.

This appears to be a combination of different errors, one of them being the "card declined" error, so this may relate to bug #5785. However, it appears that despite those errors, and the limit imposed by Stripe, an order was created - with a due payment (pic taken from here):

image

Expected Behavior

A warning should appear, when attempting to pay orders below the limit imposed by Stripe. Checking out should not be possible.

Actual Behaviour

The warning appears, but apparently the order was created, with a due payment.

Steps to Reproduce

See discussion on bug. Reproducing the issue should involve:

As a customer:

  1. Place items in the cart with a value under $0.5.
  2. Pay with a Stripe method.
  3. Checking out should not be possible; a warning should appear informing that the minimal limit was not reached.

Hub admin

  1. Check that the order was not created.

Animated Gif/Screenshot

See the issue.

Workaround

Use a different payment method.

Severity

So far verified for very low amounts. Maybe S3?

Your Environment

Possible Fix

filipefurtad0 commented 4 years ago

I tried to reproduce in staging, but all looks good. If a valid card is used for orders < 0.5 eur, the warnings appear:

Using the test-card 4000000000000002 (Charge is declined with a card_declined code) does not change the outcome: the same warnings appear, as if the validity of the card is not being verified.

These payment-attempts don't appear in the Stripe dashboard, but in both cases a bad request (error 400) appears in the console: image

These are different from the ones you observed, as seen in your pics - errors 404 and 402. Also, none of these attempts were successful: no order confirmation, and no new order entry under /orders. So I can't seem to reproduce this behavior.

This was tested on staging-UK, with a German Stripe test-account: it is not possible to set Australian test-accounts, i.e., all test-account numbers are European. Not sure this plays a role but it's useful to reckon I guess.