Pending payment (on payment failure) signs up WP account

[robin-scott]

Affected ticket(s)

NA

What I expected

WooCommerce set to "Enable customer registration on the "Checkout" page."

Unless payment completes, user account should not be signed up.

What happened instead

In live mode, WooCommerce Stripe 4.0.1 (4.0.3 too) signed up a user account on a failed payment attempt (incorrect zip code), which was a "pending payment" order. This user saw payment fail, but a user account was setup (along with relevant transactional and login emails) and therefore was not sure if payment had worked and hit support.

Steps to reproduce the issue

• Setup WooCommerce and Stripe plugin.
• Set WC to only allow registration on checkout.
• Complete checkout in live, as a new user, but use a bad card (say out of date)

CARD DECLINED it says - but, the user account has been created.

User has been sent all the usual new account stuff. Which in our case also includes login stuff for the LMS. Now, we can change this part, but this feels like it may not be ever desirable?

NOTE - I am aware this is edge case and normally "why does that matter?!" would be the question. In this case, user completing payment and gaining access to WordPress and an LMS is a part of the initial order process. The new user account should only be signed up after the payment is completed - with this gateway - I feel.

Whether that makes it a bug or an enhancement... hmm.

For sure, it would be "nice to have" if the user account did not get signed up when payment just failed, as [in our and many other cases] this triggers a confusing email to customer with their new login details, and this contradicts for them with the message showing payment failed.

Will be able to dig into this a bit with a PR later this week.

---

• [ ] Issue assigned to next milestone.
• [ ] Issue assigned a priority (will be assessed by maintainers).

[robin-scott]

So to summarise: the card should be validated before the user account is created.

[roykho]

Sure I understand the situation however this is not isolated to Stripe. Even if you use the default PayPal that comes with WooCommerce, you will experience the same behavior.

[robin-scott]

@roykho yeah I did have a feeling this was the case, and actually raised the question along these lines my notes about if it was Stripe or a wider issue!! Its never raised with me in this context - and I'm wondering if its feasible to change the order of these events & where we'd be looking? (btw its fine to say "not sure" as will be doing some digging on a solution here!).

For our part, we may workaround, by delaying the initial mails unless order is completed (they auto complete in this use-case). Just feels like things are maybe due for reorganisation here.

I did think, in some of cases, the account being signed up has some advantages in "ordinary" retail situations - assuming the mail is not actually sent - but not if this relates to access to (say) private sections of members only bits and pieces, as technically, user is actually logged in to their new account after this failed checkout.

Actually with paypal - at least using standard (off site) - if the payment fails, this does not occur. I wonder if switching to use the Stripe checkout may have a similar impact? Will test. At present, a good enough for now solution will be... good enough for now :)

[roykho]

Actually with paypal - at least using standard (off site) - if the payment fails, this does not occur.

Actually not. As soon as you click "place order", when you redirect to PP, the account is already created whether you go through using PP or not.

[robin-scott]

Sorry - scrub that. It was written in our log that "doesn't happen with paypal". I have not tested that.

[robin-scott]

I think what was meant by this (our side) was the issue never raised before with PayPal - because of the checkout process... or just blind luck.

[robin-scott]

Just to clarify, the issue in Stripe checkout is user receiving the account setup emails at same time as "payment failed" notifications are showing up. They then hit support saying "hey did this pay!?" because they see on screen the "payment failed" but they get a ping through their phone (or whatever). They don't want to pay twice, so they hit support. Avoiding that. This is my goal!

[roykho]

Right again, WC creates the account and at the same time will trigger the email to be sent. This is not related to Stripe specifically.

[robin-scott]

yeah will have a look if we can change something. I know this sits in a context specific area. Its kind of gateway specific - because if user goes to paypal, there's a delay which appears to mean clients don't experience confusion on it; at least there have been no reports of issues. We have 18,000 users here, btw, so its pretty well used.

[roykho]

Perhaps this should be raised over on WC core? To say something like if there are any errors in the checkout process, don't create the account?

[robin-scott]

Yeah that's what I was thinking - wanted to quietly flag it this side to see where it lived. Actually the "not happening with PayPal" made me fall on this side... so that's just an inaccurate description here.

[robin-scott]

Am happy enough to close this one on this basis. Thanks for help @roykho

[lkraav]

Hi @robin-scott @roykho I'm looking to solve the exact same problem.

Did a WC core issue ever get filed?

[audetcameron]

was this ever addressed? Currently failed transactions are creating wp accounts and sending users notification emails on their new account.

[lkraav]

Zero action as far as I know of. I also haven't had the bandwidth, as the problem volume is simply not that high. Crowdfunding some kind of a WooCommerce core issue / PR development could work, but even that needs somebody motivated in the driver seat.

[robin-scott]

It was entirely possible to work around this one - by delaying the account registration to take place later. It's more edge case than bug, and I would suggest posting a new issue on it in WooCommerce core if this issue is one you can't work around. It's not a Stripe issue.

[lkraav]

We just got attacked by a botnet and here we are again with the same problem.

Even though Cloudflare super bot fight mode seems to help enough to stop the spam account flood (they still made ~10,000 (ten thousand)), they're still somehow able to continue sending card validation requests to POST /v1/sources where Stripe Logs show Origin https://js.stripe.com/, and IP is something other than our server.