woocommerce / woocommerce-gateway-stripe

The official Stripe Payment Gateway for WooCommerce
https://wordpress.org/plugins/woocommerce-gateway-stripe/

Pending payment (on payment failure) signs up WP account #479

Closed robin-scott closed 6 years ago

robin-scott commented 6 years ago

Affected ticket(s)

NA

What I expected

WooCommerce set to "Enable customer registration on the "Checkout" page."

Unless payment completes, user account should not be signed up.

What happened instead

In live mode, WooCommerce Stripe 4.0.1 (4.0.3 too) signed up a user account on a failed payment attempt (incorrect zip code), which was a "pending payment" order. This user saw payment fail, but a user account was set up (along with relevant transactional and login emails) and therefore was not sure if payment had worked and hit support.

Steps to reproduce the issue

image

CARD DECLINED it says - but, the user account has been created.

image

User has been sent all the usual new account stuff. Which in our case also includes login stuff for the LMS. Now, we can change this part, but this feels like it may not be ever desirable?

NOTE - I am aware this is edge case and normally "why does that matter?!" would be the question. In this case, user completing payment and gaining access to WordPress and an LMS is a part of the initial order process. The new user account should only be signed up after the payment is completed - with this gateway - I feel.

Whether that makes it a bug or an enhancement... hmm.

For sure, it would be "nice to have" if the user account did not get signed up when payment just failed, as [in our and many other cases] this triggers a confusing email to customer with their new login details, and this contradicts for them with the message showing payment failed.

Will be able to dig into this a bit with a PR later this week.


robin-scott commented 6 years ago

So to summarise: the card should be validated before the user account is created.

roykho commented 6 years ago

Sure I understand the situation however this is not isolated to Stripe. Even if you use the default PayPal that comes with WooCommerce, you will experience the same behavior.

robin-scott commented 6 years ago

@roykho yeah I did have a feeling this was the case, and actually raised the question along these lines in my notes about if it was Stripe or a wider issue!! It's never raised with me in this context - and I'm wondering if it's feasible to change the order of these events & where we'd be looking? (btw it's fine to say "not sure" as will be doing some digging on a solution here!).

For our part, we may workaround, by delaying the initial mails unless order is completed (they auto complete in this use-case). Just feels like things are maybe due for reorganisation here.

I did think, in some cases, the account being signed up has some advantages in "ordinary" retail situations - assuming the mail is not actually sent - but not if this relates to access to (say) private sections of members only bits and pieces, as technically, user is actually logged in to their new account after this failed checkout.

Actually with paypal - at least using standard (off site) - if the payment fails, this does not occur. I wonder if switching to use the Stripe checkout may have a similar impact? Will test. At present, a good enough for now solution will be... good enough for now :)

roykho commented 6 years ago

> Actually with paypal - at least using standard (off site) - if the payment fails, this does not occur.

Actually not. As soon as you click "place order", when you redirect to PP, the account is already created whether you go through using PP or not.

robin-scott commented 6 years ago

Sorry - scrub that. It was written in our log that "doesn't happen with paypal". I have not tested that.

robin-scott commented 6 years ago

I think what was meant by this (our side) was the issue never raised before with PayPal - because of the checkout process... or just blind luck.

robin-scott commented 6 years ago

Just to clarify, the issue in Stripe checkout is user receiving the account setup emails at same time as "payment failed" notifications are showing up. They then hit support saying "hey did this pay!?" because they see on screen the "payment failed" but they get a ping through their phone (or whatever). They don't want to pay twice, so they hit support. Avoiding that. This is my goal!

roykho commented 6 years ago

Right again, WC creates the account and at the same time will trigger the email to be sent. This is not related to Stripe specifically.

robin-scott commented 6 years ago

Yeah, will have a look if we can change something. I know this sits in a context specific area. It's kind of gateway specific - because if user goes to PayPal, there's a delay which appears to mean clients don't experience confusion on it; at least there have been no reports of issues. We have 18,000 users here, btw, so it's pretty well used.

roykho commented 6 years ago

Perhaps this should be raised over on WC core? To say something like if there are any errors in the checkout process, don't create the account?

robin-scott commented 6 years ago

Yeah that's what I was thinking - wanted to quietly flag it this side to see where it lived. Actually the "not happening with PayPal" made me fall on this side... so that's just an inaccurate description here.

robin-scott commented 6 years ago

Am happy enough to close this one on this basis. Thanks for help @roykho

lkraav commented 5 years ago

Hi @robin-scott @roykho I'm looking to solve the exact same problem.

Did a WC core issue ever get filed?

audetcameron commented 5 years ago

Was this ever addressed? Currently failed transactions are creating wp accounts and sending users notification emails on their new account.

lkraav commented 5 years ago

Zero action as far as I know of. I also haven't had the bandwidth, as the problem volume is simply not that high. Crowdfunding some kind of a WooCommerce core issue / PR development could work, but even that needs somebody motivated in the driver seat.

robin-scott commented 5 years ago

It was entirely possible to work around this one - by delaying the account registration to take place later. It's more edge case than bug, and I would suggest posting a new issue on it in WooCommerce core if this issue is one you can't work around. It's not a Stripe issue.

lkraav commented 1 year ago

We just got attacked by a botnet and here we are again with the same problem.

Even though Cloudflare super bot fight mode seems to help enough to stop the spam account flood (they still made ~10,000 (ten thousand)), they're still somehow able to continue sending card validation requests to POST /v1/sources where Stripe Logs show Origin https://js.stripe.com/, and IP is something other than our server.
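
Added example, not part of the thread or of the plugin's code: a cleanup and triage check for the situation discussed above, where checkout registers an account before payment succeeds. It runs over a constructed export of users and orders (the tuple layout, the 10-minute window and the threshold of 3 are assumptions) and flags accounts whose checkout never produced a paid order, then groups them by client IP.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PAID = {"processing", "completed"}            # WooCommerce statuses reached once payment succeeds
UNPAID = {"pending", "failed", "cancelled"}   # statuses a declined or abandoned payment leaves behind

T0 = datetime(2024, 1, 1, 12, 0)
# Constructed sample export (not data from this thread): user_id -> registration time
USERS = {uid: T0 + timedelta(minutes=i)
         for i, uid in enumerate([101, 102, 103, 104, 105, 106, 107, 108])}
# (user_id, order_status, minutes after that user's registration, client IP from documentation ranges)
ORDERS = [
    (101, "completed", 0, "192.0.2.10"),
    (102, "failed", 0, "198.51.100.9"),
    (103, "failed", 0, "192.0.2.44"),
    (103, "processing", 3, "192.0.2.44"),   # declined once, then paid: legitimate
    (104, "failed", 0, "203.0.113.7"),
    (104, "failed", 1, "203.0.113.7"),
    (105, "pending", 0, "203.0.113.7"),
    (106, "on-hold", 0, "192.0.2.80"),      # awaiting offline payment: not flagged
    (108, "failed", 0, "203.0.113.7"),
]                                            # user 107 registered without any order


def orphaned_accounts(users, orders, window=timedelta(minutes=10)):
    """User ids created during a checkout that never produced a paid order."""
    history = defaultdict(list)
    for uid, status, offset, _ip in orders:
        history[uid].append((status, users[uid] + timedelta(minutes=offset)))
    flagged = []
    for uid, registered in users.items():
        rows = history.get(uid)
        if not rows or not all(status in UNPAID for status, _ in rows):
            continue                          # no orders, or an order that is paid or on hold
        if min(ts for _, ts in rows) - registered <= window:
            flagged.append(uid)               # first order coincides with registration
    return sorted(flagged)


def burst_sources(orders, flagged, threshold=3):
    """Client IPs whose orders are tied to at least `threshold` flagged accounts."""
    per_ip = defaultdict(set)
    for uid, _status, _offset, ip in orders:
        if uid in flagged:
            per_ip[ip].add(uid)
    return {ip: sorted(uids) for ip, uids in per_ip.items() if len(uids) >= threshold}
```

A single flagged account is usually just a customer whose card was declined; the per-IP grouping is what separates that from a flood of throwaway registrations.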