Openfoodnetwork: Stripe checkout issues

Possibly related to: https://github.com/openfoodfoundation/openfoodnetwork/pull/7286

The first thing to determine is why Stripe thinks we're using an API version April 2015 - 2015-04-07 - both the platform account and hub account have been updated to a more recent one in the dashboard, and even the older version of the ActiveMerchant gem is more recent than that.

Indeed Andy showed me where to look, and when I mimic the hub's profile I can see:

Stripe was contacted. Waiting for their answer.

Just to clarify; is this just for one hub?

@Matt-Yorkley only one hub contacted us yes. But FR users are not speaking a lot, so I don't know how spread this is. Adding the bloked label because we are still waiting for Stripe's feedback.

Okay so as usual the day you complain they haven't answered, they do :D

Here's Stripe answer:

_My apologies, the 2015 version and 2018 code reported in my first email were for the integration used for your payment on March 10th. After more research, I see indeed that this has been updated as of March 23rd:
https://dashboard.stripe.com/logs?created%5Bgte%5D=1616367600&created%5Blte%5D=1616540399&method%5B%5D=post&method%5B%5D=delete&direction%5B%5D=self&direction%5B%5D=c_

Did we really do that kind of jump? @openfoodfoundation/core-devs

_The API version is now 2019-05-16 and the code version is 1.107.4 (2020-06-02):
https://github.com/activemerchant/active_merchant/blob/master/CHANGELOG
Although newer versions exist, this integration currently conforms to PSD2 standards and should not cause complications with the 3DSecure stream._

@openfoodfoundation/core-devs I think this part of the issue can be closed. Can anyone advise on the second part of their first email around capturing payments (see issue description)? Again I'm not looking to have this fixed, but more looking for an answer to give the hub who doesn't understand why there is a "manual" payment capture done by OFN.

Also FYI in their answer today they give a bit more information on where to check for API versions:

_Note the difference between the version of the API established on your Dashboard and the one of your Stripe directory:
-The API version of your Dashboard defines the version used for requests generated from the Dashboard. On your account, this is the most recent (2020-08-27):
https://dashboard.stripe.com/developers
-The API version of the Stripe directory defines the version used for requests generated from your integration. This is the one I alluded to above.
https://stripe.com/docs/libraries#server-side-libraries
Your directory version is typically larger than your Dashboard version, with the majority of your queries coming from your site / integration rather than being initiated manually from your Stripe account._

Do we need to have an issue somewhere around this (maybe we already do?).

That's useful to know about the API version on the Dashboard being unrelated to the version being used by the code (and it makes sense now that I think about it).

We updated the API version in this release, but that would have been after March 23, and it was from ActiveMerchant 1.107.4 to 1.119. So I'm not really sure where Stripe is getting the API version that we're using.

As far as the second part goes, we use the "manual" capture parameter when we authorize the payment. It sounds like Stripe is pointing out that we end up immediately capturing the payment anyway, and therefore could simply pass the "automatic" capture parameter? We definitely could investigate whether the first call is unnecessary. Is there a specific problem that this hub is having with payments, though? The original issue description doesn't give details on what the issues are.

@andrewpbrett thanks for the investigation!

Is there a specific problem that this hub is having with payments, though? The original issue description doesn't give details on what the issues are.

Yes I've tried to translate that part but it wasn't clear sorry about that: if we do not capture the payment, Stripe releases the funds and cancels the order. This has happened quite a few times, so the hub would like us to capture automatically. I can open an issue? What I'm unclear about is how spread this problem is: the hub has given us some examples of uncapture payments, but I don't know how often this happens, or if there is any particular good reason that we do sometimes fail to capture them...

Do you know if all of the orders were created through the standard checkout, or maybe through the backoffice? That would be a good first step to narrowing it down, if we can. I do see that when we create a payment in the backoffice, we call authorize which uses the capture_method = manual parameter.

I think there's a good chance that this is fixed by https://github.com/openfoodfoundation/openfoodnetwork/pull/7497

thanks @andrewpbrett ! As we are waiting for the hub to get back to us re admin issues I'm closing this, and we will reopen if the fix does not work for this case :thumbsup:

I just had the client who's confirming that all the orders were created through the standard checkout and not through the back office.

all the orders were created through the standard checkout

In that case, yes, I think we should keep this open, #7497 deals with charges where the customer is not in the standard checkout.

I had the chance to get acquainted with another Stripe SCA integration at Coopdevs and we always capture payments as the last step of the flow so funds go to the seller. I don't understand why payments aren't captured in OFN just sometimes.

On that particular payment that's mentioned, we got a response from Stripe saying that the transaction required additional (SCA) authorization. Since it was during the checkout flow, the customer should have been redirected to their bank to authorize the transaction, and then back to OFN once they had. It looks like something went wrong during that process. It's possible that the customer just never completed authorization, but if we're seeing this same pattern happen frequently, there's probably something else going on. I'll keep investigating.

we might need to log the state of the process either in logs or updating DB records, or both? it should be straightforward to find out at which step the process died. I don't know if it is already.

The Stripe logs are actually pretty good at indicating what steps were completed, but you have to look pretty carefully through them and be familiar with this part of our codebase. The logs for this payment are actually consistent with the customer being sent to the SCA auth step, confirming the payment, and then something going wrong when we confirm the payment intent...

@sauloperez made some fixes for that step where we handle the payment intent in https://github.com/openfoodfoundation/openfoodnetwork/pull/7562, so it's possible that those changes will fix this issue as well. Could we follow up with the hub a week or two after that release is deployed (it's scheduled for 11 May 2021) and "snooze" this issue until then @RachL?

sure, I'm closing and we can reopen if they still face the problem. ping @Cecilia-Hn