From 314b74e33bc697be0d75743bef41aebc9649badd Mon Sep 17 00:00:00 2001 From: forest Date: Thu, 14 May 2020 12:41:12 -0500 Subject: [PATCH] fix a bug that would allow users to cheat the stripe checkout system --- capsulflask/payment_stripe.py | 44 +++++++++++++++++++++++------------ 1 file changed, 29 insertions(+), 15 deletions(-) diff --git a/capsulflask/payment_stripe.py b/capsulflask/payment_stripe.py index c9e6b87..4a6081d 100644 --- a/capsulflask/payment_stripe.py +++ b/capsulflask/payment_stripe.py @@ -1,8 +1,8 @@ import stripe import json +import time import decimal - from flask import Blueprint from flask import request from flask import current_app @@ -80,23 +80,35 @@ def success(): print("/stripe/success returned 400: missing required URL parameter session_id") abort(400, "missing required URL parameter session_id") else: - checkout_session = stripe.checkout.Session.retrieve(stripe_checkout_session_id) - if checkout_session and 'display_items' in checkout_session: - cents = checkout_session['display_items'][0]['amount'] - dollars = decimal.Decimal(cents)/100 + checkout_session_completed_events = stripe.Event.list( + type='checkout.session.completed', + created={ + # Check for events created in the last half hour + 'gte': int(time.time() - (30 * 60)), + }, + ) - #consume_stripe_checkout_session deletes the checkout session row and inserts a payment row - # its ok to call consume_stripe_checkout_session more than once because it only takes an action if the session exists - success_account = get_model().consume_stripe_checkout_session(stripe_checkout_session_id, dollars) - if success_account: - print(f"{success_account} paid ${dollars} successfully (stripe_checkout_session_id={stripe_checkout_session_id})") + for event in checkout_session_completed_events.auto_paging_iter(): + checkout_session = event['data']['object'] - return redirect(url_for("console.account_balance")) + if checkout_session and 'id' in checkout_session and checkout_session['id'] == stripe_checkout_session_id: + cents = checkout_session['display_items'][0]['amount'] + dollars = decimal.Decimal(cents)/100 -# I don't think the webhook is needed + #consume_stripe_checkout_session deletes the checkout session row and inserts a payment row + # its ok to call consume_stripe_checkout_session more than once because it only takes an action if the session exists + success_account = get_model().consume_stripe_checkout_session(stripe_checkout_session_id, dollars) + + if success_account: + print(f"{success_account} paid ${dollars} successfully (stripe_checkout_session_id={stripe_checkout_session_id})") + + return redirect(url_for("console.account_balance")) + + abort(400, "this checkout session is not paid yet") + +# webhook is not needed # @bp.route("/webhook", methods=("POST",)) # def webhook(): - # request_data = json.loads(request.data) # signature = request.headers.get('stripe-signature') # try: @@ -111,8 +123,10 @@ def success(): # #consume_stripe_checkout_session deletes the checkout session row and inserts a payment row # # its ok to call consume_stripe_checkout_session more than once because it only takes an action if the session exists -# get_model().consume_stripe_checkout_session(stripe_checkout_session_id, dollars) - +# success_account = get_model().consume_stripe_checkout_session(stripe_checkout_session_id, dollars) +# if success_account: +# print(f"{success_account} paid ${dollars} successfully (stripe_checkout_session_id={stripe_checkout_session_id})") + # return jsonify({'status': 'success'}) # except ValueError as e: # print("/stripe/webhook returned 400: bad request", e)