Removing the confirm step causes stripe failed payments (due to 3DS) to show up as paid #313
Description
If you remove the checkout confirmation step and a 3D secure is needed, the order will be completed with payment status "paid" without the 3D secure popup appearing, but in Stripe dashboard the payment will have the status "requires_action".
Solidus Version: 4.0.0
To Reproduce
- Setup a new store with the starter front end and stripe
- Remove the confirmation step from the checkout flow, as suggested in the guides
#app/overrides/my_app/spree/order/remove_checkout_step.rb
# frozen_string_literal: true
module MyApp
module Spree
module Order
module RemoveCheckoutStep
def self.prepended(base)
base.remove_checkout_step :confirm
end
::Spree::Order.prepend self
end
end
end
end- Create an order and pay using a stripe test card that requires a 3DS Challenge.
Current behavior
The order will be completed with payment status "paid" even if the 3D secure challenge has never been presented.
Expected behavior
Ideally, a 3DS pop-up should appear when the users tries to advance from the payment step. Since removing the confirm step could be considered a significant modification of the default/supported checkout flow, it might be reasonable to expect developers to handle presenting the 3DS challenge themselves, but, displaying a payment as paid when this was never the case on stripe's side is probably a bug.
Screenshots
Screenshot of expected pop-up:
Additional context
Currently, due to the acceptable transitions in the order state machine, removing the confirmation step will also raise an exception if a payment fails, as the order will attempt to transition from payment to payment_failed, which is not currently allowed.