Fix Add Payment Method page and required Stripe customer field validation (#4489)

* Require only email for Add Payment Method requests

* Prevent logged out users from proceeding in Add Payment Method

* Add unit tests

* Use separate param

* Add changelog and readme entries

* Fix comment typo

Co-authored-by: Malith Senaweera <[email protected]>

* Fix unit tests

* Remove error logs

---------

Co-authored-by: Malith Senaweera <[email protected]>

Author: annemirasol

changelog.txt

@@ -18,6 +18,7 @@
 * Fix - No such customer error when creating a payment method with a new Stripe account
 * Fix - Validate create customer payload against required billing fields before sending to Stripe
 * Update - Enhanced logging system with support for all log levels and improved context handling
+* Fix - Require email address only for Stripe customer validation when request is from the Add Payment Method page
 * Fix - Set default values for custom field options
 * Fix - Enforce rate limiter for failed add payment method attempts
 * Update - Add the number of pending webhooks to the Account status section

includes/class-wc-stripe-customer.php

@@ -203,55 +203,18 @@ protected function generate_customer_request( $args = [] ) {
 	 * Validate that we have valid data before we try to create a customer.
 	 *
 	 * @param array $create_customer_request
+	 * @param bool  $is_add_payment_method_page
 	 *
 	 * @throws WC_Stripe_Exception
 	 */
-	private function validate_create_customer_request( $create_customer_request ) {
-		$checkout_billing_fields = WC_Checkout::instance()->get_checkout_fields( 'billing' );
-		$required_billing_fields = array_filter(
-			$checkout_billing_fields,
-			function ( $field_data ) {
-				return $field_data['required'] ?? false;
-			}
-		);
-
-		$required_fields = [];
-
-		if ( isset( $required_billing_fields['billing_email'] ) ) {
-			$required_fields['email'] = true;
-		}
-
-		if ( isset( $required_billing_fields['billing_first_name'] ) || isset( $required_billing_fields['billing_last_name'] ) ) {
-			$required_fields['name'] = true;
-		}
-
-		$required_address_fields = [];
-		$address_field_mapping = [
-			'billing_address_1' => 'line1',
-			'billing_address_2' => 'line2',
-			'billing_city'      => 'city',
-			'billing_country'   => 'country',
-			'billing_postcode'  => 'postal_code',
-			'billing_state'     => 'state',
-		];
-
-		foreach ( $address_field_mapping as $field => $stripe_field_name ) {
-			if ( isset( $required_billing_fields[ $field ] ) ) {
-				$required_address_fields[ $stripe_field_name ] = true;
-			}
-		}
-
-		if ( [] !== $required_address_fields ) {
-			$required_fields['address'] = $required_address_fields;
-		}
-
+	private function validate_create_customer_request( $create_customer_request, $is_add_payment_method_page = false ) {
 		/**
 		 * Filters the required customer fields when creating a customer in Stripe.
 		 *
 		 * @since 9.7.0
 		 * @param array $required_fields The required customer fields as derived from the required billing fields in checkout.
 		 */
-		$required_fields = apply_filters( 'wc_stripe_create_customer_required_fields', $required_fields );
+		$required_fields = apply_filters( 'wc_stripe_create_customer_required_fields', $this->get_create_customer_required_fields( $is_add_payment_method_page ) );
 
 		foreach ( $required_fields as $field => $field_requirements ) {
 			if ( true === $field_requirements ) {
@@ -285,6 +248,62 @@ function ( $field_data ) {
 		}
 	}
 
+	/**
+	 * Get the list of required fields for the create customer request.
+	 *
+	 * @param bool $is_add_payment_method_page
+	 *
+	 * @return array
+	 */
+	private function get_create_customer_required_fields( $is_add_payment_method_page = false ) {
+		// If we are on the add payment method page, we need to check just for the email field.
+		if ( $is_add_payment_method_page ) {
+			return [
+				'email' => true,
+			];
+		}
+
+		$checkout_billing_fields = WC_Checkout::instance()->get_checkout_fields( 'billing' );
+		$required_billing_fields = array_filter(
+			$checkout_billing_fields,
+			function ( $field_data ) {
+				return $field_data['required'] ?? false;
+			}
+		);
+
+		$required_fields = [];
+
+		if ( isset( $required_billing_fields['billing_email'] ) ) {
+			$required_fields['email'] = true;
+		}
+
+		if ( isset( $required_billing_fields['billing_first_name'] ) || isset( $required_billing_fields['billing_last_name'] ) ) {
+			$required_fields['name'] = true;
+		}
+
+		$required_address_fields = [];
+		$address_field_mapping   = [
+			'billing_address_1' => 'line1',
+			'billing_address_2' => 'line2',
+			'billing_city'      => 'city',
+			'billing_country'   => 'country',
+			'billing_postcode'  => 'postal_code',
+			'billing_state'     => 'state',
+		];
+
+		foreach ( $address_field_mapping as $field => $stripe_field_name ) {
+			if ( isset( $required_billing_fields[ $field ] ) ) {
+				$required_address_fields[ $stripe_field_name ] = true;
+			}
+		}
+
+		if ( [] !== $required_address_fields ) {
+			$required_fields['address'] = $required_address_fields;
+		}
+
+		return $required_fields;
+	}
+
 	/**
 	 * Get value of billing data field, either from POST or order object.
 	 *
@@ -396,11 +415,12 @@ public function get_existing_customer( $email, $name ) {
 	 * Create a customer via API.
 	 *
 	 * @param array $args
+	 * @param bool  $is_add_payment_method_page Whether the request is for the add payment method page.
 	 * @return WP_Error|int
 	 *
 	 * @throws WC_Stripe_Exception
 	 */
-	public function create_customer( $args = [] ) {
+	public function create_customer( $args = [], $is_add_payment_method_page = false ) {
 		$args = $this->generate_customer_request( $args );
 
 		// For guest users, check if a customer already exists with the same email and name in Stripe account before creating a new one.
@@ -418,15 +438,15 @@ public function create_customer( $args = [] ) {
 			 */
 			$create_customer_args = apply_filters( 'wc_stripe_create_customer_args', $args );
 
-			$this->validate_create_customer_request( $create_customer_args );
+			$this->validate_create_customer_request( $create_customer_args, $is_add_payment_method_page );
 
 			$response = WC_Stripe_API::request( $create_customer_args, 'customers' );
 		} else {
 			/**
 			 * This filter is documented in includes/class-wc-stripe-customer.php.
 			 */
 			$update_customer_args = apply_filters( 'wc_stripe_update_customer_args', $args );
-			$response = WC_Stripe_API::request( $update_customer_args, 'customers/' . $response->id );
+			$response             = WC_Stripe_API::request( $update_customer_args, 'customers/' . $response->id );
 		}
 
 		if ( ! empty( $response->error ) ) {
@@ -501,9 +521,9 @@ public function update_customer( $args = [], $is_retry = false ) {
 	 *
 	 * @throws WC_Stripe_Exception
 	 */
-	public function update_or_create_customer( $args = [] ) {
+	public function update_or_create_customer( $args = [], $is_add_payment_method_page = false ) {
 		if ( empty( $this->get_id() ) ) {
-			return $this->recreate_customer( $args );
+			return $this->recreate_customer( $args, $is_add_payment_method_page );
 		} else {
 			return $this->update_customer( $args );
 		}
@@ -858,12 +878,13 @@ public function delete_id_from_meta() {
 	 * Recreates the customer for this user.
 	 *
 	 * @param array $args Additional arguments for the request (optional).
+	 * @param bool  $is_add_payment_method_page Whether the request is for the add payment method page.
 	 *
 	 * @return string ID of the new Customer object.
 	 */
-	private function recreate_customer( $args = [] ) {
+	private function recreate_customer( $args = [], $is_add_payment_method_page = false ) {
 		$this->delete_id_from_meta();
-		return $this->create_customer( $args );
+		return $this->create_customer( $args, $is_add_payment_method_page );
 	}
 
 	/**

includes/class-wc-stripe-intent-controller.php

@@ -1138,13 +1138,17 @@ public function create_and_confirm_setup_intent_ajax() {
 			}
 
 			// Determine the customer managing the payment methods, create one if we don't have one already.
-			$user     = wp_get_current_user();
+			$user = wp_get_current_user();
+			// This page is only accessible to logged in users.
+			if ( ! $user->ID ) {
+				throw new WC_Stripe_Exception( 'User not found.', __( "We're not able to add this payment method. Please refresh the page and try again.", 'woocommerce-gateway-stripe' ) );
+			}
 			$customer = new WC_Stripe_Customer( $user->ID );
 
 			// Manually create the payment information array to create & confirm the setup intent.
 			$payment_information = [
 				'payment_method'        => $payment_method,
-				'customer'              => $customer->update_or_create_customer(),
+				'customer'              => $customer->update_or_create_customer( [], true ),
 				'selected_payment_type' => $payment_type,
 				'return_url'            => wc_get_account_endpoint_url( 'payment-methods' ),
 				'use_stripe_sdk'        => 'true', // We want the user to complete the next steps via the JS elements. ref https://docs.stripe.com/api/setup_intents/create#create_setup_intent-use_stripe_sdk

readme.txt

@@ -128,6 +128,7 @@ If you get stuck, you can ask for help in the [Plugin Forum](https://wordpress.o
 * Fix - No such customer error when creating a payment method with a new Stripe account
 * Fix - Validate create customer payload against required billing fields before sending to Stripe
 * Update - Enhanced logging system with support for all log levels and improved context handling
+* Fix - Require email address only for Stripe customer validation when request is from the Add Payment Method page
 * Fix - Set default values for custom field options
 * Fix - Enforce rate limiter for failed add payment method attempts
 * Update - Add the number of pending webhooks to the Account status section

tests/phpunit/WC_Stripe_Customer_Test.php

@@ -46,38 +46,38 @@ public function provide_test_validate_create_customer_request_cases(): array {
 				'expected_exception_message' => null,
 				'expected_exception_string'  => null,
 			],
-			'email is empty string' => [
+			'email is empty string'             => [
 				'billing_fields'             => [ 'email' => '' ],
 				'woo_billing_fields'         => null,
 				'stripe_billing_fields'      => null,
 				'expected_exception_message' => 'missing_required_customer_field: email',
 				'expected_exception_string'  => 'Missing required customer field: email',
 			],
-			'email is whitespace string' => [
+			'email is whitespace string'        => [
 				'billing_fields'             => [ 'email' => '   	  ' ],
 				'woo_billing_fields'         => null,
 				'stripe_billing_fields'      => null,
 				'expected_exception_message' => 'missing_required_customer_field: email',
 				'expected_exception_string'  => 'Missing required customer field: email',
 			],
-			'name is null' => [
+			'name is null'                      => [
 				'billing_fields'             => [
 					'first_name' => null,
-					'last_name' => '',
+					'last_name'  => '',
 				],
 				'woo_billing_fields'         => null,
 				'stripe_billing_fields'      => null,
 				'expected_exception_message' => 'missing_required_customer_field: name',
 				'expected_exception_string'  => 'Missing required customer field: name',
 			],
-			'address line1 is empty string' => [
+			'address line1 is empty string'     => [
 				'billing_fields'             => [ 'address_1' => '' ],
 				'woo_billing_fields'         => null,
 				'stripe_billing_fields'      => null,
 				'expected_exception_message' => 'missing_required_customer_field: address->line1',
 				'expected_exception_string'  => 'Missing required customer field: address->line1',
 			],
-			'address city is empty string' => [
+			'address city is empty string'      => [
 				'billing_fields'             => [ 'city' => '' ],
 				'woo_billing_fields'         => null,
 				'stripe_billing_fields'      => null,
@@ -91,30 +91,66 @@ public function provide_test_validate_create_customer_request_cases(): array {
 				'expected_exception_message' => 'missing_required_customer_field: address->city',
 				'expected_exception_string'  => 'Missing required customer field: address->city',
 			],
-			'address country is empty string' => [
+			'address country is empty string'   => [
 				'billing_fields'             => [ 'country' => '' ],
 				'woo_billing_fields'         => null,
 				'stripe_billing_fields'      => null,
 				'expected_exception_message' => 'missing_required_customer_field: address->country',
 				'expected_exception_string'  => 'Missing required customer field: address->country',
 			],
+			'add payment method page, all fields present and required, no overrides' => [
+				'billing_fields'             => [], // only email is required
+				'woo_billing_fields'         => null,
+				'stripe_billing_fields'      => null,
+				'expected_exception_message' => null,
+				'expected_exception_string'  => null,
+				'is_add_payment_method_page' => true,
+			],
+			'add payment method page, email is empty string' => [
+				'billing_fields'             => [ 'email' => '' ],
+				'woo_billing_fields'         => null,
+				'stripe_billing_fields'      => null,
+				'expected_exception_message' => 'missing_required_customer_field: email',
+				'expected_exception_string'  => 'Missing required customer field: email',
+				'is_add_payment_method_page' => true,
+			],
 		];
 	}
 
 	/**
 	 * @dataProvider provide_test_validate_create_customer_request_cases
 	 */
-	public function test_validate_create_customer_request( array $billing_fields = [], ?array $woo_billing_fields = null, ?array $stripe_billing_fields = null, ?string $expected_exception_message = null, ?string $expected_exception_string = null ) {
-		$default_billing_data = [
-			'email'      => '[email protected]',
-			'first_name' => 'John',
-			'last_name'  => 'Doe',
-			'address_1'  => '123 Main St',
-			'city'       => 'Anytown',
-			'state'      => 'CA',
-			'postcode'   => '12345',
-			'country'    => 'US',
-		];
+	public function test_validate_create_customer_request(
+		array $billing_fields = [],
+		?array $woo_billing_fields = null,
+		?array $stripe_billing_fields = null,
+		?string $expected_exception_message = null,
+		?string $expected_exception_string = null,
+		?bool $is_add_payment_method_page = false
+	) {
+		if ( $is_add_payment_method_page ) {
+			$default_billing_data = [
+				'email'      => '[email protected]',
+				'first_name' => '',
+				'last_name'  => '',
+				'address_1'  => '',
+				'city'       => '',
+				'state'      => '',
+				'postcode'   => '',
+				'country'    => '',
+			];
+		} else {
+			$default_billing_data = [
+				'email'      => '[email protected]',
+				'first_name' => 'John',
+				'last_name'  => 'Doe',
+				'address_1'  => '123 Main St',
+				'city'       => 'Anytown',
+				'state'      => 'CA',
+				'postcode'   => '12345',
+				'country'    => 'US',
+			];
+		}
 
 		$billing_data = wp_parse_args( $billing_fields, $default_billing_data );
 
@@ -193,7 +229,7 @@ public function test_validate_create_customer_request( array $billing_fields = [
 		$mock_order->method( 'get_billing_postcode' )->willReturn( $billing_data['postcode'] );
 		$mock_order->method( 'get_billing_state' )->willReturn( $billing_data['state'] );
 
-		$args = [
+		$args     = [
 			'order' => $mock_order,
 		];
 		$customer = new \WC_Stripe_Customer();
@@ -242,7 +278,7 @@ public function test_validate_create_customer_request( array $billing_fields = [
 		}
 
 		try {
-			$customer->create_customer( $args );
+			$customer->create_customer( $args, $is_add_payment_method_page );
 		} catch ( \WC_Stripe_Exception $stripe_exception ) {
 			$was_exception_thrown = true;