user upgrades: upgrade to new Stripe checkout system.

This upgrades from the legacy version of Stripe's checkout system to the new version: > The legacy version of Checkout presented customers with a modal dialog > that collected card information, and returned a token or a source to > your website. In contrast, the new version of Checkout is a smart > payment page hosted by Stripe that creates payments or subscriptions. It > supports Apple Pay, Dynamic 3D Secure, and many other features. Basic overview of the new system: * We send the user to a checkout page on Stripe. * Stripe collects payment and sends us a webhook notification when the order is complete. * We receive the webhook notification and upgrade the user. Docs: * https://stripe.com/docs/payments/checkout * https://stripe.com/docs/payments/checkout/migration#client-products * https://stripe.com/docs/payments/handling-payment-events * https://stripe.com/docs/payments/checkout/fulfill-orders
2020-12-23 05:15:08 -06:00
parent c17678d509
commit 7762489d7d
18 changed files with 536 additions and 175 deletions
--- a/app/controllers/user_upgrades_controller.rb
+++ b/app/controllers/user_upgrades_controller.rb
@@ -1,11 +1,12 @@
 class UserUpgradesController < ApplicationController
  helper_method :user
-  skip_before_action :verify_authenticity_token, only: [:create]
+  respond_to :js, :html

  def create
-    if params[:stripeToken]
-      create_stripe
-    end
+    @user_upgrade = UserUpgrade.new(recipient: user, purchaser: CurrentUser.user, level: params[:level].to_i)
+    @checkout = @user_upgrade.create_checkout
+
+    respond_with(@user_upgrade)
  end

  def new
@@ -22,38 +23,4 @@ class UserUpgradesController < ApplicationController
      CurrentUser.user
    end
  end
-
-  private
-
-  def create_stripe
-    @user = user
-
-    if params[:desc] == "Upgrade to Gold"
-      level = User::Levels::GOLD
-      cost = UserUpgrade.gold_price
-    elsif params[:desc] == "Upgrade to Platinum"
-      level = User::Levels::PLATINUM
-      cost = UserUpgrade.platinum_price
-    elsif params[:desc] == "Upgrade Gold to Platinum" && @user.level == User::Levels::GOLD
-      level = User::Levels::PLATINUM
-      cost = UserUpgrade.upgrade_price
-    else
-      raise "Invalid desc"
-    end
-
-    begin
-      charge = Stripe::Charge.create(amount: cost, currency: "usd", source: params[:stripeToken], description: params[:desc])
-      @user.promote_to!(level, User.system, is_upgrade: true)
-      flash[:success] = true
-    rescue Stripe::StripeError => e
-      DanbooruLogger.log(e)
-      flash[:error] = e.message
-    end
-
-    if @user == CurrentUser.user
-      redirect_to user_upgrade_path
-    else
-      redirect_to user_upgrade_path(user_id: params[:user_id])
-    end
-  end
 end
--- a/app/controllers/webhooks_controller.rb
+++ b/app/controllers/webhooks_controller.rb
@@ -0,0 +1,13 @@
+class WebhooksController < ApplicationController
+  skip_forgery_protection only: :receive
+  rescue_with Stripe::SignatureVerificationError, status: 400
+
+  def receive
+    if params[:source] == "stripe"
+      UserUpgrade.receive_webhook(request)
+      head 200
+    else
+      head 400
+    end
+  end
+end
--- a/app/helpers/user_upgrades_helper.rb
+++ b/app/helpers/user_upgrades_helper.rb
@@ -1,24 +1,4 @@
 module UserUpgradesHelper
-  def stripe_button(desc, cost, user)
-    html = %{
-      <form action="#{user_upgrade_path}" method="POST" class="stripe">
-        <input type="hidden" name="authenticity_token" value="#{form_authenticity_token}">
-        #{hidden_field_tag(:desc, desc)}
-        #{hidden_field_tag(:user_id, user.id)}
-        <script
-          src="https://checkout.stripe.com/checkout.js" class="stripe-button"
-          data-key="#{Danbooru.config.stripe_publishable_key}"
-          data-name="#{Danbooru.config.canonical_app_name}"
-          data-description="#{desc}"
-          data-label="#{desc}"
-          data-amount="#{cost}">
-        </script>
-      </form>
-    }
-
-    raw(html)
-  end
-
  def cents_to_usd(cents)
    number_to_currency(cents / 100, precision: 0)
  end
--- a/app/logical/user_upgrade.rb
+++ b/app/logical/user_upgrade.rb
@@ -1,13 +1,145 @@
 class UserUpgrade
+  attr_reader :recipient, :purchaser, :level
+
+  def self.stripe_publishable_key
+    Danbooru.config.stripe_publishable_key
+  end
+
+  def self.stripe_webhook_secret
+    Danbooru.config.stripe_webhook_secret
+  end
+
  def self.gold_price
    2000
  end

  def self.platinum_price
-    4000
+    2 * gold_price
  end

-  def self.upgrade_price
-    2000
+  def self.gold_to_platinum_price
+    platinum_price - gold_price
+  end
+
+  def initialize(recipient:, purchaser:, level:)
+    @recipient, @purchaser, @level = recipient, purchaser, level.to_i
+  end
+
+  def upgrade_type
+    if level == User::Levels::GOLD && recipient.level == User::Levels::MEMBER
+      :gold_upgrade
+    elsif level == User::Levels::PLATINUM && recipient.level == User::Levels::MEMBER
+      :platinum_upgrade
+    elsif level == User::Levels::PLATINUM && recipient.level == User::Levels::GOLD
+      :gold_to_platinum_upgrade
+    else
+      raise ArgumentError, "Invalid upgrade"
+    end
+  end
+
+  def upgrade_price
+    case upgrade_type
+    when :gold_upgrade
+      UserUpgrade.gold_price
+    when :platinum_upgrade
+      UserUpgrade.platinum_price
+    when :gold_to_platinum_upgrade
+      UserUpgrade.gold_to_platinum_price
+    end
+  end
+
+  def upgrade_description
+    case upgrade_type
+    when :gold_upgrade
+      "Upgrade to Gold"
+    when :platinum_upgrade
+      "Upgrade to Platinum"
+    when :gold_to_platinum_upgrade
+      "Upgrade Gold to Platinum"
+    end
+  end
+
+  def is_gift?
+    recipient != purchaser
+  end
+
+  def process_upgrade!
+    recipient.with_lock do
+      upgrade_recipient!
+    end
+  end
+
+  def upgrade_recipient!
+    recipient.promote_to!(level, User.system, is_upgrade: true)
+  end
+
+  concerning :StripeMethods do
+    def create_checkout
+      Stripe::Checkout::Session.create(
+        mode: "payment",
+        success_url: Routes.user_upgrade_url(user_id: recipient.id),
+        cancel_url: Routes.new_user_upgrade_url(user_id: recipient.id),
+        client_reference_id: "user_#{purchaser.id}",
+        customer_email: recipient.email_address&.address,
+        payment_method_types: ["card"],
+        line_items: [{
+          price_data: {
+            unit_amount: upgrade_price,
+            currency: "usd",
+            product_data: {
+              name: upgrade_description,
+            },
+          },
+          quantity: 1,
+        }],
+        metadata: {
+          purchaser_id: purchaser.id,
+          recipient_id: recipient.id,
+          purchaser_name: purchaser.name,
+          recipient_name: recipient.name,
+          upgrade_type: upgrade_type,
+          is_gift: is_gift?,
+          level: level,
+        },
+      )
+    end
+
+    class_methods do
+      def register_webhook
+        webhook = Stripe::WebhookEndpoint.create({
+          url: Routes.webhook_user_upgrade_url(source: "stripe"),
+          enabled_events: [
+            "payment_intent.created",
+            "payment_intent.payment_failed",
+            "checkout.session.completed",
+          ],
+        })
+
+        webhook.secret
+      end
+
+      def receive_webhook(request)
+        event = build_event(request)
+
+        if event.type == "checkout.session.completed"
+          checkout_session_completed(event)
+        end
+      end
+
+      def build_event(request)
+        payload = request.body.read
+        signature = request.headers["Stripe-Signature"]
+        Stripe::Webhook.construct_event(payload, signature, stripe_webhook_secret)
+      end
+
+      def checkout_session_completed(event)
+        recipient = User.find(event.data.object.metadata.recipient_id)
+        purchaser = User.find(event.data.object.metadata.purchaser_id)
+        level = event.data.object.metadata.level
+
+        user_upgrade = UserUpgrade.new(recipient: recipient, purchaser: purchaser, level: level)
+        user_upgrade.process_upgrade!
+      end
+    end
  end
 end
--- a/app/views/user_upgrades/_stripe_payment.html.erb
+++ b/app/views/user_upgrades/_stripe_payment.html.erb
@@ -1,10 +0,0 @@
-<div class="section">
-  <p>You can pay with a credit or debit card. Safebooru uses <a href="https://www.stripe.com">Stripe</a> as a payment intermediary so none of your personal information will be stored on the site.</p>
-
-  <% if user.level < User::Levels::GOLD %>
-    <%= stripe_button("Upgrade to Gold", UserUpgrade.gold_price, user) %>
-    <%= stripe_button("Upgrade to Platinum", UserUpgrade.platinum_price, user) %>
-  <% elsif user.level < User::Levels::PLATINUM %>
-    <%= stripe_button("Upgrade Gold to Platinum", UserUpgrade.upgrade_price, user) %>
-  <% end %>
-</div>
--- a/app/views/user_upgrades/_stripe_payment_safebooru.html.erb
+++ b/app/views/user_upgrades/_stripe_payment_safebooru.html.erb
@@ -1,3 +0,0 @@
-<div class="section">
-  <p>You can pay with a credit or debit card on <%= link_to "Safebooru", new_user_upgrade_url(host: "safebooru.donmai.us", protocol: "https") %>. Your account will then also be upgraded on Danbooru. You can login to Safebooru with the same username and password you use on Danbooru.</p>
-</div>
--- a/app/views/user_upgrades/create.js.erb
+++ b/app/views/user_upgrades/create.js.erb
@@ -0,0 +1,2 @@
+var stripe = Stripe("<%= j UserUpgrade.stripe_publishable_key %>");
+stripe.redirectToCheckout({ sessionId: "<%= j @checkout.id %>" });
--- a/app/views/user_upgrades/new.html.erb
+++ b/app/views/user_upgrades/new.html.erb
@@ -1,5 +1,6 @@
 <% page_title "Account Upgrade" %>
-<% meta_description "Upgrade to a Gold or Platinum account on #{Danbooru.config.app_name}." %>
+<% meta_description "Upgrade to a Gold or Platinum account." %>
+<script src="https://js.stripe.com/v3/"></script>

 <%= render "users/secondary_links" %>

@@ -96,9 +97,24 @@
      <% if CurrentUser.is_anonymous? %>
        <p><%= link_to "Sign up", new_user_path %> or <%= link_to "login", login_path(url: new_user_upgrade_path) %> first to upgrade your account.</p>
      <% elsif CurrentUser.safe_mode? %>
-        <%= render "stripe_payment" %>
+        <div class="section">
+          <p>You can pay with a credit or debit card. Safebooru uses <a href="https://www.stripe.com">Stripe</a>
+          as a payment intermediary so none of your personal information will be stored on the site.</p>
+
+          <% if user.level < User::Levels::GOLD %>
+            <p><%= button_to "Upgrade to Gold", user_upgrade_path(user_id: user.id, level: User::Levels::GOLD), remote: true, disable_with: "Redirecting..." %></p>
+            <p><%= button_to "Upgrade to Platinum", user_upgrade_path(user_id: user.id, level: User::Levels::PLATINUM), remote: true, disable_with: "Redirecting..." %></p>
+          <% elsif user.level < User::Levels::PLATINUM %>
+            <p><%= button_to "Upgrade Gold to Platinum", user_upgrade_path(user_id: user.id, level: User::Levels::PLATINUM), remote: true, disable_with: "Redirecting..." %></p>
+          <% end %>
+        </div>
      <% else %>
-        <%= render "stripe_payment_safebooru" %>
+        <div class="section">
+          <p>You can pay with a credit or debit card on
+          <%= link_to "Safebooru", new_user_upgrade_url(user_id: user.id, host: "safebooru.donmai.us", protocol: "https") %>.
+          Your account will then also be upgraded on Danbooru. You can login to
+          Safebooru with the same username and password you use on Danbooru.</p>
+        </div>
      <% end %>
    <% end %>
  </div>