Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: set email when creating new session for trial days #2710

Merged
merged 2 commits into from
Nov 19, 2024
Merged

fix: set email when creating new session for trial days #2710

merged 2 commits into from
Nov 19, 2024

Conversation

pavelbrm
Copy link
Contributor

@pavelbrm pavelbrm commented Nov 12, 2024
edited
Loading

Summary

This PR improves handling of the customer email on a Stripe checkout session when setting trial days on an order and session.

#2698 improved handling, but that was not enough. When we're setting trial days on a session, the caller already has the correct email. SKUs attempts to work out the email based on the old session. Because the two calls (the creation of the initial session and setting trial days) happen very close to each other, the customer record might not be ready yet or miss information.

This PR makes use of the passed email address, and falls back to the old behaviour (i.e. takes the email from on old session) only if it was not passed.

This should address the majority of cases where the checkout page for products with trial might be shown without a pre-filled email address.

Type of Change

  • Product feature
  • Bug fix
  • Performance improvement
  • Refactor
  • Other

Tested Environments

  • Development
  • Staging
  • Production

Before Requesting Review

  • Does your code build cleanly without any errors or warnings?
  • Have you used auto closing keywords?
  • Have you added tests for new functionality?
  • Have validated query efficiency for new database queries?
  • Have documented new functionality in README or in comments?
  • Have you squashed all intermediate commits?
  • Is there a clear title that explains what the PR does?
  • Have you used intuitive function, variable and other naming?
  • Have you requested security and/or privacy review if needed
  • Have you performed a self review of this PR?

Manual Test Plan

@pavelbrm pavelbrm force-pushed the improve-email-checkout-02 branch from 440b911 to 8ea83b9 Compare November 12, 2024 10:51
pavelbrm
pavelbrm commented Nov 13, 2024
View reviewed changes
services/skus/controllers.go
Comment on lines -327 to -330
if err := svc.validateOrderMerchantAndCaveats(ctx, orderID); err != nil {
return handlers.ValidationError("merchant and caveats", map[string]interface{}{"orderMerchantAndCaveats": err.Error()})
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does not do anything useful for Premium orders. The endpoint is already authenticated. The merchant is always the same, it's brave.com, and we set it ourselves. And it seems like caveats for Premium are not populated at all, so the check is useless at least, and it also wastes two queries to the database to fetch the order.

@pavelbrm pavelbrm force-pushed the improve-email-checkout-02 branch from 8ea83b9 to 177d15c Compare November 13, 2024 07:06
@pavelbrm pavelbrm self-assigned this Nov 13, 2024
@pavelbrm pavelbrm marked this pull request as ready for review November 13, 2024 07:51
@pavelbrm pavelbrm requested a review from clD11 November 13, 2024 07:51
@github-actions GitHub Actions
Copy link

[puLL-Merge] - brave-intl/bat-go@2710

Description

This PR refactors the handling of trial days for orders in the BAT-Go project. It introduces changes to improve the process of setting trial days and creating Stripe sessions for orders, particularly focusing on the setOrderTrialDays functionality.

Changes

Changes

  1. services/skus/controllers.go:

    • Removed setTrialDaysRequest struct and replaced it with model.SetTrialDaysRequest.
    • Updated handleSetOrderTrialDays to use the new setOrderTrialDays method.
    • Added time.Now().UTC() to get the current time for consistency.

  2. services/skus/datastore.go:

    • Removed SetOrderTrialDays method from the Datastore interface.
    • Removed SetTrialDays method from the orderStore interface.

  3. services/skus/instrumented_datastore.go:

    • Removed SetOrderTrialDays method implementation.

  4. services/skus/mockdatastore.go:

    • Removed mock implementations for SetOrderTrialDays and SetTrialDays.

  5. services/skus/model/model.go:

    • Added SetTrialDaysRequest struct with Email and TrialDays fields.
    • Updated ShouldSetTrialDays to ShouldCreateTrialSessionStripe.
    • Added IsPaidAt method to check if an order is paid at a specific time.

  6. services/skus/model/model_test.go:

    • Updated tests for ShouldCreateTrialSessionStripe and IsPaidAt.

  7. services/skus/service.go:

    • Added SetTrialDays method to orderStoreSvc interface.
    • Implemented setOrderTrialDays and setOrderTrialDaysTx methods.
    • Updated recreateStripeSession to handle email parameter.

  8. services/skus/service_nonint_test.go:

    • Added tests for setOrderTrialDaysTx.

  9. services/skus/storage/repository/mock.go:

    • Added FnSetTrialDays to MockOrder struct.

  10. services/skus/storage/repository/repository.go:

    • Updated SetTrialDays method to use execUpdate.

  11. services/skus/storage/repository/repository_test.go:

    • Updated tests for SetTrialDays.

Possible Issues

  1. The Email field in SetTrialDaysRequest is marked as TODO to make it required, which might lead to inconsistencies if not addressed soon.
  2. The removal of validateOrderMerchantAndCaveats in handleSetOrderTrialDays might potentially bypass some important validations.

Security Hotspots

  1. The io.ReadAll function in handleSetOrderTrialDays reads the entire request body into memory, which could potentially be exploited for a Denial of Service attack if not properly limited.

@pavelbrm
Copy link
Contributor Author

  1. The io.ReadAll function in handleSetOrderTrialDays reads the entire request body into memory, which could potentially be exploited for a Denial of Service attack if not properly limited.

Wrong. The body is being read with a limit.

clD11
clD11 approved these changes Nov 18, 2024
View reviewed changes
Copy link
Contributor

@clD11 clD11 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM approved.

@pavelbrm pavelbrm merged commit 36136d6 into master Nov 19, 2024
13 checks passed
@pavelbrm pavelbrm deleted the improve-email-checkout-02 branch November 19, 2024 04:25
@pavelbrm pavelbrm mentioned this pull request Nov 19, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@clD11 clD11 clD11 approved these changes

Assignees

@pavelbrm pavelbrm

Labels
puLL-Merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pavelbrm @clD11