#Matt11


spring gulchBOT
ocean ridge
#

inside my checkout page I have this implementation:

```javascript
stripe.confirmSetup({ elements, redirect: "if_required" })
  .then(function(result) { form.submit(); });
```

but in this SI seti_1MrQuEApMCw5clA31sX628sr I don't have any payment method attached.
But inside my application the form was submitted.
How is this possible?

cursive sandal
#

Hi! Let me help you with this.

#

I don't see any actions on this SI after creation.

#

the form was submitted
What do you mean by this? What form?

ocean ridge
#

my own checkout form

#

I have a form where inside there is the payment element mounted

#

and I submit it only when the confirmSetup is done

cursive sandal
#

Are you getting any error?

ocean ridge
#

nope but a user was able to submit the form bypassing the Stripe JS check on the card

#

this is the full code:

```javascript
form.addEventListener('submit', async (event) => {
  event.preventDefault();
  stripe.confirmSetup({ elements, redirect: "if_required" })
    .then(function(result) {
      console.log('result', result);
      if (result.error) {
        // print errors
      } else {
        form.submit();
      }
    });
});
```

there's a listener on the submit action of the form, I do the confirmSetup and, if everything is ok, I do the real submit

#

So right now I have a customer that was able to submit the form, so it means that confirmSetup was successful, is it possible?

cursive sandal
#

I don't think so. But I also don't have the full context.
This is not a good flow because as you see redirect: "if_required", means that in some cases the redirect will still happen, so your form.submit() will never be executed.

#

Why do you need to submit the form after the payment?

ocean ridge
#

because inside my form I also have other fields to submit to my application (e.g. a coupon code). So I basically want to get the card info, trigger the 3DS if needed and, if everything is ok, submit the form as a POST request to do some other logic

cursive sandal
#

This might fail if the Customer closes the browser after the payment is processed but before the form is submitted. Therefore it's better to rely on webhooks to execute your backend logic: https://stripe.com/docs/webhooks

ocean ridge
#

but this is not my case. the form was submitted and the following logic was executed, so the user stayed in session.
So the user was able to submit the form without any card numbers because on this SI I don't have any payment method

#

in my implementation of the payment element, is there a way to skip the confirmSetup without any card info?

cursive sandal
#

That's not possible.

#

Could you please share more code around this?

ocean ridge
#

```javascript
// #{...} is server-side template interpolation (Rails view), rendered before this JS runs
var stripe = Stripe('#{Rails.configuration.stripe[:publishable_key]}');
const elements = stripe.elements({
  clientSecret: "#{@setup_intent['client_secret'] rescue ''}",
  appearance: {
    theme: 'stripe',
    variables: {
      colorPrimary: '#32325d',
      fontFamily: '"Helvetica Neue", Helvetica, sans-serif',
      fontSmooth: 'antialiased',
      fontSizeBase: '16px',
    }
  }
});

// Create and mount the Payment Element
const paymentElement = elements.create("payment");
paymentElement.mount('#payment-element');

const form = document.getElementById('payment-form');

form.addEventListener('submit', async (event) => {
  event.preventDefault();
  // Only go through Stripe when the selected payment method is 'stripe';
  // any other value submits the form directly without confirmSetup
  if ($('#payment_payment_method').val() == 'stripe') {
    stripe.confirmSetup({
      elements,
      redirect: "if_required"
    })
    .then(function(result) {
      console.log('result', result);
      if (result.error) {
        // Show the Stripe error message and re-enable the submit button
        const messageContainer = document.querySelector('#error-message');
        messageContainer.textContent = result.error.message;
        $('#payment-form input[type="submit"]').attr('disabled', false);
        setTimeout(function () {
          $("button[form='payment-form']").text($("button[form='payment-form']").first().data('originalLabel'));
          $("button[form='payment-form']").attr('disabled', false);
        }, 500);
      } else {
        ga('send', 'pageview', 'registration_all_#{@plan.slug}');
        // Your customer will be redirected to your `return_url`. For some payment
        // methods like iDEAL, your customer will be redirected to an intermediate
        // site first to authorize the payment, then redirected to the `return_url`.
        form.submit();
      }
    });
  } else {
    form.submit();
  }
});
```
#

this is the entire JS of the checkout page

cursive sandal
#

I see that if this is not true: $('#payment_payment_method').val() == 'stripe'
The form will just be submitted. Maybe that's what happened?

#

I mean this:

```javascript
...
} else {
  form.submit();
}
```
ocean ridge
#

If it is not 'stripe', it is another payment method without the Stripe flow

cursive sandal
#

Your initial question was how a customer submitted a form without going through stripe.confirmSetup()
Isn't this what happened?

ocean ridge
#

I don't think so because the after-submit logic written in our database was the Stripe one

#

this is why I asked if someone can skip the confirmSetup

cursive sandal
#

That's not possible, so we need to look for the issue elsewhere.

ocean ridge
#

ok thanks @cursive sandal !

cursive sandal
#

Please, let me know if you have any other questions.

ocean ridge
#

not for now thanks!

loud peak
#

Hi there 👋 out of curiosity, have you spoken with the user who was able to do this? Did they start executing javascript straight from their browser dev tools to submit your form without executing your code?