#honkhonk_unexpected
Welcome to your new thread!
We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.
We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.
This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1391894535780696086
Have more to share? Add more details, code, screenshots, videos, etc. below.
The account in question is cus_HRvNJC6pCf6lm5.
Hello! Sorry about the delay, I was answering some other questions
Yea no problem, thanks for your time
From the UI I can see that we can adjust the user's customer invoice balance, presumably that is how we can clear the invoice, but I'm not too sure why this happened.
I'm also a little worried about this issue because this seems like it might be slightly exploitable?
Is there an easy way to pull account balances from the UI aside from Sigma? I pulled everything from the API, but it's not super clear to me what the difference between a balance and a cash balance is in the context of what this user has received
I believe this is because the invoice is still open and expecting payment and thus it's reimbursed them for the unused time with the expectation they will still pay the original invoice in full.
Doing some testing to confirm if the invoice is voided if it will negate the balance
I'm seeing that automatic collection has fallen off on this invoice and it is marked as failed in the system though
hello! fyi i'm taking over this thread
Hey thanks, sorry, hope I didn't scare Mossy off, haha
i know other users have run into similar concerns in the past, i'm digging around some old conversations to see what i turn up
nah you're good, we have a schedule and it's just my turn to take over the discord
right on! Alright let me know if you find anything, I appreciate your help
how are customers accessing the portal currently? are you creating a session for them using the API or using the no-code portal?
This is an older legacy site that is using the API
oooo gotcha, so you're updating subscriptions directly right?
Correct yes
this is the update in question?
https://dashboard.stripe.com/logs/req_DB9KWnfVhRvJyZ
Yes that is when the user swapped to the gold plan
In every other case this provides the behavior we expect, it's just if they have a pending, failing invoice that we end up with this situation
yep... ok, so the advice here remains pretty much the same. this is an unfortunate side effect of how we currently generate prorations. we assume that outstanding invoices have or will be paid at some point. so if you want to prevent credits from accruing via prorations, you need to check the current status of the most recent invoice, and if it's still unpaid, update your logic to disable prorations on the invoice update request
Right ok, I understand
Is there a way we can pull a report of our users that have an outstanding balance or is that behind Sigma at this point?
i (and our team generally) aren't super well versed in reporting unfortunately... let me see if i can think of another way to get that data
when you say outstanding balance are you referring to unpaid invoices? or positive invoice balances?
I'd like to find a quick way to give the owner a way to find out who has a positive value -- to whom we owe money to, or may have taken advantage of this
import time
from typing import Any, Dict, List

import stripe  # assumes stripe.api_key has already been set


def get_all_customers() -> List[Dict[str, Any]]:
    """
    Retrieve all customers from Stripe.
    Returns:
        List of customer objects
    """
    customers = []
    has_more = True
    starting_after = None
    # Paginate through all customers, 100 per page (the API maximum)
    while has_more:
        params = {
            "limit": 100,
            "expand": [
                "data.cash_balance"
            ]
        }
        if starting_after:
            params["starting_after"] = starting_after
        response = stripe.Customer.list(**params)
        customers.extend(response.data)
        has_more = response.has_more
        if has_more and customers:
            # Cursor for the next page is the last customer id seen so far
            starting_after = customers[-1]["id"]
        # Throttle to stay well under the API rate limit
        time.sleep(1)
    return customers
I used this to download the stripe user list, I'm unclear if I'm looking for balance or cash balance
Also, sorry, one last thing, how do I undo this? Should I just adjust this fella's account balance in the UI? Is that the appropriate way to reset this proration?
it should be balance
and yeah i think just adjusting the balance manually is the way to go
(no worries for asking more questions, i was actually going to get to that myself)
you can see the event where the customer's balance was adjusted here
https://dashboard.stripe.com/events/evt_1RfKXvFiKnP5OgWM9UaMzVAb
Alright cheers, cool beans. At the very least I can just give them that API report if there isn't anything in the UI for them to easily download this, but it would be really great to just have a button that says "you owe these people money", I haven't been able to find it in the UI
we're generally more familiar with the APIs than the dashboard since we're developer focused, but i can poke around for a bit to see if i can find anything
you can also check with our support team to see if there's a UI or report for this:
https://support.stripe.com/
Right, ok, thanks for your and Mossy's help
yep of course!
Hello, I'm sorry, I just gave this a think. I don't think we can actually disable prorations here. If we did, and then that invoice cleared, it would not be correct.
I think you are correct that Stripe should assume that this user owes us this money, the proration for the subscription change should clear that invoice though. Stripe is marking it as uncollected and voiding it, they are no longer expecting the user to pay, but the account credit they received should have cleared the invoice
I'm sorry that is a bad explanation, but, basically, you would expect the user to have switched, received a proration, which paid that previous invoice off, since Stripe said we owed that amount
If we disable proration and it clears, the user is double charged, if we keep proration on, it would be correct if the user paid, but the user didn't. When the payment fails, Stripe is missing a step of clearing the account balance with that invoice when it fails.
If we implemented that, it would be on the webhook for invoice_failed, where we remove the account balance, from our side, but from an accounting perspective, shouldn't Stripe have also done that?
good question, let me have a think of my own
Does Stripe have a bug bounty?
we do actually! see this page on our docs:
https://docs.stripe.com/security#disclosure-and-reward-program
I think from an accounting perspective this is actually a legitimate bug I cannot make it balance on my end, and if I sell physical goods, this person just received free money.
Is it possible to delete this thread? I am about 99.99% sure now this is a legitimate bug that deserves going through the proper channels
i'm still running through a few tests on my own side to confirm things
thinking through other best possible ways to handle this, i think disabling customer's ability to edit subscriptions entirely if their last invoice is still unpaid feels like the most thorough way to prevent this
That would make sense I agree
i agree that having this as common knowledge feels like a pretty bad idea so i will look into if it's possible to delete the thread
(i think it should be but i haven't had to do it before so i need to make sure there aren't weird side effects)
I'll be upfront in that I've never gone through Hackerone here, I'm submitting a ticket right now
It's going to come through incorrectly filed but it'll be there in a few minutes
ah haaaah, i found the place in our public docs where this behavior is documented:
https://docs.stripe.com/billing/subscriptions/prorations#prorations-and-unpaid-invoices
so options here include:
- disable updating the subscription
- disable prorations and void the old invoice when a subscription is updated
That works but this is a side note in a documentation, which, the documentation correctly points out, will lead to double payment and requires users to cancel an existing invoice. There is no way people are doing this. Any site that isn't doing this effectively has an infinite money glitch
I could put 99999 items into my cart, fail the payment, get prorated, and effectively rob people that have automation set up, this needs to be fixed on Stripe's side I think
We need to delete this thread guys
Hi! I am taking over the thread. Give me a moment to catch up.
Godspeed, Sam
Sorry to keep you waiting! I'm checking internally if we can delete threads as this is a public platform. Will update you soon!
I have submitted a Hackerone bug report for this on Stripe's bug bounty program here:
ID: 3240221
Title:
Incorrect allocation of account credits
I have referenced this thread, if you could explain to someone internally what this means I would greatly appreciate it, I will fill in additional details as I can
Thanks for waiting! As this is a public platform, we're unable to delete the thread. Also the team responsible for managing bug reports is separate, and I don't have access to the details sent to them. We will need you to update the details in the report.
I've updated it with the conversation here where Solanum was able to (I believe?) replicate the issue. I will include a video, I am setting up a sandbox. I have confirmed via the account linked that this is possible in live-mode though. What other details will help with the bug report?
I'm going to delete the OP and various details here.
Edit: I cannot
Yeap, I think this should be sufficient. I'm sure they'll reach out to you if they need more details.