Deleted payment source isn’t removed from Stripe

[bwlng]

Description

When deleting a payment source from a front-end form, the payment source is removed from Craft, but not from the customer on Stripe.

Steps to reproduce

1. Submit form to commerce/payment-sources/delete

    removePayment() {
      var _self = this
      var params = new URLSearchParams()

      params.append('action', 'commerce/payment-sources/delete')
      params.append('id', _self.paymentSource.id);
      axios.post('', params, {
        headers: {
          "X-CSRF-Token" : window.csrfTokenValue,
          "X-Requested-With": 'XMLHttpRequest',
        },
      })
      .then(function (response) {
        console.log(response);
        _self.removed = true
      })
      .catch(function (error) {
        console.log(error);
      });
    }

2. Payment is removed from craft_commerce_paymentsources table, but customer info is not updated at Stripe and no request appears in the developer logs in the Stripe dashboard

Additional info

• Craft version: 3.0.27.1
• Plugins & versions: Commerce 2.0.0-beta.11, Commerce Stripe 1.0.7

[andris-sevcenko]

Are you confusing the environments on Stripe, perhaps? Make sure you're checking the same (test/live) logs that your gateway is set to.

[bwlng]

The log was being filtered out in the default view in my Stripe dashboard. It's showing a GET request to GET /v1/sources/src_xxxxx. The log on stripe shows no response body or request params and the card remains attached to the customer.

Using the Stripe API reference and CURL I'm able to remove the card using the following:

curl https://api.stripe.com/v1/customers/cus_xxx/sources/src_xxx \
   -u sk_test_xxx: \
   -X DELETE

Which then logs a DELETE request to DELETE /v1/customers/cus_xxx/sources/src_xxx and the card is removed from the customer in Stripe.

[andris-sevcenko]

Huh. Can you make sure that the GET request appears when you're attempting to delete a source?

Assuming that this is on a server where it's impossible to provide access - can you check somehow if an exception is being thrown here: https://github.com/craftcms/commerce-stripe/blob/develop/src/gateways/Gateway.php#L363 and if so, what's the message?

[bwlng]

There is an error thrown there: This source object does not appear to be currently attached to a customer object.

The source was added using commerce/payment-sources/add

The logs in Stripe show the source being created then set to the default card for the user. I can verify that the source is attached to the customer in Stripe.

Then when I remove the card using commerce/payment-sources/delete the timestamp in the Craft logs for the above exception corresponds with the GET request timestamp to the sources endpoint in Stripe's logs.

I don't have this on a public server yet, but I will in the next day or so.

[andris-sevcenko]

Okay, so Stripe fetches the source and tries to detach it. And it complains that it's not attached to a customer object.

When you check in the dashboard, can you see that the source is still attached to the customer? That's strange.

Is this all in Stripe test mode? Can you check that the customer id corresponds to the customer found in your stripe_customers database table?

[bwlng]

This is in Stripe test mode. I started logging the token so I could make sure it matched up the with src_ attached to the customer in Stripe and it does.

The userId in the commerce_paymentsources table matches the userId in stripe_customers and the reference in stripe_customers matches the customer's ID in Stripe.

Below is the source logged in deletePaymentSource. It looks like detach() in vendor/stripe/stripe-php/lib/Source.php is expecting the source to have a customer key — which is missing from the source being passed through.

Still working on getting this on a server.

{
  "id": "src_xxx",
  "object": "source",
  "amount": null,
  "card": {
    "exp_month": 12,
    "exp_year": 2042,
    "brand": "Visa",
    "country": "US",
    "cvc_check": "pass",
    "funding": "credit",
    "last4": "4242",
    "three_d_secure": "optional",
    "name": null,
    "address_line1_check": null,
    "address_zip_check": null,
    "tokenization_method": null,
    "dynamic_last4": null
  },
  "client_secret": "src_client_secret_xxx",
  "created": 1539748788,
  "currency": null,
  "flow": "none",
  "livemode": false,
  "metadata": [],
  "owner": {
    "address": null,
    "email": null,
    "name": "Stephen Bowling",
    "phone": null,
    "verified_address": null,
    "verified_email": null,
    "verified_name": null,
    "verified_phone": null
  },
  "statement_descriptor": null,
  "status": "chargeable",
  "type": "card",
  "usage": "reusable"
}

[andris-sevcenko]

Any updates on this? Is this still happening?

[bwlng]

Yes, this is still happening. I have it on a dev server now. I can also recreate by adding a card using the default shop templates that come with Commerce and adding a card and then removing it.

Additional info

• Craft version: 3.0.27.1
• Plugins & versions: Commerce 2.0.0-beta.13.1, Commerce Stripe 1.0.8

[andris-sevcenko]

Is it possible to send over CP and FTP access to [email protected]? Unable to reproduce this at all on my end. Should be able to query Stripe's end of things just by using the test keys set up for the Stripe gateway.

[bwlng]

Yes, not a problem! Just sent it over with links to test templates and steps to reproduce.

[bwlng]

It appears my issue was caused by using a restricted key w/ the Stripe API. Even with all permissions available it appears there are some areas of the API that are unavailable.

Replacing the restricted key with a secret key allows payment sources to be deleted from customers as expected.