Allowing additional arguments to get passed when creating a subscription #16

Closed

nateiler

No description provided.

@nateiler
Author

Not sure how crazy to get with adding all of the arguments, but it would provide a lot of flexibility for developers. This is just a start (and serves our current and most common needs).

@nateiler nateiler closed this Aug 31, 2018
@AugustMiller
Contributor

@nateiler I'm curious about the impact of exposing more of these params via the SubscriptionForm class… granted it's populated automatically from request data, it seems like there is a potential attack vector here, for circumventing actual payment, i.e. by setting a form input to trial_period_days to 9999999? Maybe there's a system in place for this?

I came here looking for an opportunity to customize the request a bit (say, via Events), without exposing any/all model + request params directly to the new subscriber.

@andris-sevcenko, should I/we be concerned about expanding the scope of this?

Secondarily, would you also welcome a solution that used Events to make adjustments to this functionality (i.e. so each implementing developer could decide which params to expose or customize)?

@AugustMiller
Contributor

Oh, I'm sorry—I thought this had been merged, but it was closed! Never mind!

@andris-sevcenko
Contributor

@AugustMiller Stripe 1.1.0 added support for plugins modifying the payment requests using the craft\commerce\stripe\events\BuildGatewayRequestEvent event.

As far as the security implications - all subscription form parameters expect to be hashed in the form of planuid:value to ensure it's not really possible to figure out the hash for 5 trial days.

It's strongly encouraged, though, to use subscription events for that - https://docs.craftcms.com/commerce/v2/events.html#subscription-related-events
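
The `planuid:value` binding described in the last comment, as an added example that is not part of the thread or of the plugin's code: the server signs each form value together with the plan UID, so an edited `trial_period_days` or a value signed for a different plan is rejected on submit. The key, function names and plan UIDs are hypothetical, and HMAC-SHA256 is an assumed construction, not a statement of how the plugin hashes values.

```php
<?php
declare(strict_types=1);

// Hypothetical server-side secret (constructed); a real app loads it from config.
const SIGNING_KEY = 'constructed-demo-key-not-a-real-secret';
const MAC_HEX_LEN = 64; // hex length of a SHA-256 HMAC

/** Sign "planUid:value" at render time; the result goes into a hidden input. */
function signPlanParam(string $planUid, string $value): string
{
    $data = $planUid . ':' . $value;
    return hash_hmac('sha256', $data, SIGNING_KEY) . $data;
}

/**
 * Validate a posted field. Returns the value only if the MAC is intact and
 * the value was issued for the plan being subscribed to; otherwise null.
 */
function readPlanParam(string $posted, string $expectedPlanUid): ?string
{
    if (strlen($posted) <= MAC_HEX_LEN) {
        return null; // too short to carry a MAC: unsigned input
    }
    $mac  = substr($posted, 0, MAC_HEX_LEN);
    $data = substr($posted, MAC_HEX_LEN);
    // Constant-time comparison against the MAC recomputed server-side.
    if (!hash_equals(hash_hmac('sha256', $data, SIGNING_KEY), $mac)) {
        return null; // value or MAC was altered
    }
    [$planUid, $value] = explode(':', $data, 2) + [null, null];
    if ($planUid !== $expectedPlanUid || $value === null) {
        return null; // validly signed, but for another plan
    }
    return $value;
}

// Constructed sample data.
$plan  = 'plan-uid-constructed-1';
$field = signPlanParam($plan, '5');

// Case 1: untouched field for the right plan.
var_dump(readPlanParam($field, $plan));
// Case 2: value edited in the browser while the original MAC is reused.
var_dump(readPlanParam(substr($field, 0, MAC_HEX_LEN) . $plan . ':9999999', $plan));
// Case 3: raw, unsigned value posted.
var_dump(readPlanParam('9999999', $plan));
// Case 4: field replayed against a different plan.
var_dump(readPlanParam($field, 'plan-uid-constructed-2'));
```

Only the first case yields a value; the other three return `null`, which the calling code should treat as a rejected submission rather than falling back to a default.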
