Add 3DS support to Stripe plugin

src/pretix/plugins/stripe/views.py

@@ -1,19 +1,25 @@
+import hashlib
 import json
 import logging
 
 import stripe
 from django.contrib import messages
 from django.db import transaction
-from django.http import HttpResponse
+from django.http import Http404, HttpResponse
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
+from django.utils.decorators import method_decorator
+from django.utils.functional import cached_property
 from django.utils.translation import ugettext_lazy as _
+from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_POST
 
 from pretix.base.models import Order, Quota, RequiredAction
+from pretix.base.payment import PaymentException
 from pretix.base.services.orders import mark_order_paid, mark_order_refunded
 from pretix.control.permissions import event_permission_required
+from pretix.multidomain.urlreverse import eventreverse
 from pretix.plugins.stripe.payment import Stripe
 from pretix.presale.utils import event_view
 
@@ -32,12 +38,16 @@ def webhook(request, *args, **kwargs):
     # come from anywhere.
 
     if event_json['data']['object']['object'] == "charge":
-        charge_id = event_json['data']['object']['id']
+        return charge_webhook(request, event_json, event_json['data']['object']['id'])
     elif event_json['data']['object']['object'] == "dispute":
-        charge_id = event_json['data']['object']['charge']
+        return charge_webhook(request, event_json, event_json['data']['object']['charge'])
+    elif event_json['data']['object']['object'] == "source":
+        return source_webhook(request, event_json, event_json['data']['object']['id'])
     else:
         return HttpResponse("Not interested in this data type", status=200)
 
+
+def charge_webhook(request, event_json, charge_id):
     prov = Stripe(request.event)
     prov._init_api()
     try:
@@ -75,7 +85,9 @@ def webhook(request, *args, **kwargs):
             if not RequiredAction.objects.filter(event=request.event, action_type='pretix.plugins.stripe.overpaid',
                                                  data__icontains=order.code).exists():
                 RequiredAction.objects.create(
-                    event=request.event, action_type='pretix.plugins.stripe.overpaid', data=json.dumps({
+                    event=request.event,
+                    action_type='pretix.plugins.stripe.overpaid',
+                    data=json.dumps({
                         'order': order.code,
                         'charge': charge.id
                     })
@@ -84,6 +96,40 @@ def webhook(request, *args, **kwargs):
     return HttpResponse(status=200)
 
 
+def source_webhook(request, event_json, source_id):
+    prov = Stripe(request.event)
+    prov._init_api()
+    try:
+        src = stripe.Source.retrieve(source_id)
+    except stripe.error.StripeError:
+        logger.exception('Stripe error on webhook. Event data: %s' % str(event_json))
+        return HttpResponse('Charge not found', status=500)
+
+    metadata = src['metadata']
+    if 'event' not in metadata:
+        return HttpResponse('Event not given in charge metadata', status=200)
+
+    if int(metadata['event']) != request.event.pk:
+        return HttpResponse('Not interested in this event', status=200)
+
+    with transaction.atomic():
+        try:
+            order = request.event.orders.get(id=metadata['order'], payment_provider='stripe')
+        except Order.DoesNotExist:
+            return HttpResponse('Order not found', status=200)
+
+        order.log_action('pretix.plugins.stripe.event', data=event_json)
+        go = (event_json['type'] == 'source.chargeable' and order.status == Order.STATUS_PENDING and
+              src.status == 'chargeable')
+        if go:
+            try:
+                prov._charge_source(source_id, order)
+            except PaymentException:
+                logger.exception('Webhook error')
+
+    return HttpResponse(status=200)
+
+
 @event_permission_required('can_view_orders')
 @require_POST
 def refund(request, **kwargs):
@@ -108,3 +154,64 @@ def refund(request, **kwargs):
         'event': request.event.slug,
         'code': data['order']
     }))
+
+
+class StripeOrderView:
+    def dispatch(self, request, *args, **kwargs):
+        try:
+            self.order = request.event.orders.get(code=kwargs['order'])
+            if hashlib.sha1(self.order.secret.lower().encode()).hexdigest() != kwargs['hash'].lower():
+                raise Http404('')
+        except Order.DoesNotExist:
+            # Do a hash comparison as well to harden timing attacks
+            if 'abcdefghijklmnopq'.lower() == hashlib.sha1('abcdefghijklmnopq'.encode()).hexdigest():
+                raise Http404('')
+            else:
+                raise Http404('')
+        return super().dispatch(request, *args, **kwargs)
+
+    @cached_property
+    def pprov(self):
+        return self.request.event.get_payment_providers()[self.order.payment_provider]
+
+
+@method_decorator(event_view, name='dispatch')
+class ReturnView(StripeOrderView, View):
+    def get(self, request, *args, **kwargs):
+        prov = Stripe(request.event)
+        prov._init_api()
+        src = stripe.Source.retrieve(request.GET.get('source'))
+        if src.client_secret != request.GET.get('client_secret'):
+            messages.error(self.request, _('Sorry, there was an error in the payment process. Please check the link '
+                                           'in your emails to continue.'))
+            return redirect(eventreverse(self.request.event, 'presale:event.index'))
+
+        with transaction.atomic():
+            self.order.refresh_from_db()
+            if self.order.status == Order.STATUS_PAID:
+                del request.session['payment_stripe_token']
+                return self._redirect_to_order()
+
+            if src.status == 'chargeable':
+                try:
+                    prov._charge_source(src.id, self.order)
+                except PaymentException as e:
+                    messages.error(request, str(e))
+                    return self._redirect_to_order()
+                finally:
+                    del request.session['payment_stripe_token']
+            else:
+                messages.error(self.request, _('We had trouble authorizing your card payment. Please try again and '
+                                               'get in touch with us if this problem persists.'))
+        return self._redirect_to_order()
+
+    def _redirect_to_order(self):
+        if self.request.session.get('payment_stripe_order_secret') != self.order.secret:
+            messages.error(self.request, _('Sorry, there was an error in the payment process. Please check the link '
+                                           'in your emails to continue.'))
+            return redirect(eventreverse(self.request.event, 'presale:event.index'))
+
+        return redirect(eventreverse(self.request.event, 'presale:event.order', kwargs={
+            'order': self.order.code,
+            'secret': self.order.secret
+        }) + ('?paid=yes' if self.order.status == Order.STATUS_PAID else ''))