Fix: fresh-pending reuse shows stale Stripe amount when fee changed #479

New issue

Closed

opened 2026-04-14 02:28:59 +00:00 by forgejo_admin · 1 comment

forgejo_admin commented 2026-04-14 02:28:59 +00:00

Owner

Copy link

Type

Bug

Lineage

Regression from forgejo_admin/basketball-api#473 (first-payment 409 fix). The "reuse existing Stripe session for fresh pending orders" branch blindly reuses the old session amount, causing a bait-and-switch when the admin adjusts a player's monthly_fee between clicks.

Repo

forgejo_admin/basketball-api

What Broke

Email shows one amount; Stripe checkout shows a different amount.

Reproduced end-to-end Apr 13:

1. Test Queens Player monthly_fee=$200 → email sent showing "Pay $165 Now"
2. Parent clicks → creates pending order #78 at $165, Stripe session at $165
3. Admin changes fee to $4 → email resent showing "Pay $5 Now"
4. Parent clicks the new "$5" link → endpoint sees fresh pending <30min, redirects to old $165 Stripe session
5. Parent sees $165 on Stripe despite the email promising $5

Repro Steps

1. Set Player.monthly_fee = 200 for any signed player
2. Hit GET /checkout/first-payment?token={player.contract_token} → creates pending order at $165
3. UPDATE players SET monthly_fee = 4 WHERE id = ... via DB (simulates admin fee change)
4. Hit the same endpoint within 30 min
5. Observe: 307 redirect to the old Stripe session URL showing $165, not $5

Expected Behavior

When the parent clicks and a fresh pending order exists but its amount no longer matches the currently-computed prorated amount, the old order/session is canceled and a new one is created at the correct amount. Email amount must always equal Stripe checkout amount.

Environment

• Cluster/namespace: prod / basketball-api
• Service version/commit: 44aef6d (main)
• Stripe Checkout Sessions are immutable after creation — fixing this requires canceling the old session and creating a new one; Stripe has no "update amount" API

File Targets

Files to modify:

• src/basketball_api/routes/checkout.py — lines 360-380 (first_payment_checkout). In the fresh-pending branch, add an amount comparison: if existing_order.amount_cents != amount_cents, cancel and fall through to create new.
• tests/test_first_payment.py — add a test asserting the fee-change-mid-flight case produces a new order at the new amount.

Files to NOT touch:

• src/basketball_api/services/email.py — email rendering is correct, uses fresh fee
• Anything else

Acceptance Criteria

• When a fresh pending order exists with an amount matching the currently-computed amount, still redirect to the existing session (preserves idempotency for repeat clicks).
• When a fresh pending order exists with a different amount from the currently-computed amount, cancel it and create a new session at the correct amount.
• When a stale pending order exists (>30 min), behavior unchanged (cancel + new).
• When a paid order exists, still return 409 (unchanged).
• Email amount always equals Stripe checkout amount at click time.

Test Expectations

• New test: test_first_payment_fresh_pending_amount_changed — pending at $165, fee drops to $4, new click creates new order at $5 and redirects to the new Stripe session (not the old $165 one)
• Existing test_first_payment_fresh_pending_returns_redirect still passes (same amount = reuse)
• Existing test_first_payment_stale_pending_replaced still passes
• Existing test_first_payment_paid_still_blocked still passes
• Run command: pytest tests/test_first_payment.py -v

Related

• westside-basketball — project this affects
• forgejo_admin/basketball-api#473 — the fix that introduced this regression

### Type Bug ### Lineage Regression from `forgejo_admin/basketball-api#473` (first-payment 409 fix). The "reuse existing Stripe session for fresh pending orders" branch blindly reuses the old session amount, causing a bait-and-switch when the admin adjusts a player's `monthly_fee` between clicks. ### Repo `forgejo_admin/basketball-api` ### What Broke Email shows one amount; Stripe checkout shows a different amount. Reproduced end-to-end Apr 13: 1. Test Queens Player `monthly_fee=$200` → email sent showing "Pay $165 Now" 2. Parent clicks → creates pending order #78 at $165, Stripe session at $165 3. Admin changes fee to $4 → email resent showing "Pay $5 Now" 4. Parent clicks the new "$5" link → endpoint sees fresh pending <30min, **redirects to old $165 Stripe session** 5. Parent sees $165 on Stripe despite the email promising $5 ### Repro Steps 1. Set `Player.monthly_fee = 200` for any signed player 2. Hit `GET /checkout/first-payment?token={player.contract_token}` → creates pending order at $165 3. `UPDATE players SET monthly_fee = 4 WHERE id = ...` via DB (simulates admin fee change) 4. Hit the same endpoint within 30 min 5. Observe: 307 redirect to the old Stripe session URL showing $165, not $5 ### Expected Behavior When the parent clicks and a fresh pending order exists but its amount no longer matches the currently-computed prorated amount, the old order/session is canceled and a new one is created at the correct amount. Email amount must always equal Stripe checkout amount. ### Environment - Cluster/namespace: prod / `basketball-api` - Service version/commit: `44aef6d` (main) - Stripe Checkout Sessions are immutable after creation — fixing this requires canceling the old session and creating a new one; Stripe has no "update amount" API ### File Targets Files to modify: - `src/basketball_api/routes/checkout.py` — lines 360-380 (`first_payment_checkout`). In the fresh-pending branch, add an amount comparison: if `existing_order.amount_cents != amount_cents`, cancel and fall through to create new. - `tests/test_first_payment.py` — add a test asserting the fee-change-mid-flight case produces a new order at the new amount. Files to NOT touch: - `src/basketball_api/services/email.py` — email rendering is correct, uses fresh fee - Anything else ### Acceptance Criteria - [ ] When a fresh pending order exists with an amount matching the currently-computed amount, still redirect to the existing session (preserves idempotency for repeat clicks). - [ ] When a fresh pending order exists with a different amount from the currently-computed amount, cancel it and create a new session at the correct amount. - [ ] When a stale pending order exists (>30 min), behavior unchanged (cancel + new). - [ ] When a paid order exists, still return 409 (unchanged). - [ ] Email amount always equals Stripe checkout amount at click time. ### Test Expectations - [ ] New test: `test_first_payment_fresh_pending_amount_changed` — pending at $165, fee drops to $4, new click creates new order at $5 and redirects to the new Stripe session (not the old $165 one) - [ ] Existing `test_first_payment_fresh_pending_returns_redirect` still passes (same amount = reuse) - [ ] Existing `test_first_payment_stale_pending_replaced` still passes - [ ] Existing `test_first_payment_paid_still_blocked` still passes - Run command: `pytest tests/test_first_payment.py -v` ### Related - `westside-basketball` — project this affects - `forgejo_admin/basketball-api#473` — the fix that introduced this regression

forgejo_admin commented 2026-04-14 02:33:03 +00:00

Author

Owner

Copy link

Scope Review: READY

Review note: review-1006-2026-04-13

Scope is tight and verified against origin/main. File targets exist, line references are close (actual fresh-pending branch is 358-374 vs ticket's 360-380 — same region). Existing tests referenced in AC all present. Pattern is isolated to first_payment_checkout only — no blast radius to jersey/tournament flows. Traceability: story:WS-S11 verified, arch:basketball-api labeled (arch note itself is missing as a pre-existing gap — tracked separately, does not block this fix). No decomposition needed (2 files, 1 repo, 5 AC, ~5 LOC + 1 test).

Ready to move backlog → todo.

## Scope Review: READY Review note: `review-1006-2026-04-13` Scope is tight and verified against `origin/main`. File targets exist, line references are close (actual fresh-pending branch is 358-374 vs ticket's 360-380 — same region). Existing tests referenced in AC all present. Pattern is isolated to `first_payment_checkout` only — no blast radius to jersey/tournament flows. Traceability: story:WS-S11 verified, arch:basketball-api labeled (arch note itself is missing as a pre-existing gap — tracked separately, does not block this fix). No decomposition needed (2 files, 1 repo, 5 AC, ~5 LOC + 1 test). Ready to move backlog → todo.

forgejo_admin referenced this issue from a commit 2026-04-14 02:33:32 +00:00

fix: require amount match when reusing fresh pending Stripe session

forgejo_admin referenced this issue from a pull request that will close it, 2026-04-14 02:33:48 +00:00

fix: require amount match when reusing fresh pending Stripe session #480

forgejo_admin referenced this issue from a pull request that will close it, 2026-04-14 02:34:52 +00:00

fix: require amount match when reusing fresh pending Stripe session #480

forgejo_admin 2026-04-14 02:34:54 +00:00

• closed this issue
• added the
  status:approved
  label

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

510-grant-tournament-tables-to-ro-role

458-skip-proration-v2

458-skip-proration

466-cherry-pick-first-payment

458-merge-first-payment-blast

369-first-payment-email-blast

408-player-nickname

313-local-first-week-email

320-mjml-sponsor-outreach-template

270-contract-reminder-email

205-clean-test-data-from-production-db-playe

114-email-verification

147-feat-add-get-jersey-player-info-endpoint

124-feat-many-to-many-player-team-assignment

125-feat-add-new-players-manually-seydou-gou

126-feat-team-placement-congratulations-emai

121-admin-teams-spa-endpoints

70-add-graduating-class-to-roster-api-respo

59-fix-auth-test

62-phase-4l-sveltekit-dashboard-wkq-tailsca

11-phase-1a-fix-ci-pipeline-venv-in-test-st

No results found.

Labels

Clear labels   

domain:backend

  

domain:devops

  

domain:frontend

  

status:approved

QA passed, awaiting merge approval

  

status:in-progress

Dev agent is actively working

  

status:needs-fix

QA found issues, back to dev

  

status:qa

PR submitted, awaiting QA review

  

type:bug

Bug fix

  

type:devops

Infrastructure/CI/config work

  

type:feature

New functionality

No labels

domain:backend

domain:devops

domain:frontend

status:approved

status:in-progress

status:needs-fix

status:qa

type:bug

type:devops

type:feature

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

forgejo_admin/basketball-api#479

No description provided.