2025-09-16 14:35:23 +00:00
1 changed files with 322 additions and 0 deletions
--- a/docs/checkout-handle.md
+++ b/docs/checkout-handle.md
@@ -0,0 +1,322 @@
 # Backend Checkout Handling Improvements
 Based on your current Stripe integration, here are key improvements for robust checkout handling:
 ## 1. Enhanced Inventory Management with Concurrency Protection
 The current implementation doesn't prevent overselling during concurrent purchases.
 Add database-level concurrency protection:
 ```ruby
 # app/controllers/events_controller.rb
 def checkout
  cart_data = JSON.parse(params[:cart] || "{}")
  if cart_data.empty?
    redirect_to event_path(@event.slug, @event), alert: "Veuillez sélectionner au moins un billet"
    return
  end
  # Use transaction with row-level locking for inventory protection
  ActiveRecord::Base.transaction do
    line_items = []
    order_items = []
    cart_data.each do |ticket_type_id, item|
      # Lock the ticket type row to prevent race conditions
      ticket_type = @event.ticket_types.lock.find_by(id: ticket_type_id)
      next unless ticket_type
      quantity = item["quantity"].to_i
      next if quantity <= 0
      # Check real-time availability with locked row
      sold_count = ticket_type.tickets.count
      available = ticket_type.quantity - sold_count
      if quantity > available
        redirect_to event_path(@event.slug, @event), alert: "Plus que #{available} billets disponibles pour #{ticket_type.name}"
        return
      end
      # Create line items and order data
      line_items << {
        price_data: {
          currency: "eur",
          product_data: {
            name: "#{@event.name} - #{ticket_type.name}",
            description: ticket_type.description
          },
          unit_amount: ticket_type.price_cents
        },
        quantity: quantity
      }
      order_items << {
        ticket_type_id: ticket_type.id,
        ticket_type_name: ticket_type.name,
        quantity: quantity,
        price_cents: ticket_type.price_cents
      }
    end
    if order_items.empty?
      redirect_to event_path(@event.slug, @event), alert: "Commande invalide"
      return
    end
    # Create Stripe session only after inventory validation
    session = Stripe::Checkout::Session.create({
      payment_method_types: ["card"],
      line_items: line_items,
      mode: "payment",
      success_url: payment_success_url(event_id: @event.id, session_id: "{CHECKOUT_SESSION_ID}"),
      cancel_url: event_url(@event.slug, @event),
      customer_email: current_user.email,
      metadata: {
        event_id: @event.id,
        user_id: current_user.id,
        order_items: order_items.to_json
      }
    })
    redirect_to session.url, allow_other_host: true
  end
 rescue ActiveRecord::RecordNotFound
  redirect_to event_path(@event.slug, @event), alert: "Type de billet introuvable"
 rescue Stripe::StripeError => e
  redirect_to event_path(@event.slug, @event), alert: "Erreur de traitement du paiement : #{e.message}"
 end
 ```
 ## 2. Webhook Handler for Reliable Payment Confirmation
 Create a dedicated webhook endpoint for more reliable payment processing:
 ### Routes Configuration
 ```ruby
 # config/routes.rb
 post '/webhooks/stripe', to: 'webhooks#stripe'
 ```
 ### Webhooks Controller
 ```ruby
 # app/controllers/webhooks_controller.rb
 class WebhooksController < ApplicationController
  skip_before_action :verify_authenticity_token
  before_action :verify_stripe_signature
  def stripe
    case @event.type
    when 'checkout.session.completed'
      handle_successful_payment(@event.data.object)
    when 'payment_intent.payment_failed'
      handle_failed_payment(@event.data.object)
    end
    head :ok
  end
  private
  def handle_successful_payment(session)
    # Process ticket creation in background job for reliability
    CreateTicketsJob.perform_later(session.id)
  end
  def handle_failed_payment(session)
    Rails.logger.error "Payment failed for session: #{session.id}"
    # Add any additional handling for failed payments
  end
  def verify_stripe_signature
    payload = request.body.read
    sig_header = request.env['HTTP_STRIPE_SIGNATURE']
    begin
      @event = Stripe::Webhook.construct_event(
        payload, sig_header, ENV['STRIPE_WEBHOOK_SECRET']
      )
    rescue JSON::ParserError, Stripe::SignatureVerificationError => e
      Rails.logger.error "Stripe webhook signature verification failed: #{e.message}"
      head :bad_request
    end
  end
 end
 ```
 ## 3. Background Job for Ticket Creation
 Use background jobs to prevent timeouts and improve reliability:
 ```ruby
 # app/jobs/create_tickets_job.rb
 class CreateTicketsJob < ApplicationJob
  queue_as :default
  retry_on StandardError, wait: :exponentially_longer, attempts: 5
  def perform(session_id)
    session = Stripe::Checkout::Session.retrieve(session_id)
    return unless session.payment_status == 'paid'
    # Prevent duplicate processing
    return if Ticket.exists?(stripe_session_id: session_id)
    order_items = JSON.parse(session.metadata['order_items'])
    user = User.find(session.metadata['user_id'])
    event = Event.find(session.metadata['event_id'])
    ActiveRecord::Base.transaction do
      order_items.each do |item|
        ticket_type = TicketType.find(item['ticket_type_id'])
        item['quantity'].times do
          ticket = Ticket.create!(
            user: user,
            ticket_type: ticket_type,
            status: 'active',
            stripe_session_id: session_id, # Prevent duplicates
            price_cents: item['price_cents'] # Store historical price
          )
          # Send email asynchronously
          TicketMailer.purchase_confirmation(ticket).deliver_later
        end
      end
    end
  end
 end
 ```
 ## 4. Enhanced Error Handling & Recovery in Payment Success
 Improve the payment success handler with better error recovery:
 ```ruby
 # app/controllers/events_controller.rb - Enhanced payment_success method
 def payment_success
  session_id = params[:session_id]
  event_id = params[:event_id]
  # Validate parameters
  unless session_id.present? && event_id.present?
    redirect_to dashboard_path, alert: "Paramètres de confirmation manquants"
    return
  end
  begin
    @tickets = Ticket.includes(:ticket_type, :event)
                   .where(stripe_session_id: session_id, user: current_user)
    if @tickets.any?
      # Tickets already created (webhook processed first)
      @event = @tickets.first.event
      render 'payment_success'
    else
      # Fallback: create tickets synchronously if webhook failed
      session = Stripe::Checkout::Session.retrieve(session_id)
      if session.payment_status == 'paid'
        CreateTicketsJob.perform_now(session_id)
        redirect_to payment_success_path(session_id: session_id, event_id: event_id)
      else
        redirect_to dashboard_path, alert: "Le paiement n'est pas encore confirmé"
      end
    end
  rescue Stripe::StripeError => e
    logger.error "Stripe error in payment_success: #{e.message}"
    redirect_to dashboard_path, alert: "Erreur de confirmation de paiement"
  rescue => e
    logger.error "Unexpected error in payment_success: #{e.message}"
    redirect_to dashboard_path, alert: "Une erreur inattendue s'est produite"
  end
 end
 ```
 ## 5. Database Schema Improvements
 Add migration for better payment tracking:
 ```ruby
 # db/migrate/xxx_add_payment_tracking_to_tickets.rb
 class AddPaymentTrackingToTickets < ActiveRecord::Migration[7.0]
  def change
    add_column :tickets, :stripe_session_id, :string
    add_column :tickets, :purchased_at, :timestamp, default: -> { 'CURRENT_TIMESTAMP' }
    add_index :tickets, :stripe_session_id, unique: true
    add_index :tickets, [:user_id, :purchased_at]
  end
 end
 ```
 ## 6. Security Considerations
 1. **Rate Limiting**: Add rate limiting to checkout endpoints
 2. **CSRF Protection**: Already implemented ✅
 3. **Input Validation**: Validate all cart data thoroughly
 4. **Audit Logging**: Log all payment attempts and outcomes
 5. **PCI Compliance**: Never store card data (Stripe handles this) ✅
 ## 7. Monitoring & Observability
 Add metrics tracking to monitor checkout performance:
 ```ruby
 # Add to ApplicationController or EventsController
 around_action :track_checkout_metrics, only: [:checkout]
 private
 def track_checkout_metrics
  start_time = Time.current
  begin
    yield
    # Log successful checkout
    Rails.logger.info("Checkout completed", {
      event_id: @event&.id,
      user_id: current_user&.id,
      duration: Time.current - start_time
    })
  rescue => e
    # Log failed checkout
    Rails.logger.error("Checkout failed", {
      event_id: @event&.id,
      user_id: current_user&.id,
      error: e.message,
      duration: Time.current - start_time
    })
    raise
  end
 end
 ```
 ## Summary of Improvements
 Your ticket checkout system is already well-implemented with Stripe integration! The enhancements above will make it production-ready:
 ### Critical Improvements
 1. Add database row locking to prevent overselling during concurrent purchases
 2. Implement Stripe webhooks for reliable payment processing
 3. Use background jobs for ticket creation to prevent timeouts
 4. Add duplicate prevention with stripe_session_id tracking
 ### Security & Reliability
 5. Enhanced error recovery with fallback ticket creation
 6. Comprehensive logging for debugging and monitoring
 7. Database schema improvements for better payment tracking
 ### Key Files to Modify
 - `app/controllers/events_controller.rb` - Add inventory locking
 - `app/controllers/webhooks_controller.rb` - New webhook handler
 - `app/jobs/create_tickets_job.rb` - Background ticket creation
 - Migration for `stripe_session_id` field
 These enhancements will make your checkout system robust for high-traffic scenarios and edge cases.