fix issue where subs would be applied multiple times

2025-12-14 13:17:24 +01:00 · 2022-11-02 16:36:09 +01:00
parent cf75d941fa
commit 0dd25b6431
2 changed files with 68 additions and 18 deletions
--- a/test/api/unit/libs/payments/apple.test.js
+++ b/test/api/unit/libs/payments/apple.test.js
@@ -415,6 +415,7 @@ describe('Apple Payments', () => {
      }
    });

+    describe('does not apply multiple times', async () => {
      it('errors when a user is using the same subscription', async () => {
        payments.createSubscription.restore();
        iap.getPurchaseData.restore();
@@ -435,6 +436,51 @@ describe('Apple Payments', () => {
            message: applePayments.constants.RESPONSE_ALREADY_USED,
          });
      });
+
+      it('errors when a user is using a rebill of the same subscription', async () => {
+        payments.createSubscription.restore();
+        iap.getPurchaseData.restore();
+        iapGetPurchaseDataStub = sinon.stub(iap, 'getPurchaseData')
+          .returns([{
+            expirationDate: moment.utc().add({ day: 1 }).toDate(),
+            productId: sku,
+            transactionId: token + 'renew',
+            originalTransactionId: token,
+          }]);
+
+        await applePayments.subscribe(sku, user, receipt, headers, nextPaymentProcessing);
+
+        await expect(applePayments.subscribe(sku, user, receipt, headers, nextPaymentProcessing))
+          .to.eventually.be.rejected.and.to.eql({
+            httpCode: 401,
+            name: 'NotAuthorized',
+            message: applePayments.constants.RESPONSE_ALREADY_USED,
+          });
+      });
+
+      it('errors when a different user is using the subscription', async () => {
+        payments.createSubscription.restore();
+        iap.getPurchaseData.restore();
+        iapGetPurchaseDataStub = sinon.stub(iap, 'getPurchaseData')
+          .returns([{
+            expirationDate: moment.utc().add({ day: 1 }).toDate(),
+            productId: sku,
+            transactionId: token,
+            originalTransactionId: token,
+          }]);
+
+        await applePayments.subscribe(sku, user, receipt, headers, nextPaymentProcessing);
+
+        const secondUser = new User();
+        await expect(applePayments.subscribe(sku, secondUser, receipt, headers, nextPaymentProcessing))
+          .to.eventually.be.rejected.and.to.eql({
+            httpCode: 401,
+            name: 'NotAuthorized',
+            message: applePayments.constants.RESPONSE_ALREADY_USED,
+          });
+      });
+    });
+
  });

  describe('cancelSubscribe ', () => {
--- a/website/server/libs/payments/apple.js
+++ b/website/server/libs/payments/apple.js
@@ -124,12 +124,16 @@ api.subscribe = async function subscribe (sku, user, receipt, headers, nextPayme
        throw new NotAuthorized(this.constants.RESPONSE_ALREADY_USED);
      }
      existingSub = shared.content.subscriptionBlocks[user.purchased.plan.planId];
+      if (existingSub === sub) {
+        throw new NotAuthorized(this.constants.RESPONSE_ALREADY_USED);
+      }
    }
    const existingUser = await User.findOne({
      'purchased.plan.customerId': originalTransactionId,
    }).exec();
    if (existingUser
-      && (originalTransactionId === newTransactionId || existingUser._id !== user._id)) {
+      && (originalTransactionId === newTransactionId
+        || existingUser._id !== user._id)) {
      throw new NotAuthorized(this.constants.RESPONSE_ALREADY_USED);
    }