Upgrade to stripe v3 to achieve SAQ A PCI compliance

This is great! Patch looks good.

Is this ready for use in production? I don't actually use the country field in my address forms.

I haven't been able to get this patch to work.

What version did you patch against? There seems to be a lot of inconsistencies patching 7x-2.2

I have finally managed to get this working. I have attached my version of uc_stripe.js but had to rename it to uc_strip.txt

I had to change a lot of the token variables as they are in a different hierarchy to the ones in your patch. I'm not sure where the wires got crossed with versions.

I still need to do a lot of cleaning up, but should be able to sort a patch for this when I get the time.

Is this patch working for you in production? If so, any chance that uc_stripe might be updated and officially merge this patch into the current dev or even released 7 branch, or is there a reason to delay it? Many thanks for this very useful module.

Putting this in "Needs review", where it should have been at the first patch. If people review it, it might move forward. If somebody reviews and tests adequately to get it to RTBC, it might get committed. That's the patch process. Unfortunately, D7 is in its ending years, Ubercart is in its ending years, and apparently none of the official maintainers are using this any more. If there's anybody out there *using* this module, that has any creds at all in the Drupal community, I'll give them privs as maintainer.

I am happy to test it, as our business runs on D7 and Ubercart and will remain so for another 2 years at least. We use Stripe, too. I will ping back when I have test feedback. Thank you, very much, for your work and regards from Ireland.

@AndraeRay, you mentioned in #6 that you have found another error with the patch but that you have fixed it. Could you share your fix and any more info as to what the issue was? I am putting time into this issue at the moment, and I would like to make sure I do not replicate your work. Perhaps you could share your uc_stripe.js? Many thanks.

I have combined #2 and #5 into a new patch, as both changes were required, whilst #5 was supplied as a file, rather than a patch. Unfortunately, this still requires more work, as the issue referred to in #2 is still present: changing country makes the card number field disappear. I am not sure if I have the resources to troubleshoot it soon, so if any of the earlier posters have fixed it, please chime in, many thanks.

Thank you, @AndraeRay, for your updated uc_stripe.js. I will have a look at it and incorporate your changes into the latest patch. Thanks for suggesting the ajax workaround. Hopefully something more in-depth can be done to solve the issue. Have you had your version in production for a while without any further issues?

Out of interest, do you accept payments from European customers, and have you considered the upcoming SCA requirement, see #3040854: Implement Stripe PaymentIntents for SCA (Strong Customer Authentication)?

Thanks, @AndraeRay, let's pool our time and input together to make it easier. Please follow my other issue #3040854: Implement Stripe PaymentIntents for SCA (Strong Customer Authentication), too, as that one specifically caters to SCA compliance. This current issue, however, is the prerequisite to the other one.

From what I can see this implements Stripes elements format

I also will be working on this upgrade. The API is up to 6.31 - has anyone tried the latest API ??

Currently I am on 4.12 (6-5-2017) so this will be a big culture shock because of https://www.drupal.org/project/uc_stripe/issues/3040854 I will have no choice

I will be tying with the current api or better

We need to merge the two issues really, if we are going to use the latest API, we might as well do SCA at the same time.

I just ran this without upgrading my API - I do not know if my API will or does support Stripe js v3

I ran it in test mode (on both ends - stripe and my server) and what came back was the error I entered an invalid credit card number - but nothing showed up as a failed charge or token request in the Stripe Dashboard and it did not crash

It ran but I think I have the "missing county" bug in number 2 impacting this

My site calls on the fly shipping quotes based on package size and weight automatically from USPS, FedEX and UPS - so ajax is absolutely involved no matter what

It will trigger if any checkout info is changed like the address or zip code etc . . . and it triggers for a new customer automatically when they enter a full address to call shipping quotes after they enter the destination address

I also have "extra panes" enabled to collect optional data, so my JS file calls the panes differently and it reports the entire customer entry details or address etc as part of the token which shows in the Stripe dashboard where the old JS file did not - I re-coded it that way

the new JS file patches also blows past the order review page and there is a long "waiting" time before the catch error page returns

This is live site which works and calls to Stripe so I can only be in test mode for so long.

When I put it all back like it was with the v2 JS file the testmode sale ran properly and showed up in the Stripe Dashboard

According to https://stripe.com/docs/payments/payment-intents/quickstart and https://stripe.com/docs/stripe-js/reference#stripe-function and https://stripe.com/docs/stripe-js/reference#stripe-create-token the way my JS file works it is what Stripe recommends as to token creation and to get towards using the Payment Intent API and thus SCA (Strong Customer Authentication) using the https://stripe.com/docs/payments/payment-intents API

I think I need to revamp BACK to what my JS file does to create the token and that may solve a lot of this - it is largely the same but instead of (card) as stripe.createToken(card).then(function(result) { it uses actual data as => Stripe.createToken(params, function (status, response) { where "params" are the actual values and names of the fields to pass and then goes on to the "catch" errors

That is the problem might be at => var card = elements.create('card', {style: style}); because if ajax goes off in eh meantime - those variable components of the "card" are lost from the form as where the current JS file states

// We must find the various fields again, because they may have been swapped
// in by ajax action of the form.

and . . . it does . . . because ajax is always live even if it does change anything you can see - but the way I call Stripe createToken it takes the actual text input of the from - sitting in the form - not a variable

I have a message I am waiting to hear back on from into Stripe about the lowest API which supports v3

It could be my API does not support stripe js v3

if the JS file does not run I am not going to upgrade the API unless I MUST

My current JS file is made to work by calling the live input values to call Stripe createtoken - not from instance data (card)

I did not try re-coding the JS file yet the way I call Stripe createToken

I never could get the customer details to pass to Stripe in the create token without sending it direct as input info from the form itself - I would get a token with no customer details at Stripe showing in the Dashboard. This would not work for recurring or subscription products - so I had to fix it

Stripes API numbering is a bit wonky at least where PHP libraries for Drupal is concerned

My Stripe dashboard lists 3-14-19 as the current latest api I am on - but does not give a version number

Github lists stripe-php v6.31.0 as released by remi-stripe released this 17 days ago - which would be around March 14th

and but lists version stripe-php v6.30.5 @ob-stripe ob-stripe released this 24 days ago who is listed as an engineer at Stripe as Olivier
Bellone

The github changelog lists these dates - 6.31.0 - 2019-03-18 and for 6.30.5 - 2019-03-11

My dashboard says a default of 4.11.0 - 2017-06-05 - but my version file says 5.1.2 and 5.1.2 at github shows released 2017-08-01

So my question to Stripe is - which is the correct API ??

and I also asked

What is the lowest API which will work on v3 without needing to upgrade the API libraries so i can test the JS file first before an API upgrade ??

The API is not the problem . . . from Stripe . . .

On your stripe.js v3 question, due to PCI compliance reason, the new Element will prevent users to get the raw credit card number and cvc number out directly from the control using something like

number: cc_num.val(),
cvc: cc_cvv.val(),

The way to create token now is to stripe.createToken(card) function [0]. You will no longer need to pass the RAW credit card number anymore.

Due to AJAX I do not have a solution at this time . . . because the credit card info also cannot be "pre-filled" and v3 will reject it with a credit card error

Hi AndraeRay,

Thanks for your work on this - but before it goes too far, are you working with the Stripe Payment Intents API? It seems like the required migration to payment intents for https://www.drupal.org/project/uc_stripe/issues/3040854 needs to be considered at this stage too.

https://stripe.com/docs/payments/payment-intents/migration

Great Thanks @AndraeRay patch from #21 working fine with 7.x-2.x-dev and v6.5.0 stripe PHP library.