Risk analysis box update#4883
Merged
kennyadsl merged 7 commits intosolidusio:masterfrom Feb 3, 2023
Merged
Conversation
github-actions
Bot
added
changelog:solidus_backend
Contributor
waiting-for-dev
left a comment
waiting-for-dev
left a comment
There was a problem hiding this comment.
Thanks, @elia; I left some comments to understand it better and a non-blocking suggestion about moving the query up.
elia
force-pushed
the
elia+kennyadsl/risky-business
branch
from
4510546 to
ed88c13
Compare
elia
commented
Jan 27, 2023
Member
Author
elia
left a comment
elia
left a comment
There was a problem hiding this comment.
@waiting-for-dev did a few changes, mostly pushing details of the risk analysis to the partial that is specific to the payment method, so we can stop assuming all payments will have AVS and CVV informations returned by payment providers.
elia
force-pushed
the
elia+kennyadsl/risky-business
branch
from
ed88c13 to
fcb58ac
Compare
waiting-for-dev
approved these changes
Jan 30, 2023
Contributor
waiting-for-dev
left a comment
waiting-for-dev
left a comment
There was a problem hiding this comment.
@elia, it looks cohesive now 👍 Please, see my comment, I'm not sure if there's a line that is commented by error.
kennyadsl
reviewed
Jan 31, 2023
Member
kennyadsl
left a comment
kennyadsl
left a comment
There was a problem hiding this comment.
Left a couple of questions, but overall this change works for me, thanks Elia.
elia
force-pushed
the
elia+kennyadsl/risky-business
branch
from
fcb58ac to
384fafc
Compare
Member
gsmendoza
reviewed
Feb 2, 2023
gsmendoza
reviewed
Feb 2, 2023
gsmendoza
reviewed
Feb 2, 2023
There's no point in providing the latest payment from outside when the partial is accessing `@order` directly.
`Order#is_risky?` is currently based on whether a payment is risky, but over time the API could be expanded and allow customization.
Should not be false when a CVV message is present; that's just a field to collect descriptions from the payment gateway, the code is what matters This makes it consistent with both Payment.risky and OrdersHelper#cvv_response_code.
Use AR and existing scopes to build the query instead of SQL. Add a spec ensuring failed payments are considered risky.
Match the behavior of Payment.risky.
AVS and CVV are a legacy coming from an age in which everything could be done with ActiveMerchant and PCI compliance didn't exist. Moving away from specific risk checks paves the way for payment-method specific risky checks and display, although the underlying tables didn't change.
elia
force-pushed
the
elia+kennyadsl/risky-business
branch
from
384fafc to
8f8a331
Compare
gsmendoza
reviewed
Feb 3, 2023
| <fieldset class="no-border-bottom" id="risk_analysis"> | ||
| <legend><%= "#{t('spree.risk_analysis')}: #{t('spree.not') unless @order.is_risky?} #{t('spree.risky')}" %></legend> | ||
| <details id="risk_analysis"> | ||
| <summary><%= t('spree.risk_analysis') %>: <%= t('spree.risky') %></summary> |
Contributor
There was a problem hiding this comment.
As a side note, if you say the translation very fast, it sounds like "spreeesky" 😆
gsmendoza
approved these changes
Feb 3, 2023
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
While investigating how an order and its payments are marked as risky as part of the solidus_stripe rewrite I bumped into AVS/CCV codes.
Any modern payment provider and risk analysis tool will probably provide some structured data and a score (with thresholds) as the outcome of a risk analysis.
This is a first step toward distancing ourselves from the ruins of solidus_gateway toward per payment-method and per-order risk analysis tools.
Changes
Spree::Order#is_risky?was based on having any of the payments to be considered risky → now it lists information for all risky paymentsbefore
Checklist
Check out our PR guidelines for more details.
The following are mandatory for all PRs:
The following are not always needed (
cross them outif they are not):