Replaces Stripe stubs with the account and customer IDs

Adds STRIPE_ACCOUNT as sensitive data to VCR setup

Rubocop fixes and re-recording of cassettes

Adds bogus client_id to local test file - for CI to run

.env.test

@@ -4,6 +4,8 @@
 SECRET_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 STRIPE_SECRET_TEST_API_KEY="bogus_key"
 STRIPE_CUSTOMER="bogus_customer"
+STRIPE_ACCOUNT="bogus_account"
+STRIPE_CLIENT_ID="bogus_client_id"
 
 SITE_URL="test.host"
 

spec/fixtures/vcr_cassettes/Stripe-v10.3.0/StripeAccount/deauthorize_and_destroy/when_the_Stripe_API_disconnect_fails/destroys_the_record_and_notifies_Bugsnag.yml

@@ -0,0 +1,125 @@
+---
+http_interactions:
+- request:
+    method: post
+    uri: https://connect.stripe.com/oauth/deauthorize
+    body:
+      encoding: UTF-8
+      string: stripe_user_id=<HIDDEN_ACCOUNT>&client_id=bogus_client_id
+    headers:
+      User-Agent:
+      - Stripe/v1 RubyBindings/10.3.0
+      Authorization:
+      - Bearer <HIDDEN_KEY>
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Stripe-Version:
+      - '2023-10-16'
+      X-Stripe-Client-User-Agent:
+      - '{"bindings_version":"10.3.0","lang":"ruby","lang_version":"3.1.4 p223 (2023-03-30)","platform":"x86_64-linux","engine":"ruby","publisher":"stripe","uname":"Linux
+        version 6.2.0-39-generic (buildd@lcy02-amd64-045) (x86_64-linux-gnu-gcc-11
+        (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38)
+        #40~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Nov 16 10:53:04 UTC 2","hostname":"ff-LAT"}'
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+  response:
+    status:
+      code: 401
+      message: Unauthorized
+    headers:
+      Server:
+      - nginx
+      Date:
+      - Tue, 19 Dec 2023 12:55:29 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Content-Length:
+      - '96'
+      Connection:
+      - keep-alive
+      Cache-Control:
+      - max-age=0, no-cache, no-store, must-revalidate
+      Content-Security-Policy:
+      - report-uri /csp-report?p=%2Foauth%2Fdeauthorize;block-all-mixed-content;default-src
+        'none' 'report-sample';base-uri 'none';form-action 'none';style-src 'unsafe-inline';frame-ancestors
+        'self';connect-src 'self';img-src 'self' https://b.stripecdn.com
+      Cross-Origin-Opener-Policy-Report-Only:
+      - same-origin; report-to=https://q.stripe.com/coop-report
+      Expires:
+      - '0'
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - strict-origin-when-cross-origin
+      Request-Id:
+      - req_1v8IG0ihHAhDnR
+      Set-Cookie:
+      - __Host-session=; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT;
+        secure; SameSite=None
+      - __stripe_orig_props=%7B%22referrer%22%3A%22%22%2C%22landing%22%3A%22https%3A%2F%2Fconnect.stripe.com%2Foauth%2Fdeauthorize%22%7D;
+        domain=stripe.com; path=/; expires=Wed, 18 Dec 2024 12:55:29 GMT; secure;
+        HttpOnly; SameSite=Lax
+      - machine_identifier=nsadMhesm4x1GYVPmQcxGxkwOEHT0uGESxaoxop6tgOLhu%2BvkqpSkkKcxxRvqqlpa%2BQ%3D;
+        domain=stripe.com; path=/; expires=Wed, 18 Dec 2024 12:55:29 GMT; secure;
+        HttpOnly; SameSite=Lax
+      - private_machine_identifier=5MctxMzB3oEJsWQPiwovzvt6vy1pHt5g4lYzkFr0hY3jCZZPQz%2F6jU71Ye8gqtUCUkE%3D;
+        domain=stripe.com; path=/; expires=Wed, 18 Dec 2024 12:55:29 GMT; secure;
+        HttpOnly; SameSite=None
+      - site-auth=; domain=stripe.com; path=/; max-age=0; expires=Thu, 01 Jan 1970
+        00:00:00 GMT; secure
+      - stripe.csrf=ivC9DH1gR7jYwuuHUpqqkApanZ79wswQZMBVKfzfaLr1n5rf_HwKb4sv66YdBNDs03Zq1H_JeHyOjBZ1rENh4jw-AYTZVJxQjKfvlBDZNhjvEvPk5QdyiiBil-k2Op8FixB9Mw4lkg%3D%3D;
+        domain=stripe.com; path=/; secure; HttpOnly; SameSite=None
+      Strict-Transport-Security:
+      - max-age=63072000; includeSubDomains; preload
+      - max-age=63072000; includeSubDomains; preload
+      Stripe-Kill-Route:
+      - "[]"
+      Stripe-Parent-Id:
+      - '0000000000000000'
+      Stripe-Span-Id:
+      - 1317edffcd8f0941
+      Www-Authenticate:
+      - Bearer realm="Stripe"
+      X-Apiori-Intentional-Latency:
+      - 0s
+      X-Apiori-Reqid:
+      - dub2DISD22ogqObCRqkyYRE
+      X-Apiori-Server-Duration-Ms:
+      - '126'
+      X-Apiori-Upstream-Duration:
+      - 126.447763ms
+      X-Apiori-Upstream-Name:
+      - manage-srv
+      X-Apiori-Upstream-Region:
+      - northwest
+      X-Content-Type-Options:
+      - nosniff
+      X-Envoy-Attempt-Count:
+      - '1'
+      X-Envoy-Upstream-Service-Time:
+      - '248'
+      X-Robots-Tag:
+      - none
+      X-Stripe-Bg-Intended-Route-Color:
+      - green
+      X-Stripe-C-Cost:
+      - '2'
+      X-Stripe-Client-Envoy-Start-Time-Us:
+      - '1702990529582694'
+      X-Stripe-Rpc-C-Cost-Report:
+      - Cg0IARIJY2VsbF8wMDA3Cg8IARILZ2xvYmFsX2NlbGw=
+      X-Stripe-Server-Envoy-Start-Time-Us:
+      - '1702990529583695'
+      X-Stripe-Server-Envoy-Upstream-Service-Time-Ms:
+      - '123'
+    body:
+      encoding: UTF-8
+      string: |-
+        {
+          "error": "invalid_client",
+          "error_description": "No such application: 'bogus_client_id'"
+        }
+  recorded_at: Tue, 19 Dec 2023 12:55:29 GMT
+recorded_with: VCR 6.2.0

spec/fixtures/vcr_cassettes/Stripe-v10.3.0/StripeAccount/deauthorize_and_destroy/when_the_Stripe_API_disconnect_succeeds/destroys_the_record.yml

@@ -0,0 +1,125 @@
+---
+http_interactions:
+- request:
+    method: post
+    uri: https://connect.stripe.com/oauth/deauthorize
+    body:
+      encoding: UTF-8
+      string: stripe_user_id=<HIDDEN_ACCOUNT>&client_id=ca_MzG1xs6tZFDztUlak7uFxoUM36G6307W
+    headers:
+      User-Agent:
+      - Stripe/v1 RubyBindings/10.3.0
+      Authorization:
+      - Bearer <HIDDEN_KEY>
+      Content-Type:
+      - application/x-www-form-urlencoded
+      Stripe-Version:
+      - '2023-10-16'
+      X-Stripe-Client-User-Agent:
+      - '{"bindings_version":"10.3.0","lang":"ruby","lang_version":"3.1.4 p223 (2023-03-30)","platform":"x86_64-linux","engine":"ruby","publisher":"stripe","uname":"Linux
+        version 6.2.0-39-generic (buildd@lcy02-amd64-045) (x86_64-linux-gnu-gcc-11
+        (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38)
+        #40~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Nov 16 10:53:04 UTC 2","hostname":"ff-LAT"}'
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+  response:
+    status:
+      code: 401
+      message: Unauthorized
+    headers:
+      Server:
+      - nginx
+      Date:
+      - Tue, 19 Dec 2023 12:55:30 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Content-Length:
+      - '164'
+      Connection:
+      - keep-alive
+      Cache-Control:
+      - max-age=0, no-cache, no-store, must-revalidate
+      Content-Security-Policy:
+      - report-uri /csp-report?p=%2Foauth%2Fdeauthorize;block-all-mixed-content;default-src
+        'none' 'report-sample';base-uri 'none';form-action 'none';style-src 'unsafe-inline';frame-ancestors
+        'self';connect-src 'self';img-src 'self' https://b.stripecdn.com
+      Cross-Origin-Opener-Policy-Report-Only:
+      - same-origin; report-to=https://q.stripe.com/coop-report
+      Expires:
+      - '0'
+      Pragma:
+      - no-cache
+      Referrer-Policy:
+      - strict-origin-when-cross-origin
+      Request-Id:
+      - req_pGBBuPOXb6xMly
+      Set-Cookie:
+      - __Host-session=; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT;
+        secure; SameSite=None
+      - __stripe_orig_props=%7B%22referrer%22%3A%22%22%2C%22landing%22%3A%22https%3A%2F%2Fconnect.stripe.com%2Foauth%2Fdeauthorize%22%7D;
+        domain=stripe.com; path=/; expires=Wed, 18 Dec 2024 12:55:30 GMT; secure;
+        HttpOnly; SameSite=Lax
+      - machine_identifier=JJUOdPN1UTC9yKxG3Cief9mNanXTKM9y3VmUcEzfmFXEB%2FViV5jXpnxq0kFsEjoKyyg%3D;
+        domain=stripe.com; path=/; expires=Wed, 18 Dec 2024 12:55:30 GMT; secure;
+        HttpOnly; SameSite=Lax
+      - private_machine_identifier=qnLLWHsR2kIkVnuEZbUabBmPGOMmgoa%2B2t%2Bt82Sn41uVMChBI%2FF%2FmVlhmFtmb9%2Fnd70%3D;
+        domain=stripe.com; path=/; expires=Wed, 18 Dec 2024 12:55:30 GMT; secure;
+        HttpOnly; SameSite=None
+      - site-auth=; domain=stripe.com; path=/; max-age=0; expires=Thu, 01 Jan 1970
+        00:00:00 GMT; secure
+      - stripe.csrf=aIL_e_YV7LaxFPnsyZHeK9DsuQ7sm4bYeawhyIBlivow1bC0KAoKCaoR0E-WklLxlvDMXwX1_tY7Aa5l_gJ-zzw-AYTZVJwtl69iWowmC5Gcjqp-_ni03g1Mcx1Hbz6xqEXSGCKfKg%3D%3D;
+        domain=stripe.com; path=/; secure; HttpOnly; SameSite=None
+      Strict-Transport-Security:
+      - max-age=63072000; includeSubDomains; preload
+      - max-age=63072000; includeSubDomains; preload
+      Stripe-Kill-Route:
+      - "[]"
+      Stripe-Parent-Id:
+      - '0000000000000000'
+      Stripe-Span-Id:
+      - abaf119f94aa71c4
+      Www-Authenticate:
+      - Bearer realm="Stripe"
+      X-Apiori-Intentional-Latency:
+      - 0s
+      X-Apiori-Reqid:
+      - dub1DISD299L0WxB0Akf1uq
+      X-Apiori-Server-Duration-Ms:
+      - '138'
+      X-Apiori-Upstream-Duration:
+      - 137.918128ms
+      X-Apiori-Upstream-Name:
+      - manage-srv
+      X-Apiori-Upstream-Region:
+      - northwest
+      X-Content-Type-Options:
+      - nosniff
+      X-Envoy-Attempt-Count:
+      - '1'
+      X-Envoy-Upstream-Service-Time:
+      - '257'
+      X-Robots-Tag:
+      - none
+      X-Stripe-Bg-Intended-Route-Color:
+      - green
+      X-Stripe-C-Cost:
+      - '4'
+      X-Stripe-Client-Envoy-Start-Time-Us:
+      - '1702990530466139'
+      X-Stripe-Rpc-C-Cost-Report:
+      - Cg0IAxIJY2VsbF8wMDA3Cg8IARILZ2xvYmFsX2NlbGw=
+      X-Stripe-Server-Envoy-Start-Time-Us:
+      - '1702990530466931'
+      X-Stripe-Server-Envoy-Upstream-Service-Time-Ms:
+      - '135'
+    body:
+      encoding: UTF-8
+      string: |-
+        {
+          "error": "invalid_client",
+          "error_description": "This application is not connected to stripe account <HIDDEN_ACCOUNT>, or that account does not exist."
+        }
+  recorded_at: Tue, 19 Dec 2023 12:55:30 GMT
+recorded_with: VCR 6.2.0

spec/models/stripe_account_spec.rb

@@ -4,27 +4,24 @@ require 'spec_helper'
 require 'stripe/oauth'
 
 describe StripeAccount do
-  describe "deauthorize_and_destroy" do
+  describe "deauthorize_and_destroy", :vcr, :stripe_version do
     let!(:enterprise) { create(:enterprise) }
     let!(:enterprise2) { create(:enterprise) }
-    let(:client_id) { 'ca_abc123' }
-    let(:stripe_user_id) { 'acct_abc123' }
+    let(:client_id) { ENV.fetch('STRIPE_CLIENT_ID', nil) }
+    let(:stripe_user_id) { ENV.fetch('STRIPE_ACCOUNT', nil) }
+
     let!(:stripe_account) {
       create(:stripe_account, enterprise:, stripe_user_id:)
     }
 
+    let(:secret) { ENV.fetch('STRIPE_SECRET_TEST_API_KEY', nil) }
+
     before do
-      Stripe.api_key = "sk_test_12345"
-      Stripe.client_id = client_id
+      Stripe.api_key = secret
     end
 
     context "when the Stripe API disconnect fails" do
-      before do
-        stub_request(:post, "https://connect.stripe.com/oauth/deauthorize").
-          with(body: { "client_id" => client_id, "stripe_user_id" => stripe_user_id }).
-          to_return(status: 400, body: JSON.generate(error: 'invalid_grant',
-                                                     error_description: "Some Message"))
-      end
+      before { Stripe.client_id = "bogus_client_id" }
 
       it "destroys the record and notifies Bugsnag" do
         expect(Bugsnag).to receive(:notify)
@@ -34,11 +31,7 @@ describe StripeAccount do
     end
 
     context "when the Stripe API disconnect succeeds" do
-      before do
-        stub_request(:post, "https://connect.stripe.com/oauth/deauthorize").
-          with(body: { "client_id" => client_id, "stripe_user_id" => stripe_user_id }).
-          to_return(status: 200, body: JSON.generate(stripe_user_id:))
-      end
+      before { Stripe.client_id = client_id }
 
       it "destroys the record" do
         stripe_account.deauthorize_and_destroy

spec/support/vcr_setup.rb

@@ -9,5 +9,6 @@ VCR.configure do |config|
   config.configure_rspec_metadata!
   config.filter_sensitive_data('<HIDDEN_KEY>') { ENV.fetch('STRIPE_SECRET_TEST_API_KEY', nil) }
   config.filter_sensitive_data('<HIDDEN_CUSTOMER>') { ENV.fetch('STRIPE_CUSTOMER', nil) }
+  config.filter_sensitive_data('<HIDDEN_ACCOUNT>') { ENV.fetch('STRIPE_ACCOUNT', nil) }
   config.ignore_hosts('localhost', '127.0.0.1', '0.0.0.0', 'api.knapsackpro.com')
 end