pretix-stripe2/pretix_stripe2/views.py

import hashlib
import json
import logging

import requests
import stripe
from django.contrib import messages
from django.core import signing
from django.db import transaction
from django.http import Http404, HttpResponse, HttpResponseBadRequest
from django.shortcuts import get_object_or_404, redirect, render
from django.urls import reverse
from django.utils.decorators import method_decorator
from django.utils.functional import cached_property
from django.utils.translation import gettext_lazy as _
from django.views import View
from django.views.decorators.clickjacking import xframe_options_exempt
from django.views.decorators.csrf import csrf_exempt
from django.views.decorators.http import require_POST
from django.views.generic import FormView
from django_scopes import scopes_disabled

from pretix.base.models import Event, Order, OrderPayment, Organizer, Quota
from pretix.base.payment import PaymentException
from pretix.base.services.locking import LockTimeoutException
from pretix.base.settings import GlobalSettingsObject
from pretix.control.permissions import (
    AdministratorPermissionRequiredMixin, event_permission_required,
)
from pretix.control.views.event import DecoupleMixin
from pretix.control.views.organizer import OrganizerDetailViewMixin
from pretix.multidomain.urlreverse import eventreverse
from pretix_stripe2.forms import OrganizerStripeSettingsForm
from pretix_stripe2.models import ReferencedStripe2Object
from pretix_stripe2.payment import StripeCC, StripeSettingsHolder
from pretix_stripe2.tasks import (
    get_domain_for_event, stripe_verify_domain,
)

logger = logging.getLogger('pretix_stripe2')


@xframe_options_exempt
def redirect_view(request, *args, **kwargs):
    signer = signing.Signer(salt='safe-redirect')
    try:
        url = signer.unsign(request.GET.get('url', ''))
    except signing.BadSignature:
        return HttpResponseBadRequest('Invalid parameter')

    r = render(request, 'pretixplugins/stripe2/redirect.html', {
        'url': url,
    })
    r._csp_ignore = True
    return r


@scopes_disabled()
def oauth_return(request, *args, **kwargs):
    raise Exception('Unexpected OAuth')


@csrf_exempt
@require_POST
@scopes_disabled()
def webhook(request, *args, **kwargs):
    event_json = json.loads(request.body.decode('utf-8'))

    # We do not check for the event type as we are not interested in the event it self,
    # we just use it as a trigger to look the charge up to be absolutely sure.
    # Another reason for this is that stripe events are not authenticated, so they could
    # come from anywhere.

    if event_json['data']['object']['object'] == "charge":
        func = charge_webhook
        objid = event_json['data']['object']['id']
    elif event_json['data']['object']['object'] == "dispute":
        func = charge_webhook
        objid = event_json['data']['object']['charge']
    elif event_json['data']['object']['object'] == "source":
        func = source_webhook
        objid = event_json['data']['object']['id']
    elif event_json['data']['object']['object'] == "payment_intent":
        func = paymentintent_webhook
        objid = event_json['data']['object']['id']
    else:
        return HttpResponse("Not interested in this data type", status=200)

    try:
        rso = ReferencedStripe2Object.objects.select_related('order', 'order__event').get(reference=objid)
        return func(rso.order.event, event_json, objid, rso)
    except ReferencedStripe2Object.DoesNotExist:
        if event_json['data']['object']['object'] == "charge" and 'payment_intent' in event_json['data']['object']:
            # If we receive a charge webhook *before* the payment intent webhook, we don't know the charge ID yet
            # and can't match it -- but we know the payment intent ID!
            try:
                rso = ReferencedStripe2Object.objects.select_related('order', 'order__event').get(
                    reference=event_json['data']['object']['payment_intent']
                )
                return func(rso.order.event, event_json, objid, rso)
            except ReferencedStripe2Object.DoesNotExist:
                return HttpResponse("Unable to detect event", status=200)
        elif hasattr(request, 'event') and func != paymentintent_webhook:
            # This is a legacy integration from back when didn't have ReferencedStripe2Object. This can't happen for
            # payment intents or charges connected with payment intents since they didn't exist back then. Our best
            # hope is to go for request.event and see if we can find the order ID.
            return func(request.event, event_json, objid, None)
        else:
            # Okay, this is probably not an event that concerns us, maybe other applications talk to the same stripe
            # account
            return HttpResponse("Unable to detect event", status=200)


SOURCE_TYPES = {
    'sofort': 'stripe_sofort',
    'three_d_secure': 'stripe',
    'card': 'stripe',
    'giropay': 'stripe_giropay',
    'ideal': 'stripe_ideal',
    'alipay': 'stripe_alipay',
    'bancontact': 'stripe_bancontact',
}


def charge_webhook(event, event_json, charge_id, rso):
    prov = StripeCC(event)
    prov._init_api()

    try:
        charge = stripe.Charge.retrieve(charge_id, expand=['dispute'], **prov.api_kwargs)
    except stripe.error.StripeError:
        logger.exception('Stripe error on webhook. Event data: %s' % str(event_json))
        return HttpResponse('Charge not found', status=500)

    metadata = charge['metadata']
    if 'event' not in metadata:
        return HttpResponse('Event not given in charge metadata', status=200)

    if int(metadata['event']) != event.pk:
        return HttpResponse('Not interested in this event', status=200)

    if rso and rso.payment:
        order = rso.payment.order
        payment = rso.payment
    elif rso:
        order = rso.order
        payment = None
    else:
        try:
            order = event.orders.get(id=metadata['order'])
        except Order.DoesNotExist:
            return HttpResponse('Order not found', status=200)
        payment = None

    with transaction.atomic():
        if not payment:
            payment = order.payments.filter(
                info__icontains=charge['id'],
                provider__startswith='stripe',
                amount=prov._amount_to_decimal(charge['amount']),
            ).select_for_update().last()
        if not payment:
            payment = order.payments.create(
                state=OrderPayment.PAYMENT_STATE_CREATED,
                provider=SOURCE_TYPES.get(charge['source'].get('type', charge['source'].get('object', 'card')), 'stripe'),
                amount=prov._amount_to_decimal(charge['amount']),
                info=str(charge),
            )

        if payment.provider != prov.identifier:
            prov = payment.payment_provider
            prov._init_api()

        order.log_action('pretix_stripe2.event', data=event_json)

        is_refund = charge['refunds']['total_count'] or charge['dispute']
        if is_refund:
            known_refunds = [r.info_data.get('id') for r in payment.refunds.all()]
            migrated_refund_amounts = [r.amount for r in payment.refunds.all() if not r.info_data.get('id')]
            for r in charge['refunds']['data']:
                a = prov._amount_to_decimal(r['amount'])
                if r['status'] in ('failed', 'canceled'):
                    continue

                if a in migrated_refund_amounts:
                    migrated_refund_amounts.remove(a)
                    continue

                if r['id'] not in known_refunds:
                    payment.create_external_refund(
                        amount=a,
                        info=str(r)
                    )
            if charge['dispute']:
                if charge['dispute']['status'] != 'won' and charge['dispute']['id'] not in known_refunds:
                    a = prov._amount_to_decimal(charge['dispute']['amount'])
                    if a in migrated_refund_amounts:
                        migrated_refund_amounts.remove(a)
                    else:
                        payment.create_external_refund(
                            amount=a,
                            info=str(charge['dispute'])
                        )
        elif charge['status'] == 'succeeded' and payment.state in (OrderPayment.PAYMENT_STATE_PENDING,
                                                                   OrderPayment.PAYMENT_STATE_CREATED,
                                                                   OrderPayment.PAYMENT_STATE_CANCELED,
                                                                   OrderPayment.PAYMENT_STATE_FAILED):
            try:
                payment.confirm()
            except LockTimeoutException:
                return HttpResponse("Lock timeout, please try again.", status=503)
            except Quota.QuotaExceededException:
                pass
        elif charge['status'] == 'failed' and payment.state in (OrderPayment.PAYMENT_STATE_PENDING, OrderPayment.PAYMENT_STATE_CREATED):
            payment.fail(info=str(charge))

    return HttpResponse(status=200)


def source_webhook(event, event_json, source_id, rso):
    prov = StripeCC(event)
    prov._init_api()
    try:
        src = stripe.Source.retrieve(source_id, **prov.api_kwargs)
    except stripe.error.StripeError:
        logger.exception('Stripe error on webhook. Event data: %s' % str(event_json))
        return HttpResponse('Charge not found', status=500)

    metadata = src['metadata']
    if 'event' not in metadata:
        return HttpResponse('Event not given in charge metadata', status=200)

    if int(metadata['event']) != event.pk:
        return HttpResponse('Not interested in this event', status=200)

    with transaction.atomic():
        if rso and rso.payment:
            order = rso.payment.order
            payment = rso.payment
        elif rso:
            order = rso.order
            payment = None
        else:
            try:
                order = event.orders.get(id=metadata['order'])
            except Order.DoesNotExist:
                return HttpResponse('Order not found', status=200)
            payment = None

        if not payment:
            payment = order.payments.filter(
                info__icontains=src['id'],
                provider__startswith='stripe',
                amount=prov._amount_to_decimal(src['amount']) if src['amount'] is not None else order.total,
            ).last()
        if not payment:
            payment = order.payments.create(
                state=OrderPayment.PAYMENT_STATE_CREATED,
                provider=SOURCE_TYPES.get(src['type'], 'stripe'),
                amount=prov._amount_to_decimal(src['amount']) if src['amount'] is not None else order.total,
                info=str(src),
            )

        if payment.provider != prov.identifier:
            prov = payment.payment_provider
            prov._init_api()

        order.log_action('pretix_stripe2.event', data=event_json)
        go = (event_json['type'] == 'source.chargeable' and
              payment.state in (OrderPayment.PAYMENT_STATE_PENDING, OrderPayment.PAYMENT_STATE_CREATED) and
              src.status == 'chargeable')
        if go:
            try:
                prov._charge_source(None, source_id, payment)
            except PaymentException:
                logger.exception('Webhook error')

        elif src.status == 'failed':
            payment.fail(info=str(src))
        elif src.status == 'canceled' and payment.state in (OrderPayment.PAYMENT_STATE_PENDING, OrderPayment.PAYMENT_STATE_CREATED):
            payment.info = str(src)
            payment.state = OrderPayment.PAYMENT_STATE_CANCELED
            payment.save()

    return HttpResponse(status=200)


def paymentintent_webhook(event, event_json, paymentintent_id, rso):
    prov = StripeCC(event)
    prov._init_api()

    try:
        paymentintent = stripe.PaymentIntent.retrieve(paymentintent_id, **prov.api_kwargs)
    except stripe.error.StripeError:
        logger.exception('Stripe error on webhook. Event data: %s' % str(event_json))
        return HttpResponse('Charge not found', status=500)

    for charge in paymentintent.charges.data:
        ReferencedStripe2Object.objects.get_or_create(
            reference=charge.id,
            defaults={'order': rso.payment.order, 'payment': rso.payment}
        )

    return HttpResponse(status=200)


@event_permission_required('can_change_event_settings')
@require_POST
def oauth_disconnect(request, **kwargs):
    raise Exception('Unexpected OAuth')


@xframe_options_exempt
def applepay_association(request, *args, **kwargs):
    r = render(request, 'pretixplugins/stripe2/apple-developer-merchantid-domain-association')
    r._csp_ignore = True
    return r


class StripeOrderView:
    def dispatch(self, request, *args, **kwargs):
        try:
            self.order = request.event.orders.get(code=kwargs['order'])
            if hashlib.sha1(self.order.secret.lower().encode()).hexdigest() != kwargs['hash'].lower():
                raise Http404('')
        except Order.DoesNotExist:
            # Do a hash comparison as well to harden timing attacks
            if 'abcdefghijklmnopq'.lower() == hashlib.sha1('abcdefghijklmnopq'.encode()).hexdigest():
                raise Http404('')
            else:
                raise Http404('')
        return super().dispatch(request, *args, **kwargs)

    @cached_property
    def payment(self):
        return get_object_or_404(self.order.payments,
                                 pk=self.kwargs['payment'],
                                 provider__startswith='stripe')

    @cached_property
    def pprov(self):
        return self.request.event.get_payment_providers()[self.payment.provider]

    def _redirect_to_order(self):
        if self.request.session.get('payment_stripe_order_secret') != self.order.secret and self.payment.provider != 'stripe_ideal':
            messages.error(self.request, _('Sorry, there was an error in the payment process. Please check the link '
                                           'in your emails to continue.'))
            return redirect(eventreverse(self.request.event, 'presale:event.index'))

        return redirect(eventreverse(self.request.event, 'presale:event.order', kwargs={
            'order': self.order.code,
            'secret': self.order.secret
        }) + ('?paid=yes' if self.order.status == Order.STATUS_PAID else ''))


@method_decorator(xframe_options_exempt, 'dispatch')
class ReturnView(StripeOrderView, View):
    def get(self, request, *args, **kwargs):
        prov = self.pprov
        prov._init_api()
        try:
            src = stripe.Source.retrieve(request.GET.get('source'), **prov.api_kwargs)
        except stripe.error.InvalidRequestError:
            logger.exception('Could not retrieve source')
            messages.error(self.request, _('Sorry, there was an error in the payment process. Please check the link '
                                           'in your emails to continue.'))
            return redirect(eventreverse(self.request.event, 'presale:event.index'))

        if src.client_secret != request.GET.get('client_secret'):
            messages.error(self.request, _('Sorry, there was an error in the payment process. Please check the link '
                                           'in your emails to continue.'))
            return redirect(eventreverse(self.request.event, 'presale:event.index'))

        with transaction.atomic():
            self.order.refresh_from_db()
            self.payment.refresh_from_db()
            if self.payment.state == OrderPayment.PAYMENT_STATE_CONFIRMED:
                if 'payment_stripe_token' in request.session:
                    del request.session['payment_stripe_token']
                return self._redirect_to_order()

            if src.status == 'chargeable':
                try:
                    prov._charge_source(request, src.id, self.payment)
                except PaymentException as e:
                    messages.error(request, str(e))
                    return self._redirect_to_order()
                finally:
                    if 'payment_stripe_token' in request.session:
                        del request.session['payment_stripe_token']
            elif src.status == 'consumed':
                # Webhook was faster, wow! ;)
                if 'payment_stripe_token' in request.session:
                    del request.session['payment_stripe_token']
                return self._redirect_to_order()
            elif src.status == 'pending':
                self.payment.state = OrderPayment.PAYMENT_STATE_PENDING
                self.payment.info = str(src)
                self.payment.save()
            else:  # failed or canceled
                self.payment.fail(info=str(src))
                messages.error(self.request, _('We had trouble authorizing your card payment. Please try again and '
                                               'get in touch with us if this problem persists.'))
        return self._redirect_to_order()


@method_decorator(xframe_options_exempt, 'dispatch')
class ScaView(StripeOrderView, View):

    def get(self, request, *args, **kwargs):
        prov = self.pprov
        prov._init_api()

        if self.payment.state in (OrderPayment.PAYMENT_STATE_CONFIRMED,
                                  OrderPayment.PAYMENT_STATE_CANCELED,
                                  OrderPayment.PAYMENT_STATE_FAILED):
            return self._redirect_to_order()

        payment_info = json.loads(self.payment.info)

        if 'id' in payment_info:
            try:
                intent = stripe.PaymentIntent.retrieve(
                    payment_info['id'],
                    **prov.api_kwargs
                )
            except stripe.error.InvalidRequestError:
                logger.exception('Could not retrieve payment intent')
                messages.error(self.request, _('Sorry, there was an error in the payment process.'))
                return self._redirect_to_order()
        else:
            messages.error(self.request, _('Sorry, there was an error in the payment process.'))
            return self._redirect_to_order()

        if intent.status == 'requires_action' and intent.next_action.type in ['use_stripe_sdk', 'redirect_to_url']:
            ctx = {
                'order': self.order,
                'stripe_settings': StripeSettingsHolder(self.order.event).settings,
            }
            if intent.next_action.type == 'use_stripe_sdk':
                ctx['payment_intent_client_secret'] = intent.client_secret
            elif intent.next_action.type == 'redirect_to_url':
                ctx['payment_intent_next_action_redirect_url'] = intent.next_action.redirect_to_url['url']

            r = render(request, 'pretixplugins/stripe2/sca.html', ctx)
            r._csp_ignore = True
            return r
        else:
            try:
                prov._handle_payment_intent(request, self.payment, intent)
            except PaymentException as e:
                messages.error(request, str(e))

            return self._redirect_to_order()


@method_decorator(xframe_options_exempt, 'dispatch')
class ScaReturnView(StripeOrderView, View):
    def get(self, request, *args, **kwargs):
        prov = self.pprov

        try:
            prov._handle_payment_intent(request, self.payment)
        except PaymentException as e:
            messages.error(request, str(e))

        self.order.refresh_from_db()

        return render(request, 'pretixplugins/stripe2/sca_return.html', {'order': self.order})


class OrganizerSettingsFormView(DecoupleMixin, OrganizerDetailViewMixin, AdministratorPermissionRequiredMixin, FormView):
    model = Organizer
    permission = 'can_change_organizer_settings'
    form_class = OrganizerStripeSettingsForm
    template_name = 'pretixplugins/stripe2/organizer_stripe.html'

    def get_success_url(self):
        return reverse('plugins:pretix_stripe2:settings.connect', kwargs={
            'organizer': self.request.organizer.slug,
        })

    def get_form_kwargs(self):
        kwargs = super().get_form_kwargs()
        kwargs['obj'] = self.request.organizer
        return kwargs

    @transaction.atomic
    def post(self, request, *args, **kwargs):
        form = self.get_form()
        if form.is_valid():
            form.save()
            if form.has_changed():
                self.request.organizer.log_action(
                    'pretix.organizer.settings', user=self.request.user, data={
                        k: form.cleaned_data.get(k) for k in form.changed_data
                    }
                )
            messages.success(self.request, _('Your changes have been saved.'))
            return redirect(self.get_success_url())
        else:
            messages.error(self.request, _('We could not save your changes. See below for details.'))
            return self.get(request)
Per Pretix 3.10 2020-09-04 17:56:10 +10:00			`import hashlib`
			`import json`
			`import logging`

			`import requests`
			`import stripe`
			`from django.contrib import messages`
			`from django.core import signing`
			`from django.db import transaction`
			`from django.http import Http404, HttpResponse, HttpResponseBadRequest`
			`from django.shortcuts import get_object_or_404, redirect, render`
			`from django.urls import reverse`
			`from django.utils.decorators import method_decorator`
			`from django.utils.functional import cached_property`
			`from django.utils.translation import gettext_lazy as _`
			`from django.views import View`
			`from django.views.decorators.clickjacking import xframe_options_exempt`
			`from django.views.decorators.csrf import csrf_exempt`
			`from django.views.decorators.http import require_POST`
			`from django.views.generic import FormView`
			`from django_scopes import scopes_disabled`

			`from pretix.base.models import Event, Order, OrderPayment, Organizer, Quota`
			`from pretix.base.payment import PaymentException`
			`from pretix.base.services.locking import LockTimeoutException`
			`from pretix.base.settings import GlobalSettingsObject`
			`from pretix.control.permissions import (`
			`AdministratorPermissionRequiredMixin, event_permission_required,`
			`)`
			`from pretix.control.views.event import DecoupleMixin`
			`from pretix.control.views.organizer import OrganizerDetailViewMixin`
			`from pretix.multidomain.urlreverse import eventreverse`
Initial implementation 2020-09-04 17:58:25 +10:00			`from pretix_stripe2.forms import OrganizerStripeSettingsForm`
			`from pretix_stripe2.models import ReferencedStripe2Object`
			`from pretix_stripe2.payment import StripeCC, StripeSettingsHolder`
			`from pretix_stripe2.tasks import (`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00			`get_domain_for_event, stripe_verify_domain,`
			`)`

Initial implementation 2020-09-04 17:58:25 +10:00			`logger = logging.getLogger('pretix_stripe2')`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00

			`@xframe_options_exempt`
			`def redirect_view(request, args, *kwargs):`
			`signer = signing.Signer(salt='safe-redirect')`
			`try:`
			`url = signer.unsign(request.GET.get('url', ''))`
			`except signing.BadSignature:`
			`return HttpResponseBadRequest('Invalid parameter')`

Initial implementation 2020-09-04 17:58:25 +10:00			`r = render(request, 'pretixplugins/stripe2/redirect.html', {`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00			`'url': url,`
			`})`
			`r._csp_ignore = True`
			`return r`


			`@scopes_disabled()`
			`def oauth_return(request, args, *kwargs):`
Initial implementation 2020-09-04 17:58:25 +10:00			`raise Exception('Unexpected OAuth')`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00

			`@csrf_exempt`
			`@require_POST`
			`@scopes_disabled()`
			`def webhook(request, args, *kwargs):`
			`event_json = json.loads(request.body.decode('utf-8'))`

			`# We do not check for the event type as we are not interested in the event it self,`
			`# we just use it as a trigger to look the charge up to be absolutely sure.`
			`# Another reason for this is that stripe events are not authenticated, so they could`
			`# come from anywhere.`

			`if event_json['data']['object']['object'] == "charge":`
			`func = charge_webhook`
			`objid = event_json['data']['object']['id']`
			`elif event_json['data']['object']['object'] == "dispute":`
			`func = charge_webhook`
			`objid = event_json['data']['object']['charge']`
			`elif event_json['data']['object']['object'] == "source":`
			`func = source_webhook`
			`objid = event_json['data']['object']['id']`
			`elif event_json['data']['object']['object'] == "payment_intent":`
			`func = paymentintent_webhook`
			`objid = event_json['data']['object']['id']`
			`else:`
			`return HttpResponse("Not interested in this data type", status=200)`

			`try:`
Initial implementation 2020-09-04 17:58:25 +10:00			`rso = ReferencedStripe2Object.objects.select_related('order', 'order__event').get(reference=objid)`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00			`return func(rso.order.event, event_json, objid, rso)`
Initial implementation 2020-09-04 17:58:25 +10:00			`except ReferencedStripe2Object.DoesNotExist:`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00			`if event_json['data']['object']['object'] == "charge" and 'payment_intent' in event_json['data']['object']:`
			`# If we receive a charge webhook before the payment intent webhook, we don't know the charge ID yet`
			`# and can't match it -- but we know the payment intent ID!`
			`try:`
Initial implementation 2020-09-04 17:58:25 +10:00			`rso = ReferencedStripe2Object.objects.select_related('order', 'order__event').get(`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00			`reference=event_json['data']['object']['payment_intent']`
			`)`
			`return func(rso.order.event, event_json, objid, rso)`
Initial implementation 2020-09-04 17:58:25 +10:00			`except ReferencedStripe2Object.DoesNotExist:`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00			`return HttpResponse("Unable to detect event", status=200)`
			`elif hasattr(request, 'event') and func != paymentintent_webhook:`
Initial implementation 2020-09-04 17:58:25 +10:00			`# This is a legacy integration from back when didn't have ReferencedStripe2Object. This can't happen for`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00			`# payment intents or charges connected with payment intents since they didn't exist back then. Our best`
			`# hope is to go for request.event and see if we can find the order ID.`
			`return func(request.event, event_json, objid, None)`
			`else:`
			`# Okay, this is probably not an event that concerns us, maybe other applications talk to the same stripe`
			`# account`
			`return HttpResponse("Unable to detect event", status=200)`


			`SOURCE_TYPES = {`
			`'sofort': 'stripe_sofort',`
			`'three_d_secure': 'stripe',`
			`'card': 'stripe',`
			`'giropay': 'stripe_giropay',`
			`'ideal': 'stripe_ideal',`
			`'alipay': 'stripe_alipay',`
			`'bancontact': 'stripe_bancontact',`
			`}`


			`def charge_webhook(event, event_json, charge_id, rso):`
			`prov = StripeCC(event)`
			`prov._init_api()`

			`try:`
			`charge = stripe.Charge.retrieve(charge_id, expand=['dispute'], **prov.api_kwargs)`
			`except stripe.error.StripeError:`
			`logger.exception('Stripe error on webhook. Event data: %s' % str(event_json))`
			`return HttpResponse('Charge not found', status=500)`

			`metadata = charge['metadata']`
			`if 'event' not in metadata:`
			`return HttpResponse('Event not given in charge metadata', status=200)`

			`if int(metadata['event']) != event.pk:`
			`return HttpResponse('Not interested in this event', status=200)`

			`if rso and rso.payment:`
			`order = rso.payment.order`
			`payment = rso.payment`
			`elif rso:`
			`order = rso.order`
			`payment = None`
			`else:`
			`try:`
			`order = event.orders.get(id=metadata['order'])`
			`except Order.DoesNotExist:`
			`return HttpResponse('Order not found', status=200)`
			`payment = None`

			`with transaction.atomic():`
			`if not payment:`
			`payment = order.payments.filter(`
			`info__icontains=charge['id'],`
			`provider__startswith='stripe',`
			`amount=prov._amount_to_decimal(charge['amount']),`
			`).select_for_update().last()`
			`if not payment:`
			`payment = order.payments.create(`
			`state=OrderPayment.PAYMENT_STATE_CREATED,`
			`provider=SOURCE_TYPES.get(charge['source'].get('type', charge['source'].get('object', 'card')), 'stripe'),`
			`amount=prov._amount_to_decimal(charge['amount']),`
			`info=str(charge),`
			`)`

			`if payment.provider != prov.identifier:`
			`prov = payment.payment_provider`
			`prov._init_api()`

Initial implementation 2020-09-04 17:58:25 +10:00			`order.log_action('pretix_stripe2.event', data=event_json)`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00
			`is_refund = charge['refunds']['total_count'] or charge['dispute']`
			`if is_refund:`
			`known_refunds = [r.info_data.get('id') for r in payment.refunds.all()]`
			`migrated_refund_amounts = [r.amount for r in payment.refunds.all() if not r.info_data.get('id')]`
			`for r in charge['refunds']['data']:`
			`a = prov._amount_to_decimal(r['amount'])`
			`if r['status'] in ('failed', 'canceled'):`
			`continue`

			`if a in migrated_refund_amounts:`
			`migrated_refund_amounts.remove(a)`
			`continue`

			`if r['id'] not in known_refunds:`
			`payment.create_external_refund(`
			`amount=a,`
			`info=str(r)`
			`)`
			`if charge['dispute']:`
			`if charge['dispute']['status'] != 'won' and charge['dispute']['id'] not in known_refunds:`
			`a = prov._amount_to_decimal(charge['dispute']['amount'])`
			`if a in migrated_refund_amounts:`
			`migrated_refund_amounts.remove(a)`
			`else:`
			`payment.create_external_refund(`
			`amount=a,`
			`info=str(charge['dispute'])`
			`)`
			`elif charge['status'] == 'succeeded' and payment.state in (OrderPayment.PAYMENT_STATE_PENDING,`
			`OrderPayment.PAYMENT_STATE_CREATED,`
			`OrderPayment.PAYMENT_STATE_CANCELED,`
			`OrderPayment.PAYMENT_STATE_FAILED):`
			`try:`
			`payment.confirm()`
			`except LockTimeoutException:`
			`return HttpResponse("Lock timeout, please try again.", status=503)`
			`except Quota.QuotaExceededException:`
			`pass`
			`elif charge['status'] == 'failed' and payment.state in (OrderPayment.PAYMENT_STATE_PENDING, OrderPayment.PAYMENT_STATE_CREATED):`
			`payment.fail(info=str(charge))`

			`return HttpResponse(status=200)`


			`def source_webhook(event, event_json, source_id, rso):`
			`prov = StripeCC(event)`
			`prov._init_api()`
			`try:`
			`src = stripe.Source.retrieve(source_id, **prov.api_kwargs)`
			`except stripe.error.StripeError:`
			`logger.exception('Stripe error on webhook. Event data: %s' % str(event_json))`
			`return HttpResponse('Charge not found', status=500)`

			`metadata = src['metadata']`
			`if 'event' not in metadata:`
			`return HttpResponse('Event not given in charge metadata', status=200)`

			`if int(metadata['event']) != event.pk:`
			`return HttpResponse('Not interested in this event', status=200)`

			`with transaction.atomic():`
			`if rso and rso.payment:`
			`order = rso.payment.order`
			`payment = rso.payment`
			`elif rso:`
			`order = rso.order`
			`payment = None`
			`else:`
			`try:`
			`order = event.orders.get(id=metadata['order'])`
			`except Order.DoesNotExist:`
			`return HttpResponse('Order not found', status=200)`
			`payment = None`

			`if not payment:`
			`payment = order.payments.filter(`
			`info__icontains=src['id'],`
			`provider__startswith='stripe',`
			`amount=prov._amount_to_decimal(src['amount']) if src['amount'] is not None else order.total,`
			`).last()`
			`if not payment:`
			`payment = order.payments.create(`
			`state=OrderPayment.PAYMENT_STATE_CREATED,`
			`provider=SOURCE_TYPES.get(src['type'], 'stripe'),`
			`amount=prov._amount_to_decimal(src['amount']) if src['amount'] is not None else order.total,`
			`info=str(src),`
			`)`

			`if payment.provider != prov.identifier:`
			`prov = payment.payment_provider`
			`prov._init_api()`

Initial implementation 2020-09-04 17:58:25 +10:00			`order.log_action('pretix_stripe2.event', data=event_json)`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00			`go = (event_json['type'] == 'source.chargeable' and`
			`payment.state in (OrderPayment.PAYMENT_STATE_PENDING, OrderPayment.PAYMENT_STATE_CREATED) and`
			`src.status == 'chargeable')`
			`if go:`
			`try:`
			`prov._charge_source(None, source_id, payment)`
			`except PaymentException:`
			`logger.exception('Webhook error')`

			`elif src.status == 'failed':`
			`payment.fail(info=str(src))`
			`elif src.status == 'canceled' and payment.state in (OrderPayment.PAYMENT_STATE_PENDING, OrderPayment.PAYMENT_STATE_CREATED):`
			`payment.info = str(src)`
			`payment.state = OrderPayment.PAYMENT_STATE_CANCELED`
			`payment.save()`

			`return HttpResponse(status=200)`


			`def paymentintent_webhook(event, event_json, paymentintent_id, rso):`
			`prov = StripeCC(event)`
			`prov._init_api()`

			`try:`
			`paymentintent = stripe.PaymentIntent.retrieve(paymentintent_id, **prov.api_kwargs)`
			`except stripe.error.StripeError:`
			`logger.exception('Stripe error on webhook. Event data: %s' % str(event_json))`
			`return HttpResponse('Charge not found', status=500)`

			`for charge in paymentintent.charges.data:`
Initial implementation 2020-09-04 17:58:25 +10:00			`ReferencedStripe2Object.objects.get_or_create(`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00			`reference=charge.id,`
			`defaults={'order': rso.payment.order, 'payment': rso.payment}`
			`)`

			`return HttpResponse(status=200)`


			`@event_permission_required('can_change_event_settings')`
			`@require_POST`
			`def oauth_disconnect(request, **kwargs):`
Initial implementation 2020-09-04 17:58:25 +10:00			`raise Exception('Unexpected OAuth')`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00

			`@xframe_options_exempt`
			`def applepay_association(request, args, *kwargs):`
Initial implementation 2020-09-04 17:58:25 +10:00			`r = render(request, 'pretixplugins/stripe2/apple-developer-merchantid-domain-association')`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00			`r._csp_ignore = True`
			`return r`


			`class StripeOrderView:`
			`def dispatch(self, request, args, *kwargs):`
			`try:`
			`self.order = request.event.orders.get(code=kwargs['order'])`
			`if hashlib.sha1(self.order.secret.lower().encode()).hexdigest() != kwargs['hash'].lower():`
			`raise Http404('')`
			`except Order.DoesNotExist:`
			`# Do a hash comparison as well to harden timing attacks`
			`if 'abcdefghijklmnopq'.lower() == hashlib.sha1('abcdefghijklmnopq'.encode()).hexdigest():`
			`raise Http404('')`
			`else:`
			`raise Http404('')`
			`return super().dispatch(request, args, *kwargs)`

			`@cached_property`
			`def payment(self):`
			`return get_object_or_404(self.order.payments,`
			`pk=self.kwargs['payment'],`
			`provider__startswith='stripe')`

			`@cached_property`
			`def pprov(self):`
			`return self.request.event.get_payment_providers()[self.payment.provider]`

			`def _redirect_to_order(self):`
			`if self.request.session.get('payment_stripe_order_secret') != self.order.secret and self.payment.provider != 'stripe_ideal':`
			`messages.error(self.request, _('Sorry, there was an error in the payment process. Please check the link '`
			`'in your emails to continue.'))`
			`return redirect(eventreverse(self.request.event, 'presale:event.index'))`

			`return redirect(eventreverse(self.request.event, 'presale:event.order', kwargs={`
			`'order': self.order.code,`
			`'secret': self.order.secret`
			`}) + ('?paid=yes' if self.order.status == Order.STATUS_PAID else ''))`


			`@method_decorator(xframe_options_exempt, 'dispatch')`
			`class ReturnView(StripeOrderView, View):`
			`def get(self, request, args, *kwargs):`
			`prov = self.pprov`
			`prov._init_api()`
			`try:`
			`src = stripe.Source.retrieve(request.GET.get('source'), **prov.api_kwargs)`
			`except stripe.error.InvalidRequestError:`
			`logger.exception('Could not retrieve source')`
			`messages.error(self.request, _('Sorry, there was an error in the payment process. Please check the link '`
			`'in your emails to continue.'))`
			`return redirect(eventreverse(self.request.event, 'presale:event.index'))`

			`if src.client_secret != request.GET.get('client_secret'):`
			`messages.error(self.request, _('Sorry, there was an error in the payment process. Please check the link '`
			`'in your emails to continue.'))`
			`return redirect(eventreverse(self.request.event, 'presale:event.index'))`

			`with transaction.atomic():`
			`self.order.refresh_from_db()`
			`self.payment.refresh_from_db()`
			`if self.payment.state == OrderPayment.PAYMENT_STATE_CONFIRMED:`
			`if 'payment_stripe_token' in request.session:`
			`del request.session['payment_stripe_token']`
			`return self._redirect_to_order()`

			`if src.status == 'chargeable':`
			`try:`
			`prov._charge_source(request, src.id, self.payment)`
			`except PaymentException as e:`
			`messages.error(request, str(e))`
			`return self._redirect_to_order()`
			`finally:`
			`if 'payment_stripe_token' in request.session:`
			`del request.session['payment_stripe_token']`
			`elif src.status == 'consumed':`
			`# Webhook was faster, wow! ;)`
			`if 'payment_stripe_token' in request.session:`
			`del request.session['payment_stripe_token']`
			`return self._redirect_to_order()`
			`elif src.status == 'pending':`
			`self.payment.state = OrderPayment.PAYMENT_STATE_PENDING`
			`self.payment.info = str(src)`
			`self.payment.save()`
			`else: # failed or canceled`
			`self.payment.fail(info=str(src))`
			`messages.error(self.request, _('We had trouble authorizing your card payment. Please try again and '`
			`'get in touch with us if this problem persists.'))`
			`return self._redirect_to_order()`


			`@method_decorator(xframe_options_exempt, 'dispatch')`
			`class ScaView(StripeOrderView, View):`

			`def get(self, request, args, *kwargs):`
			`prov = self.pprov`
			`prov._init_api()`

			`if self.payment.state in (OrderPayment.PAYMENT_STATE_CONFIRMED,`
			`OrderPayment.PAYMENT_STATE_CANCELED,`
			`OrderPayment.PAYMENT_STATE_FAILED):`
			`return self._redirect_to_order()`

			`payment_info = json.loads(self.payment.info)`

			`if 'id' in payment_info:`
			`try:`
			`intent = stripe.PaymentIntent.retrieve(`
			`payment_info['id'],`
			`**prov.api_kwargs`
			`)`
			`except stripe.error.InvalidRequestError:`
			`logger.exception('Could not retrieve payment intent')`
			`messages.error(self.request, _('Sorry, there was an error in the payment process.'))`
			`return self._redirect_to_order()`
			`else:`
			`messages.error(self.request, _('Sorry, there was an error in the payment process.'))`
			`return self._redirect_to_order()`

			`if intent.status == 'requires_action' and intent.next_action.type in ['use_stripe_sdk', 'redirect_to_url']:`
			`ctx = {`
			`'order': self.order,`
			`'stripe_settings': StripeSettingsHolder(self.order.event).settings,`
			`}`
			`if intent.next_action.type == 'use_stripe_sdk':`
			`ctx['payment_intent_client_secret'] = intent.client_secret`
			`elif intent.next_action.type == 'redirect_to_url':`
			`ctx['payment_intent_next_action_redirect_url'] = intent.next_action.redirect_to_url['url']`

Initial implementation 2020-09-04 17:58:25 +10:00			`r = render(request, 'pretixplugins/stripe2/sca.html', ctx)`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00			`r._csp_ignore = True`
			`return r`
			`else:`
			`try:`
			`prov._handle_payment_intent(request, self.payment, intent)`
			`except PaymentException as e:`
			`messages.error(request, str(e))`

			`return self._redirect_to_order()`


			`@method_decorator(xframe_options_exempt, 'dispatch')`
			`class ScaReturnView(StripeOrderView, View):`
			`def get(self, request, args, *kwargs):`
			`prov = self.pprov`

			`try:`
			`prov._handle_payment_intent(request, self.payment)`
			`except PaymentException as e:`
			`messages.error(request, str(e))`

			`self.order.refresh_from_db()`

Initial implementation 2020-09-04 17:58:25 +10:00			`return render(request, 'pretixplugins/stripe2/sca_return.html', {'order': self.order})`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00

			`class OrganizerSettingsFormView(DecoupleMixin, OrganizerDetailViewMixin, AdministratorPermissionRequiredMixin, FormView):`
			`model = Organizer`
			`permission = 'can_change_organizer_settings'`
			`form_class = OrganizerStripeSettingsForm`
Initial implementation 2020-09-04 17:58:25 +10:00			`template_name = 'pretixplugins/stripe2/organizer_stripe.html'`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00
			`def get_success_url(self):`
Initial implementation 2020-09-04 17:58:25 +10:00			`return reverse('plugins:pretix_stripe2:settings.connect', kwargs={`
Per Pretix 3.10 2020-09-04 17:56:10 +10:00			`'organizer': self.request.organizer.slug,`
			`})`

			`def get_form_kwargs(self):`
			`kwargs = super().get_form_kwargs()`
			`kwargs['obj'] = self.request.organizer`
			`return kwargs`

			`@transaction.atomic`
			`def post(self, request, args, *kwargs):`
			`form = self.get_form()`
			`if form.is_valid():`
			`form.save()`
			`if form.has_changed():`
			`self.request.organizer.log_action(`
			`'pretix.organizer.settings', user=self.request.user, data={`
			`k: form.cleaned_data.get(k) for k in form.changed_data`
			`}`
			`)`
			`messages.success(self.request, _('Your changes have been saved.'))`
			`return redirect(self.get_success_url())`
			`else:`
			`messages.error(self.request, _('We could not save your changes. See below for details.'))`
			`return self.get(request)`