How can I test subscription renewal flows in Stripe?

pkaeding · Apr 24, 2015 · Viewed 11.7k times

I want to test my application's handling of webhook events from Stripe when a subscription payment has been made (or failed). Here is what I've tried so far:

  • Set up a new subscription
  • Update user's credit card to be the one that can be added to an account, but will fail to actually be charged
  • Change the trial end date to be in one second
  • Wait a few seconds expecting the webhook to be sent

However, according to the documentation:

If you have configured webhooks, the invoice will wait until one hour after the last webhook is successfully sent (or the last webhook times out after failing).

One hour is a long time to wait, since I am trying to do this as part of an automated integration test suite.

One suggestion (from IRC) is to fake out the webhook request, so that my integration test sends the event, instead of Stripe sending it. However, since Stripe doesn't include any sort of HMAC in the webhooks, I can't trust the data in the payload. So, my application just takes the event ID from the webhook payload and fetches the event from the Stripe API:

If security is a concern, or if it's important to confirm that Stripe sent the webhook, you should only use the ID sent in your webhook and should request the remaining details from the API directly.

This will obviously not work if I am trying to inject fake events for my test (by design).

What are the best practices for testing this sort of scenario?

Answer

pkaeding · Apr 27, 2015

It seems there isn't a perfect way to do this. As suggested by @koopajah in a comment, I added a configuration value in my application that will disable fetching the event from Stripe, and instead just trust the event data in the webhook. This allows me to test my flow in almost the same way as it would work on production, since the event data in the webhook and the event fetched from Stripe are identical (assuming it is an authentic webhook request :)

Unless/until Stripe includes an HMAC signature in the webhook request to authenticate that it came from them, I think this is the best way to solve the problem.
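One way to implement the configuration switch described in this answer, as an added example that is not the answerer's or Stripe's code. The names `WebhookConfig`, `trust_webhook_payload`, `resolve_event`, `handle_webhook` and `fetch_event` are hypothetical; the guard that refuses the bypass in a `production` environment is an assumption about how the flag should be deployed.

```python
import json
from dataclasses import dataclass
from typing import Callable

# Constructed sample body, as an integration test would POST it to the endpoint.
SAMPLE_BODY = b'{"id": "evt_constructed_1", "type": "invoice.payment_failed"}'

@dataclass(frozen=True)
class WebhookConfig:
    environment: str                     # assumed values: "production" or "test"
    trust_webhook_payload: bool = False  # the test-only switch from the answer

    def __post_init__(self):
        # Fail closed: an unauthenticated payload must never be trusted in
        # production, so a misconfigured deployment refuses to start.
        if self.trust_webhook_payload and self.environment == "production":
            raise ValueError("trust_webhook_payload is not allowed in production")

def resolve_event(raw_body: bytes, config: WebhookConfig,
                  fetch_event: Callable[[str], dict]) -> dict:
    """Return the event to act on: re-fetched by ID unless the test flag is set."""
    payload = json.loads(raw_body)
    event_id = payload.get("id") if isinstance(payload, dict) else None
    if not isinstance(event_id, str) or not event_id.startswith("evt_"):
        raise ValueError("missing or malformed event id")
    if config.trust_webhook_payload:
        return payload                   # test mode: injected event used as-is
    # Default path: take only the ID from the request and ask the API for the
    # rest. In a real app fetch_event would wrap the Stripe client's
    # event-retrieve call; it is injected here so the example runs offline.
    return fetch_event(event_id)

def handle_webhook(raw_body: bytes, config: WebhookConfig,
                   fetch_event: Callable[[str], dict]) -> str:
    event = resolve_event(raw_body, config, fetch_event)
    event_type = event.get("type")
    if event_type == "invoice.payment_succeeded":
        return "renewed"
    if event_type == "invoice.payment_failed":
        return "payment_failed"
    return "ignored"
```
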