Duplicate subscription created with same ID

Created on 12 December 2022, about 2 years ago
Updated 14 September 2024, 3 months ago

Hi,

Im seeing an odd issue where an attempt to create the subscription happens twice for the same subscription ID, the second one doesnt complete payment and the the role is removed from the user.

In the logs I see:

Created local subscription #172 with remote ID sub_1BE3P7KJv5VGZg4KgAaw4k70

Created local subscription #173 with remote ID sub_1BE3P7KJv5VGZg4KgAaw4k70

Removing role subscriber from user testusername for subscription #173 because its status is incomplete

Both the entries in the log for "Created local subscription" are at the same time (or at least the same minute).

There is a valid subscription with payment complete for this subscription ID in the Stripe dashboard, but because that second local subscription was created and didnt complete the role was removed.

Any ideas how this would happen?

🐛 Bug report
Status

Active

Version

3.0

Component

Code

Created by

🇬🇧United Kingdom problue solutions Northern Ireland

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇬🇧United Kingdom problue solutions Northern Ireland

    I have re-visited this as I've had to do some work on an older project.

    I have encountered this bug again while doing some testing for a seperate issue and I'm pretty sure this is caused by not handling idempotency (basically duplicate requests):

    https://docs.stripe.com/api/idempotent_requests

    Sometimes, but not always, the stripe event customer.subscription.updated is triggered at the same time as customer.subscription.created. This seems to happen more in the case of a wallet payment, but I have also seen it occasionally happen with a standard credit card payments, it seems in this case there is some kind of glitch where Stripe cant access the endpoint at that moment in time and then a second later sends an update event. The important point though is that the idempotency_key property for both webhook events is the same (meaning it's the same request), and this module does not check for, or handle that. This means a duplicate 'local subscription' is created.

    From the documenation on the link above, there is an assumption that you already have that idempotency_key value when interacting with the API so it seems to me that it needs to be stored on the subscription entity when its initially created, so it can be checked to prevent a duplicate local subscription?

    Does this make sense to the maintainers?

  • 🇬🇧United Kingdom problue solutions Northern Ireland
  • 🇬🇧United Kingdom problue solutions Northern Ireland

    A workaround (or fix I'm not sure) is to simply not react to the customer.subscription.created event in WebHookSubscriber and only react to customer.subscription.updated as it's always sent when the subscription is created anyway. Not sure of other implications but works in all scenarios for me.

Production build 0.71.5 2024