From 48566ca877514fc879f09004430f84b559c11e76 Mon Sep 17 00:00:00 2001 From: Juraj Uhlar Date: Thu, 26 Sep 2024 10:15:46 +0400 Subject: [PATCH] Chore: refactor and migrate Payment fraud to `app` router INTER-911, INTER-459 (#160) * chore: move payment fraud * chore: refactor payment fraud * chore: fix bugs, build * chore: self review fixes * chore: fix demo --- e2e/payment-fraud.spec.ts | 2 +- .../payment-fraud/PaymentFraud.tsx} | 83 ++++--- .../payment-fraud/api/place-order}/copy.ts | 0 .../payment-fraud/api/place-order/database.ts | 34 +++ .../payment-fraud/api/place-order/route.ts | 102 ++++++++ src/app/payment-fraud/embed/page.tsx | 9 + src/app/payment-fraud/page.tsx | 9 + .../payment-fraud/paymentFraud.module.scss | 0 src/pages/api/admin/reset.ts | 8 +- src/pages/api/payment-fraud/place-order.ts | 221 ------------------ src/pages/payment-fraud/embed.tsx | 13 -- 11 files changed, 201 insertions(+), 280 deletions(-) rename src/{pages/payment-fraud/index.tsx => app/payment-fraud/PaymentFraud.tsx} (66%) rename src/{server/paymentFraud => app/payment-fraud/api/place-order}/copy.ts (100%) create mode 100644 src/app/payment-fraud/api/place-order/database.ts create mode 100644 src/app/payment-fraud/api/place-order/route.ts create mode 100644 src/app/payment-fraud/embed/page.tsx create mode 100644 src/app/payment-fraud/page.tsx rename src/{pages => app}/payment-fraud/paymentFraud.module.scss (100%) delete mode 100644 src/pages/api/payment-fraud/place-order.ts delete mode 100644 src/pages/payment-fraud/embed.tsx diff --git a/e2e/payment-fraud.spec.ts b/e2e/payment-fraud.spec.ts index 4341681d..17b4bfdc 100644 --- a/e2e/payment-fraud.spec.ts +++ b/e2e/payment-fraud.spec.ts @@ -1,7 +1,7 @@ import { Page, test } from '@playwright/test'; import { blockGoogleTagManager, resetScenarios } from './e2eTestUtils'; import { TEST_IDS } from '../src/client/testIDs'; -import { PAYMENT_FRAUD_COPY } from '../src/server/paymentFraud/copy'; +import { PAYMENT_FRAUD_COPY } from '../src/app/payment-fraud/api/place-order/copy'; const submit = (page: Page) => page.getByTestId(TEST_IDS.paymentFraud.submitPayment).click(); diff --git a/src/pages/payment-fraud/index.tsx b/src/app/payment-fraud/PaymentFraud.tsx similarity index 66% rename from src/pages/payment-fraud/index.tsx rename to src/app/payment-fraud/PaymentFraud.tsx index cb36d9e0..889d50d2 100644 --- a/src/pages/payment-fraud/index.tsx +++ b/src/app/payment-fraud/PaymentFraud.tsx @@ -1,3 +1,5 @@ +'use client'; + import { useState } from 'react'; import { UseCaseWrapper } from '../../client/components/common/UseCaseWrapper/UseCaseWrapper'; import React from 'react'; @@ -7,14 +9,14 @@ import Button from '../../client/components/common/Button/Button'; import styles from './paymentFraud.module.scss'; import formStyles from '../../styles/forms.module.scss'; import { Alert } from '../../client/components/common/Alert/Alert'; -import { CustomPageProps } from '../_app'; import classNames from 'classnames'; import { useVisitorData } from '@fingerprintjs/fingerprintjs-pro-react'; import { TEST_IDS } from '../../client/testIDs'; -import { Severity } from '../../server/checks'; +import { PaymentPayload, PaymentResponse } from './api/place-order/route'; +import { useMutation } from 'react-query'; -export default function Index({ embed }: CustomPageProps) { - const { getData } = useVisitorData( +export function PaymentFraud() { + const { getData: getVisitorData } = useVisitorData( { ignoreCache: true }, { immediate: false, @@ -25,51 +27,45 @@ export default function Index({ embed }: CustomPageProps) { const [cardNumber, setCardNumber] = useState('4242 4242 4242 4242'); const [cardCvv, setCardCvv] = useState('123'); const [cardExpiration, setCardExpiration] = useState('04/28'); - - const [orderStatusMessage, setOrderStatusMessage] = useState(); - const [applyChargeback, setApplyChargeback] = useState(false); + const [filedChargeback, setFiledChargeback] = useState(false); const [usingStolenCard, setUsingStolenCard] = useState(false); - const [severity, setSeverity] = useState(); - const [isWaitingForResponse, setIsWaitingForResponse] = useState(false); - const [httpResponseStatus, setHttpResponseStatus] = useState(); + + const { + mutate: submitPayment, + isLoading: isLoadingPayment, + data: paymentResponse, + error: paymentNetworkError, + } = useMutation, unknown>({ + mutationKey: ['request loan'], + mutationFn: async (payment) => { + const { requestId } = await getVisitorData({ ignoreCache: true }); + const response = await fetch('/payment-fraud/api/place-order', { + method: 'POST', + headers: { 'Content-Type': 'application/json' }, + body: JSON.stringify({ + ...payment, + requestId, + } satisfies PaymentPayload), + }); + return await response.json(); + }, + }); async function handleSubmit(e: React.FormEvent) { e.preventDefault(); - setIsWaitingForResponse(true); - - const fpData = await getData(); - const { requestId, visitorId } = fpData; - - const orderData = { - cardNumber, - cardCvv, - cardExpiration, - applyChargeback, + submitPayment({ + filedChargeback: filedChargeback, usingStolenCard, - visitorId, - requestId, - }; - - // Server-side handler for this route is located in api/payment-fraud/place-order.js file. - const response = await fetch('/api/payment-fraud/place-order', { - method: 'POST', - body: JSON.stringify(orderData), - headers: { - 'Content-Type': 'application/json', - Accept: 'application/json', + card: { + number: cardNumber, + cvv: cardCvv, + expiration: cardExpiration, }, }); - - const responseJson = await response.json(); - const responseStatus = response.status; - setOrderStatusMessage(responseJson.message); - setSeverity(responseJson.severity); - setHttpResponseStatus(responseStatus); - setIsWaitingForResponse(false); } return ( - +
@@ -116,7 +112,7 @@ export default function Index({ embed }: CustomPageProps) { setApplyChargeback(event.target.checked)} + onChange={(event) => setFiledChargeback(event.target.checked)} data-testid={TEST_IDS.paymentFraud.askForChargeback} /> Ask for chargeback after purchase @@ -135,14 +131,15 @@ export default function Index({ embed }: CustomPageProps) {
- {httpResponseStatus ? {orderStatusMessage} : null} + {paymentNetworkError ? {paymentNetworkError.message} : null} + {paymentResponse ? {paymentResponse.message} : null} diff --git a/src/server/paymentFraud/copy.ts b/src/app/payment-fraud/api/place-order/copy.ts similarity index 100% rename from src/server/paymentFraud/copy.ts rename to src/app/payment-fraud/api/place-order/copy.ts diff --git a/src/app/payment-fraud/api/place-order/database.ts b/src/app/payment-fraud/api/place-order/database.ts new file mode 100644 index 00000000..da9b59b6 --- /dev/null +++ b/src/app/payment-fraud/api/place-order/database.ts @@ -0,0 +1,34 @@ +import { Model, InferAttributes, InferCreationAttributes, DataTypes, Attributes } from 'sequelize'; +import { sequelize } from '../../../../server/server'; + +interface PaymentAttemptAttributes + extends Model, InferCreationAttributes> { + visitorId: string; + filedChargeback: boolean; + usingStolenCard: boolean; + wasSuccessful: boolean; + timestamp: number; +} + +export const PaymentAttemptDbModel = sequelize.define('payment-attempt', { + visitorId: { + type: DataTypes.STRING, + }, + filedChargeback: { + type: DataTypes.BOOLEAN, + }, + usingStolenCard: { + type: DataTypes.BOOLEAN, + }, + wasSuccessful: { + type: DataTypes.BOOLEAN, + }, + timestamp: { + type: DataTypes.DATE, + }, +}); + +export type PaymentAttempt = Attributes; +export type PaymentAttemptData = Omit; + +PaymentAttemptDbModel.sync({ force: false }); diff --git a/src/app/payment-fraud/api/place-order/route.ts b/src/app/payment-fraud/api/place-order/route.ts new file mode 100644 index 00000000..d12ed5c1 --- /dev/null +++ b/src/app/payment-fraud/api/place-order/route.ts @@ -0,0 +1,102 @@ +import { NextResponse } from 'next/server'; +import { getAndValidateFingerprintResult, Severity } from '../../../../server/checks'; +import { PaymentAttemptData, PaymentAttemptDbModel } from './database'; +import { PAYMENT_FRAUD_COPY } from './copy'; +import { Op } from 'sequelize'; +import { sequelize } from '../../../../server/server'; + +type Card = { + number: string; + expiration: string; + cvv: string; +}; + +// Mocked credit card details. +const mockedCard: Card = { + number: '4242 4242 4242 4242', + expiration: '04/28', + cvv: '123', +}; + +function areCardDetailsCorrect(card: Card) { + return card.number === mockedCard.number && card.expiration === mockedCard.expiration && card.cvv === mockedCard.cvv; +} + +async function savePaymentAttempt(paymentAttempt: PaymentAttemptData) { + await PaymentAttemptDbModel.create({ + ...paymentAttempt, + timestamp: new Date().getTime(), + }); + await sequelize.sync(); +} + +export type PaymentPayload = { + requestId: string; + filedChargeback: boolean; + usingStolenCard: boolean; + card: Card; +}; + +export type PaymentResponse = { + message: string; + severity: Severity; +}; + +export async function POST(req: Request): Promise> { + const { requestId, filedChargeback, usingStolenCard, card } = (await req.json()) as PaymentPayload; + + // Get the full Identification result from Fingerprint Server API and validate its authenticity + const fingerprintResult = await getAndValidateFingerprintResult({ + requestId, + req, + options: { minConfidenceScore: 0.2 }, + }); + if (!fingerprintResult.okay) { + return NextResponse.json({ severity: 'error', message: fingerprintResult.error }, { status: 403 }); + } + + // Get visitorId from the Server API Identification event + const visitorId = fingerprintResult.data.products?.identification?.data?.visitorId; + if (!visitorId) { + return NextResponse.json({ severity: 'error', message: 'Visitor ID not found.' }, { status: 403 }); + } + + // If this visitor ID ever paid with a stolen credit card, do not process the payment + const usedStolenCreditCard = await PaymentAttemptDbModel.findOne({ where: { visitorId, usingStolenCard: true } }); + if (usedStolenCreditCard) { + return NextResponse.json({ severity: 'error', message: PAYMENT_FRAUD_COPY.stolenCard }, { status: 403 }); + } + + // If the visitor ID filed more than 1 chargeback in the last year, do not process the payment. + // (Adjust the numbers for you use case) + const chargebacksFiledPastYear = await PaymentAttemptDbModel.findAndCountAll({ + where: { visitorId, filedChargeback: true, timestamp: { [Op.gt]: new Date().getTime() - 365 * 24 * 60 * 1000 } }, + }); + if (chargebacksFiledPastYear.count > 1) { + return NextResponse.json({ severity: 'error', message: PAYMENT_FRAUD_COPY.previousChargeback }, { status: 403 }); + } + + // If the visitor ID performed 3 or more unsuccessful payments in the past year, do not process the payment + const invalidPaymentsPastYear = await PaymentAttemptDbModel.findAndCountAll({ + where: { + visitorId, + timestamp: { [Op.gt]: new Date().getTime() - 365 * 24 * 60 * 1000 }, + wasSuccessful: false, + }, + }); + if (invalidPaymentsPastYear.count > 2) { + return NextResponse.json( + { severity: 'error', message: PAYMENT_FRAUD_COPY.tooManyUnsuccessfulPayments }, + { status: 403 }, + ); + } + + // Check the card details and perform payment if they are correct, log the payment attempt in either case + if (!areCardDetailsCorrect(card)) { + savePaymentAttempt({ visitorId, filedChargeback, usingStolenCard, wasSuccessful: false }); + return NextResponse.json({ severity: 'error', message: PAYMENT_FRAUD_COPY.incorrectCardDetails }, { status: 403 }); + } else { + savePaymentAttempt({ visitorId, filedChargeback, usingStolenCard, wasSuccessful: true }); + return NextResponse.json({ severity: 'success', message: PAYMENT_FRAUD_COPY.successfulPayment }, { status: 200 }); + } +} diff --git a/src/app/payment-fraud/embed/page.tsx b/src/app/payment-fraud/embed/page.tsx new file mode 100644 index 00000000..fc0fbcf2 --- /dev/null +++ b/src/app/payment-fraud/embed/page.tsx @@ -0,0 +1,9 @@ +import { USE_CASES } from '../../../client/components/common/content'; +import { generateUseCaseMetadata } from '../../../client/components/common/seo'; +import { PaymentFraud } from '../PaymentFraud'; + +export const metadata = generateUseCaseMetadata(USE_CASES.paymentFraud); + +export default function PaymentFraudPage() { + return ; +} diff --git a/src/app/payment-fraud/page.tsx b/src/app/payment-fraud/page.tsx new file mode 100644 index 00000000..794e6287 --- /dev/null +++ b/src/app/payment-fraud/page.tsx @@ -0,0 +1,9 @@ +import { USE_CASES } from '../../client/components/common/content'; +import { generateUseCaseMetadata } from '../../client/components/common/seo'; +import { PaymentFraud } from './PaymentFraud'; + +export const metadata = generateUseCaseMetadata(USE_CASES.paymentFraud); + +export default function PaymentFraudPage() { + return ; +} diff --git a/src/pages/payment-fraud/paymentFraud.module.scss b/src/app/payment-fraud/paymentFraud.module.scss similarity index 100% rename from src/pages/payment-fraud/paymentFraud.module.scss rename to src/app/payment-fraud/paymentFraud.module.scss diff --git a/src/pages/api/admin/reset.ts b/src/pages/api/admin/reset.ts index 76c0a45e..362d2d37 100644 --- a/src/pages/api/admin/reset.ts +++ b/src/pages/api/admin/reset.ts @@ -1,5 +1,4 @@ import { isValidPostRequest } from '../../../server/server'; -import { PaymentAttemptDbModel } from '../payment-fraud/place-order'; import { UserCartItemDbModel, UserPreferencesDbModel, @@ -14,6 +13,7 @@ import { ArticleViewDbModel } from '../../../app/paywall/api/database'; import { SmsVerificationDatabaseModel } from '../../../app/sms-pumping/api/database'; import { syncFirewallRuleset } from '../../../app/bot-firewall/api/block-ip/cloudflareApiHelper'; import { deleteBlockedIp } from '../../../app/bot-firewall/api/get-blocked-ips/blockedIpsDatabase'; +import { PaymentAttemptDbModel } from '../../../app/payment-fraud/api/place-order/database'; export type ResetResponse = { message: string; @@ -36,7 +36,11 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse< const { requestId } = req.body as ResetRequest; // Get the full Identification result from Fingerprint Server API and validate its authenticity - const fingerprintResult = await getAndValidateFingerprintResult({ requestId, req }); + const fingerprintResult = await getAndValidateFingerprintResult({ + requestId, + req, + options: { minConfidenceScore: 0.3 }, + }); if (!fingerprintResult.okay) { res.status(403).send({ severity: 'error', message: fingerprintResult.error }); return; diff --git a/src/pages/api/payment-fraud/place-order.ts b/src/pages/api/payment-fraud/place-order.ts deleted file mode 100644 index d1dd9f4b..00000000 --- a/src/pages/api/payment-fraud/place-order.ts +++ /dev/null @@ -1,221 +0,0 @@ -import { Attributes, DataTypes, InferAttributes, InferCreationAttributes, Model, Op } from 'sequelize'; -import { - ensurePostRequest, - ensureValidRequestIdAndVisitorId, - getIdentificationEvent, - messageSeverity, - reportSuspiciousActivity, - sequelize, -} from '../../../server/server'; -import { CheckResult, checkResultType } from '../../../server/checkResult'; -import { - RuleCheck, - checkConfidenceScore, - checkFreshIdentificationRequest, - checkIpAddressIntegrity, - checkOriginsIntegrity, -} from '../../../server/checks'; -import { sendForbiddenResponse, sendOkResponse } from '../../../server/response'; -import { NextApiRequest, NextApiResponse } from 'next'; -import { PAYMENT_FRAUD_COPY } from '../../../server/paymentFraud/copy'; - -interface PaymentAttemptAttributes - extends Model, InferCreationAttributes> { - visitorId: string; - isChargebacked: boolean; - usedStolenCard: boolean; - checkResult: string; - timestamp: number; -} - -export const PaymentAttemptDbModel = sequelize.define('payment-attempt', { - visitorId: { - type: DataTypes.STRING, - }, - isChargebacked: { - type: DataTypes.BOOLEAN, - }, - usedStolenCard: { - type: DataTypes.BOOLEAN, - }, - checkResult: { - type: DataTypes.STRING, - }, - timestamp: { - type: DataTypes.DATE, - }, -}); - -export type PaymentAttempt = Attributes; - -// Mocked credit card details. -const mockedCard = { - number: '4242 4242 4242 4242', - expiration: '04/28', - cvv: '123', -}; - -PaymentAttemptDbModel.sync({ force: false }); - -export default async function handler(req: NextApiRequest, res: NextApiResponse) { - // This API route accepts only POST requests. - if (!ensurePostRequest(req, res)) { - return; - } - - res.setHeader('Content-Type', 'application/json'); - - return await tryToProcessPayment(req, res, [ - checkFreshIdentificationRequest, - checkConfidenceScore, - checkIpAddressIntegrity, - checkOriginsIntegrity, - checkVisitorIdForStolenCard, - checkVisitorIdForChargebacks, - checkForCardCracking, - processPayment, - ]); -} - -async function tryToProcessPayment(req: NextApiRequest, res: NextApiResponse, ruleChecks: RuleCheck[]) { - // Get requestId and visitorId from the client. - const visitorId = req.body.visitorId; - const requestId = req.body.requestId; - const applyChargeback = req.body.applyChargeback; - const usedStolenCard = req.body.usingStolenCard; - - if (!ensureValidRequestIdAndVisitorId(req, res, visitorId, requestId)) { - return; - } - - // Information from the client side might have been tampered. - // It's best practice to validate provided information with the Server API. - // It is recommended to use the requestId and visitorId pair. - const eventResponse = await getIdentificationEvent(requestId); - - for (const ruleCheck of ruleChecks) { - const result = await ruleCheck(eventResponse, req); - - if (result) { - await logPaymentAttempt(visitorId, applyChargeback, usedStolenCard, result.type); - - switch (result.type) { - case checkResultType.Passed: - case checkResultType.Challenged: - return sendOkResponse(res, result); - default: - reportSuspiciousActivity(req); - return sendForbiddenResponse(res, result); - } - } - } -} - -const checkVisitorIdForStolenCard: RuleCheck = async (eventResponse) => { - // Get all stolen card records for the visitorId - const stolenCardUsedCount = await PaymentAttemptDbModel.findAndCountAll({ - where: { - visitorId: eventResponse.products?.identification?.data?.visitorId, - usedStolenCard: true, - }, - }); - - // If the visitorId performed more than 1 payment with a stolen card during the last 1 year we do not process the payment. - // The time window duration might vary. - if (stolenCardUsedCount.count > 0) { - return new CheckResult(PAYMENT_FRAUD_COPY.stolenCard, messageSeverity.Error, checkResultType.PaidWithStolenCard); - } - - return undefined; -}; - -const checkForCardCracking: RuleCheck = async (eventResponse) => { - // Gets all unsuccessful attempts for the visitor during the last 365 days. - const invalidCardAttemptCountQueryResult = await PaymentAttemptDbModel.findAndCountAll({ - where: { - visitorId: eventResponse.products?.identification?.data?.visitorId, - timestamp: { - [Op.gt]: new Date().getTime() - 365 * 24 * 60 * 1000, - }, - checkResult: { - [Op.not]: checkResultType.Passed, - }, - }, - }); - - // If the visitorId performed 3 unsuccessful payments during the last 365 days we do not process any further payments. - // The count of attempts and time window might vary. - if (invalidCardAttemptCountQueryResult.count > 2) { - return new CheckResult( - PAYMENT_FRAUD_COPY.tooManyUnsuccessfulPayments, - messageSeverity.Error, - checkResultType.TooManyUnsuccessfulPayments, - ); - } - - return undefined; -}; - -const checkVisitorIdForChargebacks: RuleCheck = async (eventResponse) => { - // Gets all unsuccessful attempts during the last 365 days. - const countOfChargebacksForVisitorId = await PaymentAttemptDbModel.findAndCountAll({ - where: { - visitorId: eventResponse.products?.identification?.data?.visitorId, - isChargebacked: true, - timestamp: { - [Op.gt]: new Date().getTime() - 365 * 24 * 60 * 1000, - }, - }, - }); - - // If the visitorId performed more than 1 chargeback during the last 1 year we do not process the payment. - // The count of chargebacks and time window might vary. - if (countOfChargebacksForVisitorId.count > 1) { - return new CheckResult( - PAYMENT_FRAUD_COPY.previousChargeback, - messageSeverity.Error, - checkResultType.TooManyChargebacks, - ); - } - - return undefined; -}; - -const processPayment: RuleCheck = async (_eventResponse, request) => { - // Checks if the provided card details are correct. - if (areCardDetailsCorrect(request)) { - return new CheckResult(PAYMENT_FRAUD_COPY.successfulPayment, messageSeverity.Success, checkResultType.Passed); - } else { - return new CheckResult( - PAYMENT_FRAUD_COPY.incorrectCardDetails, - messageSeverity.Error, - checkResultType.IncorrectCardDetails, - ); - } -}; - -// Dummy action simulating card verification. -function areCardDetailsCorrect(request: NextApiRequest) { - return ( - request.body.cardNumber === mockedCard.number && - request.body.cardExpiration === mockedCard.expiration && - request.body.cardCvv === mockedCard.cvv - ); -} - -// Persists placed order to the database. -async function logPaymentAttempt( - visitorId: string, - isChargebacked: boolean, - usedStolenCard: boolean, - paymentAttemptCheckResult: string, -) { - await PaymentAttemptDbModel.create({ - visitorId, - isChargebacked, - usedStolenCard, - checkResult: paymentAttemptCheckResult, - timestamp: new Date().getTime(), - }); - await sequelize.sync(); -} diff --git a/src/pages/payment-fraud/embed.tsx b/src/pages/payment-fraud/embed.tsx deleted file mode 100644 index 6dd0bb8e..00000000 --- a/src/pages/payment-fraud/embed.tsx +++ /dev/null @@ -1,13 +0,0 @@ -import { GetStaticProps } from 'next'; -import PaymentFraud from './index'; -import { CustomPageProps } from '../_app'; - -export default PaymentFraud; - -export const getStaticProps: GetStaticProps = async () => { - return { - props: { - embed: true, - }, - }; -};