server/checkout: add Stripe limits when validating PWYW price update

polarsource · Dec 20, 2024 · 0d38ff3 · 0d38ff3
1 parent 16f9bc2
commit 0d38ff3
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/server/polar/checkout/schemas.py b/server/polar/checkout/schemas.py
@@ -1,6 +1,7 @@
 from datetime import datetime
 from typing import Annotated, Any, Literal
 
+from annotated_types import Ge, Le
 from pydantic import (
     UUID4,
     AliasChoices,
@@ -51,6 +52,10 @@
     ProductPriceList,
 )
 
+# Ref: https://stripe.com/docs/api/payment_intents/object#payment_intent_object-amount
+MAXIMUM_PRICE_AMOUNT = 99999999
+MINIMUM_PRICE_AMOUNT = 50
+
 Amount = Annotated[
     int,
     Field(
@@ -59,6 +64,8 @@
             "Only useful for custom prices, it'll be ignored for fixed and free prices."
         )
     ),
+    Ge(MINIMUM_PRICE_AMOUNT),
+    Le(MAXIMUM_PRICE_AMOUNT),
 ]
 CustomerName = Annotated[
     str,

diff --git a/server/tests/checkout/test_service.py b/server/tests/checkout/test_service.py
@@ -7,7 +7,7 @@
 import pytest
 import pytest_asyncio
 import stripe as stripe_lib
-from pydantic import HttpUrl
+from pydantic import HttpUrl, ValidationError
 from pytest_mock import MockerFixture
 from sqlalchemy.orm import joinedload
 
@@ -1398,6 +1398,19 @@ async def test_price_from_different_product(
                 ),
             )
 
+    @pytest.mark.parametrize("amount", [10, 20_000_000_000])
+    async def test_amount_update_max_limits(
+        self, amount: int, session: AsyncSession, checkout_one_time_custom: Checkout
+    ) -> None:
+        with pytest.raises(ValidationError):
+            await checkout_service.update(
+                session,
+                checkout_one_time_custom,
+                CheckoutUpdate(
+                    amount=amount,
+                ),
+            )
+
     @pytest.mark.parametrize("amount", [500, 10000])
     async def test_amount_update_invalid_limits(
         self,