Merge branch 'main' into rel

Author: davidfischer

CHANGELOG.rst

@@ -6,6 +6,17 @@ CHANGELOG
 .. This is included by docs/developer/changelog.rst
 
 
+Version v5.27.0
+---------------
+
+This release fixed an error preventing new Publishers from connecting with Stripe for payouts.
+
+:Date: October 2, 2025
+
+ * @dependabot[bot]: Bump django from 5.2.6 to 5.2.7 in /requirements (#1075)
+ * @davidfischer: Update the publisher stripe connect workflow (#1073)
+
+
 Version v5.26.1
 ---------------
 

adserver/forms.py

@@ -1439,9 +1439,7 @@ def __init__(self, *args, **kwargs):
                 )
             )
         elif settings.STRIPE_CONNECT_CLIENT_ID:
-            connect_url = reverse(
-                "publisher_stripe_oauth_connect", args=[self.instance.slug]
-            )
+            connect_url = reverse("publisher_stripe_connect", args=[self.instance.slug])
             stripe_block = HTML(
                 format_html(
                     "<a href='{}' target='_blank' class='btn btn-sm btn-outline-info mb-4'>"

adserver/tests/test_publisher_dashboard.py

@@ -6,6 +6,7 @@
 from django.test.client import RequestFactory
 from django.urls import reverse
 from django_dynamic_fixture import get
+from django.conf import settings
 
 from ..constants import CLICKS
 from ..constants import PAID_CAMPAIGN
@@ -323,7 +324,7 @@ def test_publisher_payout_detail(self):
         self.assertContains(resp, "$2.50")
 
     def test_publisher_stripe_connect(self):
-        url = reverse("publisher_stripe_oauth_connect", args=[self.publisher1.slug])
+        url = reverse("publisher_stripe_connect", args=[self.publisher1.slug])
 
         # Anonymous - redirect to login
         resp = self.client.get(url)
@@ -338,60 +339,63 @@ def test_publisher_stripe_connect(self):
         self.assertContains(resp, "Stripe is not configured")
 
         with override_settings(STRIPE_CONNECT_CLIENT_ID="ca_XXXXXXXXXXX"):
-            resp = self.client.get(url)
-            self.assertEqual(resp.status_code, 302)
-            self.assertTrue(
-                resp["location"].startswith(
-                    "https://connect.stripe.com/express/oauth/authorize"
-                )
-            )
-
-            self.assertTrue("stripe_state" in self.client.session)
-            self.assertTrue("stripe_connect_publisher" in self.client.session)
-            self.assertEqual(
-                self.client.session["stripe_connect_publisher"], self.publisher1.slug
-            )
+            with (
+                mock.patch("stripe.Account.create") as account_create,
+                mock.patch("stripe.AccountLink.create") as account_link_create,
+            ):
+                account_create.return_value = mock.MagicMock()
+                account_create.return_value.stripe_id = "acct_12345"
+                account_link_create.return_value = mock.MagicMock()
+                account_link_create.return_value.url = "http://stripe.com/onboarding"
+
+                resp = self.client.get(url)
+                self.assertEqual(resp.status_code, 302)
+                self.assertEqual(resp["location"], "http://stripe.com/onboarding")
+
 
     def test_publisher_stripe_return(self):
-        connect_url = reverse(
-            "publisher_stripe_oauth_connect", args=[self.publisher1.slug]
-        )
-        url = reverse("publisher_stripe_oauth_return")
+        url = reverse("publisher_stripe_return", args=[self.publisher1.slug])
+
+        # Anonymous - redirect to login
+        resp = self.client.get(url)
+        self.assertEqual(resp.status_code, 302)
+        self.assertTrue(resp["location"].startswith("/accounts/login/"))
 
         self.user.publishers.add(self.publisher1)
         self.client.force_login(self.user)
 
         # Didn't setup state beforehand
         resp = self.client.get(url, follow=True)
         self.assertEqual(resp.status_code, 200)
-        self.assertContains(resp, "There was a problem connecting your Stripe account")
+        self.assertContains(resp, "Stripe is not configured")
 
-        # Do Stripe connect - which sets up session state
         with override_settings(STRIPE_CONNECT_CLIENT_ID="ca_XXXXXXXXXXX"):
-            self.client.get(connect_url)
-
-            self.assertTrue("stripe_state" in self.client.session)
-            self.assertTrue("stripe_connect_publisher" in self.client.session)
-            self.assertEqual(
-                self.client.session["stripe_connect_publisher"], self.publisher1.slug
-            )
-
-        with mock.patch("stripe.OAuth.token") as oauth_token_create:
-            account_id = "uid_XXXXX"
-            oauth_token_create.return_value = {"stripe_user_id": account_id}
-
-            url += "?code=XXXXX&state={}".format(self.client.session["stripe_state"])
-
+            # No account ID
             resp = self.client.get(url, follow=True)
             self.assertEqual(resp.status_code, 200)
-            self.assertContains(resp, "Successfully connected your Stripe account")
-
-            # These get deleted
-            self.assertFalse("stripe_state" in self.client.session)
-            self.assertFalse("stripe_connect_publisher" in self.client.session)
+            self.assertContains(resp, "There was a problem connecting your Stripe account")
+
+            # Update account ID on the session
+            session = self.client.session
+            session["stripe_account_id"] = "acct_12345"
+            session.save()
+            self.client.cookies[settings.SESSION_COOKIE_NAME] = session.session_key
+
+            # Mock out the Stripe account retrieve call
+            with (
+                mock.patch("stripe.Account.retrieve") as account_retrieve,
+                mock.patch("djstripe.models.Account.sync_from_stripe_data") as account_sync,
+                # This is on the redirected settings page after Stripe is connected
+                mock.patch("stripe.Account.create_login_link") as _,
+            ):
+                account_retrieve.return_value = mock.MagicMock()
+                account_retrieve.return_value.details_submitted = True
+                account_sync.return_value = None
+
+                resp = self.client.get(url, follow=True)
+                self.assertEqual(resp.status_code, 200)
+                self.assertContains(resp, "Successfully connected your Stripe account")
 
-            self.publisher1.refresh_from_db()
-            self.assertEqual(self.publisher1.stripe_connected_account_id, account_id)
 
     def test_authorized_users(self):
         url = reverse(

adserver/urls.py

@@ -54,7 +54,8 @@
 from .views import PublisherPlacementReportView
 from .views import PublisherReportView
 from .views import PublisherSettingsView
-from .views import PublisherStripeOauthConnectView
+from .views import PublisherStripeConnectView
+from .views import PublisherStripeReturnView
 from .views import StaffAdvertiserReportView
 from .views import StaffGeoReportView
 from .views import StaffKeywordReportView
@@ -65,7 +66,6 @@
 from .views import dashboard
 from .views import do_not_track
 from .views import do_not_track_policy
-from .views import publisher_stripe_oauth_return
 
 
 urlpatterns = [
@@ -352,14 +352,14 @@
         name="publisher_embed",
     ),
     path(
-        r"publisher/<slug:publisher_slug>/oauth/stripe/connect/",
-        PublisherStripeOauthConnectView.as_view(),
-        name="publisher_stripe_oauth_connect",
+        r"publisher/<slug:publisher_slug>/stripe/connect/",
+        PublisherStripeConnectView.as_view(),
+        name="publisher_stripe_connect",
     ),
     path(
-        r"publisher/oauth/stripe/return/",
-        publisher_stripe_oauth_return,
-        name="publisher_stripe_oauth_return",
+        r"publisher/<slug:publisher_slug>/stripe/return/",
+        PublisherStripeReturnView.as_view(),
+        name="publisher_stripe_return",
     ),
     path(
         r"publisher/<slug:publisher_slug>/fallback-ads/",

adserver/views.py

@@ -35,7 +35,6 @@
 from django.urls import reverse
 from django.urls import reverse_lazy
 from django.utils import timezone
-from django.utils.crypto import get_random_string
 from django.utils.translation import gettext_lazy as _
 from django.views import View
 from django.views.generic import CreateView
@@ -2332,7 +2331,7 @@ def get_success_url(self):
         )
 
 
-class PublisherStripeOauthConnectView(
+class PublisherStripeConnectView(
     PublisherAdminAccessMixin, UserPassesTestMixin, RedirectView
 ):
     """Redirect the user to the correct Stripe connect URL for the publisher."""
@@ -2347,92 +2346,92 @@ def get_redirect_url(self, *args, **kwargs):
 
         publisher = self.get_object()
 
-        # Save a state nonce to verify that the Stripe oauth flow can't be replayed or forged
-        stripe_state = get_random_string(30)
-        self.request.session["stripe_state"] = stripe_state
-        self.request.session["stripe_connect_publisher"] = publisher.slug
-
-        params = {
-            "client_id": settings.STRIPE_CONNECT_CLIENT_ID,
-            # "suggested_capabilities[]": "transfers",
-            "stripe_user[email]": self.request.user.email,
-            "state": stripe_state,
-            "redirect_uri": self.request.build_absolute_uri(
-                reverse("publisher_stripe_oauth_return")
-            ),
-        }
-        return f"https://connect.stripe.com/express/oauth/authorize?{urllib.parse.urlencode(params)}"
+        # https://docs.stripe.com/api/accounts/create
+        account = stripe.Account.create(type="express")
+
+        # Users get redirected back to this page if the link expired, etc.
+        refresh_url = self.request.build_absolute_uri(
+            reverse("publisher_settings", args=[publisher.slug])
+        )
+        # Users get redirected back to this page after completing the Stripe onboarding flow
+        # This doesn’t mean that all information has been collected or that there are no outstanding requirements on the account.
+        # This only means the flow was entered and exited properly.
+        # The return URL is also used if the user clicks "back to EthicalAds" in the Stripe flow.
+        self.request.session["stripe_account_id"] = account.stripe_id
+        return_url = self.request.build_absolute_uri(
+            reverse("publisher_stripe_return", args=[publisher.slug])
+        )
+
+        account_link = stripe.AccountLink.create(
+            account=account.stripe_id,
+            refresh_url=refresh_url,
+            return_url=return_url,
+            type="account_onboarding",
+        )
+
+        return account_link.url
 
     def get_object(self, queryset=None):  # pylint: disable=unused-argument
         return get_object_or_404(Publisher, slug=self.kwargs["publisher_slug"])
 
 
-@login_required
-def publisher_stripe_oauth_return(request):
-    """Handle the oauth return flow from Stripe - save the account on the publisher."""
-    # A stripe token we passed when setup started - needs to be double checked
-    state = request.GET.get("state", "")
-    oauth_code = request.GET.get("code", "")
+class PublisherStripeReturnView(
+    PublisherAdminAccessMixin, UserPassesTestMixin, RedirectView
+):
+    """
+    Stripe redirects to here after a publisher goes through the connect flow.
 
-    if request.user.is_staff:
-        publishers = Publisher.objects.all()
-    else:
-        publishers = request.user.publishers.all()
+    Just a note that we still need to check that the user completed the flow successfully.
+    See: https://docs.stripe.com/connect/express-accounts#return-user
+    """
 
-    publisher = publishers.filter(
-        slug=request.session.get("stripe_connect_publisher", "")
-    ).first()
+    model = Publisher
+    permanent = False
 
-    if state == request.session.get("stripe_state") and publisher:
-        response = None
-        log.debug(
-            "Using stripe auth code to connect publisher account. Publisher = [%s]",
-            publisher,
-        )
-        try:
-            response = stripe.OAuth.token(
-                grant_type="authorization_code", code=oauth_code
+    def get_redirect_url(self, *args, **kwargs):
+        if not settings.STRIPE_CONNECT_CLIENT_ID:
+            messages.error(self.request, _("Stripe is not configured"))
+            return reverse("dashboard-home")
+
+        publisher = self.get_object()
+        account_id = self.request.session.get("stripe_account_id", "")
+
+        if not account_id:
+            messages.error(
+                self.request, _("There was a problem connecting your Stripe account")
             )
-        except stripe.oauth_error.OAuthError:
-            log.error("Invalid Stripe authorization code: %s", oauth_code)
-        except Exception:
-            log.error("An unknown Stripe error occurred.")
+            log.error("No account returned from Stripe.")
+            return reverse("dashboard-home")
 
-        if response:
-            connected_account_id = response["stripe_user_id"]
+        # Get the account from Stripe to verify the connect workflow completed
+        account = stripe.Account.retrieve(account_id)
 
-            try:
-                # Retrieve the Stripe connected account and save it on the publisher
-                publisher.djstripe_account = Account.sync_from_stripe_data(
-                    stripe.Account.retrieve(connected_account_id)
-                )
-            except stripe.error.StripeError:
-                log.exception(
-                    "Stripe returned a connected account, but it could not be retrieved."
-                )
+        # This is the field we need to check to see if the account is fully set up
+        # https://docs.stripe.com/connect/express-accounts#return-user
+        if account.details_submitted:
+            publisher.djstripe_account = Account.sync_from_stripe_data(account)
 
             # Deprecated field
-            publisher.stripe_connected_account_id = connected_account_id
+            publisher.stripe_connected_account_id = account_id
 
             publisher.payout_method = PAYOUT_STRIPE
             publisher.save()
-            messages.success(request, _("Successfully connected your Stripe account"))
-
-            # Delete saved stripe state
-            del request.session["stripe_state"]
-            del request.session["stripe_connect_publisher"]
+            messages.success(
+                self.request, _("Successfully connected your Stripe account")
+            )
+        else:
+            messages.warning(
+                self.request,
+                _(
+                    "The Stripe setup wasn't completed. "
+                    "You can resume the process at any time or try a different payout method."
+                ),
+            )
 
-            return redirect(reverse("publisher_main", args=[publisher.slug]))
-    else:
-        log.warning(
-            "Stripe state or publisher do not check out. State = [%s], Publisher = [%s]",
-            state,
-            publisher,
-        )
+        return reverse("publisher_settings", args=[publisher.slug])
 
-    messages.error(request, _("There was a problem connecting your Stripe account"))
-    log.error("There was a problem connecting a Stripe account.")
-    return redirect(reverse("dashboard-home"))
+    def get_object(self, queryset=None):  # pylint: disable=unused-argument
+        return get_object_or_404(Publisher, slug=self.kwargs["publisher_slug"])
 
 
 class PublisherPayoutListView(PublisherAccessMixin, UserPassesTestMixin, ListView):

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "ethical-ad-server",
-  "version": "5.26.1",
+  "version": "5.27.0",
   "description": "",
   "main": "index.js",
   "engines": {

package.json

@@ -54,7 +54,7 @@ cryptography==45.0.6
     # via fido2
 dj-stripe==2.8.4
     # via -r base.in
-django==5.2.6
+django==5.2.7
     # via
     #   -r base.in
     #   crispy-bootstrap4