Set expiresAt on Adyen payment links

The default expiry is 24 hours. That means that if an invoice was due to
be canceled in say 4 hours, and the user clicked the payment link they
would be able to use that one past when the invoice was actually
canceled, thereby causing errors. This happened at least once, where the
user forwarded the Adyen link (instead of the invoice link) to the
person who was supposed to do the payment, and that person made the
payment after the invoice was expired.

So, if the invoice is set to be canceled in <24 hours, we set the
expiresAt flag when creating the payment link, so Adyen will reject that
payment.

Reviewed-By: Daniel Gustafsson

diff --git a/postgresqleu/adyen/views.py b/postgresqleu/adyen/views.py
index 100763c4bcada423fa62b993fc69689931b394c6..6cd99724321e2765f333bc857e16946df5bce229 100644 (file)
--- a/postgresqleu/adyen/views.py
+++ b/postgresqleu/adyen/views.py
@@ -3,8 +3,10 @@ from django.shortcuts import render, get_object_or_404
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.views.decorators.csrf import csrf_exempt
+from django.utils import timezone
 
 import base64
+from datetime import timedelta
 from decimal import Decimal
 import requests
 
@@ -94,6 +96,8 @@ def _invoice_payment(request, methodid, invoice, trailer):
         'allowedPaymentMethods': methods,
         'returnUrl': '{}/invoices/adyenpayment/{}/{}/{}/return/'.format(settings.SITEBASE, methodid, invoice.id, invoice.recipient_secret),
     }
+    if invoice.canceltime and invoice.canceltime < timezone.now() + timedelta(hours=24):
+        p['expiresAt']: invoice.canceltime.isoformat(timespec='seconds')
 
     try:
         r = requests.post(