From 17567e4601317c7f35e1fe1a66a28911359be1e1 Mon Sep 17 00:00:00 2001
From: William Stein
Date: Fri, 17 Jan 2025 18:00:55 +0000
Subject: [PATCH] expire any stripe checkout session after an hour no matter what
---
 .../purchases/create-stripe-checkout-session.ts | 2 ++
 .../server/purchases/stripe/get-checkout-session.ts | 13 +++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/packages/server/purchases/create-stripe-checkout-session.ts b/src/packages/server/purchases/create-stripe-checkout-session.ts
index 5479e41add..0d022b40d3 100644
--- a/src/packages/server/purchases/create-stripe-checkout-session.ts
+++ b/src/packages/server/purchases/create-stripe-checkout-session.ts
@@ -2,6 +2,8 @@
 Create a stripe checkout session for this user.
 See https://stripe.com/docs/api/checkout/sessions
+
+!!!!!WARNING!!!!! Maybe this isn't used anymore?! See also server/purchases/stripe/get-checkout-session.ts !
 */
 import getConn from "@cocalc/server/stripe/connection";
diff --git a/src/packages/server/purchases/stripe/get-checkout-session.ts b/src/packages/server/purchases/stripe/get-checkout-session.ts
index 396b1a40e4..d3fc99238b 100644
--- a/src/packages/server/purchases/stripe/get-checkout-session.ts
+++ b/src/packages/server/purchases/stripe/get-checkout-session.ts
@@ -68,12 +68,21 @@ export default async function getCheckoutSession({
 status: "open",
 customer,
 });
+ // cutoff = an hour ago in stripe time. Restricting only to status='open'
+ // as above should work, but doesn't, since we had many reports of users
+ // with open checkout sessions that didn't work. This might help.
+ const cutoff = Math.floor((Date.now() - 1000 * 60 * 60) / 1000);
 for (const session of openSessions.data) {
 if (session.metadata?.purpose == purpose && session.client_secret) {
- if (!isEqual(session.metadata?.lineItems, JSON.stringify(lineItems))) {
- // The line items or description changed, so we can't use it.
+ if (
+ !isEqual(session.metadata?.lineItems, JSON.stringify(lineItems)) ||
+ session.created <= cutoff
+ ) {
+ logger.debug("getCheckoutSession: expiring checkout session");
+ // The line items or description changed or its older than an hour, so don't use it.
 await stripe.checkout.sessions.expire(session.id);
 } else {
+ logger.debug("getCheckoutSession: using existing checkout session");
 // we use it -- same line items
 return { clientSecret: session.client_secret };
 }
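Review bot: The widened condition (`session.created <= cutoff`) now sends every session older than an hour to `stripe.checkout.sessions.expire`, and that call is awaited inside the loop with no error handling visible in the hunk. The added comment itself says the status='open' listing has returned sessions that did not work, so a rejected expire call seems plausible; if it throws, the error would propagate out of getCheckoutSession and the user would get no session at all, so catching and logging the failure and then continuing keeps the checkout path alive. The two new debug messages also carry neither `session.id` nor which condition fired, which makes a payment issue hard to trace afterwards; log the id and the reason, but never `client_secret`. The function begins and ends outside the hunk, so an outer handler may already exist.

```typescript
// … unchanged: cutoff computation, loop header and the widened if-condition …
        logger.debug(`getCheckoutSession: expiring checkout session ${session.id}`);
        try {
          await stripe.checkout.sessions.expire(session.id);
        } catch (err) {
          // A session that is no longer open cannot be expired; do not fail the checkout for it.
          logger.debug(`getCheckoutSession: expire failed for ${session.id}: ${err}`);
        }
// … unchanged: else branch returning the existing clientSecret …
```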