This document provides a comprehensive checklist for testing the CodeQual payment integration with Stripe.
- Stripe test API keys configured in `.env`
- Stripe webhook endpoint configured
- Test database initialized
- Stripe CLI installed (optional but recommended)
- Can create checkout session with valid price ID
- Returns checkout URL
- Creates Stripe customer if not exists
- Links customer to user in database
- Handles missing price ID error
- Requires authentication
- Webhook updates subscription status to 'active'
- Updates user billing tier correctly
- Stores subscription ID
- Sets correct subscription end date
- Logs billing event
- Can retrieve current subscription status
- Shows correct tier and pricing
- Displays renewal date
- Shows payment method on file
- Creates setup intent for card collection
- Returns client secret for Stripe.js
- Creates/retrieves Stripe customer
- Links to user account
- Stores payment method securely (last 4 only)
- Marks as default payment method
- Syncs between Stripe and database
- Handles multiple payment methods
- Charges correct amount ($0.50)
- Creates payment intent
- Confirms payment immediately
- Handles declined cards
- Updates usage tracking
- Validates webhook signatures
- Rejects invalid signatures
- Handles missing signatures
- Uses correct endpoint secret
- `customer.subscription.created` - Updates billing
- `customer.subscription.updated` - Changes tier
- `customer.subscription.deleted` - Cancels access
- `invoice.payment_succeeded` - Logs payment
- `invoice.payment_failed` - Sends notification
- `payment_method.attached` - Stores method
- `payment_method.detached` - Removes method
- `checkout.session.completed` - Activates subscription
- Logs all webhook events
- Returns 200 once the event is recorded, even if downstream processing fails (failures are logged and retried internally; Stripe only retries on non-2xx, so only signature/parsing rejections return 400)
- Implements idempotency
- Handles unknown event types
- All endpoints require authentication
- Rate limiting on payment endpoints
- No sensitive data in responses
- CORS configured correctly
- No full card numbers stored
- Payment methods encrypted at rest
- PCI scope kept minimal: card data is entered only via Stripe.js/Checkout and never posted to the CodeQual server
- Audit trail for all transactions
- No sensitive data in error messages
- Generic errors for payment failures
- Detailed logs server-side only
- Handles Stripe API timeouts
- Retries on network errors
- Graceful degradation
- Handles webhook replay
- Prevents duplicate charges
- Syncs state on mismatch
- Clear error messages
- Loading states during payment
- Success/failure notifications
- Redirect handling
- Multiple concurrent checkouts
- Webhook processing under load
- Database query optimization
- Checkout session < 2s
- Payment method save < 1s
- Billing status < 500ms
- Stripe.js loads correctly
- Card element renders
- 3D Secure handling
- Mobile responsive
- Billing middleware works
- Trial enforcement active
- Usage tracking accurate
- Email notifications sent
- Create account
- View pricing page
- Select Individual plan
- Complete checkout
- Verify subscription active
- Perform scans
- Check usage tracking
- Create account
- Add payment method
- Trigger scan
- Verify charge
- Check scan results
- View billing history
- Declined card
- Expired subscription
- Webhook failure
- Network timeout
- Invalid coupon code
- Success: `4242 4242 4242 4242`
- Decline: `4000 0000 0000 0002`
- 3D Secure: `4000 0025 0000 3155`
- Insufficient funds: `4000 0000 0000 9995`
Use Stripe CLI: `stripe listen --forward-to localhost:3001/api/stripe/webhook` (it prints a `whsec_...` signing secret; that value, not the dashboard endpoint's secret, must be the endpoint secret while testing locally)
- ✅ Unit tests for billing routes
- ✅ Integration tests for Stripe service
- ✅ E2E tests for full payment flow
- ✅ Webhook signature verification
- 3D Secure flow
- Subscription upgrade/downgrade
- Refund processing
- Tax calculation
- Remove test customers from Stripe
- Clear test data from database
- Review error logs
- Update documentation