Validate donation amount to prevent Stripe Elements overflow error (#8490)

iHiD · claude · web-flow · commit 6c45bf3a5901 · 2026-02-09T15:17:20.000Z
Large custom amounts (e.g. 10 quintillion) caused currency.js intValue to produce 1e+21 in scientific notation, which Stripe rejects. Add max validation in CustomAmountInput (client-side) and PaymentIntentsController (server-side) capped at Stripe's $999,999.99 limit. Closes #8484 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/app/controllers/api/payments/payment_intents_controller.rb b/app/controllers/api/payments/payment_intents_controller.rb
@@ -1,7 +1,14 @@
 class API::Payments::PaymentIntentsController < API::BaseController
   before_action :authenticate_user!
 
+  MAX_AMOUNT_IN_CENTS = 99_999_999
+
   def create
+    amount_in_cents = params[:amount_in_cents].to_i
+    unless amount_in_cents.between?(1, MAX_AMOUNT_IN_CENTS)
+      return render json: { error: "Amount must be between 1 and #{MAX_AMOUNT_IN_CENTS} cents" }, status: :ok
+    end
+
     payment_intent = ::Payments::Stripe::PaymentIntent::Create.(
       current_user || params[:email],
       params[:type],
diff --git a/app/javascript/components/donations/donation-form/CustomAmountInput.tsx b/app/javascript/components/donations/donation-form/CustomAmountInput.tsx
@@ -1,13 +1,16 @@
 import React, { useCallback } from 'react'
 import currency from 'currency.js'
 
+const MAX_AMOUNT = '999999.99'
+
 export const CustomAmountInput = ({
   onChange,
   selected,
   placeholder,
   defaultValue,
   value,
   min = '0',
+  max = MAX_AMOUNT,
   className = '',
   onBlur,
 }: {
@@ -18,6 +21,7 @@ export const CustomAmountInput = ({
   defaultValue?: currency
   value?: currency | string
   min?: string
+  max?: string
   className?: string
 }): JSX.Element => {
   const handleCustomAmountChange = useCallback(
@@ -34,9 +38,14 @@ export const CustomAmountInput = ({
         return
       }
 
+      if (parseFloat(e.target.value) > parseFloat(max)) {
+        onChange(currency(NaN))
+        return
+      }
+
       onChange(currency(e.target.value))
     },
-    [onChange]
+    [onChange, max]
   )
 
   const classNames = [
@@ -51,6 +60,7 @@ export const CustomAmountInput = ({
       <input
         type="number"
         min={min}
+        max={max}
         step="0.01"
         onBlur={onBlur}
         placeholder={placeholder}
diff --git a/test/controllers/api/payments/payment_intents_controller_test.rb b/test/controllers/api/payments/payment_intents_controller_test.rb
@@ -35,6 +35,36 @@ class API::Payments::PaymentIntentsControllerTest < API::BaseTestCase
     )
   end
 
+  test "rejects amount over maximum" do
+    setup_user
+    post api_payments_payment_intents_path(
+      type: 'payment', amount_in_cents: 100_000_000
+    ), headers: @headers, as: :json
+
+    assert_response :ok
+    assert_includes JSON.parse(response.body)["error"], "Amount must be between"
+  end
+
+  test "rejects zero amount" do
+    setup_user
+    post api_payments_payment_intents_path(
+      type: 'payment', amount_in_cents: 0
+    ), headers: @headers, as: :json
+
+    assert_response :ok
+    assert_includes JSON.parse(response.body)["error"], "Amount must be between"
+  end
+
+  test "rejects negative amount" do
+    setup_user
+    post api_payments_payment_intents_path(
+      type: 'payment', amount_in_cents: -100
+    ), headers: @headers, as: :json
+
+    assert_response :ok
+    assert_includes JSON.parse(response.body)["error"], "Amount must be between"
+  end
+
   test "returns an error if raised" do
     error = "oh dear!!"
     ::Payments::Stripe::PaymentIntent::Create.expects(:call).raises(Stripe::InvalidRequestError.new(error, nil))
