Week 042 — Stripe Was Silently Broken

The delete item bug was a wrong DTO constructor call. The Stripe bug was more expensive.

Week of September 1, 2025

Progress

Delete item was completed Monday. The switch statement failure from last week was a red herring — the actual bug was trying to construct a new ItemDTO from an incomplete POST payload, which was failing silently and making the switch logic look like it wasn't firing. Fixed that, and item deletion now works.

The rest of the week was Stripe. The subscription flow had been coded months ago but never properly tested end-to-end in a condition where everything needed to be correct simultaneously. Testing now revealed a cascade of problems.

Problem 1: 300 redirect. Stripe's webhook CLI was receiving 301 responses from srchParty. Apache was configured to redirect all non-HTTPS requests to HTTPS — and the local Stripe CLI was sending over HTTP. Commented out the redirect rule in the Apache config for the local environment.

Problem 2: Webhook logging silent. The webhook code wasn't producing any output. Grok analyzed the code and added broader error logging. With that in place, the actual error appeared: the webhook was looking up users by their Stripe customer ID, but the customer ID wasn't being saved to the users table during account creation. Every new user had a blank Stripe customer ID.

Problem 3: Subscription session. When a user subscribes and gets redirected back from Stripe, the session variable that marks them as subscribed wasn't being set correctly. Stripe's redirect goes through their domain before returning to the success page, which drops the PHP session in the process. Fixed by removing the session variable approach entirely and instead calling UserService->isSubscribed() directly when the page loads.

Decision Made

Subscription status is checked live at page load time via a service call, not read from a session variable. The session approach looked cleaner but broke across the Stripe redirect cycle in a way that's hard to predict. A service call is one extra query per page load; that's acceptable.

Next Week

Subscription integration is mostly working. A browser permission policy violation related to the Stripe payment element is unresolved and resistant to fixes.