From 220b6f77d67807f7803dc817ffdc184f03f6fd7a Mon Sep 17 00:00:00 2001
From: Reino Muhl
Date: Wed, 28 Dec 2022 12:58:48 -0500
Subject: [PATCH] fix(payments): only checkIpOnly if no credentials

Because:
* For the invoice preview endpoint, for logged in users, do not perform the customs.checkIpOnly.
This commit:
* Only performs the customs.checkIpOnly check if auth credentials are not provided.
Closes FXA-6543
---
 .../fxa-auth-server/lib/routes/subscriptions/stripe.ts | 3 ++-
 .../test/local/routes/subscriptions/stripe.js | 9 ++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/packages/fxa-auth-server/lib/routes/subscriptions/stripe.ts b/packages/fxa-auth-server/lib/routes/subscriptions/stripe.ts
index 6cf7890112..2bbb43a91a 100644
--- a/packages/fxa-auth-server/lib/routes/subscriptions/stripe.ts
+++ b/packages/fxa-auth-server/lib/routes/subscriptions/stripe.ts
@@ -415,7 +415,6 @@ export class StripeHandler {
 request: AuthRequest
 ): Promise {
 this.log.begin('subscriptions.previewInvoice', request);
- await this.customs.checkIpOnly(request, 'previewInvoice');
 const { promotionCode, priceId } = request.payload as Record<
 string,
@@ -431,6 +430,8 @@ export class StripeHandler {
 } catch (e: any) {
 this.log.error('previewInvoice.fetchCustomer', { error: e, uid });
 }
+ } else {
+ await this.customs.checkIpOnly(request, 'previewInvoice');
 }
 const country = request.app.geo.location?.country || 'US';
diff --git a/packages/fxa-auth-server/test/local/routes/subscriptions/stripe.js b/packages/fxa-auth-server/test/local/routes/subscriptions/stripe.js
index eaf416cebb..3b1d75b362 100644
--- a/packages/fxa-auth-server/test/local/routes/subscriptions/stripe.js
+++ b/packages/fxa-auth-server/test/local/routes/subscriptions/stripe.js
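Review bot: In stripe.ts (hunk at -431,6) the new `else` branch applies the IP-based customs check only when `request.auth.credentials` is absent, so throttling of authenticated callers now rests entirely on the `if` branch, which starts above this hunk. The updated tests expect `customs.check(request, email, 'previewInvoice')` there, but the call itself is not visible in the patch. It is worth confirming that this call sits outside the `try` whose `catch` only logs `previewInvoice.fetchCustomer`, because a rate-limit rejection raised inside that `try` would be swallowed and the preview would proceed unthrottled. A short comment on the branch would record the intent, e.g. `// No account to key on: throttle anonymous previews by IP; authenticated callers are limited via customs.check above.`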
@@ -665,8 +665,9 @@ describe('DirectStripeRoutes', () => {
 VALID_REQUEST
 );
 sinon.assert.calledOnceWithExactly(
- directStripeRoutesInstance.customs.checkIpOnly,
+ directStripeRoutesInstance.customs.check,
 VALID_REQUEST,
+ TEST_EMAIL,
 'previewInvoice'
 );
 sinon.assert.calledOnceWithExactly(
@@ -707,8 +708,9 @@ describe('DirectStripeRoutes', () => {
 VALID_REQUEST
 );
 sinon.assert.calledOnceWithExactly(
- directStripeRoutesInstance.customs.checkIpOnly,
+ directStripeRoutesInstance.customs.check,
 VALID_REQUEST,
+ TEST_EMAIL,
 'previewInvoice'
 );
 sinon.assert.calledOnceWithExactly(
@@ -747,8 +749,9 @@ describe('DirectStripeRoutes', () => {
 );
 sinon.assert.calledOnceWithExactly(
- directStripeRoutesInstance.customs.checkIpOnly,
+ directStripeRoutesInstance.customs.check,
 VALID_REQUEST,
+ TEST_EMAIL,
 'previewInvoice'
 );
 sinon.assert.calledOnceWithExactly(
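Review bot: These three assertions now pin `customs.check` with `TEST_EMAIL`, but nothing visible asserts that `customs.checkIpOnly` is skipped for an authenticated request, and the diffstat shows no test added for the credential-less path that the new `else` branch in stripe.ts handles. That branch appears to be the only throttle on anonymous invoice previews, so a regression there would go unnoticed. Consider adding `sinon.assert.notCalled(directStripeRoutesInstance.customs.checkIpOnly);` next to each updated assertion (hunks at 665, 707 and 747). Also add a case without credentials that expects `checkIpOnly` to be called once with the request and `'previewInvoice'`, unless the file already has one outside these hunks. The enclosing `it` blocks start and end outside the hunks.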