Bug Tracker #

Open Bugs #

• [x] Can't Pay with Stripe

  Severity: Critical Reported: 2025-12-08 Fixed: 2025-12-08

  People can't subscribe! On https://envelopebudget.com/subscriptions/founders/ - when clicking Claim Your Lifetime Access, it just throws an error. Here is the console:

  founders/:1004 POST https://envelopebudget.com/api/subscriptions/create-checkout-session 400 (Bad Request)
  claimFoundersAccess @ founders/:1004 await in claimFoundersAccess onclick @ founders/:940
  

  Here is the error I get via email:

  Error Details: 400 - Bad Request Bad request received
  

  Request Information:

  • Method: POST
  • Path: /api/subscriptions/create-checkout-session
  • User: dustin@davis.im (ID: 1)
  • IP Address: 69.163.75.104
  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
  • Referer: https://envelopebudget.com/subscriptions/founders/
  • Stack Trace: No stack trace for client error
  • POST Data: None
  • GET Parameters: None

  Investigation hints:

  • Check the /api/subscriptions/create-checkout-session endpoint in subscriptions app
  • Look at the JavaScript calling this endpoint on the founders page
  • Verify the request body is being sent correctly
  • Check if Stripe API keys are configured properly

  Resolution: Root cause was expired Stripe API key (STRIPE_SECRET_KEY). Improved error handling in subscriptions/api.py to:

  1. Return 503 for Stripe authentication errors (expired key) with user-friendly message
  2. Return 502 for other Stripe errors
  3. Replaced @login_required decorator with Django Ninja's auth=django_auth for consistency
  4. Added unit tests for the subscription API endpoints

  Action Required: Update STRIPE_SECRET_KEY environment variable with a valid API key from Stripe dashboard.

• [x] Can't log in with Google

  Severity: High Reported: 2025-12-08 Fixed: 2025-12-08

  When I try to log in with google, it looks like it works, but then I'm redirected back to the home page. If I click login again, I'm just redirected back to the homescreen. I have to clear cookies in order to see the login page again.

  Investigation hints:

  • Check the OAuth callback handler in authentication app
  • Look at session/cookie handling after successful OAuth
  • Verify the redirect URL configuration
  • Check if user is being logged in but redirect is wrong

  Resolution: Root cause was missing session cookie settings for production HTTPS. When Django runs behind Caddy (reverse proxy) without proper cookie settings, the session cookie wasn't being set correctly for OAuth redirects. Added to budgetapp/settings.py for production:

  1. SECURE_PROXY_SSL_HEADER - tells Django it's behind HTTPS proxy
  2. SESSION_COOKIE_SECURE = True - ensures cookies sent only over HTTPS
  3. CSRF_COOKIE_SECURE = True - same for CSRF tokens
  4. SESSION_COOKIE_SAMESITE = "Lax" - allows cookies during OAuth cross-site redirects
  5. CSRF_COOKIE_SAMESITE = "Lax" - same for CSRF tokens

Completed Bugs #

(None yet)