Deferred from #28 (round 2, P2). When a user starts a Stripe Checkout Session and deletes their account before paying, the open session (and its ephemeral customer) is not proactively expired.
Why it's not a correctness gap (why deferred): Stripe auto-expires open Checkout Sessions (~24h). If a payment completes for an already-deleted user, the webhook's credit_ledger insert fails the user_id FK (the auth user is gone via cascade), so no ghost ledger/data can attach to a deleted account. The account's recorded Stripe customers are already deleted by the erasure path.
Nice-to-have: enumerate and stripe.checkout.sessions.expire the user's open sessions during delete-account for immediate cleanup, rather than relying on Stripe's TTL.
Source: pickforge-platform#28. Severity: low. Suggested owner: backend.
Deferred from #28 (round 2, P2). When a user starts a Stripe Checkout Session and deletes their account before paying, the open session (and its ephemeral customer) is not proactively expired.
Why it's not a correctness gap (why deferred): Stripe auto-expires open Checkout Sessions (~24h). If a payment completes for an already-deleted user, the webhook's credit_ledger insert fails the user_id FK (the auth user is gone via cascade), so no ghost ledger/data can attach to a deleted account. The account's recorded Stripe customers are already deleted by the erasure path.
Nice-to-have: enumerate and
stripe.checkout.sessions.expirethe user's open sessions during delete-account for immediate cleanup, rather than relying on Stripe's TTL.Source: pickforge-platform#28. Severity: low. Suggested owner: backend.