Revert use of static tags for videos

I've temporarily hidden the quote for now.

README.md

@@ -7,7 +7,7 @@ runs [sfconservancy.org](https://sfconservancy.org).
 ## Contributing
 
 The canonical location for this repository is [on Conservancy’s
-Kallithea instance](https://k.sfconservancy.org/website).
+Forgejo instance](https://f.sfconservancy.org/Conservancy/website).
 
 
 ## License

TODO.md

@@ -1,5 +1,6 @@
 # To-do
 
+* rate limiting to prevent abuse - especially on POST requests
 * consider removing `events` and `worldmap` modules
 * ask Denver about why so many license files
 

bin/deploy

@@ -5,7 +5,8 @@ set -e  # Abort on failure
 git push
 ssh debian@hickory.sfconservancy.org 'bash -s' << EOF
 set -x  # Show output
-set -e
+set -e  # Abort on errors
+
 cd /var/www/website
 sudo -u www-data git pull
 sudo chown www-data:www-data .

conservancy/content/about/license/index.html

@@ -11,7 +11,7 @@
   this site</a>, but it may be more interesting to know that the site
   is running on stock Debian 8 with Apache, Django, mod_python,
   and sqlite installed, and that the main sources for the site's code
-  itself are <a href="https://k.sfconservancy.org/website">available in
+  itself are <a href="https://f.sfconservancy.org/Conservancy/website">available in
   a git repository</a>.</p>
 
 <p>The documents on this website are

conservancy/content/copyleft-compliance/vizio.html

@@ -49,10 +49,20 @@ Original Complaint (2021-10-19)</li>
   <li><a href="https://sfconservancy.org/docs/Order_Denying_Vizio_Motion_for_Summary_Judgement_12-29-23.pdf"><strong>Judge's
       ruling denying Vizio's Motion for Summary Judgment</strong></a></li>
 </ul></li>
+<li><a
+href="https://usethesource.sfconservancy.org/tmp_vizio_docs/software-freedom-conservancy-v-vizio-first_amended_complaint-2024-01-10.pdf">SFC's
+First Amended Complaint (2024-01-10)</li>
 <li><h5>SFC's Motion for Summary Adjudication</h5>
 <ul>
   <li><a href="https://sfconservancy.org/docs/software-freedom-conservancy-v-vizio_2023-12-01_SFC-Motion-Summary-Adjudication.pdf">SFC's
-  Motion for Summary Adjudication</a></li></ul></li>
+  Motion for Summary Adjudication</a></li>
+  <li><a href="https://usethesource.sfconservancy.org/tmp_vizio_docs/Vizio_response_to_motion_summary_adjudication.pdf">Vizio's
+  response to SFC's Motion for Summary Adjudication</a></li>
+  <li><a href="https://usethesource.sfconservancy.org/tmp_vizio_docs/SFC_motion_summary_adjudication_reply_brief.pdf">SFC's
+  reply to Vizio's response to SFC's Motion for Summary Adjudication</a></li>
+  <li><a href="https://usethesource.sfconservancy.org/tmp_vizio_docs/order_partially_granting_SFC_motion_summary_adjudication.pdf">Judge's
+  ruling partially granting SFC's Motion for Summary Adjudication</a></li>
+</ul></li>
 </ul>
 
 <h3>MEDIA CONTACT</h3>

conservancy/content/copyleft-compliance/vmware-code-similarity.html

@@ -15,7 +15,7 @@
 <p>Next, we compared the source code of the Linux Kernel 4.5.2 to the LLVM+Clang system, version 3.8.0. These two projects are each a large program that are not known to actively share code. There may be some very minimal similarity simply due to chance, but something much lower than the 3.68% found between Linux and FreeBSD's kernel.</p>
 <p>Indeed, when the same test is run to compare Linux to the LLVM+Clang system, the &quot;ratio of similarity&quot; was 0.075%.</p>
 <h1 id="general-comparison-of-linux-kernel-to-vmware-sources">General Comparison of Linux Kernel to VMware sources</h1>
-<p>With the baseline established, we now begin relevant comparisons. First, we compare the Linux kernel version 2.6.34 to the sources <a href="https://k.sfconservancy.org/vmkdrivers">released by VMware in their (partial) source release</a>. The &quot;ratio of similarity&quot; between Linux 2.6.34 and VMware's partial source release is 20.72%. There is little question that much of VMware's kernel has come from Linux.</p>
+<p>With the baseline established, we now begin relevant comparisons. First, we compare the Linux kernel version 2.6.34 to the sources <a href="https://f.sfconservancy.org/Conservancy/vmkdrivers">released by VMware in their (partial) source release</a>. The &quot;ratio of similarity&quot; between Linux 2.6.34 and VMware's partial source release is 20.72%. There is little question that much of VMware's kernel has come from Linux.</p>
 <h1 id="methodology-of-showing-hellwigs-contributions-in-vmware-esxi-5.5-sources">Methodology Of Showing Hellwig's Contributions in VMware ESXi 5.5 Sources</h1>
 <p>The following describes a methodology to show Hellwig's contributions to Linux, and how they compare to code found in VMware ESXi 5.5.</p>
 <h2 id="extracting-hellwigs-contributions-from-linux-historical-repository">Extracting Hellwig's Contributions From Linux Historical Repository</h2>
@@ -31,7 +31,7 @@ $ ./extract-code-added-in-commits.plx --repository=`pwd`/linux-historical --outp
 $ git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git linux-current
 $ ./commit-id-list-matching-regex.plx `pwd`/linux-current/.git Hellwig &#39;(Submitted\s+by|original\s+patch|patch\s+(from|by)|originally\s+(from|by)).*&#39; &gt; ./hellwig-current.ids
 $ ./extract-code-added-in-commits.plx --progress --repository=`pwd`/linux-current --output-dir=`pwd`/hellwig-through-2.6.34 --fork-limit=14 --blame-opts=-M  --blame-opts=-M --blame-opts=-C --blame-opts=-C --central-commit e40152ee1e1c7a63f4777791863215e3faa37a86   &lt; hellwig-current.ids </code></pre>
-<p>Note: e40152ee1e1c7a63f4777791863215e3faa37a86 is the 2.6.34 version created by Linus Torvalds <script type="text/javascript">
+<p>Note: e40152ee1e1c7a63f4777791863215e3faa37a86 is the 2.6.34 version created by Linus Torvalds <script>
 <!--
 h='&#108;&#x69;&#110;&#x75;&#120;&#x2d;&#102;&#x6f;&#x75;&#110;&#100;&#x61;&#116;&#x69;&#x6f;&#110;&#46;&#x6f;&#114;&#x67;';a='&#64;';n='&#116;&#x6f;&#114;&#118;&#x61;&#108;&#100;&#x73;';e=n+a+h;
 document.write('<a h'+'ref'+'="ma'+'ilto'+':'+e+'">'+e+'<\/'+'a'+'>');

conservancy/content/privacy-policy/index.html

@@ -14,7 +14,7 @@
 <li>you sign up as a Conservancy Sustainer or otherwise donate to Conservancy;</li>
 <li>you visit any Conservancy web site;</li>
 <li>you use one of Conservancy&rsquo;s Mailman sites or lists, hosted at lists.sfconservancy.org or lists.copyleft.org;</li>
-<li>you use one of Conservancy&rsquo;s Kallithea sites or repositories, hosted at k.sfconservancy.org or k.copyleft.org;</li>
+<li>you use one of Conservancy&rsquo;s Forgejo sites or repositories, hosted at f.sfconservancy.org;</li>
 <li>you use one of Conservancy&rsquo;s Etherpad sites, hosted at pad.sfconservancy.org;</li>
 <li>you use one of Conservancy&rsquo;s wiki sites or partner wiki sites, hosted at npoacct.sfconservancy.org or copyleft.org;</li>
 <li>you use one of Conservancy&rsquo;s project or partner project IRC channels, #npoacct and #copyleft on the Freenode IRC network;</li>

conservancy/content/projects/policies/index.html

@@ -12,6 +12,6 @@
   <li><a href="conservancy-travel-policy.html">Travel and reimbursable expense policy</a></li>
 </ul>
 
-<p>For more background about the policies, including licensing and change requests, please refer to <a href="https://k.sfconservancy.org/policies">their source code in Git</a>.</p>
+<p>For more background about the policies, including licensing and change requests, please refer to <a href="https://f.sfconservancy.org/Conservancy/policies">their source code in Git</a>.</p>
 
 {% endblock %}

conservancy/content/sustainer/original-supporter-appeal.html

@@ -5,7 +5,7 @@
 {% block category %}supporter{% endblock %}
 
 {% block head %}
-<script type="text/javascript" src="{% static 'js/\supporter-page.js' %}" defer></script>
+<script src="{% static 'js/supporter-page.js' %}" defer></script>
 <link href="{% static 'css/forms.css' %}" rel="stylesheet" type="text/css"/>
 {% endblock %}
 

conservancy/fossy/forms.py

@@ -1,9 +1,12 @@
+from captcha.fields import CaptchaField
 from django import forms
 
 from .models import CommunityTrackProposal
 
 
 class CommunityTrackProposalForm(forms.ModelForm):
+    captcha = CaptchaField()
+
     class Meta:
         model = CommunityTrackProposal
         exclude = []

conservancy/fossy/templates/fossy/community_track_proposal_form.html

@@ -3,13 +3,13 @@
   <div class="mw8 center ph2 ph3">
   <h1><abbr title="Free and Open Source Software Yearly">FOSSY</abbr>: Propose a Commmunity Track!</h1>
   <div class="mw7 mb5">
-    <p>SFC will be hosting a community oriented conference this coming summer August 1-4th, 2024 in Portland, Oregon in the United States. Focused on the creation and impact of free and open source software, uplifting contributors of all experience. We plan to have 8 tracks of talks over 4 days and to dedicate a substantial portion of these track to community run tracks, similar to the DevRooms at FOSDEM or the miniconfs at LinuxConfAU. We'd like to invite you to run a track based on a topic you're passionate about. If selected, you will be responsible for inviting speakers, selecting talks and organising the schedule for your track. If that sounds good to you, please fill in the form to tell us more about your idea. If you have any questions please don't hesitate to email us at <a href="mailto:conference@sfconservancy.org">conference@sfconservancy.org</a>.</p>
+    <p>SFC will be hosting a community oriented conference this coming summer July 31st - August 3rd, 2025 in Portland, Oregon in the United States. Focused on the creation and impact of free and open source software, uplifting contributors of all experience. We plan to have 8 tracks of talks over 4 days and to dedicate a substantial portion of these track to community run tracks, similar to the DevRooms at FOSDEM or the miniconfs at LinuxConfAU. We'd like to invite you to run a track based on a topic you're passionate about. If selected, you will be responsible for inviting speakers, selecting talks and organising the schedule for your track. If that sounds good to you, please fill in the form to tell us more about your idea. If you have any questions please don't hesitate to email us at <a href="mailto:conference@sfconservancy.org">conference@sfconservancy.org</a>.</p>
 
     <p><strong>Please understand that organizing a track is a signficant amount of work</strong>, and while we'll be so grateful for your contributions, depending on sponsor sign ups we are unlikely to be able to pay stipends or fund travel for speakers or organizers of your track (please let us know if travel is burdensome for you as an organizer). Given the high work load of organizing a conference track, we expect at least two people to be responsible (see primary and secondary proposer's below). Feel free to include more later, but we need at least two people for the proposal.</p>
 
     <p>Please fill out the questions below to apply. We want the conference to appeal to a wide audience, so are looking for tracks ranging from specific technical topics and people-focused themes, to the collaborative future of free software. We'd like to see a diversity of both niche and general topics that allow people from different backgrounds to participate.</p>
 
-    <p><strong>The deadline for submission is Thursday April 25th 2024.</strong></p>
+    <p><strong>The deadline for submission is Sunday February 16th 2025.</strong></p>
 
     <form action="." method="post" class="mw7">
       {% csrf_token %}

conservancy/settings/base.py

@@ -63,7 +63,12 @@ LOGGING = {
             'handlers': ['console'],
             'level': 'DEBUG',
             'propagate': False,
-        }
+        },
+        'conservancy.supporters': {
+            'handlers': ['console'],
+            'level': 'DEBUG',
+            'propagate': False,
+        },
     },
     'root': {
         'handlers': ['console'],
@@ -93,6 +98,7 @@ INSTALLED_APPS = [
     'conservancy.fossy',
     'conservancy.podjango',
     'conservancy.usethesource.apps.UseTheSourceConfig',
+    'captcha',
 ]
 
 DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'
@@ -123,12 +129,20 @@ TIME_ZONE = 'America/New_York'
 LANGUAGE_CODE = 'en-us'
 USE_TZ = False
 
+STORAGES = {
+    'default': {
+        'BACKEND': 'django.core.files.storage.FileSystemStorage',
+    },
+    'staticfiles': {
+        'BACKEND': 'django.contrib.staticfiles.storage.ManifestStaticFilesStorage',
+    },
+}
+
 STATIC_URL = '/static/'
 STATIC_ROOT = BASE_DIR.parent / 'collected_static'
 STATICFILES_DIRS = [
     BASE_DIR / 'static',
 ]
-STATICFILES_STORAGE = 'django.contrib.staticfiles.storage.ManifestStaticFilesStorage'
 
 MEDIA_ROOT = BASE_DIR.parent / 'media'
 MEDIA_URL = '/media/'

conservancy/settings/dev.py

@@ -1,3 +1,5 @@
+import os
+
 from .base import *  # NOQA
 
 DEBUG = True
@@ -13,3 +15,6 @@ DATABASES = {
 SECRET_KEY = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
 
 EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
+
+STRIPE_API_KEY = os.getenv('STRIPE_API_KEY', '')
+STRIPE_ENDPOINT_SECRET = os.getenv('STRIPE_ENDPOINT_SECRET', '')

conservancy/settings/prod.py

@@ -37,3 +37,10 @@ def get_secret(secrets, setting):
 SECRET_KEY = get_secret(secrets, 'SECRET_KEY')
 
 SESSION_COOKIE_SECURE = True
+
+STRIPE_API_KEY = get_secret(secrets, 'STRIPE_API_KEY')
+STRIPE_ENDPOINT_SECRET = get_secret(secrets, 'STRIPE_ENDPOINT_SECRET')
+
+CAPTCHA_FLITE_PATH = '/usr/bin/flite'
+CAPTCHA_SOX_PATH = '/usr/bin/sox'
+CAPTCHA_NOISE_FUNCTIONS = ('captcha.helpers.noise_dots',)

conservancy/static/css/conservancy.css

@@ -76,12 +76,6 @@ form[action$="#fixme"]:before {
   text-align: center;
 }
 
-input:focus {
-  z-index: 3;
-  border-color: #86b7fe;
-  box-shadow: 0 0 0 .25rem rgb(236, 99, 67, .5);
-}
-
 video {
     max-width: 100%;
 }

conservancy/supporters/admin.py

@@ -1,6 +1,6 @@
 from django.contrib import admin
 
-from .models import Supporter, SustainerOrder
+from .models import Supporter, SustainerOrder, SustainerPayment
 
 
 @admin.register(Supporter)
@@ -8,11 +8,39 @@ class SupporterAdmin(admin.ModelAdmin):
     list_display = ('display_name', 'display_until_date')
 
 
+class SustainerPaymentInline(admin.TabularInline):
+    model = SustainerPayment
+    fields = [
+        'paid_time',
+        'amount',
+        'stripe_payment_intent_ref',
+        'stripe_invoice_ref',
+    ]
+    can_delete = False
+    readonly_fields = [
+        'paid_time',
+        'amount',
+        'stripe_payment_intent_ref',
+        'stripe_invoice_ref',
+    ]
+
+    def has_add_permission(self, request, obj=None):
+        return False
+
+    def has_change_permission(self, request, obj=None):
+        return False
+
+
+
 @admin.register(SustainerOrder)
 class SustainerOrderAdmin(admin.ModelAdmin):
     fields = [
         'created_time',
         'paid_time',
+        'payment_method',
+        'stripe_customer_ref',
+        'stripe_subscription_ref',
+        'recurring',
         'name',
         'email',
         'amount',
@@ -25,7 +53,21 @@ class SustainerOrderAdmin(admin.ModelAdmin):
         'zip_code',
         'country',
     ]
-
-    readonly_fields = ['created_time', 'paid_time']
-    list_display = ['created_time', 'name', 'email', 'amount', 'paid']
+    inlines = [SustainerPaymentInline]
+    readonly_fields = ['created_time', 'paid_time', 'payment_method', 'stripe_customer_ref', 'stripe_subscription_ref', 'recurring']
+    list_display = ['created_time', 'name', 'email', 'amount', 'recurring', 'paid_time']
+    list_filter = ['paid_time']
+
+
+@admin.register(SustainerPayment)
+class SustainerPaymentAdmin(admin.ModelAdmin):
+    fields = [
+        'order',
+        'paid_time',
+        'amount',
+        'stripe_invoice_ref',
+        'stripe_payment_intent_ref',
+    ]
+    readonly_fields = ['order', 'paid_time', 'amount', 'stripe_invoice_ref', 'stripe_payment_intent_ref']
+    list_display = ['order', 'paid_time', 'amount']
     list_filter = ['paid_time']

conservancy/supporters/forms.py

@@ -1,16 +1,65 @@
 from django import forms
-
 from .models import SustainerOrder
 
+
+class SustainerFormRenderer(forms.renderers.DjangoTemplates):
+    # Customised layout with labels on own row
+    field_template_name = 'supporters/field.html'
+
+
+class ButtonRadioSelect(forms.widgets.RadioSelect):
+    """Radio button styled like a button."""
+
+    # Extra <span> wrappers to support CSS
+    option_template_name = 'supporters/buttonradio_option.html'
+    use_fieldset = False
+
+    class Media:
+        css = {
+            'all': ['css/buttonradio.css'],
+        }
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.attrs['class'] = 'button-select'
+
+
 class SustainerForm(forms.ModelForm):
-    amount_monthly = forms.IntegerField(initial=12, required=False)
+    """Sustainer sign-up
+
+    The logic for this form is somewhat spread between this Django form and the Django
+    template and Alpine JS code in the template.
+
+    Having to define some of the the Alpine JS attributes here in the form and some in
+    the template feels awkward, and I wish there was a better way. Django Crispy Forms
+    is typically a good option, but I really wanted to see if the new Django 5 form
+    improvements could beat that (eg. ".as_field_group"). They certainly help, but put
+    several levels of abstraction between you and the HTML (eg. renderers) and spread
+    your HTML across various template and code files. While I appreciate not having to
+    write code to render checked and unchecked boxes, designing attractive interactive
+    forms shouldn't be this complicated.
+
+    Alpine JS has its own trade-offs here. There's nearly no JavaScript as such, but the
+    "x-.." attributes are meaningless until you read the Alpine docs.
+    """
+
+    # To pre-fill the price option buttons in the case of server-side validation errors.
+    amount_option = forms.CharField(required=False)
+
+    template_name = 'supporters/sustainer_form.html'
+
+    MONTH_OPTIONS = [12, 23, 45, 87]
+    YEAR_OPTIONS = [128, 256, 512, 1024]
+    MONTH_MINIMUM = 10
+    YEAR_MINIMUM = 120
 
     class Meta:
         model = SustainerOrder
         fields = [
+            'recurring',
+            'amount',
             'name',
             'email',
-            'amount',
             'acknowledge_publicly',
             'add_to_mailing_list',
             'tshirt_size',
@@ -20,10 +69,49 @@ class SustainerForm(forms.ModelForm):
             'zip_code',
             'country',
         ]
+        widgets = {
+            'recurring': ButtonRadioSelect(
+                attrs={
+                    'x-model': 'recurring',
+                    # Reset the amount field and option when changing monthly/annually.
+                    'x-on:change': 'amount = ""; amount_option = null',
+                }
+            ),
+            'amount': forms.widgets.NumberInput(
+                # Retaining default widget, just neater to add many attrs here.
+                attrs={
+                    # So we can update the amount field from the amount_option selected.
+                    'x-model': 'amount',
+                    'x-bind:min': 'amount_minimum',
+                    'onblur': 'this.reportValidity()',
+                    'style': 'width: 5rem',
+                }
+            ),
+        }
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
-        self.fields['amount'].widget.attrs['style'] = 'width: 5rem'
-        self.fields['amount'].initial = 128
-        self.fields['amount_monthly'].widget.attrs['style'] = 'width: 5rem'
+
+        self.renderer = SustainerFormRenderer()
+
+        self.fields['recurring'].label = ''
+        self.fields['amount'].initial = self.YEAR_OPTIONS[0]
         self.fields['tshirt_size'].widget.attrs['x-model'] = 'tshirt_size'
+
+    def clean(self):
+        super().clean()
+        recurring = self.cleaned_data.get('recurring', '')
+        amount = self.cleaned_data.get('amount', 0)
+        minimum = self.MONTH_MINIMUM if recurring == 'month' else self.YEAR_MINIMUM
+        if amount < minimum:
+            self.add_error('', f'${minimum:d} is a minimum for Conservancy Sustainers.')
+        tshirt_size = self.cleaned_data.get('tshirt_size')
+        address_provided = all(
+            [
+                self.cleaned_data.get('street'),
+                self.cleaned_data.get('city'),
+                self.cleaned_data.get('country'),
+            ]
+        )
+        if tshirt_size and not address_provided:
+            self.add_error('street', 'No address provided')

conservancy/supporters/mail.py

@@ -0,0 +1,17 @@
+from django.core.mail import EmailMessage
+from django.template.loader import render_to_string
+
+
+def make_stripe_email(order) -> EmailMessage:
+    subject = 'Thanks for being a sustainer!'
+    email_body = render_to_string(
+        'supporters/mail/sustainer_thanks.txt',
+        {'order': order},
+    ).strip()
+    message = EmailMessage(
+        subject,
+        email_body,
+        'Software Freedom Conservancy <sustainers@sfconservancy.org>',
+        [order.email],
+    )
+    return message

conservancy/supporters/management/commands/export_stripe.py

@@ -0,0 +1,33 @@
+import csv
+import sys
+
+from django.core.management.base import BaseCommand
+from ...models import SustainerPayment
+
+
+class Command(BaseCommand):
+    help = "Closes the specified poll for voting"
+
+    def handle(self, *args, **options):
+        payments = SustainerPayment.objects.select_related('order').order_by('paid_time')
+        columns = ['order_time', 'payment_time', 'name', 'email', 'amount', 'transaction_id', 'public_ack', 'shirt_size', 'join_list', 'street', 'city', 'state', 'zip_code', 'country']
+        writer = csv.writer(sys.stdout)
+        writer.writerow(columns)
+        for payment in payments:
+            order = payment.order
+            writer.writerow([
+                order.created_time,
+                payment.paid_time,
+                order.name,
+                order.email,
+                payment.amount,
+                payment.stripe_payment_intent_ref,
+                order.acknowledge_publicly,
+                repr(order.tshirt_size if order.tshirt_size else ''),
+                order.add_to_mailing_list,
+                order.street,
+                order.city,
+                order.state,
+                order.zip_code,
+                order.country,
+            ])

conservancy/supporters/migrations/0004_sustainerorder_payment_id_and_more.py

@@ -0,0 +1,23 @@
+# Generated by Django 4.2.11 on 2024-10-08 09:44
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('supporters', '0003_remove_sustainerorder_monthly_recurring_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='sustainerorder',
+            name='payment_id',
+            field=models.CharField(blank=True, max_length=255),
+        ),
+        migrations.AddField(
+            model_name='sustainerorder',
+            name='payment_method',
+            field=models.CharField(default='Stripe', max_length=10),
+        ),
+    ]

conservancy/supporters/migrations/0005_alter_sustainerorder_amount_and_more.py

@@ -0,0 +1,71 @@
+# Generated by Django 5.1.2 on 2024-10-22 04:16
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('supporters', '0004_sustainerorder_payment_id_and_more'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='sustainerorder',
+            name='amount',
+            field=models.PositiveIntegerField(),
+        ),
+        migrations.AlterField(
+            model_name='sustainerorder',
+            name='recurring',
+            field=models.CharField(
+                blank=True,
+                choices=[('', 'Once'), ('month', 'Monthly'), ('year', 'Annually')],
+                default='',
+                max_length=10,
+            ),
+        ),
+        migrations.AlterField(
+            model_name='sustainerorder',
+            name='tshirt_size',
+            field=models.CharField(
+                blank=True,
+                choices=[
+                    ('', [('', 'None')]),
+                    (
+                        "Men's",
+                        [
+                            ("Men's S", "Men's S"),
+                            ("Men's M", "Men's M"),
+                            ("Men's L", "Men's L"),
+                            ("Men's XL", "Men's XL"),
+                            ("Men's 2XL", "Men's 2XL"),
+                        ],
+                    ),
+                    (
+                        "Standard women's",
+                        [
+                            ("Standard women's S", "Standard women's S"),
+                            ("Standard women's M", "Standard women's M"),
+                            ("Standard women's L", "Standard women's L"),
+                            ("Standard women's XL", "Standard women's XL"),
+                            ("Standard women's 2XL", "Standard women's 2XL"),
+                        ],
+                    ),
+                    (
+                        "Fitted women's",
+                        [
+                            ("Fitted women's S", "Fitted women's S"),
+                            ("Fitted women's M", "Fitted women's M"),
+                            ("Fitted women's L", "Fitted women's L"),
+                            ("Fitted women's XL", "Fitted women's XL"),
+                            ("Fitted women's 2XL", "Fitted women's 2XL"),
+                        ],
+                    ),
+                ],
+                default='',
+                max_length=50,
+                verbose_name='T-shirt size',
+            ),
+        ),
+    ]

conservancy/supporters/migrations/0006_remove_sustainerorder_payment_id_and_more.py

@@ -0,0 +1,75 @@
+# Generated by Django 5.1.2 on 2024-11-15 02:56
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('supporters', '0005_alter_sustainerorder_amount_and_more'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='sustainerorder',
+            name='payment_id',
+        ),
+        migrations.AddField(
+            model_name='sustainerorder',
+            name='stripe_checkout_session_data',
+            field=models.JSONField(null=True),
+        ),
+        migrations.AddField(
+            model_name='sustainerorder',
+            name='stripe_customer_ref',
+            field=models.CharField(max_length=50, null=True),
+        ),
+        migrations.AddField(
+            model_name='sustainerorder',
+            name='stripe_initial_payment_intent_ref',
+            field=models.CharField(max_length=50, null=True, unique=True),
+        ),
+        migrations.AddField(
+            model_name='sustainerorder',
+            name='stripe_subscription_ref',
+            field=models.CharField(max_length=50, null=True, unique=True),
+        ),
+        migrations.AlterField(
+            model_name='sustainerorder',
+            name='amount',
+            field=models.DecimalField(decimal_places=2, max_digits=7),
+        ),
+        migrations.CreateModel(
+            name='SustainerPayment',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                ('paid_time', models.DateTimeField(auto_now_add=True)),
+                (
+                    'stripe_invoice_ref',
+                    models.CharField(max_length=50, null=True, unique=True),
+                ),
+                ('amount', models.DecimalField(decimal_places=2, max_digits=7)),
+                (
+                    'stripe_payment_intent_ref',
+                    models.CharField(max_length=50, null=True, unique=True),
+                ),
+                ('stripe_invoice_data', models.JSONField(null=True)),
+                (
+                    'order',
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to='supporters.sustainerorder',
+                    ),
+                ),
+            ],
+        ),
+    ]

conservancy/supporters/models.py

@@ -1,4 +1,3 @@
-from django.core import validators
 from django.db import models
 
 
@@ -6,11 +5,14 @@ class Supporter(models.Model):
     """Conservancy Supporter listing"""
 
     display_name = models.CharField(max_length=200, blank=False)
-    display_until_date = models.DateTimeField("date until which this supporter name is displayed")
+    display_until_date = models.DateTimeField(
+        "date until which this supporter name is displayed"
+    )
     ledger_entity_id = models.CharField(max_length=200, blank=False)
 
     def test(self):
         return "TESTING"
+
     def __str__(self):
         return self.display_name
 
@@ -20,14 +22,14 @@ class Supporter(models.Model):
 
 class SustainerOrder(models.Model):
     RENEW_CHOICES = [
-        ('', 'None'),
+        ('', 'Once'),
         ('month', 'Monthly'),
-        ('year', 'Annual'),
+        ('year', 'Annually'),
     ]
     TSHIRT_CHOICES = [
         (
             '',
-            (("None", "None"),),
+            (("", "None"),),
         ),
         (
             "Men's",
@@ -62,17 +64,23 @@ class SustainerOrder(models.Model):
     ]
 
     created_time = models.DateTimeField(auto_now_add=True)
+    stripe_customer_ref = models.CharField(max_length=50, null=True)
+    stripe_subscription_ref = models.CharField(max_length=50, null=True, unique=True)
+    stripe_initial_payment_intent_ref = models.CharField(max_length=50, null=True, unique=True)
+    stripe_checkout_session_data = models.JSONField(null=True)
     name = models.CharField(max_length=255)
     email = models.EmailField()
-    amount = models.IntegerField(
-        validators=[
-            validators.MinValueValidator(100),
-        ])
-    recurring = models.CharField(max_length=10)
+    amount = models.DecimalField(max_digits=7, decimal_places=2)
+    recurring = models.CharField(
+        max_length=10, choices=RENEW_CHOICES, blank=True, default=''
+    )
+    payment_method = models.CharField(max_length=10, default='Stripe')
     paid_time = models.DateTimeField(null=True, blank=True)
     acknowledge_publicly = models.BooleanField(default=True)
     add_to_mailing_list = models.BooleanField(default=True)
-    tshirt_size = models.CharField(max_length=50, choices=TSHIRT_CHOICES)
+    tshirt_size = models.CharField(
+        'T-shirt size', max_length=50, choices=TSHIRT_CHOICES, blank=True, default=''
+    )
     street = models.CharField(max_length=255, blank=True)
     city = models.CharField(max_length=255, blank=True)
     state = models.CharField(max_length=255, blank=True)
@@ -84,3 +92,12 @@ class SustainerOrder(models.Model):
 
     def paid(self):
         return self.paid_time is not None
+
+
+class SustainerPayment(models.Model):
+    order = models.ForeignKey(SustainerOrder, on_delete=models.CASCADE)
+    paid_time = models.DateTimeField(auto_now_add=True)
+    stripe_invoice_ref = models.CharField(max_length=50, null=True, unique=True)
+    amount = models.DecimalField(max_digits=7, decimal_places=2)
+    stripe_payment_intent_ref = models.CharField(max_length=50, null=True, unique=True)
+    stripe_invoice_data = models.JSONField(null=True)

conservancy/supporters/static/css/buttonradio.css

@@ -0,0 +1,33 @@
+.button-select {
+  display: grid;
+  gap: 0.5rem;
+  grid-template-columns: repeat(auto-fill, minmax(5rem, 1fr));
+}
+
+.button-select label > span {
+  text-align: center;
+  display: inline-block;
+  user-select: none;
+  cursor: pointer;
+  padding: 0.5rem 0;
+  width: 100%;
+  background: #ddd;
+  border-radius: 4px;
+  border: 1px solid transparent;
+}
+
+.button-select label input {
+  opacity: 0;
+  position: absolute;
+}
+
+/* Wish we could use :has reliably. */
+.button-select label input:focus + span {
+  border-color: #eee;
+  outline: 2px solid #666;
+}
+
+.button-select label input:checked + span {
+  color: white;
+  background: #666;
+}

conservancy/supporters/templates/supporters/buttonradio_option.html

@@ -0,0 +1,2 @@
+{# Custom <span> wrapper around the label to enable radio fields to be styled like buttons. #}
+{% if widget.wrap_label %}<label onclick="click()"{% if widget.attrs.id %} for="{{ widget.attrs.id }}"{% endif %}>{% endif %}{% include "django/forms/widgets/input.html" %}{% if widget.wrap_label %} <span>{{ widget.label }}</span></label>{% endif %}

conservancy/supporters/templates/supporters/field.html

@@ -0,0 +1,11 @@
+{# Labels on a separate line, custom help text layout #}
+{% if field.use_fieldset %}
+  <fieldset{% if field.help_text and field.auto_id and "aria-describedby" not in field.field.widget.attrs %} aria-describedby="{{ field.auto_id }}_helptext"{% endif %}>
+  {% if field.label %}{{ field.legend_tag }}{% endif %}
+{% else %}
+  {% if field.label %}{{ field.label_tag }}{% endif %}
+{% endif %}
+{{ field.errors }}
+<div class="mt1">{{ field }}</div>
+<div class="f7 black-60 mt1">{{ field.help_text }}</div>
+{% if field.use_fieldset %}</fieldset>{% endif %}

conservancy/supporters/templates/supporters/mail/sustainer_thanks.txt

@@ -0,0 +1,18 @@
+{% autoescape off %}Hi {{ order.name }},
+
+Thanks so much for being a sustainer! Your support is what makes our work possible.
+
+Order: #{{ order.id }}
+Payment: ${{ order.amount }}{% if order.recurring %} {{ order.get_recurring_display }}{% endif %}
+Acknowledge me on the list of sustainers: {{ order.acknowledge_publicly|yesno }}
+Add me to the announcements email list: {{ order.add_to_mailing_list|yesno }}
+T-shirt: {{ order.get_tshirt_size_display }}{% if order.tshirt_size %}
+Postal address:
+{{ order.street }}
+{{ order.city }} {{ order.state }} {{ order.zip_code }}
+{{ order.country }}{% endif %}
+{% if order.recurring == 'month' and order.tshirt_size %}
+Please note that you may not receive the T-shirt until you've paid at least $60.{% endif %}
+
+Kind regards,
+Software Freedom Conservancy{% endautoescape %}

conservancy/supporters/templates/supporters/stripe_success.html

@@ -4,5 +4,38 @@
 {% block category %}sustainer{% endblock %}
 
 {% block content %}
-  <h1 class="lh-title tc mt4 mb4">Thanks!</h1>
+<h1 class="lh-title mt4">Thanks!</h1>
+
+<p>Thank you for being a Sustainer of Software Freedom Conservancy!</p>
+
+<!-- <p>Are you at LinuxFest Northwest right now?  If so, you are now eligible to
+  attend a special Sustainer-only dinner and drinks on Saturday 23 April 2016
+  at 6:30PM, but space is limited!  please RSVP
+  by <a href="mailto:rsvp-lfnw@sfconservancy.org">email to
+  &lt;rsvp-lfnw@sfconservancy.org&gt;</a>.  Let us know any dietary
+  restrictions in your email.  We'll email back with details of where the
+  event is.</p>
+ -->
+
+<p>As a Conservancy Sustainer, you'll also be eligible for future special
+benefits.  We may contact you directly by email later to tell you about
+special Sustainer-only benefits in the coming year.</p>
+
+<p>Meanwhile, please spread the word about supporting Conservancy with
+  a &ldquo;Sustainer Badge&rdquo; on your website, social media, or
+  other locations where people view information about you:</p>
+
+<p><a href="https://sfconservancy.org/sustainer/"><img src="https://sfconservancy.org/static/img/supporter-badge.png" width="194" height="90" alt="Become a Conservancy Sustainer!" border="0"/></a></p>
+
+<p><strong>Copy and paste this HTML for the image above:</strong></p>
+<p><textarea rows="2"
+             cols="65">
+<a href="https://sfconservancy.org/sustainer/"><img src="https://sfconservancy.org/static/img/supporter-badge.png" width="194" height="90" alt="Become a Conservancy Sustainer!" border="0"/></a>
+ </textarea></p>
+
+<p class="mb5">Also, please enjoy these &ldquo;Sustainer Cards&rdquo;, which you print out and
+  carry with you.  You've earned it! The cards are available in two different
+  styles: <a href="/static/img/supporter-card-1.12b4668a6b78.svg">Style 1
+  (SVG)</a>, <a href="/static/img/supporter-card-2.9c9e76d445e5.svg">Style 2
+  (SVG)</a>.</p>
 {% endblock %}

conservancy/supporters/templates/supporters/sustainers_paypal.html

@@ -0,0 +1,37 @@
+{% extends "base_conservancy.html" %}
+{% load static %}
+{% block subtitle %}Support Conservancy - {% endblock %}
+{% block category %}sustainer{% endblock %}
+
+{% block head %}
+<script src="{% static 'js/supporter-page.js' %}" defer></script>
+<link href="{% static 'css/forms.css' %}" rel="stylesheet" type="text/css"/>
+<style>
+  .hidden { display: none; }
+</style>
+{% endblock %}
+
+{% block content %}
+<h1 class="lh-title tc mt4">Become a Sustainer by PayPal</h1>
+
+<div class="content-with-donate-sidebar" id="formStart">
+
+{% if partial_amount > 0 %}
+  {% include "supporters/form_partial.html" with form_id="annual" min_amt=minimum_amount partial_amt=partial_amount article="an" only %}
+{% else %}
+  <div class="supporter-type-selector">
+    <a id="annualSelector" href="#annual">Annual</a>
+    | <a id="monthlySelector" href="#monthly">Monthly</a>
+    | <a id="renewalSelector" href="#renewal">Annual Renew</a>
+  </div>
+
+  {% include "supporters/form_partial.html" with form_id="annual" min_amt=120 default_amt=128 article="an" only %}
+
+  {% include "supporters/form_partial.html" with form_id="monthly" min_amt=10 default_amt=12 only %}
+
+  <a name="renew" class="hidden"></a>
+  {% include "supporters/form_partial.html" with form_id="renewal" min_amt=120 default_amt=128 verb="renew" article="an" supptype="annual" only %}
+{% endif %}
+
+<span id="form-correction-needed" class="form-error">Please ensure all form data above is correct.</span>
+{% endblock %}

conservancy/supporters/templates/supporters/sustainers_stripe.html

@@ -5,40 +5,165 @@
 
 {% block head %}
   {{ block.super }}
+  {% include "opengraph_partial.html" with url="/sustainer/" title="Support Conservancy!" description="Software freedom is critical to many of today’s most pressing social issues, but it’s only effective when FOSS is for everyone. Support Conservancy today to help make that happen!" %}
+{% include "opengraph_urllist_partial.html" with property='image' urls='' fallback='/static/img/conservancy-logo.png' %}
+  {{ form.media }}
   <style>
    @media screen and (min-width: 40em) {
-     #sustainer-grid {
+     #sustainer-grid-wrapper {
        display: grid;
-       grid-template-columns: 2fr 1fr;
-       grid-template-rows: min-content 1fr;
-       gap: 1.5rem;
      }
    }
-   progress {
-     background: #ddd;
-     border: none;
-   }
-   progress::-moz-progress-bar {
-     background: #224c57;
-   }
-   progress::-webkit-progress-bar {
-     background: #ddd;
-   }
-   progress::-webkit-progress-value {
-     background: #224c57;
-   }
    .btn:active {
      transform: scale(1.05);
    }
+   .errorlist li {
+     color: #ff4136;
+   }
   </style>
+  <script defer src="{% static "js/vendor/alpine-3.14.1.js" %}"></script>
 {% endblock %}
 
 {% block content %}
-  <h1 class="lh-title tc mt4 mb0">Become a Sustainer Now</h1>
+  <h1 class="lh-title tc mt4 mb2">Become a Sustainer Now</h1>
   <p class="measure-wide center tc">Sustainers help us do our work in a strategic, long-term way.</p>
 
-  <div id="sustainer-grid" class="mv4">
-    <div style="grid-row: 1 / span 2">
+  {% comment %}
+  <div class="f5 measure-wide center tc mv4">
+  <p class="mt3 mb0"><em>“If software freedom is important to you, I can't think of a
+    more effective way to use your money than to support Conservancy.”</em></p>
+  <p class="tr">— <strong>Made Up Person</strong></p>
+  </div>
+  {% endcomment %}
+
+  <div id="sustainer-grid-wrapper" class="mv4" style="grid-template-columns: 2fr 1fr; gap: 1.5rem">
+    <section class="mb4">
+      <noscript>
+        <div style="padding: 1rem; border: 2px solid #0f0; margin-bottom: 1.5rem">
+          <p><marquee><strong>Hey there!</strong></marquee> Thanks for visiting our site <strong>without JavaScript</strong>!</p>
+
+          <p>We do our best to ensure our site works without JavaScript or, where necessary, to use only free software JavaScript.</p>
+
+          <p>The bad news is that all credit card/ACH payment services that are available to us, like Stripe and PayPal, <strong>don't work without JavaScript</strong>. We also don't currently have the resources to handle PCI compliant credit-card processing directly.</p>
+
+          <p>You can still become a Sustainer by making a payment by <a href="#wire-transfer">wire transfer</a> or <a href="#paper-check">paper check</a>. If those aren't feasible, please <a href="mailto:donate@sfconservancy.org">get in touch</a> and we'll try to work something out. Thanks for your support! And we think you are very cool!</p>
+
+          <img src="{% static 'img/dancing-banana.gif' %}" alt="Dancing Banana">
+        </div>
+      </noscript>
+
+      {# Alpine JS is used to show different payments amounts for monthly/annual, write the selected payment amount into the "amount" field, reset the seleted amount when you change monthly/annual and pop out the address when you select a T-shirt. #}
+      <form method="post" action="."
+        {# Pre-fill field defaults in case of server-side validation error. Otherwise Alpine JS will override them. Could alternatively use the `json_script` tag here. #}
+        x-data="{
+                 recurring: '{{ form.recurring.value|escapejs }}',
+                 amount: parseInt('{{ form.amount.value|escapejs }}'),
+                 amount_option: '{{ form.amount_option.value|escapejs }}',
+                 amount_options: function() {
+                   let month_options = {{ form.MONTH_OPTIONS|escapejs }};
+                   let year_options = {{ form.YEAR_OPTIONS|escapejs }};
+                   return this.recurring === 'month' ? month_options : year_options;
+                 },
+                 amount_minimum: function() {
+                   let month_minimum = {{ form.MONTH_MINIMUM|escapejs }};
+                   let year_minimum = {{ form.YEAR_MINIMUM|escapejs }};
+                   return this.recurring === 'month' ? month_minimum : year_minimum;
+                 },
+                 tshirt_size: '{{ form.tshirt_size.value|escapejs }}',
+              }">
+        {% csrf_token %}
+        <fieldset class="bg-black-05 pa3 br3 center" style="border: 1px solid #ccc">
+          <legend class="b f5">Become a Sustainer</legend>
+          {{ form.non_field_errors }}
+
+          <div>{{ form.recurring.as_field_group }}</div>
+
+          <div class="mt3">
+            <div id="amount_options" class="button-select">
+              <template x-for="m in amount_options">
+                {# Additional click handler ensures a click-drag activates the radio (similar to a real button). #}
+                <label onclick="this.click()">
+                  {# All radios have a unique value to avoid UI glitches (even though the value isn't actually used). #}
+                  <input type="radio" name="amount_option" x-bind:value="m" x-on:change="amount = m" x-model="amount_option" required>
+                  <span>$<span x-text="m.toLocaleString()"></span></span>
+                </label>
+              </template>
+              <!-- Hide if no JS -->
+              <template x-if="true">
+                <label onclick="this.click()">
+                  <input type="radio" name="amount_option" value="other" x-on:change="amount = ''" x-model="amount_option" required>
+                  <span>Other</span>
+                </label>
+              </template>
+            </div>
+            <div class="mt2" x-show="amount_option === 'other'">
+              {{ form.amount.as_field_group }}
+              <p class="f7 black-60 mt1">Minimum $<span x-text="amount_minimum"></span>. <a href="/donate" class="black-60">Donate smaller amounts here</a>.</p>
+            </div>
+          </div>
+
+          <div class="mt3">{{ form.name.as_field_group }}</div>
+
+          <div class="mt2">
+            {{ form.email.as_field_group }}
+          </div>
+
+          <div class="mt3"><label class="lh-title">{{ form.acknowledge_publicly }} Acknowledge me on the <a href="/sponsors#sustainers" target="_blank">list of sustainers</a></label></div>
+
+          <div class="mt3"><label class="lh-title">{{ form.add_to_mailing_list }} Add me to the <a href="https://lists.sfconservancy.org/pipermail/announce/">announcements email list</a></label></div>
+
+          <div class="mt3">
+            {{ form.tshirt_size.as_field_group }}
+            <p class="f7 black-60 mt1">Sizing chart:
+              <a href="/videos/women-2017-to-2020-t-shirt-sizing.jpg" target="_blank" class="black-60">Women's</a>,
+              <a href="/videos/men-2017-to-2020-t-shirt-sizing.jpg" target="_blank" class="black-60">Men's</a></p>
+            <figure class="mt2">
+              <a href="{% static 'img/tshirt-2024.png' %}">
+                <img src="{% static 'img/tshirt-2024.png' %}" alt="Software Freedom Conservancy T-shirt" width="200">
+              </a>
+            </figure>
+          </div>
+
+          <div id="address" x-show="tshirt_size !== ''">
+            <fieldset class="mt3">
+              <legend>Postal address</legend>
+              <div>{{ form.street.as_field_group }}</div>
+              <div class="mt2">{{ form.city.as_field_group }}</div>
+              <div class="mt2">{{ form.state.as_field_group }}</div>
+              <div class="mt2">{{ form.zip_code.as_field_group }}</div>
+              <div class="mt2">{{ form.country.as_field_group }}</div>
+            </fieldset>
+          </div>
+
+          <div class="mt3"><button type="submit" class="pointer btn f5 pv2" style="width: 100%; font-weight: bold; color: white; background-color: var(--orange); border-radius: 0.5rem; border: none; border-bottom: 2px solid rgba(0,0,0,0.1);">Become a Sustainer by<br>Credit Card or <abbr title="US Bank Direct Debit">ACH</abbr></button></div>
+        </fieldset>
+      </form>
+
+      <p class="f7 mt3">Credit card and ACH payments are processed with Stripe. We also accept payment by PayPal, paper check and wire transfer.</p>
+
+      <details id="paypal">
+        <summary class="f6">PayPal</summary>
+        <p>If you would prefer not to use our Stripe payment service above you can use <a href="{% url 'sustainer_paypal' %}">PayPal</a>.</p>
+      </details>
+
+      <details id="wire-transfer">
+        <summary class="f6">Wire Transfer</summary>
+        <p>Contact <a href="mailto:donate@sfconservancy.org">Conservancy
+          by email</a> for wire transfer instructions. Include currency &amp; country.</p>
+      </details>
+
+      <details id="paper-check">
+        <summary class="f6">Paper Check</summary>
+        <p>Send a paper check to:</p>
+        <p>Software Freedom Conservancy, Inc.<br>
+          137 MONTAGUE ST  STE 380<br>
+          BROOKLYN, NY 11201-3548 &nbsp; USA</p>
+        <p>Please write <q>SUSTAINER</q>, T-shirt size, if you are renewing, and if
+          you want public acknowledgment in memo line.</p>
+      </details>
+    </section>
+
+    <section style="grid-row: 1 / span 2">
       <video controls poster="https://sfconservancy.org/videos/sfc-introduction-video_poster.jpg" class="mb3">
         <source src="https://sfconservancy.org/videos/sfc-introduction_1080p.mp4">
         <track src="/docs/sfc-introduction-vtt-captions.txt" kind="subtitles" srclang="en" label="English">
@@ -73,9 +198,10 @@
   software freedom that the world needs. <a href="/donate/">Please consider
   donating now!</a></p>
 
+<h2 class="">2023 in Review</h2>
 
 <details id="YearInReview">
-  <summary>Our Year in Review</summary>
+  <summary>Overview</summary>
 
 <p>This has been a big year for Software Freedom Conservancy in our tireless
 efforts to promote ethical technology, increase diversity and inclusion in
@@ -88,7 +214,7 @@ Right to Repair movement. We hosted our first large conference, <a href="https:/
 and while we finalize details for next year, we hope to see you there to join
 us in community!</p>
 
-<div class="picture-small right">  <img src="https://nextcloud.sfconservancy.org/apps/files_sharing/publicpreview/pnZYsi2CkjscLwc?file=/&fileId=24825&x=1366&y=768&a=true&etag=f4341a40f90786b0356201c21278ee23" alt="SFC lawyers posing outside at the courthouse“ " /></a>
+<div class="picture-small right">  <img src="https://nextcloud.sfconservancy.org/apps/files_sharing/publicpreview/pnZYsi2CkjscLwc?file=/&fileId=24825&x=1366&y=768&a=true&etag=f4341a40f90786b0356201c21278ee23" alt="SFC lawyers posing outside at the courthouse“ " />
 <p>SFC lawyers after recent Vizio case- CC BY-SA 4.0</p></div>
 
 <p>Our <a href="https://vizio.sfconservancy.org">lawsuit against Vizio</a>— the first
@@ -145,7 +271,7 @@ account will be approved.</p>
 </details>
 
 <details id="NewStaff">
-<summary>New staff!</summary>
+<summary>New Staff!</summary>
 <p>SFC hired two additional employees this year! General Counsel Rick Sanders
 joins the team to help with our continued legal needs. Rick has over 20 years
 experience as a intellectual-property litigator. His expertise has been
@@ -197,9 +323,8 @@ of FOSS and in critical infrastructure discussions and also presented in
 classroom to educate students about software freedom.</p>
 </details>
 
-
 <details id="Highlights">
-  <summary>Highlights from some of our projects</summary>
+  <summary>Highlights From Our Member Projects</summary>
   <p>We've raised, administered and/or facilitated $1.8 million to improve
 software freedom directly! This includes contractors, interns and students,
 administrators, and grants for creation, distribution and maintenance of free
@@ -249,7 +374,7 @@ very exciting developments for the project. Creation of a new <a href="https://i
 for the PLC and contributors to get together to plan and work on technical
 challenges. The first back in-person <b>Selenium</b> <a
 href="https://seleniumconf.com/">conference</a> was in Chicago this past
-may</a>. Attendance from over 10 countries, it was an incredible reunion for
+may. Attendance from over 10 countries, it was an incredible reunion for
 the project contributors and users to get together. The <b>Git</b>
 contributor summit was held online this year in September. Topics ranged from
 ideas of new library support to how to better support for scaling with large
@@ -259,35 +384,6 @@ annual summit was hosted in Hamburg featuring incredible
 technical talks, project planning and continues to build the momentum and
 reach for reproducibility. </p>
 </details>
-
-
-      <h3>Our sustainers</h3>
-
-      <p>Anonymous (100 people), Aurimas Fišeras, Kat Walsh, Richard Wheeler, Karl Ove Hufthammer, Mark Wielaard, Karl Fogel, Richard Fontana, Richard L. Schmeidler, Karen Sandler, Russ Allbery, Christine Webber, Jeremy Allison, J.B. Nicholson, Michael Dexter, Tom Marble, Johannes Krampf, Michael Linksvayer, Jack Hill, Stefano Zacchiroli, Daniel Callahan, Ben Cotton, in memory of Marina Zhurakhinskaya, Jim Radford, Tyng-Ruey Chuang, Francois Marier, Henri Sivonen, Keith Packard, Monica Neumann, Michal Nazarewicz, Bdale Garbee, David Neary, Alexander Bokovoy, Andrew Isaacson, Brian Hart, James Pannacciulli, Sasa Poznanovic, David Batley, David Crossland, Steve Sprang, Bob Murphy, Mark Galassi, James R. Garrison, Bluebird Interactive, David Quist, Patrick Masson, Neil McGovern, Lenore Ramm Hill, Paul Logston, David Arnold, Benjamin Pfaff, Timothy Howes, Britta Gustafson, Wookey, Michael Gulick, Tanu Kaskinen, Jeffrey Layton, Raphaël Hertzog, Will Thompson, Matteo Settenvini, Kevin Krammer, Elana Hashman, Richard Schultz, Charkov Alexey, Donald Craig, Michael Catanzaro, Olav Reinert, Stephen Kitt, Barry Fishman, Luigi Toscano, Steve McIntyre, Cornelia Huck, Jonathan McDowell, Emmanuel Seyman, Mike Crowe, Alexandre Julliard, Ross Vandegrift, Ian Jackson, Alexander Reichle-Schmehl, Sang Engineering, Preston Maness, John Hagemeister, Julien Cristau, Rebecca Sobol, John Hughes, Peter Link, Solomon Peachy, Riccardo Ghetta, Stefano Rivera, Julian Gilbey, Srivats P, JRS System Solutions, Eric Dorland, Matija Nalis, Brett Smith, Dmitry Borodaenko, Johannes Berg, Howard Shih, Nigel Whillier, Peter Maydell, Lars Wirzenius, Stephanie Feingold, Kevin Adler, Matthew Vernon, Stefan Seefeld, scrye.com, Robert Horn, Andreas Bombe, Michael Kuhn, Stephen Waite, Philip Cohn-Cort, Stuart Smith, Michel Machado, Joseph Thompson, Joan Sandler, Sage Ross, Peter Levy, Daniel Gillmor, James Carter, Wilson E. Alvarez, Michael Andreen, Aaron Puchert, Andrew Eikum, Vladimir Michl, Gregory Grossmeier, Josh Triplett, James Blair, Felix Gruber, Claire Connelly, Antoine Amarilli, Kenneth J. Pronovici, Igalia S. L., Karl-Johan Karlsson, David Gibson, Tom Callaway, Steven A. Ovadia, Gerard Ryan, James Garrett, William Norris, Luke Faraone, Christian Gelinek, Chris Neugebauer, David Potter, Paul Fenwick, George Bojanov, Jondale Stratton, Kiatikun Luangkesorn, hmk, Yu Tomita, Jure Varlec, Antonin Houska, Chad Henderson, Adam Batkin, Marc Jeanmougin, Mike Dowling, Nicholas George, Leif Lindholm, Diane Trout, Daniel Walls, Donald Anderson, Darrick Wong, Greg Price, Martin Krafft, Tony Sebro, Matthew Treinish, Jason Baker, Kathy Giori, Brennen Bearnes, Olly Betts, Steven Adger, John Maloney, Gargi Sharma, Andrew Janke, Andy Kittner, Holger Levsen, Jacopo Corbetta, Andy Balaam, Justin W. Flory, Albert Chae, Elias Rudberg, Gene Hightower, Asumu Takikawa, John-Isaac Greant, Ulrich Czekalla, Bob Proulx, Nick Alcock, Geoffrey Knauth, Luke Shumaker, Stephen Hinton, Philip McGrath, Anjandev Momi, Meisam Tabriz, Alex Dryden, Thomas Schwinge, Julia Kreger, nicholas Bishop, Rachel Wonnacott, Benjamin Kraus, David Witten, Pontus Ullgren, Brendan Horan, Alex Karle, Michael Pennisi, Dave Jansen, Kit Aultman, Jason Prince, Frank Eigler, Keyhan Vakil, Daniel Whiting, tam phan, Jon Stumpf, Anna Philips, Anthony Symkowick, Drew Fustini, Anthony Mirabella, Eric Perko, Simon Michael, Rod Nayfield, Joerg Jaspert, Lieven Govaerts, David Harris, BRUST, Alexander Couzens, Amisha Singla, Athul Iddya, kyle Davis, Trace Pearson, Paul Williams, Peter Murray, anne fonteyn</p>
-    </div>
-
-    <div>
-      <progress min="0" max="100" value="84.5" class="w-100">84.5%</progress>
-      <div class="mv3">
-        <div class="f2 b">$15,558</div>
-        <div class="f5 b black-50">Remaining of the $100,000 goal</div>
-      </div>
-      <div class="mv3">
-        <div class="f2 b">15 days</div>
-        <div class="f5 b black-50">Remaining</div>
-      </div>
-      <div class="mt4">
-        <a href="{% url "stripe2" %}">
-          <button type="submit" class="pointer btn" style="height: 40px; width: 100%; font-size: 18px; font-weight: bold; color: white; background-color: var(--orange); border-radius: 0.5rem; border: none; border-bottom: 2px solid rgba(0,0,0,0.1);">Become a Sustainer!</button>
-        </a>
-      </div>
-
-      <div class="mt3">
-        <figure>
-          <img src="/static/img/tshirt-2023.png" alt="Software Freedom Conservancy T-shirt">
-          <figcaption class="tc black-70" style="margin-top: -20px">Our new Sustainer T-shirt</figcaption>
-        </figure>
-      </div>
-    </div>
+    </section>
   </div>
 {% endblock %}

conservancy/supporters/templates/supporters/sustainers_stripe2.html

@@ -1,89 +0,0 @@
-{% extends "base_conservancy.html" %}
-{% load static %}
-{% block subtitle %}Support Conservancy - {% endblock %}
-{% block category %}sustainer{% endblock %}
-
-{% block head %}
-  {{ block.super }}
-  <script defer src="{% static "js/vendor/alpine-3.14.1.js" %}"></script>
-  <style>
-   .btn:active {
-     transform: scale(1.05);
-   }
-  </style>
-{% endblock %}
-
-{% block content %}
-  <h1 class="lh-title tc mt4 mb0">Become a Sustainer Now</h1>
-  <p class="measure-wide center tc">Sustainers help us do our work in a strategic, long-term way.</p>
-
-  <div class="bg-black-05 pa3 br3 mb4 center" style="max-width: 24rem; border: 1px solid #ccc">
-    <form id="sustainer" method="post" action="."
-          x-data="{
-                    tshirt_size: 'None',
-                    tshirt_required: function () { return this.tshirt_size !== 'None' },
-                    recurring: 'once',
-                  }">
-      {% csrf_token %}
-      {{ form.errors }}
-      <div class="mb2"><label>Name
-        <span class="db mt1">{{ form.name }}</span>
-      </label></div>
-      <div class="mb2"><label>Email
-        <span class="db mt1">{{ form.email }}</span>
-      </label>
-      <p class="f7 black-60 mt1">To send your receipt</p>
-      </div>
-      <div class="mb2"><label>
-        <label class="mr1"><input type="radio" name="recurring" value="" x-model="recurring"> Once</label>
-        <label class="mr1"><input type="radio" name="recurring" value="month" x-model="recurring"> Monthly</label>
-        <label><input type="radio" name="recurring" value="year" x-model="recurring"> Annual</label>
-      </label></div>
-      <div class="mb2" x-show="recurring === ''"><label>Amount
-        <span class="db mt1">$ {{ form.amount }}</span>
-      </label></div>
-      <div class="mb2" x-show="recurring === 'month'"><label>Amount
-          <span class="db mt1">$ {{ form.amount_monthly }}</span>
-      </label></div>
-      <div class="mb2" x-show="recurring === 'year'"><label>Amount
-          <span class="db mt1">$ {{ form.amount }}</span>
-      </label></div>
-      <div class="mv3"><label class="lh-title">{{ form.acknowledge_publicly }} Acknowledge me on the public <a href="">list of sustainers</a></label></div>
-      <div class="mv3"><label class="lh-title">{{ form.add_to_mailing_list }} Add me to the low-traffic <a href="https://lists.sfconservancy.org/pipermail/announce/">announcements</a> email list</label></div>
-      <div class="mv3">
-        <label>T-shirt:
-          <!-- Form field has an x-model attribute in forms.py. -->
-          <span class="db mt1">{{ form.tshirt_size }}</span>
-        </label>
-        <p class="f7 black-60 mt1">Sizing:
-          <a href="https://sfconservancy.org/videos/women-2017-to-2020-t-shirt-sizing.jpg" target="_blank" class="black-60">Women's</a>,
-          <a href="https://sfconservancy.org/videos/men-2017-to-2020-t-shirt-sizing.jpg" target="_blank" class="black-60">Men's</a></p>
-      </div>
-      <!-- Using Alpine.js to show/hide the address based on T-shirt choice. -->
-      <template x-if="tshirt_required">
-        <fieldset id="address">
-          <legend>Postal address</legend>
-        <div class="mb2"><label>Street
-          <span class="db mt1">{{ form.street }}</span>
-        </label></div>
-        <div class="mb2"><label>City
-          <span class="db mt1">{{ form.city }}</span>
-        </label></div>
-        <div class="mb2"><label>State/Region
-          <span class="db mt1">{{ form.state }}</span>
-        </label></div>
-        <div class="mb2"><label>Zip/Postal
-          <span class="db mt1">{{ form.zip_code }}</span>
-        </label></div>
-        <div class="mb2"><label>Country
-          <span class="db mt1">{{ form.country }}</span>
-        </label></div>
-        </fieldset>
-      </template>
-
-      <div class="mt3"><button type="submit" class="btn" style="height: 40px; width: 100%; font-size: 18px; font-weight: bold; color: white; background-color: var(--orange); border-radius: 0.5rem; border: none; border-bottom: 2px solid rgba(0,0,0,0.1);">Pay via Stripe</button></div>
-
-      <p class="f7 mt3">If you have concerns or issues paying with Stripe, we also accept payment by <a href="#">paper check</a> and <a href="#">wire transfer</a>.</p>
-    </form>
-  </div>
-{% endblock %}

conservancy/supporters/urls.py

@@ -4,11 +4,11 @@ from django.views.generic import TemplateView
 from . import views
 
 urlpatterns = [
-    path('', views.sustainers),
+    path('', views.sustainers_stripe, name='sustainers'),
     path('banner/', TemplateView.as_view(template_name='supporters/banners.html')),
     path('banners/', TemplateView.as_view(template_name='supporters/banners.html')),
     path('success/', views.success),
     path('webhook/', views.webhook),
-    path('stripe/', views.sustainers_stripe),
-    path('stripe2/', views.sustainers_stripe2, name='stripe2'),
+    # TODO
+    path('paypal/', views.sustainers_paypal, name='sustainer_paypal'),
 ]

conservancy/supporters/views.py

@@ -1,17 +1,21 @@
-from datetime import datetime
+import datetime
+import decimal
 import logging
 
+from django.conf import settings
+from django.db import transaction
 from django.http import HttpResponse
 from django.shortcuts import render, redirect
 from django.utils import timezone
 import stripe
 
 from .. import ParameterValidator
-from . import forms
-from .models import Supporter, SustainerOrder
+from . import forms, mail
+from .models import Supporter, SustainerOrder, SustainerPayment
 
 logger = logging.getLogger(__name__)
 
+
 def sustainers(request):
     with ParameterValidator(request.GET, 'upgrade_id') as validator:
         try:
@@ -33,20 +37,23 @@ def sponsors(request):
 
     Performs object queries necessary to render the sponsors page.
     """
-    supporters = Supporter.objects.all().filter(display_until_date__gte=datetime.now())
+    supporters = Supporter.objects.all().filter(display_until_date__gte=datetime.datetime.now())
     supporters_count = len(supporters)
-    anonymous_count  = len(supporters.filter(display_name='Anonymous'))
+    anonymous_count = len(supporters.filter(display_name='Anonymous'))
     supporters = supporters.exclude(display_name='Anonymous').order_by('ledger_entity_id')
     c = {
-        'supporters' : supporters,
-        'supporters_count' : supporters_count,
-        'anonymous_count' : anonymous_count
+        'supporters': supporters,
+        'supporters_count': supporters_count,
+        'anonymous_count': anonymous_count,
     }
     return render(request, "supporters/sponsors.html", c)
 
 
-def create_checkout_session(reference_id, email: str, amount: int, recurring: str, base_url: str):
+def create_checkout_session(
+    reference_id, email: str, amount: int, recurring: str, base_url: str
+):
     # https://docs.stripe.com/payments/accept-a-payment
+    # https://docs.stripe.com/api/checkout/sessions
     YOUR_DOMAIN = base_url
     try:
         checkout_session = stripe.checkout.Session.create(
@@ -73,78 +80,250 @@ def create_checkout_session(reference_id, email: str, amount: int, recurring: st
     return checkout_session.url
 
 
+def sustainers_paypal(request):
+    return render(request, 'supporters/sustainers_paypal.html')
+
+
+# Sustainers via Stripe
+# =====================
+#
+# Background and problem
+# ----------------------
+#
+# Conservancy accepts both one-off and monthly/annual recurring sustainer
+# payments. Currently we used PayPal for this to avoid the compliance work and cost
+# associated with PCI compliance.  The relevant sustainer details and are sent to PayPal
+# as custom fields, the donor pays via the PayPal hosted payment form, receives a
+# receipt from PayPal and then later Bradley runs a batch script that takes PayPal data
+# and sends a custom thanks email. (Where does the data come from? Is it a dashboard
+# export or an API call?)
+#
+# The problem here is firstly that PayPal are difficult and somewhat risky to deal with
+# in a business sense - they have been known to shut you down on a whim. Secondly we're
+# heavily tied to PayPal - we're using them as a sustainer database to capture things
+# like T-shirt size and address before these are imported into Bradley's
+# supporter.db. To be less tied to PayPal, we would need to capture these details in our
+# own database and only pass the necessary minimum details to the payment provider to
+# take the payment (ie. email and payment amount).
+#
+# We also use PayPal to manage billing for recurring monthly/annual subscriptions, but
+# that's less of an issue because that's more difficult to do reliably ourselves.
+#
+# We would like to integrate Stripe as a payment provider, possibly eventually replacing
+# PayPal entirely for new sustainers. We have to be careful though. While Stripe were
+# once focused on just accepting credit card payments, they've now moved into the
+# billing and "financial automation" market so we could easily tie ourselves to Stripe
+# if we're not careful.
+#
+# The first thing we need to do is keep our own database of sustainer orders. When a
+# sustainer signs up, we record all their information and unpaid order status there and
+# pass only the necessary info across to Stripe.
+#
+# The second thing is to produce a CSV of payments to be processed by Bradley's
+# fulfilment scripts that creates Beancount bookkeeping entries, updates the
+# acknowledgements on the sponsors page and determines who to send a T-shirts to (not
+# immediate for monthly donors).
+#
+#
+# Approach to integrating with Stripe
+# -----------------------------------
+#
+# The simplest approach to integrate Stripe seems to be to use their hosted checkout
+# page. It's a currently recommended approaches as of 2024 (ie. not legacy),
+# requires relatively little code, can handle complicated bank verification processes
+# like 3-D Secure, allows us to switch on/of additional payment methods such as
+# ACH/direct debit and avoids running proprietary JavaScript within an sfconservancy.org
+# page. The tradeoff is the slightly visually jarring transition to stripe.com and
+# back. With relatively little efforte we instead use an embedded Stripe form or Stripe
+# widgets in our own form; this would just require marginally more code and would run
+# proprietary JS within the sfconservancy.org page
+# (https://docs.stripe.com/payments/accept-a-payment). From a sustainer's perspective
+# it's proprietary JS either way, but it feels conceptually cleaner to isolate
+# it. Nonetheless this is a slipperly SAAS slope so we need to take care.
+#
+# To use Stripe hosted checkout, we first accept the sustainer sign-up and populate our
+# database with an unpaid order. We then create/register a Stripe checkout session via
+# the API with with the donor's email, amount and renewal period if relevant and forward
+# the donor across to the session's unique stripe.com URL.
+#
+# The donor pays on stripe.com and is then redirected to a "success_url" along with an
+# ID parameter we can use to look up the payment details to determine their payment
+# status. Stripe also allow you to register to accept webhook HTTP requests
+# corresponding to various events in their system. One of those is
+# "checkout.session.completed", which corresponds to the redirect to "success_url". The
+# Stripe fulfillment docs (https://docs.stripe.com/checkout/fulfillment) advise handling
+# both the "success_url" redirect and the "checkout.session.completed" webhook in case
+# the redirect fails. If this was a credit card payment, we know then an there that it
+# was successful. If it's an ACH/direct debit payment, it will take a few days to be
+# processed and confirmed paid "checkout.session.async_payment_succeeded".
+#
+# We record this initial payment success against our order in the sustainer database.
+#
+# If auto-renewing, Stripe will transparently set up what they call a "Subscription" and
+# will automatically bill the donor again next month or year
+# (https://docs.stripe.com/billing/subscriptions/overview). This is a GOOD THING,
+# because it avoids us having to worry about missing billing people, or worse,
+# double-billing. I've been there before. Stripe
+# offer an additional self-service subscription management portal for donors to use, but
+# by default they don't communicate with donors directly and leave you to manage
+# subscriptions manually from within the Stripe dashboard.
+#
+# To find out about subscription renewals, we can either batch query the Stripe API or
+# we can register for webhook events. If using webhooks, there are plenty of subtle
+# pitfalls such as event ordering, duplication and race conditions that could lead to us
+# messing up fulfillment. The other challenge with webhooks events is that you need to
+# link them back to the sustainer order they relate to in our database.
+
 def sustainers_stripe(request):
-    return render(request, 'supporters/sustainers_stripe.html', {})
-
-
-def sustainers_stripe2(request):
     if request.method == 'POST':
         form = forms.SustainerForm(request.POST)
         if form.is_valid():
-            order = form.save(commit=False)
-            order.recurring = form.data['recurring']
-            if order.recurring == 'month':
-                order.amount = form.cleaned_data['amount_monthly']
-            order.save()
+            order = form.save()
             base_url = f'{request.scheme}://{request.get_host()}'
-            stripe_checkout_url = create_checkout_session(order.id, order.email, order.amount, order.recurring, base_url)
+            # There are a few options for integrating with Stripe. A common one, and
+            # possibly the least intrusive is to use the proprietary
+            # https://js.stripe.com/v3/ to embed Stripe form fields into your own
+            # form. Another embeds a hosted form in your page. The approach we've used
+            # is to redirect to a hosted checkout page. This is far from perfect, but it
+            # avoids adding proprietary JS on sfconservancy.org.
+            stripe_checkout_url = create_checkout_session(
+                order.id, order.email, order.amount, order.recurring, base_url
+            )
             return redirect(stripe_checkout_url)
     else:
         form = forms.SustainerForm()
-    return render(request, 'supporters/sustainers_stripe2.html', {'form': form})
+    return render(request, 'supporters/sustainers_stripe.html', {'form': form})
 
 
-stripe.api_key = 'sk_test_zaAqrpHmpkXnHQfAs4UWkE3d'
+# Use a "restricted" API key and grant access to:
+# - checkout sessions (write)
+# - credit notes (read) - unclear why, subscription sign-ups fail otherwise
+stripe.api_key = settings.STRIPE_API_KEY
+if stripe.api_key == '':
+    logger.warning('Missing STRIPE_API_KEY')
 
-def fulfill_checkout(session_id):
-    print("Fulfilling Checkout Session", session_id)
 
-    # TODO: Make this function safe to run multiple times,
-    # even concurrently, with the same session ID
+def fulfill_signup(session):
+    session_id = session["id"]
+    logger.debug(f'Fulfilling checkout session {session_id}')
 
-    # TODO: Make sure fulfillment hasn't already been
-    # peformed for this Checkout Session
+    # TODO: Clean up orders that have been unpaid for, say, 14 days.
+    # TODO: Consider emailing ACH/direct-debit donors immediately to say pending.
 
-    # Retrieve the Checkout Session from the API with line_items expanded
-    checkout_session = stripe.checkout.Session.retrieve(
+    # Retrieve the Checkout Session from the API with line_items expanded so we can get
+    # the payment intent ID for subscriptions.
+    session = stripe.checkout.Session.retrieve(
         session_id,
-        expand=['line_items'],
+        expand=['invoice'],
     )
 
+    # This ensure's we're looking at a sustainer checkout, not some other
+    # unrelated Stripe checkout.
+    sustainerorder_id = session['client_reference_id']
+
     # Check the Checkout Session's payment_status property
     # to determine if fulfillment should be peformed
-    if checkout_session.payment_status != 'unpaid':
-        # TODO: Perform fulfillment of the line items
-
-        # TODO: Record/save fulfillment status for this
-        # Checkout Session
-        logger.info(f'Session ID {session_id} PAID!')
+    if session.payment_status != 'unpaid':
+        logger.debug(f'Actioning paid session {session_id}')
         try:
-            order = SustainerOrder.objects.get(id=checkout_session['client_reference_id'], paid_time=None)
-            order.paid_time=timezone.now()
-            order.save()
-            logger.info(f'Marked sustainer order {order.id} (order.email) as paid')
+            with transaction.atomic():
+                # Lock this order to prevent a race condition from multiple webhooks.
+                order = SustainerOrder.objects.filter(id=sustainerorder_id, paid_time=None).select_for_update().get()
+                order.stripe_customer_ref = session['customer']
+                order.stripe_subscription_ref = session['subscription']
+                order.stripe_checkout_session_data = session
+                order.stripe_initial_payment_intent_ref = (
+                    # One-off sustainer
+                    session['payment_intent']
+                    # Subscription sustainer
+                    or session['invoice']['payment_intent']
+                )
+                order.paid_time = timezone.now()
+                order.save()
+                logger.info(f'Marked sustainer order {order.id} ({order.email}) as paid')
+                payment = SustainerPayment.objects.create(
+                    order=order,
+                    stripe_invoice_ref=session['invoice']['id'] if session['invoice'] else None,
+                    amount=decimal.Decimal(session['amount_total']) / 100,
+                    stripe_payment_intent_ref=order.stripe_initial_payment_intent_ref,
+                    stripe_invoice_data=session['invoice'],
+                )
+            logger.info(f'Created sustainer payment {payment.id}')
+            email = mail.make_stripe_email(order)
+            email.send()
         except SustainerOrder.DoesNotExist:
-            logger.info('No action')
+            logger.info(f'No such unpaid SustainerOrder {sustainerorder_id} - no action')
+    else:
+        logger.debug(f'Unpaid session {session_id} - no action')
+
+
+def fulfill_invoice_payment(invoice):
+    """Handle (possible) renewal payment.
+
+    Annoyingly, this handler runs both for initial subscription and renewal payments. A
+    better option would be if there was an event that ran renewal payments ONLY. I
+    looked at "customer.subscription.updated", but couldn't seem to tell whether the
+    update was for a new successful renewal payment as opposed eg. someone changed the
+    subscription amount in the Stripe dashboard.
+
+    Scenarios:
+
+    1. This could be an initial subscription payment or a renewal payment. Only
+    action if payment intent ID doesn't match an initial sign-up payment in our
+    database.
+
+    2. This could also be an initial payment for a subsciption not yet in the
+    database (events came in out of order) or a payment for a non-sustainer
+    subscription. That's fine - we just ignore those cases.
+    """
+    invoice_id = invoice.id
+    try:
+        with transaction.atomic():
+            # An alternative to comparing the payment intent reference would be to only
+            # consider orders paid > 28 days ago. Renewals should never happen before then.
+            order = SustainerOrder.objects.exclude(stripe_initial_payment_intent_ref=invoice['payment_intent']).get(
+                stripe_subscription_ref=invoice.subscription, paid_time__isnull=False,
+            )
+            payment = SustainerPayment.objects.create(
+                order=order,
+                stripe_invoice_ref=invoice.id,
+                amount=decimal.Decimal(invoice.total) / 100,
+                stripe_payment_intent_ref=invoice['payment_intent'],
+                stripe_invoice_data=invoice,
+            )
+        logger.info(f'Created sustainer payment {payment.id} for invoice {invoice_id}')
+    except SustainerOrder.DoesNotExist:
+        logger.info(f'No such subscription to renew {invoice.subscription} for invoice {invoice_id}')
+
 
 
 def success(request):
-    fulfill_checkout(request.GET['session_id'])
+    """Handle Stripe redirect after successful checkout."""
+    # We don't run the fulfillment here since it's unnecessarily complicated to run it
+    # both here and from webhooks.
     return render(request, 'supporters/stripe_success.html', {})
 
 
 def webhook(request):
+    """Handle a request to our webhook endpoint.
+
+    Modelled on https://docs.stripe.com/checkout/fulfillment.
+
+    To test these, either use a service like Pagekite to set up a public link to your
+    development environment and configure webhooks for that, or use the Stripe CLI tool
+    to forward the events to your development environment.
+    """
     payload = request.body
     sig_header = request.META['HTTP_STRIPE_SIGNATURE']
     event = None
 
-    # From webhook dashboard
-    endpoint_secret = 'whsec_lLy9pqxAAHdl4fwiC0cFg1KwR6y4CvOH'
+    # From the "event destinations" page in Stripe's "developer tools" area.
+    endpoint_secret = settings.STRIPE_ENDPOINT_SECRET
+    if not endpoint_secret:
+        logger.warning('Missing STRIPE_ENDPOINT_SECRET')
 
     try:
-        event = stripe.Webhook.construct_event(
-            payload, sig_header, endpoint_secret
-        )
+        event = stripe.Webhook.construct_event(payload, sig_header, endpoint_secret)
     except ValueError:
         # Invalid payload
         return HttpResponse(status=400)
@@ -152,10 +331,33 @@ def webhook(request):
         # Invalid signature
         return HttpResponse(status=400)
 
-    if (
-            event['type'] == 'checkout.session.completed'
-            or event['type'] == 'checkout.session.async_payment_succeeded'
-    ):
-        fulfill_checkout(event['data']['object']['id'])
-
+    # Register for these webhook events the "event destinations" page. Must be
+    # individually enabled.
+    if event['type'] == 'checkout.session.completed':
+        # Successful Stripe checkout. For credit cards, this usually indicates that the
+        # payment was successful. For ACH/direct-debit the payment will not yet have
+        # been processed and may take a few days.
+        session = event['data']['object']
+        logger.debug(f'CHECKOUT.SESSION.COMPLETED webhook for session {session["id"]}')
+        fulfill_signup(session)
+    elif event['type'] == 'checkout.session.async_payment_succeeded':
+        # Runs for successful ACH/direct debit payments.
+        session = event['data']['object']
+        logger.debug(f'CHECKOUT.SESSION.ASYNC_PAYMENT_SUCCEEDED webhook for session {session["id"]}')
+        fulfill_signup(session)
+    elif event['type'] == 'invoice.payment_succeeded':
+        # Successful initial subscription or renewal payment (only care about renewals).
+        #
+        # It not clear that this is the *best* webhook or approach to use
+        # handle subscription renewals, but it works.
+        #
+        # You can simulate subscription renewals via the Stripe developers site:
+        # https://docs.stripe.com/billing/testing/test-clocks/simulate-subscriptions
+        #
+        # I found I had to advance time by 1 month first to create the invoice, then 1
+        # day for it to be billed. You can watch all the events via the "stripe listen"
+        # CLI command.
+        invoice = event['data']['object']
+        logger.debug(f'INVOICE.PAYMENT_SUCCEEDED webhook for invoice {invoice["id"]}')
+        fulfill_invoice_payment(invoice)
     return HttpResponse(status=200)

conservancy/templates/base_conservancy.html

@@ -12,7 +12,7 @@
     <link rel="stylesheet" type="text/css" href="{% static 'css/tachyons.min.css' %}"/>
     <link rel="stylesheet" type="text/css" media="screen" href="{% static 'css/conservancy.css' %}" />
     <link rel="stylesheet" type="text/css" media="(min-width: 67em)" href="{% static 'css/conservancy-bigscreen.css' %}" />
-    <script type="text/javascript" src="{% static 'js/conservancy.js' %}" defer></script>
+    <script src="{% static 'js/conservancy.js' %}" defer></script>
     {% block head %}{% endblock %}
   </head>
 
@@ -51,10 +51,10 @@
 
           <li class="search dn-ns">
             <form method="get" action="https://duckduckgo.com" class="ml2 flex mw6">
-              <input id="search-query" type="text" name="q" placeholder="Search with DuckDuckGo" class="pa2 ba b--gray br0" style="x-border-right: none; flex: 1 1 auto; width: 1%;" />
+              <input id="search-query" type="text" name="q" placeholder="Search with DuckDuckGo" class="pa2 ba b--gray br0" style="flex: 1 1 auto; width: 1%;" />
               <input type="hidden" name="sites" value="sfconservancy.org" />
               <button type="submit" class="bg-orange bn white pa2 pointer btn-orange" style="margin-left: -1px;">
-                <svg style="color: white; width: 20px; height: 20px;"><use href="{% static 'img/font_awesome.svg' %}#search"></use></svg></a>
+                <svg style="color: white; width: 20px; height: 20px;"><use href="{% static 'img/font_awesome.svg' %}#search"></use></svg>
               </button>
     </form>
           </li>

conservancy/templates/submenus/who_we_are_partial.html

@@ -3,8 +3,8 @@
   <li class="Sustainers"><a href="/sustainer/">Sustainers</a></li>
   <li class="Directors"><a href="/about/board/">Board of Directors</a></li>
   <li class="Staff"><a href="/about/staff/">Staff</a></li>
-  <li clas="Eval"><a href="/about/eval-committee/">Evaluation Committee</a></li>
-  <li clas="Outside"><a href="/about/outside/">Outside Counsel, et alia</a></li>
+  <li class="Eval"><a href="/about/eval-committee/">Evaluation Committee</a></li>
+  <li class="Outside"><a href="/about/outside/">Outside Counsel, et alia</a></li>
   <li class="Transparency"><a href="/about/transparency">Transparency</a></li>
   <li class="Contact"><a href="/about/contact/">Contact</a></li>
 </ul>

conservancy/templates/supporters/sustainers.html

@@ -4,7 +4,7 @@
 {% block category %}sustainer{% endblock %}
 
 {% block head %}
-<script type="text/javascript" src="{% static 'js/supporter-page.js' %}" defer></script>
+<script src="{% static 'js/supporter-page.js' %}" defer></script>
 <link href="{% static 'css/forms.css' %}" rel="stylesheet" type="text/css"/>
 <style>
   .hidden { display: none; }
@@ -43,7 +43,7 @@
 <span id="form-correction-needed" class="form-error">Please ensure all form data above is correct.</span>
 
 <div style="overflow: auto; text-align: center;">
-  <a href="/img/tshirt-2023.png"><img src="{% static 'img/tshirt-2023.png' %}"  height="300"/></a>
+  <a href="/img/tshirt-2024.png"><img src="{% static 'img/tshirt-2024.png' %}"  height="300"/></a>
 </div>
 </p>
 

conservancy/urls.py

@@ -51,7 +51,7 @@ urlpatterns = [
     re_path(r'^about/', views.content),
     re_path(r'^activities/', views.content),
     re_path(r'^copyleft-compliance/', views.content, {'fundraiser_sought': 'vmware-match-0'}),
-    re_path(r'^donate/', views.content),
+    path('donate/', views.content, name='donate'),
     path('fossy/', views.content),
     re_path(r'^GiveUpGitHub/', views.content),
     re_path(r'^learn/', views.content),
@@ -61,6 +61,8 @@ urlpatterns = [
     re_path(r'^privacy-policy/', views.content),
     re_path(r'^projects/', views.content),
     re_path(r'^sustainer/', views.content),
+
+    path('captcha/', include('captcha.urls')),
 ]
 
 # Serve uploaded media. Works only when DEBUG == True. Using '/media/'

conservancy/usethesource/admin.py

@@ -1,7 +1,7 @@
 from django.contrib import admin
 
 from .emails import make_candidate_email
-from .models import Candidate, Comment
+from .models import Candidate, Comment, SourceOffer
 
 
 class CommentInline(admin.TabularInline):
@@ -36,3 +36,10 @@ class CandidateAdmin(admin.ModelAdmin):
             # Announce the new candidate
             email = make_candidate_email(obj, request.user)
             email.send()
+
+
+@admin.register(SourceOffer)
+class SourceOfferAdmin(admin.ModelAdmin):
+    list_display = ['time', 'vendor', 'device']
+    fields = ['time', 'vendor', 'device', 'photo']
+    readonly_fields = ['time']

conservancy/usethesource/forms.py

@@ -1,6 +1,6 @@
 from django import forms
 
-from .models import Comment
+from .models import Comment, SourceOffer
 
 
 class CommentForm(forms.ModelForm):
@@ -17,3 +17,14 @@ class CommentForm(forms.ModelForm):
 
 class DownloadForm(forms.Form):
     agree = forms.BooleanField(label="I understand that the goal of this process is to determine compliance with FOSS licenses, and that in downloading the source code candidate and/or firmware image, I am assisting SFC as a volunteer to investigate that question.  I, therefore, promise and represent that I will not copy, distribute, modify, or otherwise use this source code candidate and/or firmware image for any purpose other than to help SFC evaluate the source code candidate for compliance with the terms of FOSS licenses, including but not limited to any version of the GNU General Public License.  Naturally, if I determine in good faith that portions of the source code candidate and/or firmware image are subject to a FOSS license and are compliant with it, I may copy, distribute, modify, or otherwise use those portions in accordance with the FOSS license, and I take full responsibility for that determination and subsequent use.")
+
+
+class SourceOfferForm(forms.ModelForm):
+    class Meta:
+        model = SourceOffer
+        fields = ['vendor', 'device', 'photo']
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields['photo'].widget.attrs['capture'] = 'camera'
+        self.fields['photo'].widget.attrs['accept'] = 'image/*'

conservancy/usethesource/migrations/0009_sourceoffer.py

@@ -0,0 +1,30 @@
+# Generated by Django 4.2.11 on 2024-07-22 08:59
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('usethesource', '0008_comment_attribute_to'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='SourceOffer',
+            fields=[
+                (
+                    'id',
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name='ID',
+                    ),
+                ),
+                ('vendor', models.CharField(max_length=50, verbose_name='Vendor name')),
+                ('device', models.CharField(max_length=50, verbose_name='Device name')),
+                ('photo', models.ImageField(upload_to='usethesource/offers')),
+            ],
+        ),
+    ]

conservancy/usethesource/migrations/0010_sourceoffer_time.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.2.11 on 2024-07-29 09:42
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('usethesource', '0009_sourceoffer'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='sourceoffer',
+            name='time',
+            field=models.DateTimeField(auto_now_add=True, null=True),
+        ),
+    ]

conservancy/usethesource/models.py

@@ -67,3 +67,13 @@ class Comment(models.Model):
 
     class Meta:
         ordering = ['id']
+
+
+class SourceOffer(models.Model):
+    time = models.DateTimeField(auto_now_add=True, null=True)
+    vendor = models.CharField('Vendor name', max_length=50)
+    device = models.CharField('Device name', max_length=50)
+    photo = models.ImageField(upload_to='usethesource/offers')
+
+    def __str__(self):
+        return f'{self.vendor} {self.device}'

conservancy/usethesource/templates/usethesource/landing_page.html

@@ -24,7 +24,7 @@
   <p>One crucial way to get involved is to let us know about any source candidates you find!  Many devices have an offer for source code (check the manual or device's user interface to find it) and we'd be very interested to know what they send you when you request it.  Here are the steps to submit a new source candidate to list on this page:</p>
 
   <ol class="pl4">
-    <li class="mb2">find a source candidate offered by a company - normally this is offered to you in the manual or user interface of your device, through a link or email address (the company's GitHub page is not canonical, unless they explicitly say so in this offer)</li>
+    <li class="mb2">find a source candidate offered by a company - normally this is offered to you in the manual or user interface of your device, through a link or email address (the company's GitHub page is not canonical, unless they explicitly say so in this offer). If you're curious what an offer is, check out the PDFs referenced in <a href="https://sfconservancy.org/blog/2022/dec/21/energyguide-software-repair-label/">our submission to the FTC</a>, and <a href="{% url 'usethesource:upload_offer' %}">submit a picture/image of a new offer</a> so we can test it for you if you like</li>
 
     <li class="mb2"><a href="https://usl-upload.sfconservancy.org/s/4Ykmx7rSGMJ7s43">upload the source candidate</a> to us - write down the file name(s) you uploaded for the next step (can be multiple), and upload a firmware image if you have it and are ok with us publishing it</li>
 

conservancy/usethesource/templates/usethesource/upload_offer.html

@@ -0,0 +1,49 @@
+{% extends "usethesource/base.html" %}
+
+{% block title %}Upload an offer for source - Software Freedom Conservancy{% endblock %}
+
+{% block head %}
+  {{ block.super }}
+  <script src="https://unpkg.com/htmx.org@1.9.6"></script>
+{% endblock %}
+
+{% block content %}
+  {{ block.super }}
+
+  <section class="mt4 mb3">
+    <h2 class="f2 lh-title ttu mt0">Upload an offer for source</h2>
+  </section>
+
+  <form id="form" hx-encoding="multipart/form-data" hx-post="{% url 'usethesource:upload_offer' %}">
+    {% csrf_token %}
+    {{ form.non_field_errors }}
+    <div class="mv2">
+      {{ form.vendor.errors }}
+      <label for="{{ form.vendor.id_for_label }}" class="db mb1">Vendor:</label>
+      {{ form.vendor }}
+    </div>
+    <div class="mv2">
+      {{ form.device.errors }}
+      <label for="{{ form.device.id_for_label }}" class="db mb1">Device:</label>
+      {{ form.device }}
+    </div>
+    <div class="mv2">
+      {{ form.photo.errors }}
+      <label for="{{ form.photo.id_for_label }}" class="db mb1">Photo:</label>
+      {{ form.photo }}
+    </div>
+    <progress id="progress" class="htmx-indicator" value="0" max="100"></progress>
+    <div class="mv1">
+      <button type="submit" class="white bg-green b db pv2 ph3 bn mb2">Send</button>
+    </div>
+  </form>
+
+  <script>
+   form = document.querySelector('#form');
+   let progress = document.querySelector('#progress');
+   form.addEventListener('htmx:xhr:progress', function(evt) {
+     console.log('progress', evt.detail.loaded/evt.detail.total * 100);
+     progress.value = evt.detail.loaded/evt.detail.total * 100;
+   });
+  </script>
+{% endblock content %}

conservancy/usethesource/templates/usethesource/upload_success_partial.html

@@ -0,0 +1 @@
+<p>Thanks! We've received your offer for source.</p>

conservancy/usethesource/urls.py

@@ -13,4 +13,5 @@ urlpatterns = [
     path('delete-comment/<int:comment_id>/<show_add>/', views.delete_comment, name='delete_comment'),
     path('add-button/<slug:slug>/', views.add_button, name='add_button'),
     path('ccirt-process/', views.ccirt_process, name='ccirt_process'),
+    path('offer/', views.upload_offer, name='upload_offer'),
 ]

conservancy/usethesource/views.py

@@ -3,7 +3,7 @@ from django.core.exceptions import PermissionDenied
 from django.shortcuts import get_object_or_404, redirect, render
 
 from .models import Candidate, Comment
-from .forms import CommentForm, DownloadForm
+from .forms import CommentForm, DownloadForm, SourceOfferForm
 from .emails import make_comment_email
 
 
@@ -91,3 +91,21 @@ def add_button(request, slug):
 
 def ccirt_process(request):
     return render(request, 'usethesource/ccirt_process.html', {})
+
+
+def handle_uploaded_file(f):
+    with open("some/file/name.txt", "wb+") as destination:
+        for chunk in f.chunks():
+            destination.write(chunk)
+
+def upload_offer(request):
+    if request.method == 'POST':
+        form = SourceOfferForm(request.POST, request.FILES)
+        if form.is_valid():
+            form.save()
+            return render(request, 'usethesource/upload_success_partial.html')
+        else:
+            return render(request, 'usethesource/upload_offer.html', {'form': form})
+    else:
+        form = SourceOfferForm()
+        return render(request, 'usethesource/upload_offer.html', {'form': form})

deploy/install.yml

@@ -130,6 +130,10 @@
        apt:
          name: build-essential,python3-dev,libffi-dev
 
+     - name: Install flite and sox for CAPTCHA text-to-speech
+       apt:
+         name: flite, sox
+
      - name: Security settings
        apt:
          name: fail2ban
@@ -157,7 +161,7 @@
      # TODO: Needs to force owner to www-data:www-data
      - name: Git checkout
        ansible.builtin.git:
-         repo: 'https://k.sfconservancy.org/website'
+         repo: 'https://f.sfconservancy.org/Conservancy/website'
          dest: /var/www/website
          version: master
          remote: upstream

requirements.txt

@@ -1,8 +1,9 @@
 # Installed in virtualenv
-Django==4.2.11
+Django==5.1.2
+django-countries==7.6.1
+stripe
 # Provided by Debian Bookworm.
 beautifulsoup4==4.11.2
 html5lib==1.1
-django-countries==7.3.2
 Pillow==9.4.0
-stripe
+django-simple-captcha==0.6.0