In the course of building out Lilac, we’ve run into a stumbling block around Ecommerce. @sambapete writes in Slack here and in this thread that changes edX has made to the ecomm service has blocked custom payment processors from being used in the new Payment MFE (that is, only Cybersource works in the Payment MFE). Further complicating matters, the old ecommerce workflow is currently broken, and no longer PCI compliant - which is why we were defaulting to the Payment MFE in Lilac. To quote Pierre:
It may still come as a surprise to those with a custom payment processor when they will start upgrading / deploying Lilac and discover their ecommerce flow doesn’t work anymore. There is no easy way backwards if they are not warned not to upgrade.
BIG QUESTION: Who in the community is using payment processors aside from Cybersource? Are there any people who are well-versed in ecommerce and able to help out?
We see four remediation paths, 2 long term and 2 short term:
(Long term) Allow the payment MFE to be configured to use other payment processors, and add those payment processors to the codebase alongside cybersource, paypal, and apple pay.
(Long term) Fix the issues in ecommerce that prevent the old payment flow from working.
(short term) Figure out what commits in the ecommerce repo can be reverted to make the old ecommerce flow work again. We’ve identified one, but there may be others.
(short term) Run the old ecommerce flow from Koa, but apply library upgrades. This may be dangerous as API contracts could be broken.
Who does this affect? Who is willing to jump in here and help? @djoy and I are happy to provide some assistance, but both of us are unfamiliar with the ecommerce service. We can help expedite your work/pull requests however we can. We need community experience and expertise to move this issue forward.
Finally, I’d like to acknowledge that communication of the limitations of the new Payment MFE, as well as deprecation of the old ecommerce workflow, was not done well (see this Discuss thread). We needed to be more transparent and louder about breaking changes. To that end, I am running an internal RCA (root cause analysis) in the coming weeks for involved internal teams to capture learnings from this incident and inform us how we can do better moving forward.