Can I Prevent Someone from Signing Up for a Free Trial Subscription More than Once?
This article discusses options for preventing an adversary from abusing free trial subscriptions.
We are sometimes asked whether we can prevent a customer who had a free trial subscription from signing up for another free trial when the initial trial period has ended. The concern is that a customer might cancel the original subscription before the end of the trial period and immediately sign up for another free trial. In our experience, reports of such exploitation have been rare. Although there is no automatic way to detect and prevent these orders, it is possible for you to detect them yourself and cancel subsequent trial subscriptions for the same customer.
Taking Advantage of Webhooks and the FastSpring API
If you subscribe to the subscription.activated webhook event, FastSpring notifies you in near-real-time when a new subscription is activated. The subscription.activated event payload includes the customer's account ID, which uniquely identifies the customer.
FastSpring creates new customer accounts automatically when a customer orders using an email address that is not associated with any previous orders in your Store. When a customer places an order using an email address already associated with a previous order, FastSpring automatically associates the new order with the same customer account ID.
You can use the customer account ID from subscription.activated to check for previous orders of the same free trial subscription product (by product ID). There are two different ways you could do this, depending on whether or not you automatically populate your own external database from all webhook data.
Checking Your Own External Database
If your webhook script populates an external database each time new webhook events come in, you could design it to detect duplicate trial orders. The script could react to subscription.activated events for a given free trial product by checking your database for previous orders of the same product bearing the same customer account ID.
Checking for Previous Orders via the FastSpring API
Alternatively, you could design your webhook script to react to subscription.activated events for a given free trial product by triggering a GET request to the /accounts endpoint of the FastSpring API. The response would be a list of all orders associated with the customer account. For example, if the account ID is ABCDEF123456:
Then, call GET /orders once with all order IDs returned in response to GET /accounts, to find the products that the customer has previously ordered. For example, if GET /accounts returns the following three IDs in the orders array of the response:
Finally, you would parse the response to this GET /orders request, looking for previous orders with the same free trial subscription's product ID in the product field of each order's items array.
Handling Exploitation of Free Trial Periods
If a previous free trial subscription is found for the same customer, your script could be designed to automatically trigger a DELETE call to the /subscriptions endpoint of the FastSpring API. Your DELETE request would include the new subscription's ID and the parameter &billingPeriod=0. The new free trial subscription would thus be deactivated immediately. For example, if the new subscription's ID is OU8128675309:
By default, FastSpring sends a subscription deactivated email message to the customer upon deactivation of the subscription. However, you might also want your script to trigger a separate email message from your side, letting the customer know why you have canceled the subscription.
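As an added example (not FastSpring's own code), the following Python sketch implements the API-based check and the automatic deactivation described above, with the HTTP calls replaced by a constructed in-memory stand-in so it runs offline. The payload field names (`id`, `account`, `product`), the comma-separated `/orders/{ids}` request, the `order` and `items[].subscription` response fields and the product ID `free-trial` are assumptions; the check also skips the order that created the subscription being activated, since that order would itself match the trial product.

```python
from dataclasses import dataclass, field

@dataclass
class FakeFastSpringApi:
    # Constructed stand-in for the two calls the article describes; a real
    # script would make authenticated HTTPS requests and parse the JSON.
    accounts: dict  # account ID -> {"orders": [order IDs]}
    orders: dict    # order ID -> {"order": id, "items": [...]}
    deleted: list = field(default_factory=list)

    def get(self, path: str) -> dict:
        kind, key = path.split("/")[1:3]
        if kind == "accounts":
            return self.accounts[key]
        return {"orders": [self.orders[i] for i in key.split(",")]}

    def delete(self, path: str) -> None:
        self.deleted.append(path)

def prior_trial_orders(api, account_id, product_id, new_sub_id) -> list:
    """Earlier orders on the account containing product_id, excluding the
    order that created the subscription being activated right now."""
    order_ids = api.get(f"/accounts/{account_id}").get("orders", [])
    if not order_ids:
        return []
    hits = []
    for order in api.get(f"/orders/{','.join(order_ids)}")["orders"]:
        items = order.get("items", [])
        # Assumed: each item carries the ID of the subscription it created.
        if any(i.get("subscription") == new_sub_id for i in items):
            continue
        if any(i.get("product") == product_id for i in items):
            hits.append(order["order"])
    return hits

def handle_subscription_activated(api, event, trial_product_id) -> bool:
    """Webhook reaction: returns True if the duplicate trial was deactivated."""
    if event.get("product") != trial_product_id:
        return False
    sub_id, account_id = event["id"], event["account"]
    if not prior_trial_orders(api, account_id, trial_product_id, sub_id):
        return False
    api.delete(f"/subscriptions/{sub_id}?billingPeriod=0")
    return True

# Constructed scenario: ABCDEF123456 took the trial once (ORD-1) and is
# now activating a second one (ORD-2, subscription OU8128675309).
SAMPLE_API = FakeFastSpringApi(
    accounts={"ABCDEF123456": {"orders": ["ORD-1", "ORD-2"]}},
    orders={"ORD-1": {"order": "ORD-1", "items": [{"product": "free-trial", "subscription": "OU1"}]},
            "ORD-2": {"order": "ORD-2", "items": [{"product": "free-trial", "subscription": "OU8128675309"}]}},
)
SAMPLE_EVENT = {"id": "OU8128675309", "account": "ABCDEF123456", "product": "free-trial"}
```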