dj-stripe VS YouTubeShop

If you don't want to use Pegasus or another paid product (presumably because of the cost), the packages I'd reach for are django-allauth for login/user stuff and dj-stripe for the Stripe integration. As for teams, there wasn't a library I was happy with so I rolled my own for Pegasus, but some people like django-tenants. It's too heavyweight for my taste as it requires a more complex dev/test/infrastructure setup with Postgres schemas, as opposed to having a single-database and handling multitenancy in the application layer. But there are pros and cons to both approaches.

dj-stripe, Django library for Stripe, released a long awaited version 2.7, which features full in-db management of webhook endpoints through the admin, multiple endpoints per install, and more.

I would also recommend using dj-stripe to help with syncing payment intents and setting foreign keys to the whole payment intent object since it also will handle updates via webhooks for you. https://github.com/dj-stripe/dj-stripe

Just gonna leave this here: dj-stripe

Add Stripe to your site via dj-stripe. That will help you manage customers and plans. I strongly recommend focusing on integrating Stripe Checkout, as you won't have to handle any cards or anything like that. Unfortunately, I did not yet write a guide about that :( And I haven't found a good one online that will go into details, step by step.

I make it a point to check the current status and state of issues and pull requests for djstripe before updating or modifying the surrounding codebase codebase for every project I have that uses the module itself.

Nice work. Why start from scratch, instead of building atop https://github.com/dj-stripe/dj-stripe?

Django 4.0 support has been added in the master-branch as stated in https://github.com/dj-stripe/dj-stripe/issues/1507 But… this has not been released to pypi yet.

You might also want to take a look at the dj-stripe library: https://github.com/dj-stripe/dj-stripe

It's a very significant increase indeed. The increase is (or was) large enough to entirely wipe out most adversaries and restructure the battlefield in ways very advantageous to those playing defense. At least, in the social web space. It's something of a secret weapon to those who know about it: because so many developers assume it can't work the companies that master it have a large competitive advantage.

Source: About a decade ago I created Google's main "device detection" platform, as this article calls it (not Picasso, the thing that executes Picasso). It's actually more like an automation detection platform, as it's not a fingerprinting or device tracker, it just tries to separate human operated from automated clients. These days I'm told there's a large-ish team that maintains it full time and has ported the concepts to other platforms like Android.

It started as a 20% project because at that time almost nobody at Google took the idea seriously. Fortunately, my manager was happy to support my experiments. People had the same common (but incorrect) intuition you're displaying here, that any sort of client integrity technique is so easy to work around it's hardly worth the bother. Actually even I believed this to a large extent, just less so than the others. This turned out to be wrong for some not entirely obvious reasons related to the structure of the spam industry:

1. Most spammers are either not programmers at all, or are extremely poor programmers compared to a typical tech firm employee. They can in fact be out-coded.

2. This is because spamming is usually not all that profitable, so programmers who get good can find better and steadier money in the white market. The ones who remain are typically those who live in places without any local software opportunities (e.g. developing countries).

3. Because of this mounting even a not very strong defense is sufficient to corral your adversaries into a shallow economic pyramid, in which a small number of "skilled" people produce tools and services they sell the others, who then run the individual campaigns. This means you are probably not fighting as many people as you think you are. Screwing with the supply chain is an excellent way to wreak havoc on spammers.

When we first deployed the system we spent several months tuning it in what was effectively a running battle with the major Google account sellers. We discovered that the sellers were in turn buying their account creation bots from other people, and some sellers were actually re-sellers. One of the sellers had been using a "raw" bot that didn't embed a browser engine, and thus was knocked out of the market for months as they waited for a new bot to be written from scratch. When that came online there were mistakes in its browser automation that we were able to detect. The developer of the bot couldn't de-obfuscate the JavaScript we used (too hard for them) so treated the platform as a black box, just trying random things in the hope it'd work. We could watch this evolution in real time and block new versions as they were released. After a few rounds of this the seller got sick of it and switched to a new bot supplier. This new bot also took months to complete, and when it arrived it had fixed the bug we were using to spot the first bot, but introduced new bugs the other didn't have, meaning even then it was detectable.

At that point the seller gave up, as presumably paying for the development of all these bots was quite expensive relative to the margins involved. This in turn nuked all the resellers that had been relying on that guy, and blew a hole in the entire Google-oriented spam ecosystem. Spammers had to start phone verifying accounts en-masse, and for most of them it just wasn't worth it (a few switched to using stolen accounts instead of creating them). I haven't been there for years so don't know what the current state of play is, but you do still see public threads crop up from time to time where spammers say they tried to beat the system and couldn't, like this one:

https://github.com/BitTheByte/YouTubeShop/issues/14

If you want some insights into the minds of the typical newbie spammer when faced with this system, try this search and flick through some of the results:

https://www.google.com/search?q=site%3Ablackhatworld.com+bot...