For my application (Angular in the frontend and NodeJS in the backend) I would like to offer several subscription models. I use Stripe to pay. When I initially took out a subscription everything worked great.
So far so good. But if the user now wants to change their subscription, the procedure confuses me. I implemented it like this:
const updatedSubscription = await stripe.subscriptions.update(subscription, {
items: [{
id: subscription.items.data[0].id,
price: newProductId,
}],
proration_behavior: 'always_invoice',
});
And everything seems to work. But why is it not necessary to create a new checkout so that the user confirms the new price on his payment method (card, PayPal...)? If this is not required, it would be possible to scam the user and charge 1000 euros?!
Once you have collected the customer payment information, although it's only the Stripe Id getting from Stripe API, you are responsible of any transactions making used of the saved card. It's called off-session transactions and is popular in the payment industry. Stripe has a guide section about saved payment details (look for the "compliance" paragraphs)
Now charging the Customer on the new Price is similar to using their saved card to initiate any transaction. That's technically not "scam" but "do what you and the customer earlier agreed on you are capable of". In step 2 when you show the customer the new price, make sure you collected their consent. That could help later if they dispute and you need to provide evidences to their issuer bank. Learn more about dispute here.