At a brief glance it seems they ensure idempotency w.r.t. possible errors/network failures, etc., not necessarily to multiple purchases done by the customer by mistake.
In that case I think some high velocity fraud filters should kick in (which they probably did). Indeed the purchase amount is very large, so you wouldn't really expect it to be a repeated high velocity buy. On the other hand Stripe can't really cover all possible edge cases all of the time.
You render a UUID into the browser form and send it along with the submission however you want (POST input, HTTP header, etc). Then the server both requires the UUID to be there and passes it along to Stripe.
Stripe will not allow an idempotent key to be reused w/i 24 hours.
You can use anything for the idempotent key and Stripe will actually track that along with the charge object so you can use something more meaningful if it's useful for your business.
edit: and if you generate a key that's more meaningful I'd be careful about leaking important/private data.
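The form-token flow described in the comment above, as an added sketch that is not part of the original thread and not Stripe's own code. `FakeGateway` and `CheckoutServer` are hypothetical stand-ins (the gateway's replay and parameter-mismatch behaviour is an assumption of the sketch), and the customer names and amounts are constructed. It also shows the limit raised elsewhere in the thread: a freshly rendered form gets a new key, so a second deliberate submission is charged again.

```python
import uuid

class FakeGateway:
    """Constructed stand-in for a payment API that honours idempotency keys."""
    def __init__(self):
        self._by_key = {}   # idempotency key -> (request params, charge)
        self.charges = []

    def charge(self, amount_cents, customer, idempotency_key):
        params = (amount_cents, customer)
        if idempotency_key in self._by_key:
            seen_params, charge = self._by_key[idempotency_key]
            if seen_params != params:
                raise ValueError("idempotency key reused with different parameters")
            return charge            # replay: original result, no new charge
        charge = {"id": f"ch_{len(self.charges) + 1}",
                  "amount": amount_cents, "customer": customer}
        self.charges.append(charge)
        self._by_key[idempotency_key] = (params, charge)
        return charge

class CheckoutServer:
    """Hypothetical server side: issues one token per rendered form."""
    def __init__(self, gateway):
        self.gateway = gateway
        self.issued = {}             # form token -> customer it was rendered for

    def render_form(self, customer):
        token = str(uuid.uuid4())    # random, so it carries no private data
        self.issued[token] = customer
        return token                 # would be embedded as a hidden form field

    def submit(self, customer, amount_cents, token):
        # Require the token and check it was issued to this customer.
        if not token or self.issued.get(token) != customer:
            raise PermissionError("missing or unknown form token")
        return self.gateway.charge(amount_cents, customer, idempotency_key=token)

def demo():
    gw = FakeGateway()
    srv = CheckoutServer(gw)
    t1 = srv.render_form("alice")
    first = srv.submit("alice", 500_000, t1)
    retry = srv.submit("alice", 500_000, t1)   # double click or network retry
    t2 = srv.render_form("alice")              # customer loads the form again
    second = srv.submit("alice", 500_000, t2)  # distinct purchase, new key
    return first["id"], retry["id"], second["id"], len(gw.charges)
```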
Yeah, but that should only prevent duplicates due to technical errors, but not duplicates because the person actually made a number of distinct purchases by mistake.