Payments using the Express Checkout Element fail if card testing prevention is enabled

asumaran commented 5 months ago

Describe the bug

Originally reported by @ricardo in https://github.com/Automattic/woocommerce-payments/pull/8937#issuecomment-2161724831. A site with the Fraud Prevention Service enabled fails to checkout using the Express Checkout Element.

To Reproduce

In the WP folder of your local server run the following command to enable the card testing protection service:
```
wp wcpay set_account_meta 233401173 --key=card_testing_prevention_enabled --value=1
```
Go to "WCPay Dev" in the admin area of the merchant store.
Click "clear" to refresh the account data. Confirm card_testing_protection_eligible is set to true
Enable ECE by running the following command in the merchant's WP folder:
```
wp option update _wcpay_feature_stripe_ece 1
```
Attempt a purchase using Google Pay or Apple Pay.

Actual behavior

Error message is shown: "We're not able to process this payment. Please refresh the page and try again." on checking out using ECE.

Expected behavior

Payment should finish without issues and no error should be displayed.

vbelolapotkov commented 5 months ago

@dwainm although it's focused on checkout, I think it's a better fit for your team due to carding prevention involved. Could you please prioritize it and take a look?

asumaran commented 5 months ago

It would be ideal if we could confirm whether this is a legitimate issue or if it only occurs when using the local server.

dwainm commented 5 months ago

Sure @vbelolapotkov , we'll take a look at it.

tpaksu commented 5 months ago

@asumaran hey 👋 I think you forgot to send the card testing nonce in the checkout data to the server, which is added to the page when the card testing prevention is enabled, and checked by the server. That might be the cause of it. If you have capacity to solve it by looking to the previous code about how it was sent, feel free to own the issue, otherwise, you'd need to help us set up ECE on our locals :)

tpaksu commented 5 months ago

Also FYI, I added a setting to the WCPay dev tools plugin that mimics the card testing prevention flag as activated on the client. You can use that option to test this scenario too.

asumaran commented 5 months ago

@tpaksu I've noticed that the wcpay-fraud-prevention-token is defined on the cart and checkout pages, but it’s missing from the product page. When the token is present, the checkout process completes smoothly.

I'll address this for ECEs (and PRBs) as I'm currently handling it.

asumaran commented 5 months ago

The token isn't being added to the product page https://github.com/Automattic/woocommerce-payments/blob/261a1ec990b1fe84d512029c6e90995b6c790cf6/includes/fraud-prevention/class-fraud-prevention-service.php#L89-L93

asumaran commented 5 months ago

I'll submit the fix as part of https://github.com/Automattic/woocommerce-payments/pull/8987

tpaksu commented 5 months ago

Thanks for the confirmation, the digging, and finding the fix @asumaran! Let me know if you need anything.

asumaran commented 4 months ago

Just FYI: The wcpay-fraud-prevention-token token was also missing from the Pay for order page. I'm fixing it here

Automattic / woocommerce-payments