Closed: charlesLF closed this 5 years ago
This looks great to me! Please feel free to raise a PR. This is something I had on my roadmap to figure out, so thanks for taking care of it. Wasn't sure how to persist the token, but using order metadata makes a lot of sense.
Do you think you'll have a chance to run a local WooCommerce and double check this works as expected? I'll also run some tests myself.
@bluepnume: Did you get the chance to test it?
I don't hold any XRB, so I can't really do any test payments on my local WooCommerce. Does BrainBlocks have a "sandbox" mode?
I finally got a chance to try this out, but I can't seem to get it to work with duplicate tokens.
@charlesLF what's your XRB address? I'll send you some so you're able to try it out locally.
Hey guys.
I think @charlesLF is correct here and a check should be made to make sure the token isn't reused. I was able to verify unpaid orders in my OpenCart plugin without this check. I now make sure to check for re-use when attempting to verify an order: https://github.com/brainblocks/brainblocks-opencart/blob/master/upload/catalog/controller/extension/payment/brainblocks.php#L187-L197
This has been addressed in V1.4. Thank you!
I don't see a check against token re-use in the current code.
A client could (theoretically) capture the token from their first successful order and re-run the same order multiple times by sending a previously captured token.
This branch is an attempt to fix this by saving the brainblocks token as a custom meta, and checking that it is unique before processing any order.
https://github.com/charlesLF/woocommerce-brainblocks/tree/token-reuse
Note: I don't currently have a working installation of WooCommerce, so the code remains untested.
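
The check discussed in this issue (record the token against the order and refuse any token that is already recorded), as an added PHP example that is not part of the thread or of the plugin's code. It goes one step beyond the thread by putting a UNIQUE constraint on the token so that the check and the record happen atomically; the table, the function names, the sample tokens and the `$verify` stand-in for the payment provider's verification call are all assumptions.

```php
<?php
// Added illustration: replay-safe handling of a payment token, independent of
// WooCommerce. Table and function names are hypothetical; data is constructed.

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // UNIQUE(token) makes "is it new?" and "record it" one atomic step, so two
    // concurrent requests carrying the same token cannot both succeed.
    $db->exec('CREATE TABLE used_tokens (
        token      TEXT    NOT NULL UNIQUE,
        order_id   INTEGER NOT NULL,
        claimed_at TEXT    NOT NULL DEFAULT CURRENT_TIMESTAMP
    )');
    return $db;
}

// Returns true only for the single call that binds $token to an order.
function claim_token(PDO $db, string $token, int $orderId): bool {
    if ($token === '') {
        return false; // a missing token never counts as proof of payment
    }
    $stmt = $db->prepare(
        'INSERT OR IGNORE INTO used_tokens (token, order_id) VALUES (?, ?)'
    );
    $stmt->execute([$token, $orderId]);
    return $stmt->rowCount() === 1; // 0 rows inserted means the token was seen before
}

function process_order(PDO $db, int $orderId, string $token, callable $verify): string {
    // Verify with the provider first, so a transient failure does not burn the token.
    if (!$verify($token)) {
        return "order $orderId rejected: payment not verified";
    }
    // Then claim it; a replayed token verifies fine but fails here.
    if (!claim_token($db, $token, $orderId)) {
        return "order $orderId rejected: token already used";
    }
    return "order $orderId paid";
}

$db = open_store();
// Stand-in for the provider's verification call (assumption): one valid token.
$verify = fn(string $t): bool => $t === 'tok_constructed_1';

echo process_order($db, 101, 'tok_constructed_1', $verify), "\n"; // first use
echo process_order($db, 102, 'tok_constructed_1', $verify), "\n"; // replayed token
echo process_order($db, 103, 'tok_constructed_2', $verify), "\n"; // unknown token
```

A lookup followed by a separate write leaves a window in which two simultaneous requests can both pass the lookup; the constraint closes that window regardless of where the token is stored.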