mollie / magento2

Mollie Payments for Magento 2
https://www.mollie.com

Return 200 OK on IDs not known in the system #555

Closed SalimAtMollie closed 1 year ago

SalimAtMollie commented 2 years ago

This PR touches code in the Webhook.

When the webhook is called with an ID which is not in the backend, it returns a 404 HTTP status code. This reveals that the ID of that transaction does not belong to the merchant. As stated in the Mollie docs:

"To not leak any information to malicious third parties, it is recommended to return a 200 OK response even if the ID is not known to your system."

Because of this, I have deleted the lines of code which return anything but a 200 OK response, and instead used the method getOkResponse() to return a 200 OK on transactions and orders which are not found in the backend. Checked a few other integrations and they seem to do this properly (always return 200 OK).

Scenario to test this code:

Once installed, call the webhook of the webshop with any transaction/order id. The webhook should return a 200 OK even if the transaction is not in the backend.

From Mollie TS <3
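As an added illustration (Python, not the extension's own PHP code), the leaky "before" handler beside the "after" behaviour this PR describes, plus a check that a handler answers a known and an unknown ID identically. The check compares the body as well as the status, since a different body would leak the same fact; the store, IDs and function names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample backend: the transaction IDs this merchant knows about.
KNOWN_TRANSACTIONS = {"tr_known_001": "pending", "tr_known_002": "pending"}


@dataclass(frozen=True)
class WebhookResponse:
    status: int
    body: str


def leaky_webhook(payload_id: str, store: dict) -> WebhookResponse:
    """'Before': an unknown ID gets 404, telling the caller the ID is not this merchant's."""
    if payload_id not in store:
        return WebhookResponse(404, "Transaction not found")
    store[payload_id] = "processed"  # stand-in for fetching the status and updating the order
    return WebhookResponse(200, "OK")


def hardened_webhook(payload_id: str, store: dict) -> WebhookResponse:
    """'After': known IDs are processed, unknown IDs are ignored, the answer is always 200 OK."""
    if payload_id in store:
        store[payload_id] = "processed"  # same stand-in as above
    # Nothing in the status or body depends on whether the ID was known.
    return WebhookResponse(200, "OK")


def responses_distinguishable(handler, store: dict, known_id: str, unknown_id: str) -> bool:
    """True if the handler's reply lets a caller tell a known ID from an unknown one."""
    known = handler(known_id, dict(store))      # copies so the check has no side effects
    unknown = handler(unknown_id, dict(store))
    return known != unknown


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_webhook), ("hardened", hardened_webhook)):
        leaks = responses_distinguishable(handler, KNOWN_TRANSACTIONS, "tr_known_001", "tr_unknown_999")
        print(f"{name}: {'leaks existence of IDs' if leaks else 'no difference observable'}")
```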