When the webhook is called with an ID which is not in the backend, it returns a 409 HTTP status code. This reveals that the ID of that transaction does not belong to the merchant. As stated in the Mollie docs:
"To not leak any information to malicious third parties, it is recommended to return a 200 OK response even if the ID is not known to your system."
Because of this, I have deleted the lines of code which change the response code to a 409 HTTP response when the order id did not match any order id in the backend. Checked a few other integrations and they seem to do this properly (always return 200 OK).
Scenario to test this code:
Once installed, call the webhook of the webshop with any transaction/order id. The webhook should return a 200 OK even if the transaction is not in the backend.
This PR touches code in the Webhook.
<3 From Mollie TS
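An added example (not code from the integration this PR modifies, nor from Mollie) that models the webhook endpoint as a plain function so the behaviour before and after the change can be compared offline. The `id` form field is the one Mollie posts to webhooks; the order store, function names and sample ids are constructed for the illustration.

```python
"""Added example, not the project's own webhook code.

Models a Mollie-style webhook handler as a plain function returning an HTTP
status code. The `id` form field is the one Mollie posts to a webhook; the
order store, sample ids and function names below are constructed.
"""
from urllib.parse import parse_qs

# Constructed sample of the merchant's backend: the order ids the shop knows.
KNOWN_ORDER_IDS = {"ord_known_1", "ord_known_2"}


def order_id_from_body(body: str) -> str:
    """Extract the `id` field from the urlencoded webhook body ('' if absent)."""
    return parse_qs(body).get("id", [""])[0]


def webhook_before(body: str, known_ids=KNOWN_ORDER_IDS) -> int:
    """Behaviour the PR removes: 409 when the id is not in the backend.

    The status code differs depending on whether the merchant owns the id,
    so the response itself tells the caller which ids belong to the shop.
    """
    order_id = order_id_from_body(body)
    if order_id not in known_ids:
        return 409  # leaks that this id does not belong to the merchant
    # ... process the status update for the known order ...
    return 200


def webhook_after(body: str, known_ids=KNOWN_ORDER_IDS) -> int:
    """Behaviour after the PR: 200 OK whether or not the id is known."""
    order_id = order_id_from_body(body)
    if order_id in known_ids:
        pass  # ... process the status update for the known order ...
    # Unknown id: ignore it (log internally for monitoring if wanted) but
    # still answer 200 so the response does not reveal id ownership.
    return 200


def response_reveals_ownership(handler, known_ids=KNOWN_ORDER_IDS) -> bool:
    """Check used to verify the fix: does the status code differ between a
    known and an unknown id? True means the endpoint leaks ownership."""
    known = handler("id=ord_known_1", known_ids)
    unknown = handler("id=ord_not_ours", known_ids)
    return known != unknown


if __name__ == "__main__":
    print("before:", webhook_before("id=ord_not_ours"),
          "leaks:", response_reveals_ownership(webhook_before))
    print("after: ", webhook_after("id=ord_not_ours"),
          "leaks:", response_reveals_ownership(webhook_after))
```

`response_reveals_ownership` is the test scenario from the PR expressed as code: run it against the handler and it should report `False` once unknown ids also get a 200 OK.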