[PLUGINS-257: Sec-fetch header is checked to determine whether the re…

[aashishgurung]

1. Objective

Prevent customer to reach return_uri before success payment

Jira: #257

2. Description of change

Sec-fetch header is checked to determine whether the request is a user originated operation or not. Created a new helper class request for it. This can be used to add request related helper function in the future.

Reference

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site
• https://stackoverflow.com/questions/66115532/what-does-the-sec-fetch-site-header-mean-why-is-the-origin-header-undefined

HTTP_REFERER header was not present this time. We might need to change the implementation in Magento.

Reference

• https://stackoverflow.com/questions/5551094/http-referer-coming-back-with-null-key-does-not-exist-in-server

3. Quality assurance

• Setup to use manual capture
• Checkout with some items via Card.
• You will be redirected to the authorize page
  • Do nothing on authorize page. Open a new tab
• Go to the return URI http://{YOUR_BASE_PATH}/?wc-api=omise_callback&order_id={ORDER_ID}
• You should be redirected to the checkout page.
• Go to the authorize page and complete the transaction
• You should be redirected to the thank you page.

🔧 Environments:

• WooCommerce: v6.4.1
• WordPress: v5.9.3
• PHP version: 7.3.33
• Omise plugin version: Omise-WooCommerce 4.22.0

[tanawin-opn]

@aashishgurung ✅ works as expected krub. it's also blocked the second cart page (when it redirect from return_uri) to check out after the first checkout page is already done.