Double invoice for €0.00 gets created after webhook is called

[unreal4u]

Hello:

I've encountered a problem when a webhook event triggers from Stripe to the store. It occurs probably with all direct debit payment methods.

The following JSON is being sent by Stripe: (stripped out personal information)

{
  "id": "evt_XXXXXXXXXXXXXXXXXXXXXXXXXX",
  "object": "event",
  "api_version": "2019-02-19",
  "created": 1552580745,
  "data": {
    "object": {
      "id": "src_XXXXXXXXXXXXXXXXXXXXXXXXXX",
      "object": "source",
      "amount": 13699,
      "client_secret": "src_client_secret_XXXXXXXXXXXXXXXXXXXXXXXXXX",
      "created": 1552580664,
      "currency": "eur",
      "flow": "redirect",
      "ideal": {
        "bank": "rabobank",
        "bic": "RABONL2U",
        "iban_last4": "5264",
        "statement_descriptor": null
      },
      "livemode": false,
      "metadata": {
      },
      "owner": {
        "address": {
          "city": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
          "country": "NL",
          "line1": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
          "line2": null,
          "postal_code": null,
          "state": "XXXXXXXXXXXXXXXXXXXXXXXXXX"
        },
        "email": "XXXXXXXXXXXXXXXXXXXXXXXXXX@XXXXXXXXXXXXXXXXXXXXXXXXXX.nl",
        "name": "XXXXXXXXXXXXXXXXXXXXXXXXXX",
        "phone": null,
        "verified_address": null,
        "verified_email": null,
        "verified_name": "Jenny Rosen",
        "verified_phone": null
      },
      "redirect": {
        "failure_reason": null,
        "return_url": "https://XXXXXXXXXXXXXXXXXXXXXXXXXX.docksal/nl/stripe/ideal/returnurl",
        "status": "succeeded",
        "url": "https://hooks.stripe.com/redirect/authenticate/src_XXXXXXXXXXXXXXXXXXXXXXXXXX?client_secret=src_client_secret_XXXXXXXXXXXXXXXXXXXXXXXXXX"
      },
      "statement_descriptor": "Nederlands",
      "status": "chargeable",
      "type": "ideal",
      "usage": "single_use"
    }
  },
  "livemode": false,
  "pending_webhooks": 1,
  "request": {
    "id": null,
    "idempotency_key": null
  },
  "type": "source.chargeable"
}

Once this webhook comes in at Magento the following invoice is being created despite the fact that the invoice has been fully paid (through the actual returnUrl):

As far as I can see, the problem may reside in the following line: https://github.com/vphat28/stripe-module-core/blob/master/Model/Cron/Webhook.php#L404

Greetings.

[aadmathijssen]

One of the potential causes of this issue is due to a bug in the iDEAL module: https://github.com/vphat28/stripe-module-ideal/issues/3

However, even if that bug is fixed, there should still be a check in place whether the order can actually be invoiced.

See for instance the following Magento 2 payment modules:

• The TIG_Buckaroo module checks whether the order can actually be invoiced and does not already contain an invoice: https://github.com/tig-nl/buckaroo-magento2/blob/v1.9.1/Model/Push.php#L839
• The Mollie Payment module checks whether the order amount matches the actual amount that is paid: https://github.com/mollie/magento2/blob/v1.5.0/Model/Client/Payments.php#L208
• The Pay.nl Magento 2 module checks whether the total due of the order is a positive amount: https://github.com/paynl/magento2-plugin/blob/v1.4.10/Controller/Checkout/Exchange.php#L125

[vphat28]

should be fixed in new version, keep me posted

[aadmathijssen]

Hi,

I'm afraid this issue has not been fixed. One of the scenario's that lead to this issue has been fixed (see vphat28/stripe-module-ideal#3), but there is still a place where no checks are performed whether that the order is already invoiced.

In the source code, I can find three places in `\Stripeofficial\Core\Model\Cron\Webhookin where invoices are created:

• handleChargeCaptureEvent and handleChargeSuccessEvent: these methods have protection against multiple invoice creation by checking the stripe_captured additional information field on the payment object.
• handleSourceChargeable: this method has protection against multiple invoice creation by checking the base_charge_id additional information field on the payment object.

When triggering both handleSourceChargeable and one of the handleChargeCaptureEvent or handleChargeSuccessEvent methods, it is still possible to create duplicate invoices because these methods check different fields.

As an another example, you can also create a 0.00 invoice as follows:

1. In the frontend, place an order using iDEAL or Bancontact, but do not finish the payment (yet).
2. In the admin, go to the newly created order, click on "Invoice", choose "Not capture" en click on "Submit invoice".
3. In the frontend, finish the payment.
4. Processing of the Stripe webhook calls create a 0.00 invoice (while the original unpaid invoice is kept and stays unpaid).

Can you please reopen this issue?

Thanks.