woocommerce / woocommerce-paypal-payments

https://wordpress.org/plugins/woocommerce-paypal-payments/
GNU General Public License v2.0

Orders being received without payment processing #2812

Open eugeniobonifacio opened 6 days ago

eugeniobonifacio commented 6 days ago

Describe the Bug

With PR #2523 the orders are being received without payment. The PR solves the fatal error resulting from unexpected responses, but it simply ignores them, while it should handle them correctly instead.

To Reproduce

When a customer saves the credit card for future payments, this results in an unhandled flow in \WooCommerce\PayPalCommerce\WcGateway\Gateway\CreditCardGateway::process_payment that leads to the issue I'm experiencing.

When these customers place a new order, the following happens via API:

  1. A payment token request for the customer is done and matched with the local ones for him.
  2. The payment order is created with a 200 OK response, instead of 201 Created
  3. The relative response body is the following:
{
  "id": "[**OBFUSCATED**]",
  "status": "PAYER_ACTION_REQUIRED",
  "payment_source": {
    "card": {
      "last_digits": "xxxxxx",
      "expiry": "xxxxxx",
      "brand": "xxxxxx",
      "available_networks": [
        "VISA"
      ],
      "type": "xxxxxx",
      "bin_details": {
        "bin": "xxxxxx",
        "bin_country_code": "AT",
        "products": [
          "CORPORATE"
        ]
      }
    }
  },
  "purchase_units": [
    {
      "reference_id": "default"
    }
  ],
  "links": [
    {
      "href": "https://api.paypal.com/v2/checkout/orders/[**OBFUSCATED**]",
      "rel": "self",
      "method": "GET"
    },
    {
      "href": "https://www.paypal.com/webapps/helios?action=verify&flow=3ds&cart_id=[**OBFUSCATED**]",
      "rel": "payer-action",
      "method": "GET"
    }
  ]
}

Before PR #2523 this response produced a fatal error because of a null call exception; now it is simply ignored. Doing so, the processing goes on and produces an order being received but without being paid and also without any notification to the merchant.

The response should be handled with a redirect to the payer-action reported in the "links" section.

Expected Behavior

The processing should continue, redirecting the customer to the 3DS verification process (the "payer-action" href inside the response body).

Actual Behavior

The order is received, no payment is done and no notifications are sent to the merchant. The (wrong) order placement is never notified and the merchant cannot be aware of the issue.

Environment

eugeniobonifacio commented 20 hours ago

Just a clarification: the order is only shown as received in the customer’s checkout final step view. It is not actually completed; in fact, it appears as cancelled in the orders list.
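
The handling requested in this issue, sketched as an added example; it is not the plugin's code and not from any participant in this thread. The function names, the rule that only `COMPLETED` counts as paid, and the `paypal.com` host allow-list are assumptions, and the sample response is constructed from the shape quoted above (PHP 8 or later):

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper, not part of the plugin: map a decoded PayPal order
 * response to a checkout outcome. Anything that is neither a confirmed
 * payment nor a valid payer-action redirect is a failure (fail closed).
 */
function decide_checkout_result(array $order): array
{
    $status = is_string($order['status'] ?? null) ? $order['status'] : '';

    if ($status === 'COMPLETED') { // assumption: only this status counts as paid
        return ['result' => 'paid'];
    }

    if ($status === 'PAYER_ACTION_REQUIRED') {
        foreach ((array) ($order['links'] ?? []) as $link) {
            if (!is_array($link) || ($link['rel'] ?? '') !== 'payer-action') {
                continue;
            }
            $href = is_string($link['href'] ?? null) ? $link['href'] : '';
            if (is_trusted_paypal_url($href)) {
                return ['result' => 'redirect', 'redirect' => $href];
            }
        }
        return ['result' => 'failure', 'reason' => 'no usable payer-action link'];
    }

    return ['result' => 'failure', 'reason' => 'unexpected status: ' . ($status ?: '(missing)')];
}

/** Assumed allow-list: https only, host paypal.com or one of its subdomains. */
function is_trusted_paypal_url(string $url): bool
{
    $parts = parse_url($url);
    if (!is_array($parts) || ($parts['scheme'] ?? '') !== 'https') {
        return false;
    }
    $host = strtolower($parts['host'] ?? '');
    return $host === 'paypal.com' || str_ends_with($host, '.paypal.com');
}

// Constructed sample, trimmed from the response shape quoted in the issue.
$sample = json_decode('{"id":"ORDER-ID-PLACEHOLDER","status":"PAYER_ACTION_REQUIRED","links":[
  {"href":"https://api.paypal.com/v2/checkout/orders/ORDER-ID-PLACEHOLDER","rel":"self","method":"GET"},
  {"href":"https://www.paypal.com/webapps/helios?action=verify&flow=3ds&cart_id=CART-ID-PLACEHOLDER","rel":"payer-action","method":"GET"}]}', true);

var_dump(decide_checkout_result($sample));                                   // redirect outcome
var_dump(decide_checkout_result(['status' => 'PAYER_ACTION_REQUIRED']));     // failure: no link
```

A caller would show the thank-you page only for the `paid` outcome, send the customer to the returned URL for `redirect`, and surface an error plus a merchant-visible log entry for `failure`.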