Avoid processing webhooks meant for different sites (#11010)

Author: RadoslavGeorgiev

changelog/woopmnt-5262-payments-transactions-report-link-to-order-id-if-order

@@ -0,0 +1,4 @@
+Significance: minor
+Type: fix
+
+Ignore webhooks whenever the order key in their body does not match the local order.

includes/class-wc-payments-webhook-processing-service.php

@@ -722,6 +722,7 @@ private function get_order_from_event_body( $event_body ) {
 		$event_data   = $this->read_webhook_property( $event_body, 'data' );
 		$event_object = $this->read_webhook_property( $event_data, 'object' );
 		$intent_id    = $this->read_webhook_property( $event_object, 'id' );
+		$order_key    = $this->read_webhook_property( $event_object, 'metadata' )['order_key'] ?? null;
 
 		// Look up the order related to this intent.
 		$order = $this->wcpay_db->order_from_intent_id( $intent_id );
@@ -746,6 +747,24 @@ private function get_order_from_event_body( $event_body ) {
 			}
 		}
 
+		/**
+		 * If the order has been found, but there is an order key mismatch, it
+		 * could be caused by another site creating orders with the same IDs
+		 * while this site remains the primary webhook receiver.
+		 */
+		if ( null !== $order_key && $order instanceof WC_Order && $order->get_order_key() !== $order_key ) {
+			Logger::debug(
+				'Mismatching order key found while retrieving an order for webhook processing',
+				[
+					'intent_id'         => $intent_id,
+					'order_id'          => $order->get_id(),
+					'webhook_order_key' => $order_key,
+					'local_order_key'   => $order->get_order_key(),
+				]
+			);
+			return null;
+		}
+
 		if ( ! $order instanceof \WC_Order ) {
 			throw new Invalid_Payment_Method_Exception(
 				sprintf(

includes/wc-payment-api/class-wc-payments-api-client.php

@@ -2289,7 +2289,7 @@ public function deserialize_payment_intention_object_from_array( array $intentio
 		$payment_method_options = $intention_array['payment_method_options'] ?? [];
 
 		$charge = ! empty( $charge_array ) ? self::deserialize_charge_object_from_array( $charge_array ) : null;
-		$order  = $this->get_order_info_from_intention_object( $intention_array['id'] );
+		$order  = $this->get_order_info_from_intention_object( $intention_array['id'], $intention_array['metadata']['order_key'] ?? null );
 
 		$intent = new WC_Payments_API_Payment_Intention(
 			$intention_array['id'],
@@ -2756,13 +2756,16 @@ private function maybe_act_on_fraud_prevention( string $error_code ) {
 	 * Adds additional info to intention object.
 	 *
 	 * @param string $intention_id Intention ID.
-	 *
+	 * @param string $order_key    Order key.
 	 * @return array
 	 */
-	private function get_order_info_from_intention_object( $intention_id ) {
-		$order  = $this->wcpay_db->order_from_intent_id( $intention_id );
-		$object = $this->add_order_info_to_object( $order, [] );
+	private function get_order_info_from_intention_object( $intention_id, $order_key = null ) {
+		$order = $this->wcpay_db->order_from_intent_id( $intention_id );
+		if ( $order instanceof WC_Order && null !== $order_key && $order_key !== $order->get_order_key() ) {
+			return [];
+		}
 
+		$object = $this->add_order_info_to_object( $order, [] );
 		return $object['order'];
 	}
 

tests/unit/test-class-wc-payments-webhook-processing-service.php

@@ -748,6 +748,46 @@ public function test_payment_intent_successful_and_completes_order() {
 		$this->webhook_processing_service->process( $this->event_body );
 	}
 
+	/**
+	 * Tests that a payment_intent.succeeded event will ignore the order due to key mismatch.
+	 */
+	public function test_payment_intent_successful_ignores_order_due_to_key_mismatch() {
+		$this->event_body['type']           = 'payment_intent.succeeded';
+		$this->event_body['livemode']       = true;
+		$this->event_body['data']['object'] = [
+			'id'       => 'pi_123123123123123', // payment_intent's ID.
+			'amount'   => 1500,
+			'charges'  => [
+				'data' => [
+					[
+						'id' => 'py_123123123123123',
+					],
+				],
+			],
+			'currency' => 'eur',
+			'metadata' => [
+				'order_key' => 'abcd',
+			],
+		];
+
+		$this->mock_order->expects( $this->any() )
+			->method( 'get_order_key' )
+			->willReturn( 'xyz' );
+
+		$this->mock_order->expects( $this->never() )->method( 'update_meta_data' );
+		$this->mock_order->expects( $this->never() )->method( 'save' );
+		$this->mock_order->expects( $this->never() )->method( 'payment_complete' );
+
+		$this->mock_db_wrapper
+			->expects( $this->once() )
+			->method( 'order_from_intent_id' )
+			->with( 'pi_123123123123123' )
+			->willReturn( $this->mock_order );
+
+		// Run the test.
+		$this->webhook_processing_service->process( $this->event_body );
+	}
+
 	/**
 	 * Tests that a payment_intent.succeeded event will add relevant metadata.
 	 */
@@ -1275,6 +1315,7 @@ public function test_payment_intent_fails_and_fails_order() {
 					],
 				],
 			],
+			'metadata'           => [],
 			'last_payment_error' => [
 				'message'        => 'error message',
 				'payment_method' => [
@@ -1345,6 +1386,7 @@ public function test_payment_intent_without_charges_fails_and_fails_order() {
 			'object'             => 'payment_intent',
 			'amount'             => 1500,
 			'charges'            => [],
+			'metadata'           => [],
 			'last_payment_error' => [
 				'code'           => 'card_declined',
 				'decline_code'   => 'debit_notification_undelivered',
@@ -1988,6 +2030,7 @@ public function test_payment_intent_failed_handles_terminal_payment() {
 							],
 						],
 					],
+					'metadata'           => [],
 					'last_payment_error' => [
 						'message'        => 'Card declined',
 						'payment_method' => [