Add order locking to payment redirect processing (#4437)

* Add order locking to payment redirect processing

* Remove extra changes from linter

* Add comments

* Add readme and changelog entries

* Add unit test

* Move unlock to finally block

Co-authored-by: Malith Senaweera <[email protected]>

* Add logging for when we bail because order is locked

Co-authored-by: Diego Curbelo <[email protected]>

* Fix spacing

* Fix unit test

---------

Co-authored-by: Malith Senaweera <[email protected]>
Co-authored-by: Diego Curbelo <[email protected]>

Author: 3 people

changelog.txt

@@ -55,6 +55,7 @@
 * Fix - Add safety check when checking error object
 * Fix - Correctly handle countries without states when using the express payment methods
 * Update - Include extension data from block checkout when submitting an express checkout order
+* Fix - Add order locking when processing payment redirects, to mitigate cases of double status updates
 
 = 9.5.3 - 2025-06-23 =
 * Fix - Reimplement mapping of Express Checkout state values to align with WooCommerce's expected state formats

includes/payment-methods/class-wc-stripe-upe-payment-gateway.php

@@ -1616,13 +1616,21 @@ public function process_upe_redirect_payment( $order_id, $intent_id, $save_payme
 			return;
 		}
 
-		WC_Stripe_Logger::log( "Begin processing UPE redirect payment for order $order_id for the amount of {$order->get_total()}" );
-
 		try {
+			// First check if the order is already being processed by another request.
+			$locked = $this->lock_order_payment( $order );
+			if ( $locked ) {
+				WC_Stripe_Logger::log( "Skip processing UPE redirect payment for order $order_id for the amount of {$order->get_total()}, order payment is already being processed (locked)" );
+				return;
+			}
+
+			WC_Stripe_Logger::log( "Begin processing UPE redirect payment for order $order_id for the amount of {$order->get_total()}" );
+
 			$this->process_order_for_confirmed_intent( $order, $intent_id, $save_payment_method );
 		} catch ( Exception $e ) {
-			WC_Stripe_Logger::log( 'Error: ' . $e->getMessage() );
+			$this->unlock_order_payment( $order );
 
+			WC_Stripe_Logger::log( 'Error: ' . $e->getMessage() );
 			/* translators: localized exception message */
 			$order->update_status( OrderStatus::FAILED, sprintf( __( 'UPE payment failed: %s', 'woocommerce-gateway-stripe' ), $e->getMessage() ) );
 
@@ -1637,6 +1645,8 @@ public function process_upe_redirect_payment( $order_id, $intent_id, $save_payme
 			wp_safe_redirect( wp_sanitize_redirect( $redirect_url ) );
 
 			exit;
+		} finally {
+			$this->unlock_order_payment( $order );
 		}
 	}
 

readme.txt

@@ -166,5 +166,6 @@ If you get stuck, you can ask for help in the [Plugin Forum](https://wordpress.o
 * Fix - Add safety check when checking error object
 * Fix - Correctly handle countries without states when using the express payment methods
 * Update - Include extension data from block checkout when submitting an express checkout order
+* Fix - Add order locking when processing payment redirects, to mitigate cases of double status updates
 
 [See changelog for full details across versions](https://raw.githubusercontent.com/woocommerce/woocommerce-gateway-stripe/trunk/changelog.txt).

tests/phpunit/PaymentMethods/WC_Stripe_UPE_Payment_Gateway_Test.php

@@ -203,6 +203,8 @@ public function set_up() {
 					'has_pre_order',
 					'is_subscriptions_enabled',
 					'update_saved_payment_method',
+					'lock_order_payment',
+					'unlock_order_payment',
 				]
 			)
 			->getMock();
@@ -237,6 +239,11 @@ public function set_up() {
 			->will(
 				$this->returnValue( 'cus_mock' )
 			);
+		$this->mock_gateway->expects( $this->any() )
+			->method( 'unlock_order_payment' )
+			->will(
+				$this->returnValue( null )
+			);
 	}
 
 	public function tear_down() {
@@ -938,6 +945,11 @@ public function test_process_redirect_payment_returns_valid_response() {
 		$payment_intent_mock['payment_method']     = $payment_method_mock;
 		$payment_intent_mock['latest_charge']      = 'ch_mock';
 
+		$this->mock_gateway->expects( $this->any() )
+			->method( 'lock_order_payment' )
+			->will(
+				$this->returnValue( false )
+			);
 		$this->mock_gateway->expects( $this->once() )
 			->method( 'stripe_request' )
 			->with( "payment_intents/$payment_intent_id?expand[]=payment_method" )
@@ -1051,6 +1063,48 @@ public function test_process_redirect_payment_only_runs_once() {
 		$this->assertEquals( OrderStatus::FAILED, $final_order->get_status() );
 	}
 
+	/**
+	 * Test locking for process redirect payment.
+	 */
+	public function test_process_redirect_payment_locks_order() {
+		$payment_intent_id = 'pi_mock';
+		$payment_method_id = 'pm_mock';
+		$customer_id       = 'cus_mock';
+		$order             = WC_Helper_Order::create_order();
+		$order_id          = $order->get_id();
+
+		list( $amount, $description, $metadata ) = $this->get_order_details( $order );
+		$order->set_payment_method( WC_Stripe_UPE_Payment_Gateway::ID );
+		$order->save();
+
+		$payment_method_mock                     = self::MOCK_CARD_PAYMENT_METHOD_TEMPLATE;
+		$payment_method_mock['id']               = $payment_method_id;
+		$payment_method_mock['customer']         = $customer_id;
+		$payment_method_mock['card']['exp_year'] = intval( gmdate( 'Y' ) ) + 1;
+
+		$payment_intent_mock                       = self::MOCK_CARD_PAYMENT_INTENT_TEMPLATE;
+		$payment_intent_mock['id']                 = $payment_intent_id;
+		$payment_intent_mock['amount']             = $amount;
+		$payment_intent_mock['last_payment_error'] = [];
+		$payment_intent_mock['payment_method']     = $payment_method_mock;
+		$payment_intent_mock['latest_charge']      = 'ch_mock';
+
+		$this->mock_gateway->expects( $this->once() )
+			->method( 'lock_order_payment' )
+			->will(
+				$this->returnValue( true )
+			);
+		$this->mock_gateway->expects( $this->once() )
+			->method( 'unlock_order_payment' );
+
+		// Expect the process to bail early.
+		$this->mock_gateway->expects( $this->never() )
+			->method( 'stripe_request' )
+			->with( "payment_intents/$payment_intent_id?expand[]=payment_method" );
+
+		$this->mock_gateway->process_upe_redirect_payment( $order_id, $payment_intent_id, false );
+	}
+
 	/**
 	 * Test checkout flow with setup intents.
 	 */