Improve checks in non-deferred-intent flow

Author: diegocurbelo

includes/class-wc-stripe-helper.php

@@ -1896,4 +1896,91 @@ public static function has_gateway_plugin_active( $plugin_id ) {
 		}
 		return false;
 	}
+
+	/**
+	 * Checks if the given payment intent is valid for the order.
+	 * This checks the currency, amount, and payment method types.
+	 * The function will log a critical error if there is a mismatch.
+	 *
+	 * @param WC_Order      $order                 The order to check.
+	 * @param object|string $intent                The payment intent to check, can either be an object or an intent ID.
+	 * @param string|null   $selected_payment_type The selected payment type, which is generally applicable for updates. If null, we will use the stored payment type for the order.
+	 *
+	 * @throws Exception Throws an exception if the intent is not valid for the order.
+	 */
+	public static function validate_intent_for_order( $order, $intent, ?string $selected_payment_type = null ): void {
+		$intent_id = null;
+		if ( is_string( $intent ) ) {
+			$intent_id = $intent;
+			$is_setup_intent = substr( $intent_id, 0, 4 ) === 'seti';
+			if ( $is_setup_intent ) {
+				$intent = WC_Stripe_API::retrieve( 'setup_intents/' . $intent_id . '?expand[]=payment_method' );
+			} else {
+				$intent = WC_Stripe_API::retrieve( 'payment_intents/' . $intent_id . '?expand[]=payment_method' );
+			}
+		}
+
+		if ( ! is_object( $intent ) ) {
+			throw new Exception( __( "We're not able to process this request. Please try again later.", 'woocommerce-gateway-stripe' ) );
+		}
+
+		if ( null === $intent_id ) {
+			$intent_id = $intent->id ?? null;
+		}
+
+		// Make sure we actually fetched the intent.
+		if ( ! empty( $intent->error ) ) {
+			WC_Stripe_Logger::error(
+				'Error: failed to fetch requested Stripe intent',
+				[
+					'intent_id' => $intent_id,
+					'error'     => $intent->error,
+				]
+			);
+			throw new Exception( __( "We're not able to process this request. Please try again later.", 'woocommerce-gateway-stripe' ) );
+		}
+
+		if ( null === $selected_payment_type ) {
+			$selected_payment_type = $order->get_meta( '_stripe_upe_payment_type', true );
+		}
+
+		// If we don't have a selected payment type, that implies we have no stored value and a new payment type is permitted.
+		$is_valid_payment_type = empty( $selected_payment_type ) || ( ! empty( $intent->payment_method_types ) && in_array( $selected_payment_type, $intent->payment_method_types, true ) );
+		$order_currency        = strtolower( $order->get_currency() );
+		$order_amount          = WC_Stripe_Helper::get_stripe_amount( $order->get_total(), $order->get_currency() );
+		$order_intent_id       = self::get_intent_id_from_order( $order );
+
+		if ( 'payment_intent' === $intent->object ) {
+			$is_valid = $order_currency === $intent->currency
+				&& $is_valid_payment_type
+				&& $order_amount === $intent->amount
+				&& ( ! $order_intent_id || $order_intent_id === $intent->id );
+		} else {
+			// Setup intents don't have an amount or currency.
+			$is_valid = $is_valid_payment_type
+				&& ( ! $order_intent_id || $order_intent_id === $intent->id );
+		}
+
+		// Return early if we have a valid intent.
+		if ( $is_valid ) {
+			return;
+		}
+
+		$permitted_payment_types = implode( '/', $intent->payment_method_types );
+		WC_Stripe_Logger::critical(
+			"Error: Invalid payment intent for order. Intent: {$intent->currency} {$intent->amount} via {$permitted_payment_types}, Order: {$order_currency} {$order_amount} {$selected_payment_type}",
+			[
+				'order_id'                    => $order->get_id(),
+				'intent_id'                   => $intent->id,
+				'intent_currency'             => $intent->currency,
+				'intent_amount'               => $intent->amount,
+				'intent_payment_method_types' => $intent->payment_method_types,
+				'selected_payment_type'       => $selected_payment_type,
+				'order_currency'              => $order->get_currency(),
+				'order_total'                 => $order->get_total(),
+			]
+		);
+
+		throw new Exception( __( "We're not able to process this request. Please try again later.", 'woocommerce-gateway-stripe' ) );
+	}
 }

includes/class-wc-stripe-intent-controller.php

@@ -414,7 +414,20 @@ public function update_payment_intent_ajax() {
 				throw new Exception( __( 'Unable to verify your request. Please reload the page and try again.', 'woocommerce-gateway-stripe' ) );
 			}
 
-			wp_send_json_success( $this->update_intent( $payment_intent_id, $order_id, $save_payment_method, $selected_upe_payment_type ), 200 );
+			$update_intent_result = $this->update_intent( $payment_intent_id, $order_id, $save_payment_method, $selected_upe_payment_type );
+
+			if ( ! ( $update_intent_result['success'] ?? false ) ) {
+				$error_message = $update_intent_result['error'] ?? __( "We're not able to process this request. Please try again later.", 'woocommerce-gateway-stripe' );
+				wp_send_json_error(
+					[
+						'error' => [
+							'message' => $error_message,
+						],
+					]
+				);
+			} else {
+				wp_send_json_success( $update_intent_result, 200 );
+			}
 		} catch ( Exception $e ) {
 			// Send back error so it can be displayed to the customer.
 			wp_send_json_error(
@@ -433,10 +446,10 @@ public function update_payment_intent_ajax() {
 	 * @since 5.6.0
 	 * @version 9.4.0
 	 *
-	 * @param {string}  $intent_id                 The id of the payment intent or setup intent to update.
-	 * @param {int}     $order_id                  The id of the order if intent created from Order.
-	 * @param {boolean} $save_payment_method       True if saving the payment method.
-	 * @param {string}  $selected_upe_payment_type The name of the selected UPE payment type or empty string.
+	 * @param string  $intent_id                 The id of the payment intent or setup intent to update.
+	 * @param int     $order_id                  The id of the order if intent created from Order.
+	 * @param boolean $save_payment_method       True if saving the payment method.
+	 * @param string  $selected_upe_payment_type The name of the selected UPE payment type or empty string.
 	 *
 	 * @throws Exception  If the update intent call returns with an error.
 	 * @return array|null An array with result of the update, or nothing
@@ -445,9 +458,15 @@ public function update_intent( $intent_id = '', $order_id = null, $save_payment_
 		$order = wc_get_order( $order_id );
 
 		if ( ! is_a( $order, 'WC_Order' ) ) {
-			return;
+			return [
+				'success' => false,
+				'error'   => __( 'Unable to find a matching order.', 'woocommerce-gateway-stripe' ),
+			];
 		}
 
+		$selected_payment_type = '' !== $selected_upe_payment_type && is_string( $selected_upe_payment_type ) ? $selected_upe_payment_type : null;
+		WC_Stripe_Helper::validate_intent_for_order( $order, $intent_id, $selected_payment_type );
+
 		$gateway  = $this->get_upe_gateway();
 		$amount   = $order->get_total();
 		$currency = $order->get_currency();
@@ -497,13 +516,42 @@ public function update_intent( $intent_id = '', $order_id = null, $save_payment_
 
 			// Use "setup_intents" endpoint if `$intent_id` starts with `seti_`.
 			$endpoint = $is_setup_intent ? 'setup_intents' : 'payment_intents';
-			WC_Stripe_API::request_with_level3_data(
+			$result = WC_Stripe_API::request_with_level3_data(
 				$request,
 				"{$endpoint}/{$intent_id}",
 				$level3_data,
 				$order
 			);
 
+			if ( ! empty( $result->error ) ) {
+				if ( 'payment_intent_unexpected_state' === $result->error->code ) {
+					WC_Stripe_Logger::critical(
+						'Error: Failed to update intent due to invalid operation',
+						[
+							'intent_id'   => $intent_id,
+							'order_id'    => $order_id,
+							'error'       => $result->error,
+						]
+					);
+
+					throw new Exception( __( "We're not able to process this request. Please try again later.", 'woocommerce-gateway-stripe' ) );
+				}
+
+				WC_Stripe_Logger::error(
+					'Error: Failed to update Stripe intent',
+					[
+						'intent_id' => $intent_id,
+						'order_id'  => $order_id,
+						'error'     => $result->error,
+					]
+				);
+
+				return [
+					'success' => false,
+					'error'   => $result->error->message,
+				];
+			}
+
 			// Prevent any failures if updating the status of a subscription order.
 			if ( ! $gateway->has_subscription( $order_id ) ) {
 				$order->update_status( OrderStatus::PENDING, __( 'Awaiting payment.', 'woocommerce-gateway-stripe' ) );

includes/payment-methods/class-wc-stripe-upe-payment-gateway.php

@@ -835,7 +835,11 @@ public function process_payment( $order_id, $retry = true, $force_save_source =
 		if ( $payment_intent_id && ! $this->payment_methods[ $selected_payment_type ]->supports_deferred_intent() ) {
 			// Adds customer and metadata to PaymentIntent.
 			// These parameters cannot be added upon updating the intent via the `/confirm` API.
-			$this->intent_controller->update_intent( $payment_intent_id, $order_id, $save_payment_method, $selected_payment_type );
+			try {
+				$this->intent_controller->update_intent( $payment_intent_id, $order_id, $save_payment_method, $selected_payment_type );
+			} catch ( Exception $update_intent_exception ) {
+				throw new Exception( __( "We're not able to process this payment. Please try again later.", 'woocommerce-gateway-stripe' ) );
+			}
 		}
 
 		// Flag for using a deferred intent. To be removed.
@@ -1658,6 +1662,13 @@ public function process_order_for_confirmed_intent( $order, $intent_id, $save_pa
 			throw new WC_Stripe_Exception( __( "We're not able to process this payment. Please try again later.", 'woocommerce-gateway-stripe' ) );
 		}
 
+		// Validates the intent can be applied to the order.
+		try {
+			WC_Stripe_Helper::validate_intent_for_order( $order, $intent );
+		} catch ( Exception $e ) {
+			throw new Exception( __( "We're not able to process this payment. Please try again later.", 'woocommerce-gateway-stripe' ) );
+		}
+
 		list( $payment_method_type, $payment_method_details ) = $this->get_payment_method_data_from_intent( $intent );
 
 		if ( ! isset( $this->payment_methods[ $payment_method_type ] ) ) {

tests/phpunit/PaymentMethods/WC_Stripe_UPE_Payment_Gateway_Test.php

@@ -125,6 +125,10 @@ class WC_Stripe_UPE_Payment_Gateway_Test extends WC_Mock_Stripe_API_Unit_Test_Ca
 				],
 			],
 		],
+		'payment_method_types' => [
+			WC_Stripe_Payment_Methods::CARD,
+			WC_Stripe_Payment_Methods::LINK,
+		],
 	];
 
 	/**
@@ -299,7 +303,7 @@ private function get_order_details( $order ) {
 			'signature'      => sprintf( '%d:%s', $order->get_id(), md5( implode( '-', [ absint( $order->get_id() ), $order->get_order_key(), $order->get_customer_id(), $amount ] ) ) ),
 			'tax_amount'     => WC_Stripe_Helper::get_stripe_amount( $total_tax, strtolower( $currency ) ),
 		];
-		return [ $amount, $description, $metadata ];
+		return [ $amount, $description, $metadata, strtolower( $currency ) ];
 	}
 
 	/**
@@ -931,7 +935,7 @@ public function test_process_redirect_payment_returns_valid_response() {
 		$order             = WC_Helper_Order::create_order();
 		$order_id          = $order->get_id();
 
-		list( $amount, $description, $metadata ) = $this->get_order_details( $order );
+		list( $amount, $description, $metadata, $currency ) = $this->get_order_details( $order );
 		$order->set_payment_method( WC_Stripe_UPE_Payment_Gateway::ID );
 		$order->save();
 
@@ -943,6 +947,7 @@ public function test_process_redirect_payment_returns_valid_response() {
 		$payment_intent_mock                       = self::MOCK_CARD_PAYMENT_INTENT_TEMPLATE;
 		$payment_intent_mock['id']                 = $payment_intent_id;
 		$payment_intent_mock['amount']             = $amount;
+		$payment_intent_mock['currency']           = $currency;
 		$payment_intent_mock['last_payment_error'] = [];
 		$payment_intent_mock['payment_method']     = $payment_method_mock;
 		$payment_intent_mock['latest_charge']      = 'ch_mock';
@@ -999,7 +1004,7 @@ public function test_process_redirect_payment_only_runs_once() {
 		$order             = WC_Helper_Order::create_order();
 		$order_id          = $order->get_id();
 
-		list( $amount, $description, $metadata ) = $this->get_order_details( $order );
+		list( $amount, $description, $metadata, $currency ) = $this->get_order_details( $order );
 		$order->set_payment_method( WC_Stripe_UPE_Payment_Gateway::ID );
 		$order->save();
 
@@ -1011,6 +1016,7 @@ public function test_process_redirect_payment_only_runs_once() {
 		$payment_intent_mock                       = self::MOCK_CARD_PAYMENT_INTENT_TEMPLATE;
 		$payment_intent_mock['id']                 = $payment_intent_id;
 		$payment_intent_mock['amount']             = $amount;
+		$payment_intent_mock['currency']           = $currency;
 		$payment_intent_mock['last_payment_error'] = [];
 		$payment_intent_mock['payment_method']     = $payment_method_mock;
 		$payment_intent_mock['latest_charge']      = 'ch_mock';
@@ -1166,7 +1172,7 @@ public function test_checkout_saves_payment_method_to_order() {
 		$order             = WC_Helper_Order::create_order();
 		$order_id          = $order->get_id();
 
-		list( $amount, $description, $metadata ) = $this->get_order_details( $order );
+		list( $amount, $description, $metadata, $currency ) = $this->get_order_details( $order );
 		$order->set_payment_method( WC_Stripe_UPE_Payment_Gateway::ID );
 		$order->save();
 
@@ -1178,6 +1184,7 @@ public function test_checkout_saves_payment_method_to_order() {
 		$payment_intent_mock                       = self::MOCK_CARD_PAYMENT_INTENT_TEMPLATE;
 		$payment_intent_mock['id']                 = $payment_intent_id;
 		$payment_intent_mock['amount']             = $amount;
+		$payment_intent_mock['currency']           = $currency;
 		$payment_intent_mock['last_payment_error'] = [];
 		$payment_intent_mock['payment_method']     = $payment_method_mock;
 		$payment_intent_mock['latest_charge']      = 'ch_mock';
@@ -1229,7 +1236,7 @@ public function test_checkout_saves_sepa_generated_payment_method_to_order() {
 		$order                       = WC_Helper_Order::create_order();
 		$order_id                    = $order->get_id();
 
-		list( $amount, $description, $metadata ) = $this->get_order_details( $order );
+		list( $amount, $description, $metadata, $currency ) = $this->get_order_details( $order );
 		$order->set_payment_method( WC_Stripe_UPE_Payment_Gateway::ID );
 		$order->save();
 
@@ -1243,6 +1250,7 @@ public function test_checkout_saves_sepa_generated_payment_method_to_order() {
 		$payment_intent_mock                       = self::MOCK_CARD_PAYMENT_INTENT_TEMPLATE;
 		$payment_intent_mock['id']                 = $payment_intent_id;
 		$payment_intent_mock['amount']             = $amount;
+		$payment_intent_mock['currency']           = $currency;
 		$payment_intent_mock['last_payment_error'] = [];
 		$payment_intent_mock['payment_method']     = $payment_method_mock;
 		$payment_intent_mock['latest_charge']      = 'ch_mock';
@@ -2248,7 +2256,7 @@ public function test_pre_order_payment_is_successful() {
 		$order             = WC_Helper_Order::create_order();
 		$order_id          = $order->get_id();
 
-		list( $amount, $description, $metadata ) = $this->get_order_details( $order );
+		list( $amount, $description, $metadata, $currency ) = $this->get_order_details( $order );
 		$order->set_payment_method( WC_Stripe_UPE_Payment_Gateway::ID );
 		$order->save();
 
@@ -2260,6 +2268,7 @@ public function test_pre_order_payment_is_successful() {
 		$payment_intent_mock                       = self::MOCK_CARD_PAYMENT_INTENT_TEMPLATE;
 		$payment_intent_mock['id']                 = $payment_intent_id;
 		$payment_intent_mock['amount']             = $amount;
+		$payment_intent_mock['currency']           = $currency;
 		$payment_intent_mock['last_payment_error'] = [];
 		$payment_intent_mock['payment_method']     = $payment_method_mock;
 		$payment_intent_mock['latest_charge']      = 'ch_mock';