Moving existing order lock and bailing out when it is active (#4462)

* Moving existing order lock and bailing out when it is active

* Changelog and readme entries

* Moving the unlocking call to the finally clause

* Removing unlock call from finally and reverting to original positions

* Removing redundancy in lock check

* Reverting intent data removal

* Removing it again due incompatibility

---------

Co-authored-by: Anne Mirasol <[email protected]>

Author: wjrosa

changelog.txt

@@ -1,6 +1,7 @@
 *** Changelog ***
 
 = 9.7.0 - xxxx-xx-xx =
+* Fix - Moves the existing order lock functionality earlier in the order processing flow to prevent duplicate processing requests
 * Add - Adds two new safety filters to the subscriptions detached debug tool: `wc_stripe_detached_subscriptions_maximum_time` and `wc_stripe_detached_subscriptions_maximum_count`
 * Add - Show a notice when editing an active subscription that has no payment method attached
 * Fix - Fixes a possible fatal error when trying to generate the order signature for a `WC_Order_Refund` object

includes/abstracts/abstract-wc-stripe-payment-gateway.php

@@ -1747,26 +1747,15 @@ private function get_intent( $intent_type, $intent_id ) {
 	 *
 	 * @since 4.2
 	 * @param WC_Order $order  The order that is being paid.
-	 * @param stdClass $intent The intent that is being processed.
 	 * @return bool            A flag that indicates whether the order is already locked.
 	 */
-	public function lock_order_payment( $order, $intent = null ) {
-		$order->read_meta_data( true );
-
-		$existing_lock = $order->get_meta( '_stripe_lock_payment', true );
-
-		if ( $existing_lock ) {
-			$parts         = explode( '|', $existing_lock ); // Format is: "{expiry_timestamp}" or "{expiry_timestamp}|{pi_xxxx}" if an intent is passed.
-			$expiration    = (int) $parts[0];
-			$locked_intent = ! empty( $parts[1] ) ? $parts[1] : '';
-
-			// If the lock is still active, return true.
-			if ( time() <= $expiration && ( empty( $intent ) || empty( $locked_intent ) || ( $intent->id ?? '' ) === $locked_intent ) ) {
-				return true;
-			}
+	public function lock_order_payment( $order ) {
+		if ( $this->is_order_payment_locked( $order ) ) {
+			// If the order is already locked, return true.
+			return true;
 		}
 
-		$new_lock = ( time() + 5 * MINUTE_IN_SECONDS ) . ( isset( $intent->id ) ? '|' . $intent->id : '' );
+		$new_lock = ( time() + 5 * MINUTE_IN_SECONDS );
 
 		$order->update_meta_data( '_stripe_lock_payment', $new_lock );
 		$order->save_meta_data();
@@ -1785,6 +1774,38 @@ public function unlock_order_payment( $order ) {
 		$order->save_meta_data();
 	}
 
+	/**
+	 * Retrieves the existing lock for an order.
+	 *
+	 * @param WC_Order $order The order to retrieve the lock for
+	 * @return mixed
+	 */
+	protected function get_order_existing_lock( $order ) {
+		$order->read_meta_data( true );
+		return $order->get_meta( '_stripe_lock_payment', true );
+	}
+
+	/**
+	 * Checks if an order is locked for payment processing.
+	 *
+	 * @param WC_Order $order The order to check the lock for
+	 * @return bool
+	 */
+	protected function is_order_payment_locked( $order ) {
+		$existing_lock = $this->get_order_existing_lock( $order );
+		if ( $existing_lock ) {
+			$parts      = explode( '|', $existing_lock ); // Format is: "{expiry_timestamp}"
+			$expiration = (int) $parts[0];
+
+			// If the lock is still active, return true.
+			if ( time() <= $expiration ) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
 	/**
 	 * Locks an order for refund processing for 5 minutes.
 	 *

includes/payment-methods/class-wc-stripe-upe-payment-gateway.php

@@ -1033,6 +1033,17 @@ private function process_payment_with_payment_method( int $order_id ) {
 
 			$this->validate_selected_payment_method_type( $payment_information, $order->get_billing_country() );
 
+			// Attempt to acquire lock, bail if already locked
+			$is_order_payment_locked = $this->lock_order_payment( $order );
+			if ( $is_order_payment_locked ) {
+				// If the request is already being processed, return an error.
+				return [
+					'result'   => 'failure',
+					'redirect' => '',
+					'message'  => __( 'Your payment is already being processed. Please wait.', 'woocommerce-gateway-stripe' ),
+				];
+			}
+
 			$payment_needed                = $this->is_payment_needed( $order->get_id() );
 			$payment_method_id             = $payment_information['payment_method'];
 			$payment_method_details        = $payment_information['payment_method_details'];
@@ -1079,9 +1090,6 @@ private function process_payment_with_payment_method( int $order_id ) {
 				$this->update_saved_payment_method( $payment_method_id, $order );
 			}
 
-			// Lock the order before we create and confirm the payment/setup intents to prevent Stripe sending the success webhook before this request is completed.
-			$this->lock_order_payment( $order );
-
 			if ( $payment_needed ) {
 				// Throw an exception if the minimum order amount isn't met.
 				$this->validate_minimum_order_amount( $order );
@@ -1185,6 +1193,8 @@ private function process_payment_with_payment_method( int $order_id ) {
 				$response_args
 			);
 		} catch ( WC_Stripe_Exception $e ) {
+			// Ensure the order is unlocked in case of an exception.
+			$this->unlock_order_payment( $order );
 			return $this->handle_process_payment_error( $e, $order );
 		}
 	}

readme.txt

@@ -111,6 +111,7 @@ If you get stuck, you can ask for help in the [Plugin Forum](https://wordpress.o
 == Changelog ==
 
 = 9.7.0 - xxxx-xx-xx =
+* Fix - Moves the existing order lock functionality earlier in the order processing flow to prevent duplicate processing requests
 * Add - Adds two new safety filters to the subscriptions detached debug tool: `wc_stripe_detached_subscriptions_maximum_time` and `wc_stripe_detached_subscriptions_maximum_count`
 * Add - Show a notice when editing an active subscription that has no payment method attached
 * Fix - Fixes a possible fatal error when trying to generate the order signature for a `WC_Order_Refund` object