Improve webhook status related messages on the settings page. (#3681)

* return 400 status code for webhook signature mismatch

* check if duplicate webhook is set up in Stripe account

* update webhook message

* fix logic and update variable name

Author: Mayisha

changelog.txt

@@ -25,6 +25,7 @@
 * Add - Correctly handles charge expired webhook events, setting the order status to failed and adding a note.
 * Fix - Allow account creation on checkout, if enabled, when purchasing subscriptions using ECE.
 * Tweak - Add empty check for cart when checking for allowed products for express checkout.
+* Tweak - Improve webhook status related messages on the settings page.
 * Update - Prevent editing of orders awaiting payment capture.
 * Add - Introduce locking and unlocking in refund flow to prevent double refund due to race condition.
 * Fix - Check order currency on pay for order page to display supported payment methods.

includes/class-wc-stripe-webhook-handler.php

@@ -115,6 +115,16 @@ public function check_for_webhook() {
 			WC_Stripe_Logger::error( 'Webhook body: ' . print_r( $request_body, true ) ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_print_r
 
 			WC_Stripe_Webhook_State::set_last_webhook_failure_at( time() );
+
+			if ( WC_Stripe_Webhook_State::VALIDATION_FAILED_SIGNATURE_MISMATCH === $validation_result && $this->has_duplicate_webhooks_setup() ) {
+				WC_Stripe_Webhook_State::set_last_error_reason( WC_Stripe_Webhook_State::VALIDATION_FAILED_DUPLICATE_WEBHOOKS );
+
+				// Return a 400 HTTP status code to notify Stripe about a misconfigured webhook when the signature does not match.
+				// @see https://docs.stripe.com/webhooks#disable
+				status_header( 400 );
+				exit;
+			}
+
 			WC_Stripe_Webhook_State::set_last_error_reason( $validation_result );
 
 			// A webhook endpoint must return a 2xx HTTP status code to prevent future webhook
@@ -125,6 +135,33 @@ public function check_for_webhook() {
 		}
 	}
 
+	/**
+	 * Check if the Stripe account has duplicate webhooks setup for this site.
+	 *
+	 * @since 9.1.0
+	 */
+	public function has_duplicate_webhooks_setup() {
+		$webhook_url = WC_Stripe_Helper::get_webhook_url();
+		$webhooks    = WC_Stripe_API::retrieve( 'webhook_endpoints' );
+
+		if ( is_wp_error( $webhooks ) || ! isset( $webhooks->data ) || empty( $webhooks->data ) ) {
+			return false;
+		}
+
+		$number_of_webhooks = 0;
+		foreach ( $webhooks->data as $webhook ) {
+			if ( ! isset( $webhook->url ) ) {
+				continue;
+			}
+
+			if ( $webhook->url === $webhook_url ) {
+				$number_of_webhooks++;
+			}
+		}
+
+		return $number_of_webhooks > 1;
+	}
+
 	/**
 	 * Verify the incoming webhook notification to make sure it is legit.
 	 *

includes/class-wc-stripe-webhook-state.php

@@ -27,6 +27,7 @@ class WC_Stripe_Webhook_State {
 	const VALIDATION_FAILED_EMPTY_SECRET       = 'empty_secret';
 	const VALIDATION_FAILED_USER_AGENT_INVALID = 'user_agent_invalid';
 	const VALIDATION_FAILED_SIGNATURE_INVALID  = 'signature_invalid';
+	const VALIDATION_FAILED_DUPLICATE_WEBHOOKS  = 'duplicate_webhooks';
 	const VALIDATION_FAILED_TIMESTAMP_MISMATCH = 'timestamp_out_of_range';
 	const VALIDATION_FAILED_SIGNATURE_MISMATCH = 'signature_mismatch';
 
@@ -170,7 +171,7 @@ public static function get_last_error_reason() {
 		}
 
 		if ( self::VALIDATION_FAILED_EMPTY_SECRET === $last_error ) {
-			return( __( 'The webhook secret is not set in the store', 'woocommerce-gateway-stripe' ) );
+			return( __( 'The webhook secret is not set in the store. Please configure the webhooks', 'woocommerce-gateway-stripe' ) );
 		}
 
 		// Legacy failure reason. Removed in 8.6.0.
@@ -182,6 +183,10 @@ public static function get_last_error_reason() {
 			return( __( 'The webhook signature was missing or was incorrectly formatted', 'woocommerce-gateway-stripe' ) );
 		}
 
+		if ( self::VALIDATION_FAILED_DUPLICATE_WEBHOOKS == $last_error ) {
+			return( __( 'Multiple webhooks exist for this site. Please remove the duplicate webhooks or re-configure the webhooks', 'woocommerce-gateway-stripe' ) );
+		}
+
 		if ( self::VALIDATION_FAILED_TIMESTAMP_MISMATCH == $last_error ) {
 			return( __( 'The timestamp in the webhook differed more than five minutes from the site time', 'woocommerce-gateway-stripe' ) );
 		}

readme.txt

@@ -135,6 +135,7 @@ If you get stuck, you can ask for help in the [Plugin Forum](https://wordpress.o
 * Add - Correctly handles charge expired webhook events, setting the order status to failed and adding a note.
 * Fix - Allow account creation on checkout, if enabled, when purchasing subscriptions using ECE.
 * Tweak - Add empty check for cart when checking for allowed products for express checkout.
+* Tweak - Improve webhook status related messages on the settings page.
 * Update - Prevent editing of orders awaiting payment capture.
 * Add - Introduce locking and unlocking in refund flow to prevent double refund due to race condition.
 * Fix - Check order currency on pay for order page to display supported payment methods.

tests/phpunit/test-wc-stripe-webhook-state.php

@@ -248,7 +248,7 @@ public function test_get_error_reason_empty_secret() {
 
 		$this->set_valid_request_data();
 		$this->process_webhook();
-		$this->assertEquals( 'The webhook secret is not set in the store', WC_Stripe_Webhook_State::get_last_error_reason() );
+		$this->assertEquals( 'The webhook secret is not set in the store. Please configure the webhooks', WC_Stripe_Webhook_State::get_last_error_reason() );
 	}
 
 	// Test failure reason: invalid signature.