Fix rate limit for failed add payment method attempts (#4491)

* Fix rate limit for failed add payment method attempts
* Add the exception as arg to the delay filter

Author: diegocurbelo

changelog.txt

@@ -19,6 +19,7 @@
 * Fix - Validate create customer payload against required billing fields before sending to Stripe
 * Update - Enhanced logging system with support for all log levels and improved context handling
 * Fix - Set default values for custom field options
+* Fix - Enforce rate limiter for failed add payment method attempts
 
 = 9.6.0 - 2025-07-07 =
 * Fix - Register Express Checkout script before use to restore buttons on “order-pay” pages

includes/class-wc-stripe-intent-controller.php

@@ -1116,9 +1116,10 @@ public function create_and_confirm_setup_intent( $payment_information ) {
 	 * @throws Exception If the AJAX request is missing the required data or if there's an error creating and confirming the setup intent.
 	 */
 	public function create_and_confirm_setup_intent_ajax() {
+		$wc_add_payment_method_rate_limit_id = 'add_payment_method_' . get_current_user_id();
+
 		try {
 			// similar rate limiter is present in WC Core, but it's executed on page submission (and not on AJAX calls).
-			$wc_add_payment_method_rate_limit_id = 'add_payment_method_' . get_current_user_id();
 			if ( WC_Rate_Limiter::retried_too_soon( $wc_add_payment_method_rate_limit_id ) ) {
 				throw new WC_Stripe_Exception( 'Failed to save payment method.', __( 'You cannot add a new payment method so soon after the previous one.', 'woocommerce-gateway-stripe' ) );
 			}
@@ -1174,6 +1175,18 @@ public function create_and_confirm_setup_intent_ajax() {
 		} catch ( WC_Stripe_Exception $e ) {
 			WC_Stripe_Logger::log( 'Failed to create and confirm setup intent. ' . $e->getMessage() );
 
+			/**
+			 * Filter the rate limit delay after a failure adding a payment method.
+			 *
+			 * @since 9.7.0
+			 *
+			 * @param int $rate_limit_delay The rate limit delay in seconds.
+			 * @param WC_Stripe_Exception $e The exception that occurred.
+			 */
+			$rate_limit_delay = apply_filters( 'wc_stripe_add_payment_method_on_error_rate_limit_delay', 10, $e );
+
+			WC_Rate_Limiter::set_rate_limit( $wc_add_payment_method_rate_limit_id, $rate_limit_delay );
+
 			// Send back error so it can be displayed to the customer.
 			wp_send_json_error(
 				[

readme.txt

@@ -129,5 +129,6 @@ If you get stuck, you can ask for help in the [Plugin Forum](https://wordpress.o
 * Fix - Validate create customer payload against required billing fields before sending to Stripe
 * Update - Enhanced logging system with support for all log levels and improved context handling
 * Fix - Set default values for custom field options
+* Fix - Enforce rate limiter for failed add payment method attempts
 
 [See changelog for full details across versions](https://raw.githubusercontent.com/woocommerce/woocommerce-gateway-stripe/trunk/changelog.txt).

tests/phpunit/WC_Stripe_Intent_Controller_Test.php

@@ -546,4 +546,59 @@ public function test_mandate_options_for_card_setup_intent_for_subscription() {
 
 		$this->assertEquals( 'succeeded', $result->status );
 	}
+
+	/**
+	 * Test that rate limiting works after a failed attempt.
+	 */
+	public function test_rate_limiting_on_consecutive_failed_calls() {
+		add_filter( 'wp_doing_ajax', '__return_true' );
+		add_filter( 'wp_die_ajax_handler', [ $this, 'wp_ajax_halt_handler_filter' ] );
+
+		wp_set_current_user( 1 );
+		$_POST['wc-stripe-payment-method'] = 'pm_test_123';
+		$_POST['wc-stripe-payment-type']   = WC_Stripe_Payment_Methods::CARD;
+		// First call with invalid nonce - should fail and trigger rate limiting
+		$_POST['_ajax_nonce'] = 'invalid_nonce';
+
+		ob_start();
+		$this->mock_controller->create_and_confirm_setup_intent_ajax();
+		$output = ob_get_clean();
+		$response = json_decode( $output, true );
+		$this->assertFalse( $response['success'] );
+		$this->assertArrayHasKey( 'error', $response['data'] );
+		$this->assertEquals( 'Unable to verify your request. Please refresh the page and try again.', $response['data']['error']['message'] );
+
+		// Second call should fail due to rate limiting, regardless of nonce.
+		$_POST['_ajax_nonce'] = wp_create_nonce( 'wc_stripe_create_and_confirm_setup_intent_nonce' );
+
+		ob_start();
+		$this->mock_controller->create_and_confirm_setup_intent_ajax();
+		$output = ob_get_clean();
+
+		$response = json_decode( $output, true );
+		$this->assertFalse( $response['success'] );
+		$this->assertArrayHasKey( 'error', $response['data'] );
+		$this->assertEquals( 'You cannot add a new payment method so soon after the previous one.', $response['data']['error']['message'] );
+
+		remove_filter( 'wp_die_ajax_handler', [ $this, 'wp_ajax_halt_handler_filter' ] );
+		remove_filter( 'wp_doing_ajax', '__return_true' );
+	}
+
+	/**
+	 * Filter to return a custom handler for AJAX requests.
+	 *
+	 * @return callable The custom handler function.
+	 */
+	public function wp_ajax_halt_handler_filter() {
+		return [ $this, 'wp_ajax_print_handler' ];
+	}
+
+	/**
+	 * Custom handler function to output the message.
+	 *
+	 * @param string $message The message to print.
+	 */
+	public function wp_ajax_print_handler( $message ) {
+		echo wp_kses_post( $message );
+	}
 }