idempotency_key increment causing Double charging in case of false error respons

  • Resolved TimBHowe

    (@timbhowe)


    5 years, 8 months ago

    The issue:
    We have a site using the WooCommerce Square plugin for a payment gateway that utilize the WooCommerce Plugin Framework. The issue appears to happen from 2 parts.

    1st Issue
    When the WooCommerce Square plugin makes a charge request to the Square API it will sometimes return a 500 Internal Server Error as a response when in fact it has charged the card. This leads to the customer seeing and error and repeating the transaction. We have been working with the Square API support team to try and resolve the issue. They have said their partnerships engineer just let me know that WooCommerce contacted them, and stated they were able to troubleshoot the issue. We still do not know is causing the 500 code response, but causes the 2nd issue.

    2nd Issue
    When the user repeats the charge a new “idempotency_key”: is created built from a md5 hash from the sites URL followed by the order ID from woocommerce. This key is regenerated with an incremented number appended to it, meaning that Square views it as a new requests and repeats the charge.

    Here is an exmaple:
    “idempotency_key”: “d40b426b36bc2091a80197f2521b1776:242011” – Original
    “idempotency_key”: “d40b426b36bc2091a80197f2521b1776:242011-1” – Repeat Charge

    It looks like in this file: woocommerce-square/vendor/skyverge/wc-plugin-framework/woocommerce/payment-gateway/class-sv-wc-payment-gateway.php

    In the function get_order_with_unique_transaction_ref they include the retry count at the end of the key to make it unique for each try.

    They increment it on every request no matter what. Nothing to check if the previous request was a server error.

    This is used to create the “idempotency_key” when the order is created and charged
    https://plugins.trac.wordpress.org/browser/woocommerce-square/tags/2.1.0/includes/Gateway/API/Requests/Transactions.php#L78

    This idempotency_key needs to always be the same to prevent just this from happening so it should be set using a different method.

    Please let us know if you need anymore information.

    We are also going to post an update request to the https://github.com/skyverge/wc-plugin-framework to potentially add a function to handle this.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter TimBHowe

    (@timbhowe)

    5 years, 8 months ago

    https://wordpress.org/support/topic/internal_server_error-issues-duplicate-charges-created/ – Similar Issue

    Elvira K.

    (@treibalen)

    5 years, 7 months ago

    Hi there @timbhowe,

    We apologize for the late response and thank you for reporting the issue!

    I’ve passed this information to our dev team and we’re waiting for their feedback.

    I’ll keep you posted on the discussion. Cheers!

    Thread Starter TimBHowe

    (@timbhowe)

    5 years, 6 months ago

    I have submitted a pull request to the wc-plugin-framework plugin.
    https://github.com/skyverge/wc-plugin-framework/pull/492

    If it is accepted and updated copy of the framework should be merge into this plugin and the set_charge_data function update

    From
    $this->square_request->setIdempotencyKey( wc_square()->get_idempotency_key( $order->unique_transaction_ref ) );
    To
    $this->square_request->setIdempotencyKey( wc_square()->get_idempotency_key( $order->idempotency_key ) );

    The main issue is that the $order->unique_transaction_ref is a combination of order number + retry count, should provide a unique value for each transaction attempt.

    When the Idempotency Key should only be unique to the transaction itself.

    So as a quick fix you could just remove the retry count from the $order->unique_transaction_ref string when it is used in the function above.

    Let me know if there is anything else I can do?

    • This reply was modified 5 years, 6 months ago by TimBHowe.
    • This reply was modified 5 years, 6 months ago by TimBHowe.
    Plugin Support Damianne P (a11n)

    (@drwpcom)

    5 years, 5 months ago

    Hi @timbhowe. Since the conversation about a solution for this is continuing via Github, I’ll mark this thread as resolved to avoid duplicate discussions.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘idempotency_key increment causing Double charging in case of false error respons’ is closed to new replies.