fix: prevent race conditions in payment processing with atomic locks

jimmyn · jimmyn · commit 8561db1a40c0 · 2025-10-09T21:30:55.000+02:00
- Created WC_Monei_Lock_Helper with atomic wp_cache_add() operations
- Fixed broken lock in IPN webhook (was using set_transient which always overwrites)
- Added lock mechanism to redirect verification
- Ensured consistent lock keys (monei_payment_ + payment_id) across IPN and redirect
- Increased lock timeout from 30s to 60s (aligned with Magento)
- Added try-finally blocks for guaranteed lock release
- Added PHPStan stubs for WordPress cache functions

This prevents duplicate order processing when webhook and redirect arrive simultaneously.
Verified working in production - idempotency check logs confirm no duplicate processing.
diff --git a/class-woocommerce-gateway-monei.php b/class-woocommerce-gateway-monei.php
@@ -139,6 +139,7 @@ private function includes() {
 			$container = ContainerProvider::getContainer();
 			include_once 'includes/woocommerce-gateway-monei-core-functions.php';
 			include_once 'includes/class-wc-monei-ipn.php';
+		include_once 'includes/class-wc-monei-lock-helper.php';
 			include_once 'includes/class-wc-monei-logger.php';
 			include_once 'includes/class-wc-monei-payment-method-display.php';
 
diff --git a/includes/class-wc-monei-ipn.php b/includes/class-wc-monei-ipn.php
@@ -86,11 +86,12 @@ public function check_ipn_request() {
 		}
 
 		// Acquire lock to prevent concurrent processing of the same payment.
+		// IMPORTANT: Must use same lock key pattern as redirect verification to prevent race conditions.
 		$payment_id = $payload['id'] ?? '';
-		$lock_key   = 'monei_ipn_' . md5( $payment_id );
+		$lock_key   = WC_Monei_Lock_Helper::get_payment_lock_key( $payment_id );
 		$lock_value = wp_rand();
 
-		if ( ! $this->acquire_lock( $lock_key, $lock_value ) ) {
+		if ( ! WC_Monei_Lock_Helper::acquire_lock( $lock_key, $lock_value ) ) {
 			// Another process is handling this payment.
 			$this->logging && WC_Monei_Logger::log( '[MONEI] Webhook already being processed [payment_id=' . $payment_id . ']', 'debug' );
 			http_response_code( 200 );
@@ -114,7 +115,7 @@ public function check_ipn_request() {
 			echo 'Bad Request';
 		} finally {
 			// Always release the lock.
-			$this->release_lock( $lock_key, $lock_value );
+			WC_Monei_Lock_Helper::release_lock( $lock_key, $lock_value );
 		}
 
 		exit;
@@ -329,45 +330,4 @@ protected function log_ipn_request( $headers, $raw_body ) {
 		$headers = implode( "\n", $headers );
 		$this->logging && WC_Monei_Logger::log( 'IPN Request from ' . WC_Geolocation::get_ip_address() . ': ' . "\n\n" . $headers . "\n\n" . $raw_body . "\n", 'debug' );
 	}
-
-	/**
-	 * Acquire a lock using WordPress transients.
-	 *
-	 * @param string $lock_key   The lock key.
-	 * @param mixed  $lock_value The lock value.
-	 * @param int    $timeout    Lock timeout in seconds (default 30).
-	 * @return bool True if lock acquired, false otherwise.
-	 */
-	private function acquire_lock( $lock_key, $lock_value, $timeout = 30 ) {
-		// Try to set transient. If it already exists, add_transient returns false.
-		$acquired = set_transient( $lock_key, $lock_value, $timeout );
-
-		if ( ! $acquired ) {
-			// Transient already exists. Check if it's stale.
-			$existing_value = get_transient( $lock_key );
-			if ( false === $existing_value ) {
-				// Transient expired between checks, try again.
-				return set_transient( $lock_key, $lock_value, $timeout );
-			}
-			return false;
-		}
-
-		return true;
-	}
-
-	/**
-	 * Release a lock using WordPress transients.
-	 *
-	 * @param string $lock_key   The lock key.
-	 * @param mixed  $lock_value The lock value to verify ownership.
-	 * @return void
-	 */
-	private function release_lock( $lock_key, $lock_value ) {
-		$existing_value = get_transient( $lock_key );
-
-		// Only delete if we own the lock.
-		if ( $existing_value === $lock_value ) {
-			delete_transient( $lock_key );
-		}
-	}
 }
diff --git a/includes/class-wc-monei-lock-helper.php b/includes/class-wc-monei-lock-helper.php
@@ -0,0 +1,72 @@
+<?php
+/**
+ * MONEI Lock Helper
+ * Provides locking mechanism to prevent concurrent payment processing
+ *
+ * @package MONEI
+ * @since 6.5.0
+ */
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit; // Exit if accessed directly
+}
+
+/**
+ * Lock Helper Class
+ * Provides shared locking functionality for payment processing
+ */
+class WC_Monei_Lock_Helper {
+
+	/**
+	 * Acquire a lock using WordPress object cache or transients.
+	 *
+	 * @param string $lock_key   The lock key.
+	 * @param mixed  $lock_value The lock value.
+	 * @param int    $timeout    Lock timeout in seconds (default 60).
+	 * @return bool True if lock acquired, false otherwise.
+	 */
+	public static function acquire_lock( $lock_key, $lock_value, $timeout = 60 ) {
+		// Try wp_cache_add first (atomic, fails if key exists)
+		// This requires object cache, but works with default WordPress cache
+		$acquired = wp_cache_add( $lock_key, $lock_value, 'monei_locks', $timeout );
+
+		if ( ! $acquired ) {
+			// Lock already held by another process
+			// Check if it's stale by trying to get it
+			$existing_value = wp_cache_get( $lock_key, 'monei_locks' );
+			if ( false === $existing_value ) {
+				// Cache expired between checks, try again
+				return wp_cache_add( $lock_key, $lock_value, 'monei_locks', $timeout );
+			}
+			return false;
+		}
+
+		return true;
+	}
+
+	/**
+	 * Release a lock using WordPress object cache.
+	 *
+	 * @param string $lock_key   The lock key.
+	 * @param mixed  $lock_value The lock value to verify ownership.
+	 * @return void
+	 */
+	public static function release_lock( $lock_key, $lock_value ) {
+		$existing_value = wp_cache_get( $lock_key, 'monei_locks' );
+
+		// Only delete if we own the lock.
+		if ( $existing_value === $lock_value ) {
+			wp_cache_delete( $lock_key, 'monei_locks' );
+		}
+	}
+
+	/**
+	 * Generate a consistent lock key for a payment ID.
+	 *
+	 * @param string $payment_id The MONEI payment ID.
+	 * @return string The lock key.
+	 */
+	public static function get_payment_lock_key( $payment_id ) {
+		return 'monei_payment_' . $payment_id;
+	}
+}
diff --git a/includes/class-wc-monei-redirect-hooks.php b/includes/class-wc-monei-redirect-hooks.php
@@ -200,81 +200,96 @@ private function verify_and_complete_order( $order_id, $payment ) {
 			return;
 		}
 
-		// Check if payment was already processed (prevent duplicate processing)
-		$processed_payment_id = $order->get_meta( '_monei_payment_id_processed', true );
-		if ( $processed_payment_id === $payment->getId() ) {
-			WC_Monei_Logger::log( sprintf( '[MONEI] Payment already processed via IPN [payment_id=%s, order_id=%s]', $payment->getId(), $order_id ), 'debug' );
+		// Acquire lock to prevent race condition with IPN webhook.
+		// IMPORTANT: Must use same lock key pattern as IPN to prevent race conditions.
+		$lock_key   = WC_Monei_Lock_Helper::get_payment_lock_key( $payment->getId() );
+		$lock_value = wp_rand();
+
+		if ( ! WC_Monei_Lock_Helper::acquire_lock( $lock_key, $lock_value, 60 ) ) {
+			WC_Monei_Logger::log( sprintf( '[MONEI] Order completion already in progress [order_id=%s, payment_id=%s]', $order_id, $payment->getId() ), 'debug' );
 			return;
 		}
 
-		/** @var string $payment_status */
-		$payment_status = $payment->getStatus();
-		$order_status   = $order->get_status();
+		try {
+			// Check if payment was already processed (prevent duplicate processing)
+			$processed_payment_id = $order->get_meta( '_monei_payment_id_processed', true );
+			if ( $processed_payment_id === $payment->getId() ) {
+				WC_Monei_Logger::log( sprintf( '[MONEI] Payment already processed via IPN [payment_id=%s, order_id=%s]', $payment->getId(), $order_id ), 'debug' );
+				return;
+			}
 
-		WC_Monei_Logger::log( sprintf( '[MONEI] Redirect verification [payment_id=%s, order_id=%s, payment_status=%s, order_status=%s]', $payment->getId(), $order_id, $payment_status, $order_status ), 'debug' );
+			/** @var string $payment_status */
+			$payment_status = $payment->getStatus();
+			$order_status   = $order->get_status();
 
-		// Only process if order is still pending/on-hold/failed and payment succeeded
-		if ( ! in_array( $order_status, array( 'pending', 'on-hold', 'failed' ), true ) ) {
-			WC_Monei_Logger::log( sprintf( '[MONEI] Order already processed, skipping [order_id=%s, status=%s]', $order_id, $order_status ), 'debug' );
-			return;
-		}
+			WC_Monei_Logger::log( sprintf( '[MONEI] Redirect verification [payment_id=%s, order_id=%s, payment_status=%s, order_status=%s]', $payment->getId(), $order_id, $payment_status, $order_status ), 'debug' );
 
-		// If payment is SUCCEEDED or AUTHORIZED, complete the order
-		if ( PaymentStatus::SUCCEEDED === $payment_status || PaymentStatus::AUTHORIZED === $payment_status ) {
-			$amount      = $payment->getAmount();
-			$order_total = $order->get_total();
-
-			// Verify amounts match (with 1 cent exception for subscriptions)
-			if ( ( (int) $amount !== monei_price_format( $order_total ) ) && ( 1 !== $amount ) ) {
-				$order->update_status(
-					'on-hold',
-					sprintf(
-						/* translators: 1: Order amount, 2: Payment amount */
-						__( 'Validation error: Order vs. Payment amounts do not match (order: %1$s - received: %2$s).', 'monei' ),
-						monei_price_format( $order_total ),
-						$amount
-					)
-				);
-				WC_Monei_Logger::log( sprintf( '[MONEI] Amount mismatch [order_id=%s, order_amount=%s, payment_amount=%s]', $order_id, monei_price_format( $order_total ), $amount ), 'error' );
+			// Only process if order is still pending/on-hold/failed and payment succeeded
+			if ( ! in_array( $order_status, array( 'pending', 'on-hold', 'failed' ), true ) ) {
+				WC_Monei_Logger::log( sprintf( '[MONEI] Order already processed, skipping [order_id=%s, status=%s]', $order_id, $order_status ), 'debug' );
 				return;
 			}
 
-			// Mark payment as processed to prevent duplicate processing by IPN
-			$order->update_meta_data( '_monei_payment_id_processed', $payment->getId() );
-			$order->update_meta_data( '_payment_order_number_monei', $payment->getId() );
-			$order->update_meta_data( '_payment_order_status_monei', $payment_status );
-			$order->update_meta_data( '_payment_order_status_code_monei', $payment->getStatusCode() );
-			$order->update_meta_data( '_payment_order_status_message_monei', $payment->getStatusMessage() );
-
-			// Store formatted payment method display
-			$payment_method_display = $this->paymentMethodFormatter->get_payment_method_display_from_payment( $payment );
-			if ( $payment_method_display ) {
-				$order->update_meta_data( '_monei_payment_method_display', $payment_method_display );
-			}
+			// If payment is SUCCEEDED or AUTHORIZED, complete the order
+			if ( PaymentStatus::SUCCEEDED === $payment_status || PaymentStatus::AUTHORIZED === $payment_status ) {
+				$amount      = $payment->getAmount();
+				$order_total = $order->get_total();
+
+				// Verify amounts match (with 1 cent exception for subscriptions)
+				if ( ( (int) $amount !== monei_price_format( $order_total ) ) && ( 1 !== $amount ) ) {
+					$order->update_status(
+						'on-hold',
+						sprintf(
+							/* translators: 1: Order amount, 2: Payment amount */
+							__( 'Validation error: Order vs. Payment amounts do not match (order: %1$s - received: %2$s).', 'monei' ),
+							monei_price_format( $order_total ),
+							$amount
+						)
+					);
+					WC_Monei_Logger::log( sprintf( '[MONEI] Amount mismatch [order_id=%s, order_amount=%s, payment_amount=%s]', $order_id, monei_price_format( $order_total ), $amount ), 'error' );
+					return;
+				}
 
-			if ( PaymentStatus::AUTHORIZED === $payment_status ) {
-				$order->update_meta_data( '_payment_not_captured_monei', 1 );
-				$order_note  = __( 'Payment verified via redirect - <strong>Payment Authorized</strong>', 'monei' ) . '. <br><br>';
-				$order_note .= __( 'MONEI Transaction id: ', 'monei' ) . $payment->getId() . '. <br><br>';
-				$order_note .= __( 'MONEI Status Message: ', 'monei' ) . $payment->getStatusMessage();
-				$order->add_order_note( $order_note );
-				$order->update_status( 'on-hold', __( 'Order On-Hold by MONEI', 'monei' ) );
-			} else {
-				// SUCCEEDED
-				$order_note  = __( 'Payment verified via redirect - <strong>Payment Completed</strong>', 'monei' ) . '. <br><br>';
-				$order_note .= __( 'MONEI Transaction id: ', 'monei' ) . $payment->getId() . '. <br><br>';
-				$order_note .= __( 'MONEI Status Message: ', 'monei' ) . $payment->getStatusMessage();
-				$order->add_order_note( $order_note );
-				$order->payment_complete();
+				// Mark payment as processed to prevent duplicate processing by IPN
+				$order->update_meta_data( '_monei_payment_id_processed', $payment->getId() );
+				$order->update_meta_data( '_payment_order_number_monei', $payment->getId() );
+				$order->update_meta_data( '_payment_order_status_monei', $payment_status );
+				$order->update_meta_data( '_payment_order_status_code_monei', $payment->getStatusCode() );
+				$order->update_meta_data( '_payment_order_status_message_monei', $payment->getStatusMessage() );
+
+				// Store formatted payment method display
+				$payment_method_display = $this->paymentMethodFormatter->get_payment_method_display_from_payment( $payment );
+				if ( $payment_method_display ) {
+					$order->update_meta_data( '_monei_payment_method_display', $payment_method_display );
+				}
 
-				$payment_method_woo_id = $order->get_payment_method();
-				if ( 'completed' === monei_get_settings( 'orderdo', $payment_method_woo_id ) ) {
-					$order->update_status( 'completed', __( 'Order Completed by MONEI', 'monei' ) );
+				if ( PaymentStatus::AUTHORIZED === $payment_status ) {
+					$order->update_meta_data( '_payment_not_captured_monei', 1 );
+					$order_note  = __( 'Payment verified via redirect - <strong>Payment Authorized</strong>', 'monei' ) . '. <br><br>';
+					$order_note .= __( 'MONEI Transaction id: ', 'monei' ) . $payment->getId() . '. <br><br>';
+					$order_note .= __( 'MONEI Status Message: ', 'monei' ) . $payment->getStatusMessage();
+					$order->add_order_note( $order_note );
+					$order->update_status( 'on-hold', __( 'Order On-Hold by MONEI', 'monei' ) );
+				} else {
+					// SUCCEEDED
+					$order_note  = __( 'Payment verified via redirect - <strong>Payment Completed</strong>', 'monei' ) . '. <br><br>';
+					$order_note .= __( 'MONEI Transaction id: ', 'monei' ) . $payment->getId() . '. <br><br>';
+					$order_note .= __( 'MONEI Status Message: ', 'monei' ) . $payment->getStatusMessage();
+					$order->add_order_note( $order_note );
+					$order->payment_complete();
+
+					$payment_method_woo_id = $order->get_payment_method();
+					if ( 'completed' === monei_get_settings( 'orderdo', $payment_method_woo_id ) ) {
+						$order->update_status( 'completed', __( 'Order Completed by MONEI', 'monei' ) );
+					}
 				}
-			}
 
-			$order->save();
-			WC_Monei_Logger::log( sprintf( '[MONEI] Order completed via redirect verification [order_id=%s, payment_status=%s]', $order_id, $payment_status ), 'debug' );
+				$order->save();
+				WC_Monei_Logger::log( sprintf( '[MONEI] Order completed via redirect verification [order_id=%s, payment_status=%s]', $order_id, $payment_status ), 'debug' );
+			}
+		} finally {
+			// Always release the lock.
+			WC_Monei_Lock_Helper::release_lock( $lock_key, $lock_value );
 		}
 	}
 }
diff --git a/tests/phpstan-bootstrap.php b/tests/phpstan-bootstrap.php
@@ -130,6 +130,41 @@ function set_transient( $transient, $value, $expiration = 0 ) {
 	}
 }
 
+if ( ! function_exists( 'wp_cache_add' ) ) {
+	/**
+	 * @param string $key
+	 * @param mixed $data
+	 * @param string $group
+	 * @param int $expire
+	 * @return bool
+	 */
+	function wp_cache_add( $key, $data, $group = '', $expire = 0 ) {
+		return true;
+	}
+}
+
+if ( ! function_exists( 'wp_cache_get' ) ) {
+	/**
+	 * @param string $key
+	 * @param string $group
+	 * @return mixed
+	 */
+	function wp_cache_get( $key, $group = '' ) {
+		return false;
+	}
+}
+
+if ( ! function_exists( 'wp_cache_delete' ) ) {
+	/**
+	 * @param string $key
+	 * @param string $group
+	 * @return bool
+	 */
+	function wp_cache_delete( $key, $group = '' ) {
+		return true;
+	}
+}
+
 if ( ! function_exists( 'get_transient' ) ) {
 	/**
 	 * @param string $transient
