fix: resolve redirect mode and race condition issues for Bizum/PayPal

jimmyn · jimmyn · commit dd538d9b939e · 2025-10-03T15:05:19.000+02:00
- Fix redirect mode not working in Blocks checkout for Bizum/PayPal
  - Backend now checks redirect_flow property to distinguish modes
  - Frontend checks paymentId existence before confirmPayment()

- Fix race condition where order shows unpaid on arrival
  - Implement verify_and_complete_order() to fetch payment status from API
  - Complete order immediately if payment SUCCEEDED/AUTHORIZED
  - Use _monei_payment_id_processed meta for idempotency
  - Matches PrestaShop's approach

- Add monei_token_exits() mock to PHPStan bootstrap
- Remove redundant empty() check in save_payment_token()
diff --git a/assets/js/monei-block-checkout-bizum.js b/assets/js/monei-block-checkout-bizum.js
@@ -246,41 +246,45 @@
 			const unsubscribeSuccess = onCheckoutSuccess(
 				( { processingResponse } ) => {
 					const { paymentDetails } = processingResponse;
-					if ( paymentDetails && paymentDetails.paymentId ) {
-						const paymentId = paymentDetails.paymentId;
-						const tokenValue = paymentDetails.token;
-						monei
-							.confirmPayment( {
-								paymentId,
-								paymentToken: tokenValue,
-							} )
-							.then( ( result ) => {
-								if (
-									result.nextAction &&
-									result.nextAction.mustRedirect
-								) {
-									window.location.assign(
-										result.nextAction.redirectUrl
-									);
-								}
-								if ( result.status === 'FAILED' ) {
-									window.location.href = `${ paymentDetails.failUrl }&status=FAILED`;
-								} else {
-									window.location.href =
-										paymentDetails.completeUrl;
-								}
-							} )
-							.catch( ( error ) => {
-								console.error(
-									'Error during payment confirmation:',
-									error
-								);
-								window.location.href = paymentDetails.failUrl;
-							} );
-					} else {
-						console.error( 'No paymentId found in paymentDetails' );
+
+					// In redirect mode, backend returns redirect URL and no paymentId
+					// WooCommerce Blocks handles redirect automatically
+					if ( ! paymentDetails?.paymentId ) {
+						return false;
 					}
 
+					// Component mode: confirm payment with token
+					const paymentId = paymentDetails.paymentId;
+					const tokenValue = paymentDetails.token;
+					monei
+						.confirmPayment( {
+							paymentId,
+							paymentToken: tokenValue,
+						} )
+						.then( ( result ) => {
+							if (
+								result.nextAction &&
+								result.nextAction.mustRedirect
+							) {
+								window.location.assign(
+									result.nextAction.redirectUrl
+								);
+							}
+							if ( result.status === 'FAILED' ) {
+								window.location.href = `${ paymentDetails.failUrl }&status=FAILED`;
+							} else {
+								window.location.href =
+									paymentDetails.completeUrl;
+							}
+						} )
+						.catch( ( error ) => {
+							console.error(
+								'Error during payment confirmation:',
+								error
+							);
+							window.location.href = paymentDetails.failUrl;
+						} );
+
 					// Return true to indicate that the checkout is successful
 					return true;
 				}
diff --git a/assets/js/monei-block-checkout-paypal.js b/assets/js/monei-block-checkout-paypal.js
@@ -144,40 +144,45 @@
 			const unsubscribeSuccess = onCheckoutSuccess(
 				( { processingResponse } ) => {
 					const { paymentDetails } = processingResponse;
-					if ( paymentDetails && paymentDetails.paymentId ) {
-						const paymentId = paymentDetails.paymentId;
-						const tokenValue = paymentDetails.token;
-						monei
-							.confirmPayment( {
-								paymentId,
-								paymentToken: tokenValue,
-							} )
-							.then( ( result ) => {
-								if (
-									result.nextAction &&
-									result.nextAction.mustRedirect
-								) {
-									window.location.assign(
-										result.nextAction.redirectUrl
-									);
-								}
-								if ( result.status === 'FAILED' ) {
-									window.location.href = `${ paymentDetails.failUrl }&status=FAILED`;
-								} else {
-									window.location.href =
-										paymentDetails.completeUrl;
-								}
-							} )
-							.catch( ( error ) => {
-								console.error(
-									'Error during payment confirmation:',
-									error
-								);
-								window.location.href = paymentDetails.failUrl;
-							} );
-					} else {
-						console.error( 'No paymentId found in paymentDetails' );
+
+					// In redirect mode, backend returns redirect URL and no paymentId
+					// WooCommerce Blocks handles redirect automatically
+					if ( ! paymentDetails?.paymentId ) {
+						return false;
 					}
+
+					// Component mode: confirm payment with token
+					const paymentId = paymentDetails.paymentId;
+					const tokenValue = paymentDetails.token;
+					monei
+						.confirmPayment( {
+							paymentId,
+							paymentToken: tokenValue,
+						} )
+						.then( ( result ) => {
+							if (
+								result.nextAction &&
+								result.nextAction.mustRedirect
+							) {
+								window.location.assign(
+									result.nextAction.redirectUrl
+								);
+							}
+							if ( result.status === 'FAILED' ) {
+								window.location.href = `${ paymentDetails.failUrl }&status=FAILED`;
+							} else {
+								window.location.href =
+									paymentDetails.completeUrl;
+							}
+						} )
+						.catch( ( error ) => {
+							console.error(
+								'Error during payment confirmation:',
+								error
+							);
+							window.location.href = paymentDetails.failUrl;
+						} );
+
 					// Return true to indicate that the checkout is successful
 					return true;
 				}
diff --git a/includes/class-wc-monei-redirect-hooks.php b/includes/class-wc-monei-redirect-hooks.php
@@ -91,6 +91,9 @@ public function add_notice_monei_order_cancelled( $order_id ) {
 	 * We trigger this same behaviour in order received page. After a successful payment in MONEI we are redirected
 	 * to order_received_page. If there is a token available, we need to save it.
 	 * We don't do this at IPN level, since right now, token doesn't come thru.
+	 *
+	 * Also, we verify the payment status from the API to complete the order if the IPN hasn't processed yet (race condition).
+	 *
 	 * todo: refactor and split code for is_add_payment_method_page and is_order_received_page to make it more readable.
 	 */
 	public function save_payment_token() {
@@ -125,9 +128,15 @@ public function save_payment_token() {
 			$payment       = $this->moneiPaymentServices->get_payment( $payment_id );
 			$payment_token = $payment->getPaymentToken();
 
+			// Verify payment status and complete order if needed (race condition fix)
+			// If user arrives before IPN webhook processes, we complete the order here
+			if ( $order_id && is_order_received_page() ) {
+				$this->verify_and_complete_order( $order_id, $payment );
+			}
+
 			// A payment can come without token, user didn't check on save payment method.
 			// We just ignore it then and do nothing.
-			if ( ! $payment_token || empty( $payment_token ) ) {
+			if ( ! $payment_token ) {
 				return;
 			}
 
@@ -168,6 +177,91 @@ public function save_payment_token() {
 			WC_Monei_Logger::log( $e->getMessage(), 'error' );
 		}
 	}
+
+	/**
+	 * Verify payment status and complete order if needed (race condition fix).
+	 * When user returns from MONEI before IPN webhook processes, we need to complete the order here.
+	 *
+	 * @param int    $order_id Order ID.
+	 * @param object $payment MONEI payment object.
+	 * @return void
+	 */
+	private function verify_and_complete_order( $order_id, $payment ) {
+		$order = wc_get_order( $order_id );
+		if ( ! $order ) {
+			return;
+		}
+
+		// Check if payment was already processed (prevent duplicate processing)
+		$processed_payment_id = $order->get_meta( '_monei_payment_id_processed', true );
+		if ( $processed_payment_id === $payment->getId() ) {
+			WC_Monei_Logger::log( sprintf( '[MONEI] Payment already processed via IPN [payment_id=%s, order_id=%s]', $payment->getId(), $order_id ), 'debug' );
+			return;
+		}
+
+		$payment_status = $payment->getStatus();
+		$order_status   = $order->get_status();
+
+		WC_Monei_Logger::log( sprintf( '[MONEI] Redirect verification [payment_id=%s, order_id=%s, payment_status=%s, order_status=%s]', $payment->getId(), $order_id, $payment_status, $order_status ), 'debug' );
+
+		// Only process if order is still pending/on-hold and payment succeeded
+		if ( ! in_array( $order_status, array( 'pending', 'on-hold' ), true ) ) {
+			WC_Monei_Logger::log( sprintf( '[MONEI] Order already processed, skipping [order_id=%s, status=%s]', $order_id, $order_status ), 'debug' );
+			return;
+		}
+
+		// If payment is SUCCEEDED or AUTHORIZED, complete the order
+		if ( 'SUCCEEDED' === $payment_status || 'AUTHORIZED' === $payment_status ) {
+			$amount      = $payment->getAmount();
+			$order_total = $order->get_total();
+
+			// Verify amounts match (with 1 cent exception for subscriptions)
+			if ( ( (int) $amount !== monei_price_format( $order_total ) ) && ( 1 !== $amount ) ) {
+				$order->update_status(
+					'on-hold',
+					sprintf(
+						/* translators: 1: Order amount, 2: Payment amount */
+						__( 'Validation error: Order vs. Payment amounts do not match (order: %1$s - received: %2$s).', 'monei' ),
+						monei_price_format( $order_total ),
+						$amount
+					)
+				);
+				WC_Monei_Logger::log( sprintf( '[MONEI] Amount mismatch [order_id=%s, order_amount=%s, payment_amount=%s]', $order_id, monei_price_format( $order_total ), $amount ), 'error' );
+				return;
+			}
+
+			// Mark payment as processed to prevent duplicate processing by IPN
+			$order->update_meta_data( '_monei_payment_id_processed', $payment->getId() );
+			$order->update_meta_data( '_payment_order_number_monei', $payment->getId() );
+			$order->update_meta_data( '_payment_order_status_monei', $payment_status );
+			$order->update_meta_data( '_payment_order_status_code_monei', $payment->getStatusCode() );
+			$order->update_meta_data( '_payment_order_status_message_monei', $payment->getStatusMessage() );
+
+			if ( 'AUTHORIZED' === $payment_status ) {
+				$order->update_meta_data( '_payment_not_captured_monei', 1 );
+				$order_note  = __( 'Payment verified via redirect - <strong>Payment Authorized</strong>', 'monei' ) . '. <br><br>';
+				$order_note .= __( 'MONEI Transaction id: ', 'monei' ) . $payment->getId() . '. <br><br>';
+				$order_note .= __( 'MONEI Status Message: ', 'monei' ) . $payment->getStatusMessage();
+				$order->add_order_note( $order_note );
+				$order->update_status( 'on-hold', __( 'Order On-Hold by MONEI', 'monei' ) );
+			} else {
+				// SUCCEEDED
+				$order_note  = __( 'Payment verified via redirect - <strong>Payment Completed</strong>', 'monei' ) . '. <br><br>';
+				$order_note .= __( 'MONEI Transaction id: ', 'monei' ) . $payment->getId() . '. <br><br>';
+				$order_note .= __( 'MONEI Status Message: ', 'monei' ) . $payment->getStatusMessage();
+				$order->add_order_note( $order_note );
+				$order->payment_complete();
+
+				$payment_method_woo_id = $order->get_payment_method();
+				if ( 'completed' === monei_get_settings( 'orderdo', $payment_method_woo_id ) ) {
+					$order->update_status( 'completed', __( 'Order Completed by MONEI', 'monei' ) );
+				}
+			}
+
+			$order->save();
+			WC_Monei_Logger::log( sprintf( '[MONEI] Order completed via redirect verification [order_id=%s, payment_status=%s]', $order_id, $payment_status ), 'debug' );
+		}
+	}
 }
 
 new WC_Monei_Redirect_Hooks();
diff --git a/src/Gateways/Abstracts/WCMoneiPaymentGatewayHosted.php b/src/Gateways/Abstracts/WCMoneiPaymentGatewayHosted.php
@@ -137,17 +137,25 @@ public function process_payment( $order_id, $allowed_payment_method = null ) {
 			$this->log( $payment, 'debug' );
 			do_action( 'wc_gateway_monei_process_payment_success', $payload, $payment, $order );
 
-			if ( $this->isBlockCheckout() ) {
+			// Block checkout with component mode (Bizum/PayPal button)
+			// Return paymentId for frontend confirmation
+			$redirect_flow = property_exists( $this, 'redirect_flow' ) ? $this->redirect_flow : true;
+			$has_token     = $this->get_frontend_generated_token();
+			$is_block      = $this->isBlockCheckout();
+
+			if ( $is_block && ! $redirect_flow && $has_token ) {
 				return array(
 					'result'      => 'success',
 					'redirect'    => false,
-					'paymentId'   => $payment->getId(), // Send the paymentId back to the client
-					'token'       => $this->get_frontend_generated_token(), // Send the token back to the client
+					'paymentId'   => $payment->getId(),
+					'token'       => $has_token,
 					'completeUrl' => $payload['completeUrl'],
 					'failUrl'     => $payload['failUrl'],
 					'orderId'     => $order_id,
 				);
 			}
+			// Classic checkout or Block checkout in redirect mode
+			// Return redirect URL to MONEI hosted page
 			return array(
 				'result'   => 'success',
 				'redirect' => $payment->getNextAction()->getRedirectUrl(),
diff --git a/tests/phpstan-bootstrap.php b/tests/phpstan-bootstrap.php
@@ -198,3 +198,14 @@ public static function get_ip_address() {
 		}
 	}
 }
+
+if ( ! function_exists( 'monei_token_exits' ) ) {
+	/**
+	 * @param string $monei_token
+	 * @param string $gateway_id
+	 * @return bool
+	 */
+	function monei_token_exits( $monei_token, $gateway_id ) {
+		return false;
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -198,3 +198,14 @@ public static function get_ip_address() {`
`198`	`198`	`}`
`199`	`199`	`}`
`200`	`200`	`}`
	`201`	`+`
	`202`	`+if ( ! function_exists( 'monei_token_exits' ) ) {`
	`203`	`+ /**`
	`204`	`+ * @param string $monei_token`
	`205`	`+ * @param string $gateway_id`
	`206`	`+ * @return bool`
	`207`	`+ */`
	`208`	`+ function monei_token_exits( $monei_token, $gateway_id ) {`
	`209`	`+ return false;`
	`210`	`+ }`
	`211`	`+}`