Avoid processing a webhook event twice when having two endpoints pointing to the same URL in the Stripe dashboard #3326

Closed
Tracked by #3327
a-danae opened this issue Jul 31, 2024 · 1 comment
Labels
component: webhooks Issues related to webhooks

a-danae commented Jul 31, 2024

Describe the bug
We're processing webhook events twice when two endpoints are configured for the same URL in the Stripe dashboard.

To Reproduce

  1. Ensure the Legacy checkout experience is disabled

  2. Ensure your test site is publicly accessible so it can receive webhooks

  3. Go to your list of configured webhooks at https://dashboard.stripe.com/webhooks

  4. Check out the table under "Hosted endpoints"

  5. Create two endpoints pointing to the same URL. Like this: [image]

  6. As a shopper, add a subscription to your cart

  7. Place the order

  8. As the merchant, go to the Edit order page for the latest order

  9. Notice there are two order notes with the "Charge complete (...)" message: [image]

Expected behavior
A single webhook event must only be processed once when there are multiple webhooks configured for the same endpoint.

Additional context

  • Try replicating the issue without having breakpoints. When we add breakpoints, the pause in the flow allows the order to be updated before the second webhook is processed.
  • This doesn't seem to be the root of the duplicated notes issue - a user having a duplicated notes issue confirmed they have a single endpoint in their webhook configuration. But it's worth having a more robust approach when facing a potential misconfiguration.

There are at least two flows that could be improved:

  • When no webhook secret is configured in the store, we must bail out and not process the webhook.

    • Not having a webhook secret is possible in Stripe < 8.6.0 where the webhook secret can be added manually.
    • When no secret is set, we must fail the validation instead of using a fallback based on the user agent.
  • When the webhook secret is configured in the store, the invalid webhook is still processed.

    • We're in fact failing the validation when the webhook secret validation fails, but the webhook is still processed for some reason.
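
The two flows above and the expected behavior, sketched as an added example that is not part of the issue or the plugin's code: verification fails closed when no secret is stored, a failed check returns before any processing, and a verified event id is handled only once. Stripe signs each delivery with the receiving endpoint's own secret in the `Stripe-Signature` header (`t=<timestamp>,v1=<HMAC-SHA256 of "<t>.<payload>">`); the function names, the in-memory `$seen` store, the 300-second tolerance and all sample values are assumptions.

```php
<?php
// Added example: names and the in-memory $seen store are hypothetical, not the plugin's code.
const TOLERANCE_SECONDS = 300; // assumed replay window
function verify_signature(string $payload, string $header, string $secret, int $now): bool
{
    if ($secret === '') {
        return false; // fail closed: no secret means no processing, no user-agent fallback
    }
    [$timestamp, $signatures] = [null, []];
    foreach (explode(',', $header) as $part) {
        $kv = explode('=', trim($part), 2);
        if (count($kv) === 2 && $kv[0] === 't' && ctype_digit($kv[1])) {
            $timestamp = (int) $kv[1];
        } elseif (count($kv) === 2 && $kv[0] === 'v1') {
            $signatures[] = $kv[1];
        }
    }
    if ($timestamp === null || abs($now - $timestamp) > TOLERANCE_SECONDS) {
        return false; // missing or stale timestamp
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
    // hash_equals() compares in constant time; any matching v1 value is accepted.
    return (bool) array_filter($signatures, fn($sig) => hash_equals($expected, $sig));
}

function handle_webhook(string $payload, string $header, string $secret, array &$seen, int $now): int
{
    if (!verify_signature($payload, $header, $secret, $now)) {
        return 400; // return immediately so an unverified payload never reaches order logic
    }
    $event = json_decode($payload, true);
    if (!is_array($event) || !is_string($event['id'] ?? null)) {
        return 400;
    }
    if (isset($seen[$event['id']])) {
        return 200; // already handled: acknowledge without processing again
    }
    $seen[$event['id']] = true; // order processing would run after this line, once per event id
    return 200;
}

// Constructed sample: one event delivered by two endpoints that have different secrets.
$now = 1722400000;
$payload = '{"id":"evt_constructed_1","type":"charge.succeeded"}';
$sign = fn(string $s): string => "t=$now,v1=" . hash_hmac('sha256', "$now.$payload", $s);
$seen = [];
echo handle_webhook($payload, $sign('whsec_constructed_a'), 'whsec_constructed_a', $seen, $now), "\n"; // stored secret matches
echo handle_webhook($payload, $sign('whsec_constructed_b'), 'whsec_constructed_a', $seen, $now), "\n"; // second endpoint's secret
echo handle_webhook($payload, $sign('whsec_constructed_a'), '', $seen, $now), "\n";                    // no secret stored
echo handle_webhook($payload, $sign('whsec_constructed_a'), 'whsec_constructed_a', $seen, $now), "\n"; // repeat delivery
```

In a real store the seen-id check would need to be an atomic insert into persistent storage, because the two deliveries arrive close enough together that the second can start before the first has updated the order, as the breakpoint observation above suggests.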
a-danae commented Aug 11, 2024

This should have been fixed by #3331

@a-danae a-danae closed this as completed Aug 11, 2024