Use metadata stored on the intent to fetch an order for webhook processing

[james-allan]

Changes proposed in this Pull Request:

This PR updates the webhook handler to enable it to fetch the relevant order from payment_intent metadata.

This has two impacts:

1. If we fail to record the intent ID on the order after we've sent the payment intent request to Stripe, we can use this mechanism to process the response from Stripe.
2. It improves the performance of webhook processing because we no longer run a database query to locate an order by the intent ID.

We've seen at least 1 large store where we fire off the payment intent request to Stripe, however, we never process the response. This means we don't record the intent ID on the order and therefore cannot process the webhook when we receive it. This PR adds a way for us to fetch the order from data stored in the intent's metadata. Internal link to this case: pcJe93-4NE-p2#comment-4929

cc @geektzu

Testing instructions

1. This should have no impact on payments.
2. You should notice two changes:
   • Payments in the Stripe Dashboard will now record a "signature" in metadata. This value will contain the order ID followed by a hash.
   • The webhook processing will now use the order ID in this signature to validate and process the webhook.

^{The new signature stored in payment intent metadata.}

Because this changes a core part of the way we process webhook payments, please scrutinize this change to make sure we root out any potential gotchas.

---

• Covered with tests (or have a good reason not to test in description ☝️)
• Added changelog entry in both changelog.txt and readme.txt (or does not apply)
• Tested on mobile (or does not apply)

Post merge

• Added testing instructions to the Release Testing Instructions wiki page (or does not apply)
• Added the needs docs label (or does not apply)
• Included this PR in the Release Thread scope (or does not apply)

[geektzu]

Hi, team; thank you for looking into this issue. Let us know when there is an ETA so we can inform the merchant for updates.

[Mayisha]

Nice work 🎉

✅ Confirmed from logs that a signature is sent as a metadata during payment intent request. Also the signature is received as a metadata in the webhook event data.
✅ I can see the signature present in the relevant transaction in my Stripe dashboard.

✅ Checkout with regular card.
✅ Checkout with 3DS card.
✅ Checkout with GPay (PRB and ECE)
✅ Checkout with iDeal.
✅ Checkout with SEPA.
✅ Checkout with CashApp (Wallet)
✅ Checkout with Klarna (BNPL)
✅ Checkout with Multibanco (Voucher)

[wjrosa]

I will merge this since tests are still failing for some reason unrelated to the test itself (checking). Test results locally:

[wjrosa]

Tests passed after replaying them: https://github.com/woocommerce/woocommerce-gateway-stripe/actions/runs/11819563698?pr=3567

[geektzu]

@wjrosa Believe this change was released with version 8.9.0?

= 8.9.0 - 2024-11-14 =

• Update - Enhance webhook processing to enable retrieving orders using payment_intent metadata.

I'm double-checking there to see if the webhook was processed for the subscription renewal order. Will the Woo subscription status be set from "On hold" back to "Active"?

[wjrosa]

@wjrosa Believe this change was released with version 8.9.0?

= 8.9.0 - 2024-11-14 =

• Update - Enhance webhook processing to enable retrieving orders using payment_intent metadata.

Yes, released with 8.9.0.

I'm double-checking there to see if the webhook was processed for the subscription renewal order. Will the Woo subscription status be set from "On hold" back to "Active"?

That's the expected behavior, yes. Are you having issues specific with this flow, related to this change?