btcpayserver/BTCPayServer/Plugins/Shopify/OrderTransactionRegisterLogic.cs

using System;
using System.Linq;
using System.Threading.Tasks;
using BTCPayServer.Plugins.Shopify.ApiModels;

namespace BTCPayServer.Plugins.Shopify
{
    public class OrderTransactionRegisterLogic
    {
        private readonly ShopifyApiClient _client;

        public OrderTransactionRegisterLogic(ShopifyApiClient client)
        {
            _client = client;
        }

        private static string[] _keywords = new[] { "bitcoin", "btc", "btcpayserver", "btcpay server" };
        public async Task<TransactionsCreateResp> Process(string orderId, string invoiceId, string currency, string amountCaptured, bool success)
        {
            currency = currency.ToUpperInvariant().Trim();
            var existingShopifyOrderTransactions = (await _client.TransactionsList(orderId)).transactions;
            var baseParentTransaction = existingShopifyOrderTransactions.FirstOrDefault();
            if (baseParentTransaction is null ||
                !_keywords.Any(a => baseParentTransaction.gateway.Contains(a, StringComparison.InvariantCultureIgnoreCase)))
            {
                return null;
            }

            //technically, this exploit should not be possible as we use internal invoice tags to verify that the invoice was created by our controlled, dedicated endpoint.
            if (currency.ToUpperInvariant().Trim() != baseParentTransaction.currency.ToUpperInvariant().Trim())
            {
                // because of parent_id present, currency will always be the one from parent transaction
                // malicious attacker could potentially exploit this by creating invoice 
                // in different currency and paying that one, registering order on Shopify as paid
                // so if currency is supplied and is different from parent transaction currency we just won't register
                return null;
            }

            var kind = "capture";
            var parentId = baseParentTransaction.id;
            var status = success ? "success" : "failure";
            //find all existing transactions recorded around this invoice id 
            var existingShopifyOrderTransactionsOnSameInvoice =
                existingShopifyOrderTransactions.Where(holder => holder.authorization == invoiceId);

            //filter out the successful ones
            var successfulActions =
                existingShopifyOrderTransactionsOnSameInvoice.Where(holder => holder.status == "success").ToArray();

            //of the successful ones, get the ones we registered as a valid payment
            var successfulCaptures = successfulActions.Where(holder => holder.kind == "capture").ToArray();

            //of the successful ones, get the ones we registered as a voiding of a previous successful payment
            var refunds = successfulActions.Where(holder => holder.kind == "refund").ToArray();

            //if we are working with a non-success registration, but see that we have previously registered this invoice as a success, we switch to creating a "void" transaction, which in shopify terms is a refund.
            if (!success && successfulCaptures.Length > 0 && (successfulCaptures.Length - refunds.Length) > 0)
            {
                kind = "void";
                parentId = successfulCaptures.Last().id;
                status = "success";
            }
            //if we are working with a success registration, but can see that we have already had a successful transaction saved, get outta here
            else if (success && successfulCaptures.Length > 0 && (successfulCaptures.Length - refunds.Length) > 0)
            {
                return null;
            }
            var createTransaction = new TransactionsCreateReq
            {
                transaction = new TransactionsCreateReq.DataHolder
                {
                    parent_id = parentId,
                    currency = currency,
                    amount = amountCaptured,
                    kind = kind,
                    gateway = "BTCPayServer",
                    source = "external",
                    authorization = invoiceId,
                    status = status
                }
            };
            var createResp = await _client.TransactionCreate(orderId, createTransaction);
            return createResp;
        }
    }
}
Remove unused imports 2020-09-28 08:42:14 +02:00			`using System;`
Removing dynamic variables from Shopify api interactions 2020-09-17 07:12:03 +02:00			`using System.Linq;`
Importing hosted service that will register transactions on Shopify 2020-09-14 00:14:36 +02:00			`using System.Threading.Tasks;`
Abstract Store integrations (#2384) * Decouple Shopify from Store * Decouple shopify from store blob * Update BTCPayServer.Tests.csproj * Make sure shopify obj is set * make shopify a system plugin 2021-04-08 06:37:05 +02:00			`using BTCPayServer.Plugins.Shopify.ApiModels;`
Importing hosted service that will register transactions on Shopify 2020-09-14 00:14:36 +02:00
Abstract Store integrations (#2384) * Decouple Shopify from Store * Decouple shopify from store blob * Update BTCPayServer.Tests.csproj * Make sure shopify obj is set * make shopify a system plugin 2021-04-08 06:37:05 +02:00			`namespace BTCPayServer.Plugins.Shopify`
Importing hosted service that will register transactions on Shopify 2020-09-14 00:14:36 +02:00			`{`
			`public class OrderTransactionRegisterLogic`
			`{`
			`private readonly ShopifyApiClient _client;`

			`public OrderTransactionRegisterLogic(ShopifyApiClient client)`
			`{`
			`_client = client;`
			`}`

Ensuring matching of keywords only on first transaction 2020-09-30 00:23:42 +02:00			`private static string[] _keywords = new[] { "bitcoin", "btc", "btcpayserver", "btcpay server" };`
Simplify Shopify integration Added dedicated endpoint that generates an invoice or returns an existing one as needed for a shopify order Added rate limiter to shopify endpoint to prevent abuse Reduce shopify js to a small file Use events from btcpay modal to reduce constant pinging to btcpay server Register invoice payment failures on the shopify backend. 2020-09-21 12:40:45 +02:00			`public async Task<TransactionsCreateResp> Process(string orderId, string invoiceId, string currency, string amountCaptured, bool success)`
Importing hosted service that will register transactions on Shopify 2020-09-14 00:14:36 +02:00			`{`
Simplify Shopify integration Added dedicated endpoint that generates an invoice or returns an existing one as needed for a shopify order Added rate limiter to shopify endpoint to prevent abuse Reduce shopify js to a small file Use events from btcpay modal to reduce constant pinging to btcpay server Register invoice payment failures on the shopify backend. 2020-09-21 12:40:45 +02:00			`currency = currency.ToUpperInvariant().Trim();`
			`var existingShopifyOrderTransactions = (await _client.TransactionsList(orderId)).transactions;`
Ensuring matching of keywords only on first transaction 2020-09-30 00:23:42 +02:00			`var baseParentTransaction = existingShopifyOrderTransactions.FirstOrDefault();`
			`if (baseParentTransaction is null \|\|`
			`!_keywords.Any(a => baseParentTransaction.gateway.Contains(a, StringComparison.InvariantCultureIgnoreCase)))`
Make Shopify transaction register system handle marked payments slightly more 2020-09-21 15:34:41 +02:00			`{`
			`return null;`
			`}`
Ensuring matching of keywords only on first transaction 2020-09-30 00:23:42 +02:00
Commenting OrderTransactionRegisterLogic 2020-09-28 08:30:50 +02:00			`//technically, this exploit should not be possible as we use internal invoice tags to verify that the invoice was created by our controlled, dedicated endpoint.`
Make Shopify transaction register system handle marked payments slightly more 2020-09-21 15:34:41 +02:00			`if (currency.ToUpperInvariant().Trim() != baseParentTransaction.currency.ToUpperInvariant().Trim())`
			`{`
			`// because of parent_id present, currency will always be the one from parent transaction`
			`// malicious attacker could potentially exploit this by creating invoice`
			`// in different currency and paying that one, registering order on Shopify as paid`
			`// so if currency is supplied and is different from parent transaction currency we just won't register`
			`return null;`
			`}`
Importing hosted service that will register transactions on Shopify 2020-09-14 00:14:36 +02:00
Make Shopify transaction register system handle marked payments slightly more 2020-09-21 15:34:41 +02:00			`var kind = "capture";`
			`var parentId = baseParentTransaction.id;`
			`var status = success ? "success" : "failure";`
Commenting OrderTransactionRegisterLogic 2020-09-28 08:30:50 +02:00			`//find all existing transactions recorded around this invoice id`
Make Shopify transaction register system handle marked payments slightly more 2020-09-21 15:34:41 +02:00			`var existingShopifyOrderTransactionsOnSameInvoice =`
			`existingShopifyOrderTransactions.Where(holder => holder.authorization == invoiceId);`
Ensuring matching of keywords only on first transaction 2020-09-30 00:23:42 +02:00
Commenting OrderTransactionRegisterLogic 2020-09-28 08:30:50 +02:00			`//filter out the successful ones`
Make Shopify transaction register system handle marked payments slightly more 2020-09-21 15:34:41 +02:00			`var successfulActions =`
			`existingShopifyOrderTransactionsOnSameInvoice.Where(holder => holder.status == "success").ToArray();`
Importing hosted service that will register transactions on Shopify 2020-09-14 00:14:36 +02:00
Commenting OrderTransactionRegisterLogic 2020-09-28 08:30:50 +02:00			`//of the successful ones, get the ones we registered as a valid payment`
Make Shopify transaction register system handle marked payments slightly more 2020-09-21 15:34:41 +02:00			`var successfulCaptures = successfulActions.Where(holder => holder.kind == "capture").ToArray();`
Ensuring matching of keywords only on first transaction 2020-09-30 00:23:42 +02:00
Commenting OrderTransactionRegisterLogic 2020-09-28 08:30:50 +02:00			`//of the successful ones, get the ones we registered as a voiding of a previous successful payment`
Make Shopify transaction register system handle marked payments slightly more 2020-09-21 15:34:41 +02:00			`var refunds = successfulActions.Where(holder => holder.kind == "refund").ToArray();`
Ensuring matching of keywords only on first transaction 2020-09-30 00:23:42 +02:00
Commenting OrderTransactionRegisterLogic 2020-09-28 08:30:50 +02:00			`//if we are working with a non-success registration, but see that we have previously registered this invoice as a success, we switch to creating a "void" transaction, which in shopify terms is a refund.`
Make Shopify transaction register system handle marked payments slightly more 2020-09-21 15:34:41 +02:00			`if (!success && successfulCaptures.Length > 0 && (successfulCaptures.Length - refunds.Length) > 0)`
			`{`
			`kind = "void";`
			`parentId = successfulCaptures.Last().id;`
			`status = "success";`
Importing hosted service that will register transactions on Shopify 2020-09-14 00:14:36 +02:00			`}`
Commenting OrderTransactionRegisterLogic 2020-09-28 08:30:50 +02:00			`//if we are working with a success registration, but can see that we have already had a successful transaction saved, get outta here`
Ensuring matching of keywords only on first transaction 2020-09-30 00:23:42 +02:00			`else if (success && successfulCaptures.Length > 0 && (successfulCaptures.Length - refunds.Length) > 0)`
Make Shopify transaction register system handle marked payments slightly more 2020-09-21 15:34:41 +02:00			`{`
			`return null;`
			`}`
			`var createTransaction = new TransactionsCreateReq`
			`{`
			`transaction = new TransactionsCreateReq.DataHolder`
			`{`
			`parent_id = parentId,`
			`currency = currency,`
			`amount = amountCaptured,`
			`kind = kind,`
			`gateway = "BTCPayServer",`
			`source = "external",`
			`authorization = invoiceId,`
			`status = status`
			`}`
			`};`
			`var createResp = await _client.TransactionCreate(orderId, createTransaction);`
			`return createResp;`
Importing hosted service that will register transactions on Shopify 2020-09-14 00:14:36 +02:00			`}`
			`}`
			`}`