checkout/checkout-woocommerce-plugin

Suspected Fraud status is never used

Updula opened this issue · 8 comments

The plugin has a built-in feature which would help to stop fraudulent transactions.

So far this status was never used by the plugin even though many fraud attempts were manually detected by our team.

Hi @Updula can you please provide more details + examples?

Hello, an example would be something like:

if country = USA and amount is >$1000 then mark order as suspected fraud.

Also, please find below a list of bugs found in your plugin; we had to manually edit it after each update. It would be amazing to have these fixed in core:

  • Show Fawry reference to user and not only to admin. You can use WooCommerce "note to customer" functionality.
  • In webhook file, stop webhook from running on completed orders by wrapping webhook function with if ($order_status != 'completed')
  • In webhook file, perform payments using $order->payment_complete($action_id); function and not $order->update_status as per WC guidelines: https://docs.woocommerce.com/document/payment-gateway-api/
  • In cards or callback file, wc_reduce_stock_levels and use payment_complete(), this one function will reduce stock, mark order, and empty cart at once.
  • In ApplePay file, bypass check of custom checkout fields if(name === 'mobile/email') { return true; }
  • In ApplePay file, remove 'shipping' item unless shipping is set.
  • In ApplePay file, show fees + discount items.

Hi @Updula,
thanks for your detailed feedback. Our product team is looking into the different points you've listed.
We'll get back to you once we have more details around the next steps.

Thank you @nicolas-maalouf-cko, also please:

  • Enqueue https://pay.google.com/gp/p/js/pay.js script only if Google Pay is enabled.

Just saw the latest pull request to show the Fawry reference:

jQuery('.woocommerce-thankyou-order-details.order_details').append('<li >Fawry number: $fawryNumber</li>')

This is simply bad and hacky coding, even "Fawry number:" text is not translatable.

Also, please find below a list of bugs found in your plugin; we had to manually edit it after each update. It would be amazing to have these fixed in core:

  • In webhook file, stop webhook from running on completed orders by wrapping webhook function with if ($order_status != 'completed')
  • In webhook file, perform payments using $order->payment_complete($action_id); function and not $order->update_status as per WC guidelines: https://docs.woocommerce.com/document/payment-gateway-api/
  • In cards or callback file, wc_reduce_stock_levels and use payment_complete(), this one function will reduce stock, mark order, and empty cart at once.

Hello @Updula,

Below is the analysis made for the requested improvement.

Improvement 1: In webhook file, perform payments using $order->payment_complete($action_id); function and not $order->update_status as per WC guidelines: https://docs.woocommerce.com/document/payment-gateway-api/

Normally, the "$order->payment_complete()" function is used in WooCommerce when a payment has completed.
This function changes the status and reduces the stock automatically.
However, this function only changes the order status to either "Processing" for physical products or "Completed" for virtual products.
In the plugin, we have used "$order->update_status" so as to take into consideration the order setting configuration set up by the merchant. It is very important to note that not all merchants have configured the order settings the same way.

Therefore, by using "$order->payment_complete()", we are assuming that all merchants have the same configuration and thus ignoring the merchant setup.

Improvement 2: In webhook file, stop webhook from running on completed orders by wrapping webhook function with if ($order_status != 'completed')

It's again based on the merchant order configuration.
For example, in the order management settings, not all merchants will set up the status "On-hold" for Authorized Order Status.
In the same way, not all merchants use the status completed. Some can use it when a payment is captured or when it is authorized. (It's up to them.)

However, please note that this improvement has already been implemented taking into consideration the merchant configurations.

Therefore, by using the condition "if ($order_status != 'completed')", we are assuming that all merchants are using the status completed, and the other statuses, the same way.

Improvement 3: In cards or callback file, wc_reduce_stock_levels and use payment_complete(), this one function will reduce stock, mark order, and empty cart at once.

Same issue as improvement 1.
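Added example (not part of the thread and not the plugin's own code): one way to reconcile the two positions above, by calling payment_complete() while a `woocommerce_payment_complete_order_status` filter applies the merchant-configured status, and by guarding against duplicate webhook deliveries without relying on a status name. The `cko_example_*` names, the option key, the gateway id prefix and the `$event` array shape are hypothetical, and the webhook is assumed to have been authenticated before this code runs.

```php
<?php
// Added example, not the plugin's code. Hypothetical: the cko_example_* names,
// the 'cko_example_captured_status' option, the gateway id prefix and the
// $event array shape. Assumes the webhook was authenticated before this runs.

const CKO_EXAMPLE_GATEWAY_PREFIX = 'example_checkout_com'; // placeholder id

// payment_complete() defaults to "processing" (or "completed" when nothing
// needs processing). This filter swaps in the merchant-configured status.
add_filter( 'woocommerce_payment_complete_order_status', 'cko_example_paid_status', 10, 3 );

function cko_example_paid_status( $status, $order_id, $order ) {
	if ( ! $order || 0 !== strpos( $order->get_payment_method(), CKO_EXAMPLE_GATEWAY_PREFIX ) ) {
		return $status; // Another gateway's order: leave the default alone.
	}
	$configured = get_option( 'cko_example_captured_status', '' );
	// Fall back to the WooCommerce default if the setting is empty or stale.
	return array_key_exists( 'wc-' . $configured, wc_get_order_statuses() ) ? $configured : $status;
}

// Handle a "payment captured" webhook. Returns true only when this delivery
// is the one that marked the order paid.
function cko_example_handle_captured( array $event ) {
	$order = wc_get_order( absint( $event['order_id'] ?? 0 ) );
	if ( ! $order ) {
		return false;
	}
	$action_id = sanitize_text_field( $event['action_id'] ?? '' );
	if ( '' === $action_id ) {
		return false;
	}

	// Replay guard that does not depend on status names: payment_complete()
	// stores the transaction id and paid date, so a redelivered or duplicated
	// webhook is recognised even when the merchant maps "paid" to a custom status.
	if ( $order->get_date_paid() || $order->get_transaction_id() === $action_id ) {
		$order->add_order_note( sprintf(
			/* translators: %s: gateway action id */
			__( 'Duplicate capture webhook ignored (action %s).', 'cko-example' ),
			$action_id
		) );
		return false;
	}

	// Sets transaction id and paid date, moves to the filtered status and
	// fires woocommerce_payment_complete for stock handling.
	return $order->payment_complete( $action_id );
}
```

payment_complete() itself only acts on orders that are pending, on-hold, failed or cancelled (filterable through `woocommerce_valid_order_statuses_for_payment_complete`), so a custom "authorized" status would need to be added there.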

I understand. I saw another issue with ApplePay not supporting "mada" network. How can we add this support?