Add support for CheckoutSession #129
…and composer.lock
| ->setShopOrderId( $order_id ) | ||
| ->setAmount( round( $amount, 2 ) ) | ||
| ->setCurrency( $currency ) | ||
| ->setSessionId( $order->get_order_key() ); |
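Review bot: `->setSessionId( $order->get_order_key() )` hands the order key itself to the request being built here, so the key is used unchanged as the session identifier. If the identifier only needs to be stable per order, pass a keyed digest of the key instead, for example `hash_hmac( 'sha256', $order->get_order_key(), $secret )` with a server-side secret, and add a comment at this call saying how the id is derived.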
In WooCommerce, the order_key acts as a bearer capability token—anyone with this key can view the order receipt and potentially access customer PII (address, email).
Is this a problem?
Maybe we can create a hash derived from the order_key, so the identifier is always the same, but it can't be used to see order information?
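One way to derive the identifier suggested in the comment above, as an added example that is not code from this pull request: an HMAC of the order key under a server-side secret gives the same value for the same order but does not work as the order key. The function names, the label string, the secret and the sample order key are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not part of the plugin under review.
// $secret is an assumed server-side value that never leaves the site.

/**
 * Stable per-order identifier that cannot be used in place of the order key.
 * The label keeps this use of the secret separate from any other use.
 */
function derive_checkout_session_id(string $order_key, string $secret): string
{
    if ($order_key === '' || $secret === '') {
        throw new InvalidArgumentException('order key and secret are required');
    }
    return hash_hmac('sha256', 'checkout-session-id|' . $order_key, $secret);
}

/**
 * Check a stored session id against the order with the same derivation,
 * compared in constant time. A missing stored value never matches.
 */
function session_id_matches_order(?string $stored, string $order_key, string $secret): bool
{
    if ($stored === null || $stored === '') {
        return false;
    }
    return hash_equals(derive_checkout_session_id($order_key, $secret), $stored);
}

// Constructed sample values for the demonstration.
$secret    = 'constructed-site-secret-for-demo';
$order_key = 'wc_order_AbCdEfGhIjKlM';

$session_id = derive_checkout_session_id($order_key, $secret);

// Same order gives the same id on every call.
var_dump($session_id === derive_checkout_session_id($order_key, $secret));
// The order key is not embedded in the id.
var_dump(strpos($session_id, $order_key) === false);
// A stored derived id is accepted for its order.
var_dump(session_id_matches_order($session_id, $order_key, $secret));
// The raw order key and an empty session are both rejected.
var_dump(session_id_matches_order($order_key, $order_key, $secret));
var_dump(session_id_matches_order(null, $order_key, $secret));
```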
| } else { | ||
| $renewal_order->payment_complete(); |
| $sessionId = WC()->session->get( 'altapay_checkout_session_id' ); | ||
| if ( $sessionId !== $order->get_order_key() ) { | ||
| $sessionId = null; | ||
| } |
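Review bot: the mismatch branch of `if ( $sessionId !== $order->get_order_key() )` sets `$sessionId = null;` without recording anything, so a discarded session leaves no trace when the flow fails later. Log the mismatch without writing either value to the log, and move the rule for what counts as a valid session id into one helper shared with the `setSessionId()` call so the two places cannot drift apart.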
Is this the right approach?
If for any reason a session is created at a time when WooCommerce is upgraded, changing the order_key, or we deploy a change that changes the way you define the sessionId, we will see a lot of errors in the flow.
Once the session is created and established, why not rely on that session, even if it does not have the predefined format you expected?
No description provided.