Return 200 OK on IDs not known in the system #14
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
As stated in the Mollie docs: "To not leak any information to malicious third parties, it is recommended to return a 200 OK response even if the ID is not known to your system."
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR touches code in the Webhook.
When the webhook is called with an ID which is not in the backend, it returns a 409 HTTP status code. This reveals that the ID of that transaction does not belong to the merchant. As stated in the Mollie docs:
"To not leak any information to malicious third parties, it is recommended to return a 200 OK response even if the ID is not known to your system."
Because of this, I have deleted the lines of code which change the response code to 409 HTTP response when the order id did not match with any order id in the backend. Checked a few other integrations and they seem to do this properly (always return 200 OK).
Scenario to test this code:
Once installed, call the webhook of the webshop with any transaction/order id. The webhook should return a 200 OK even if the transaction is not in the backend.
<3 From Mollie TS