Merge remote-tracking branch 'origin/release/9.5.1' into trunk

annemirasol · annemirasol · commit 1dff8743b8e5 · 2025-05-17T14:39:08.000-05:00
diff --git a/changelog.txt b/changelog.txt
@@ -1,5 +1,11 @@
 *** Changelog ***
 
+= 9.5.1 - 2025-05-17 =
+* Fix - Add a fetch cooldown to the payment method configuration retrieval endpoint to prevent excessive requests.
+* Fix - Prevent further Stripe API calls if API keys are invalid (401 response).
+* Fix - Stop checking for detached subscriptions for admin users, as it was slowing down wp-admin.
+* Fix - Fix fatal error when checking for a payment method availability using a specific order ID.
+
 = 9.5.0 - 2025-05-13 =
 * Fix - Fixes the listing of payment methods on the classic checkout when the Optimized Checkout is enabled.
 * Fix - Fixes the availability of WeChat Pay when the Optimized Checkout is enabled on the block checkout. Removes it from the classic/shortcode checkout to avoid issues.
diff --git a/client/settings/account-details/index.js b/client/settings/account-details/index.js
@@ -133,11 +133,11 @@ const AccountDetails = () => {
 					{ createInterpolateElement(
 						isTestModeEnabled
 							? __(
-									"Seems like the test API keys we've saved for you are no longer valid. If you recently updated them, use the <strong>Configure Connection</strong> button below to reconnect.",
+									"We couldn't connect to your account, it seems like the test API keys we've saved for you are no longer valid. Please use the <strong>Configure connection</strong> button below to reconnect.",
 									'woocommerce-gateway-stripe'
 							  )
 							: __(
-									"Seems like the live API keys we've saved for you are no longer valid. If you recently updated them, use the <strong>Configure Connection</strong> button below to reconnect.",
+									"We couldn't connect to your account, it seems like the live API keys we've saved for you are no longer valid. Please use the <strong>Configure connection</strong> button below to reconnect.",
 									'woocommerce-gateway-stripe'
 							  ),
 						{
diff --git a/client/settings/stripe-auth-account/account-status-panel.js b/client/settings/stripe-auth-account/account-status-panel.js
@@ -150,7 +150,7 @@ const getAccountStatus = ( accountKeys, data, testMode ) => {
 		},
 	};
 
-	if ( ! hasKeys ) {
+	if ( ! hasKeys || data?.account === null ) {
 		return accountStatusMap.disconnected;
 	}
 
diff --git a/includes/admin/class-wc-stripe-admin-notices.php b/includes/admin/class-wc-stripe-admin-notices.php
@@ -66,11 +66,6 @@ public function admin_notices() {
 		// All other payment methods.
 		$this->payment_methods_check_environment();
 
-		// Subscription related checks.
-		if ( WC_Stripe_Subscriptions_Helper::is_subscriptions_enabled() ) {
-			$this->subscriptions_check_environment();
-		}
-
 		foreach ( (array) $this->notices as $notice_key => $notice ) {
 			echo '<div class="' . esc_attr( $notice['class'] ) . '" style="position:relative;">';
 
@@ -467,8 +462,11 @@ public function payment_methods_check_environment() {
 	 * Environment check for subscriptions.
 	 *
 	 * @return void
+	 *
+	 * @deprecated 9.6.0 This method is no longer used and will be removed in a future version.
 	 */
 	public function subscriptions_check_environment() {
+		_deprecated_function( __METHOD__, '9.6.0' );
 		$options = WC_Stripe_Helper::get_stripe_settings();
 		if ( 'yes' === ( $options['enabled'] ?? null ) && 'no' !== get_option( 'wc_stripe_show_subscriptions_notice' ) ) {
 			$subscriptions     = WC_Stripe_Subscriptions_Helper::get_some_detached_subscriptions();
diff --git a/includes/class-wc-stripe-api.php b/includes/class-wc-stripe-api.php
@@ -16,6 +16,20 @@ class WC_Stripe_API {
 	const ENDPOINT           = 'https://api.stripe.com/v1/';
 	const STRIPE_API_VERSION = '2024-06-20';
 
+	/**
+	 * The test mode invalid API keys option key.
+	 *
+	 * @var string
+	 */
+	const TEST_MODE_INVALID_API_KEYS_OPTION_KEY = 'wc_stripe_test_invalid_api_keys_detected';
+
+	/**
+	 * The live mode invalid API keys option key.
+	 *
+	 * @var string
+	 */
+	const LIVE_MODE_INVALID_API_KEYS_OPTION_KEY = 'wc_stripe_live_invalid_api_keys_detected';
+
 	/**
 	 * Secret API Key.
 	 *
@@ -231,6 +245,13 @@ public static function request( $request, $api = 'charges', $method = 'POST', $w
 	 * @param string $api
 	 */
 	public static function retrieve( $api ) {
+		// If we have an option flag indicating that the secret key is not valid, we don't attempt the API call and we return an error.
+		$invalid_api_keys_option_key = WC_Stripe_Mode::is_test() ? self::TEST_MODE_INVALID_API_KEYS_OPTION_KEY : self::LIVE_MODE_INVALID_API_KEYS_OPTION_KEY;
+		$invalid_api_keys_detected = get_option( $invalid_api_keys_option_key );
+		if ( $invalid_api_keys_detected ) {
+			return null; // The UI expects this empty response in case of invalid API keys.
+		}
+
 		WC_Stripe_Logger::log( "{$api}" );
 
 		$response = wp_safe_remote_get(
@@ -242,6 +263,18 @@ public static function retrieve( $api ) {
 			]
 		);
 
+		// If we get a 401 error, we know the secret key is not valid.
+		if ( is_array( $response ) && isset( $response['response'] ) && is_array( $response['response'] ) && isset( $response['response']['code'] ) && 401 === $response['response']['code'] ) {
+			// We save a flag in the options to avoid making calls until the secret key gets updated.
+			update_option( $invalid_api_keys_option_key, true );
+			update_option( $invalid_api_keys_option_key . '_at', time() );
+
+			// We delete the transient for the account data to trigger the not-connected UI in the admin dashboard.
+			delete_transient( WC_Stripe_Mode::is_test() ? WC_Stripe_Account::TEST_ACCOUNT_OPTION : WC_Stripe_Account::LIVE_ACCOUNT_OPTION );
+
+			return null; // The UI expects this empty response in case of invalid API keys.
+		}
+
 		if ( is_wp_error( $response ) || empty( $response['body'] ) ) {
 			WC_Stripe_Logger::log( 'Error Response: ' . print_r( $response, true ) );
 			return new WP_Error( 'stripe_error', __( 'There was a problem connecting to the Stripe API endpoint.', 'woocommerce-gateway-stripe' ) );
diff --git a/includes/class-wc-stripe-payment-method-configurations.php b/includes/class-wc-stripe-payment-method-configurations.php
@@ -51,36 +51,64 @@ class WC_Stripe_Payment_Method_Configurations {
 	 */
 	const CONFIGURATION_CACHE_TRANSIENT_EXPIRATION = 10 * MINUTE_IN_SECONDS;
 
+	/**
+	 * The payment method configuration fetch cooldown option key.
+	 */
+	const FETCH_COOLDOWN_OPTION_KEY = 'wcstripe_payment_method_config_fetch_cooldown';
+
 	/**
 	 * Get the merchant payment method configuration in Stripe.
 	 *
 	 * @param bool $force_refresh Whether to force a refresh of the payment method configuration from Stripe.
 	 * @return object|null
 	 */
 	private static function get_primary_configuration( $force_refresh = false ) {
-		if ( ! $force_refresh ) {
+		// Only allow fetching payment configuration once per minute.
+		$fetch_cooldown = get_option( self::FETCH_COOLDOWN_OPTION_KEY, 0 );
+		$is_in_cooldown = $fetch_cooldown > time();
+		if ( ! $force_refresh || $is_in_cooldown ) {
 			$cached_primary_configuration = self::get_payment_method_configuration_from_cache();
 			if ( $cached_primary_configuration ) {
 				return $cached_primary_configuration;
 			}
+
+			// If we are hitting the API too much, and our main cache is not working, use the fallback cache.
+			if ( $is_in_cooldown ) {
+				$fallback_cache = self::get_payment_method_configuration_from_cache( true );
+				if ( $fallback_cache ) {
+					return $fallback_cache;
+				}
+			}
+
+			// Intentionally fall through to fetching the data from Stripe if we don't have it locally,
+			// even when $force_refresh = false and/or $is_in_cooldown is true.
+			// We _need_ the payment method configuration for things to work as expected,
+			// so we will fetch it if we don't have anything locally.
 		}
 
+		update_option( self::FETCH_COOLDOWN_OPTION_KEY, time() + MINUTE_IN_SECONDS );
+
 		return self::get_payment_method_configuration_from_stripe();
 	}
 
 	/**
 	 * Get the payment method configuration from cache.
 	 *
+	 * @param bool $use_fallback Whether to use the fallback cache if the transient is not available.
+	 *
 	 * @return object|null
 	 */
-	private static function get_payment_method_configuration_from_cache() {
+	private static function get_payment_method_configuration_from_cache( $use_fallback = false ) {
 		if ( null !== self::$primary_configuration ) {
 			return self::$primary_configuration;
 		}
 
-		$cache_key = WC_Stripe_Mode::is_test() ? self::TEST_MODE_CONFIGURATION_CACHE_TRANSIENT_KEY : self::LIVE_MODE_CONFIGURATION_CACHE_TRANSIENT_KEY;
+		$cache_key                    = WC_Stripe_Mode::is_test() ? self::TEST_MODE_CONFIGURATION_CACHE_TRANSIENT_KEY : self::LIVE_MODE_CONFIGURATION_CACHE_TRANSIENT_KEY;
 		$cached_primary_configuration = get_transient( $cache_key );
 		if ( false === $cached_primary_configuration || null === $cached_primary_configuration ) {
+			if ( $use_fallback ) {
+				return get_option( $cache_key );
+			}
 			return null;
 		}
 
@@ -93,8 +121,9 @@ private static function get_payment_method_configuration_from_cache() {
 	 */
 	public static function clear_payment_method_configuration_cache() {
 		self::$primary_configuration = null;
-		$cache_key = WC_Stripe_Mode::is_test() ? self::TEST_MODE_CONFIGURATION_CACHE_TRANSIENT_KEY : self::LIVE_MODE_CONFIGURATION_CACHE_TRANSIENT_KEY;
+		$cache_key                   = WC_Stripe_Mode::is_test() ? self::TEST_MODE_CONFIGURATION_CACHE_TRANSIENT_KEY : self::LIVE_MODE_CONFIGURATION_CACHE_TRANSIENT_KEY;
 		delete_transient( $cache_key );
+		delete_option( $cache_key );
 	}
 
 	/**
@@ -104,8 +133,11 @@ public static function clear_payment_method_configuration_cache() {
 	 */
 	private static function set_payment_method_configuration_cache( $configuration ) {
 		self::$primary_configuration = $configuration;
-		$cache_key = WC_Stripe_Mode::is_test() ? self::TEST_MODE_CONFIGURATION_CACHE_TRANSIENT_KEY : self::LIVE_MODE_CONFIGURATION_CACHE_TRANSIENT_KEY;
+		$cache_key                   = WC_Stripe_Mode::is_test() ? self::TEST_MODE_CONFIGURATION_CACHE_TRANSIENT_KEY : self::LIVE_MODE_CONFIGURATION_CACHE_TRANSIENT_KEY;
 		set_transient( $cache_key, $configuration, self::CONFIGURATION_CACHE_TRANSIENT_EXPIRATION );
+
+		// To be used as fallback if we are in API cooldown and the transient is not available.
+		update_option( $cache_key, $configuration );
 	}
 
 	/**
@@ -115,11 +147,7 @@ private static function set_payment_method_configuration_cache( $configuration )
 	 */
 	private static function get_payment_method_configuration_from_stripe() {
 		$result         = WC_Stripe_API::get_instance()->get_payment_method_configurations();
-		$configurations = $result->data ?? null;
-
-		if ( ! $configurations ) {
-			return null;
-		}
+		$configurations = $result->data ?? [];
 
 		// When connecting to the WooCommerce Platform account a new payment method configuration is created for the merchant.
 		// This new payment method configuration has the WooCommerce Platform payment method configuration as parent, and inherits it's default payment methods.
diff --git a/includes/compat/class-wc-stripe-subscriptions-helper.php b/includes/compat/class-wc-stripe-subscriptions-helper.php
@@ -27,8 +27,11 @@ public static function is_subscriptions_enabled() {
 	 * Loads up to 50 subscriptions, and attempts to return up to 5 of those that are detached from the customer.
 	 *
 	 * @return array
+	 *
+	 * @deprecated 9.6.0 This method is no longer used and will be removed in a future version.
 	 */
 	public static function get_some_detached_subscriptions() {
+		_deprecated_function( __METHOD__, '9.6.0' );
 		// Check if we have a cached result.
 		$cached_subscriptions = get_transient( self::DETACHED_SUBSCRIPTIONS_TRANSIENT_KEY );
 		if ( ! empty( $cached_subscriptions ) ) {
diff --git a/includes/connect/class-wc-stripe-connect.php b/includes/connect/class-wc-stripe-connect.php
@@ -183,6 +183,11 @@ private function save_stripe_keys( $result, $type = 'connect', $mode = 'live' )
 			update_option( 'wc_stripe_' . $prefix . 'oauth_failed_attempts', 0 );
 			update_option( 'wc_stripe_' . $prefix . 'oauth_last_failed_at', '' );
 
+			// Clear the invalid API keys transient.
+			$invalid_api_keys_option_key = $is_test ? WC_Stripe_API::TEST_MODE_INVALID_API_KEYS_OPTION_KEY : WC_Stripe_API::LIVE_MODE_INVALID_API_KEYS_OPTION_KEY;
+			update_option( $invalid_api_keys_option_key, false );
+			update_option( $invalid_api_keys_option_key . '_at', time() );
+
 			if ( 'app' === $type ) {
 				// Stripe App OAuth access_tokens expire after 1 hour:
 				// https://docs.stripe.com/stripe-apps/api-authentication/oauth#refresh-access-token
diff --git a/includes/payment-methods/class-wc-stripe-upe-payment-method.php b/includes/payment-methods/class-wc-stripe-upe-payment-method.php
@@ -287,9 +287,8 @@ public function is_enabled_at_checkout( $order_id = null, $account_domestic_curr
 		$currencies             = $this->get_supported_currencies();
 		if ( ! empty( $currencies ) ) {
 			if ( is_wc_endpoint_url( 'order-pay' ) && isset( $_GET['key'] ) ) {
-				$order          = wc_get_order( $order_id ? $order_id : absint( get_query_var( 'order-pay' ) ) );
-				$order_currency = $order->get_currency();
-				if ( ! in_array( $order_currency, $currencies, true ) ) {
+				$order = wc_get_order( $order_id ? $order_id : absint( get_query_var( 'order-pay' ) ) );
+				if ( ! $order || ! in_array( $order->get_currency(), $currencies, true ) ) {
 					return false;
 				}
 			} elseif ( ! in_array( $current_store_currency, $currencies, true ) ) {
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "woocommerce-gateway-stripe",
   "title": "WooCommerce Gateway Stripe",
-  "version": "9.5.0",
+  "version": "9.5.1",
   "license": "GPL-3.0",
   "homepage": "http://wordpress.org/plugins/woocommerce-gateway-stripe/",
   "repository": {
diff --git a/phpunit.xml.dist b/phpunit.xml.dist
@@ -25,5 +25,4 @@
 			<html outputDirectory="phpunit-html"/>
 		</report>
 	</coverage>
-
 </phpunit>
diff --git a/readme.txt b/readme.txt
@@ -4,7 +4,7 @@ Tags: credit card, stripe, payments, woocommerce, automattic
 Requires at least: 6.6
 Tested up to: 6.8
 Requires PHP: 7.4
-Stable tag: 9.5.0
+Stable tag: 9.5.1
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
 Attributions: thorsten-stripe
@@ -110,70 +110,10 @@ If you get stuck, you can ask for help in the [Plugin Forum](https://wordpress.o
 
 == Changelog ==
 
-= 9.5.0 - 2025-05-13 =
-
-**New Features**
-
-* Synchronize payment methods with the Stripe dashboard - if you've connected to Stripe, changes in payment methods are synchronized between the plugin and your Stripe dashboard. Changes from the Stripe dashboard may take a few minutes to flow through to shoppers.
-* Support Pre-authorized Debit (PAD) payments in Canada and the US
-* Support BLIK payments in Poland and from other EU countries
-* Support BECS Direct Debit payments in Australia
-
-**Important Fixes and Updates**
-
-* Update - Add express checkout support for One Page Checkout and other dynamic cart update scenarios
-* Fix - Show error notice when 'Add payment method' fails on My Account page in block-based themes
-* Add - Add WordPress Action for processing payments with delayed charge attempts due to pre-debit notification period
-* Fix - Add caching for the Stripe Payment Method Configuration API
-* Fix - Prevent deletion of webhooks for other tools
-* Update - Add support for customer order notes and express checkout
-* Add - New filter to allow merchants to bypass the default visibility of the express payment method buttons when taxes are based on customer's billing address (`wc_stripe_should_hide_express_checkout_button_based_on_tax_setup`)
-* Fix - Improves the subscriptions detached admin notice, making it less intrusive and limiting the querying to 5 subscriptions (avoiding slow loading times)
-* Fix - Fixes an issue where the order signature retrieval method could throw a fatal error when the received order parameter is actually an OrderRefund object (instead of a `WC_Order`)
-* Fix - Fixes a possible fatal error when a product added to the cart cannot be found (with Payment Request Buttons)
-* Fix - Fixed subscription features not being properly registered when hooks were already attached
-* Add - Expand Klarna support to some additional countries in EEA
-* Update - Hide express checkout buttons when no product variation is selected
-* Fix - Express checkout error when using extensions that reduce total cart amount (e.g. Gift Cards)
-* Fix - Checkout page focus loss
-* Fix - Updated payment method radio button selector to correctly find the selected payment method in different themes
-* Fix - Add `wc_stripe_generate_create_intent_request` filter to support mandate information in setup intent creation
-* Fix - Prepare mandate data from subscription object on change payment method page
-
-**Other Fixes**
-
-* Fix - Checks for the existence of the `WC_Stripe_Feature_Flags` class before including it during extension initialization
-* Fix - Prevents fatal errors for cases where we fail to load product details
-* Fix - Address an edge case with webhook URL comparisons
-* Add - Only show payment methods in Stripe settings that are available for the connected Stripe account
-* Fix - Show correct gateway name in non payments settings pages
-* Fix - Fixes the Stripe checkout container visuals when Smart Checkout is disabled
-* Fix - Prevent reuse of payment intents when order total doesn't match intent amount
-* Fix - Fix invalid IP address error encountered during mandate data creation
-* Fix - Compatibility with email preview in the Auth Requested email
-* Update - Update Alipay and bank debit icons
-* Tweak - Update payment method type check for `charge.succeeded` webhook
-* Add - Disable unsupported payment methods in Stripe settings
-* Update - Update handling of Puerto Rico as a country in the terminal locations endpoint
-* Fix - Fix express checkout button width in shortcode cart page
-* Fix - Translation warning when initializing the status page information
-* Update - Remove unused express checkout button tracking
-* Tweak - Add save payment method parameter to update intent call for non-deferred intent payment methods
-* Update - Back button on the settings pages
-* Update - Use individual product tax status instead of storewide tax setup when determining express checkout availability
-* Dev - Add tracking events when enabling/disabling payment methods.
-
-**Internal Changes and Upcoming Features**
-
-* Feature - Work to support Optimized Checkout
-* Feature - Work to support Amazon Pay
-* Dev - Splits the code coverage GitHub Actions Workflow into two separate actions
-* Dev - Updates the Code Sniffer package to version 1.0.0.
-* Dev - Minor fix to e2e setup code
-* Dev - Make PHP error log from Docker container available in docker/logs/php/error.log
-* Dev - Do not generate filenames with underscores
-* Dev - Replaces references to order status values with their respective constants from the WooCommerce plugin.
-* Dev - Introduce new payment method constants for the express methods: Google Pay, Apple Pay, Link, and Amazon Pay (backend version)
-* Dev - Improves how we handle express payment method titles by introducing new constants and methods to replace duplicate code.
+= 9.5.1 - 2025-05-17 =
+* Fix - Add a fetch cooldown to the payment method configuration retrieval endpoint to prevent excessive requests.
+* Fix - Prevent further Stripe API calls if API keys are invalid (401 response).
+* Fix - Stop checking for detached subscriptions for admin users, as it was slowing down wp-admin.
+* Fix - Fix fatal error when checking for a payment method availability using a specific order ID.
 
 [See changelog for full details across versions](https://raw.githubusercontent.com/woocommerce/woocommerce-gateway-stripe/trunk/changelog.txt).
diff --git a/tests/phpunit/compat/test-class-wc-stripe-subscriptions-helper.php b/tests/phpunit/compat/test-class-wc-stripe-subscriptions-helper.php
diff --git a/tests/phpunit/test-class-wc-stripe-api.php b/tests/phpunit/test-class-wc-stripe-api.php
diff --git a/woocommerce-gateway-stripe.php b/woocommerce-gateway-stripe.php

Original file line number	Diff line number	Diff line change
`@@ -133,11 +133,11 @@ const AccountDetails = () => {`
`133`	`133`	`{ createInterpolateElement(`
`134`	`134`	`isTestModeEnabled`
`135`	`135`	`? __(`
`136`		`- "Seems like the test API keys we've saved for you are no longer valid. If you recently updated them, use the <strong>Configure Connection</strong> button below to reconnect.",`
	`136`	`+ "We couldn't connect to your account, it seems like the test API keys we've saved for you are no longer valid. Please use the <strong>Configure connection</strong> button below to reconnect.",`
`137`	`137`	`'woocommerce-gateway-stripe'`
`138`	`138`	`)`
`139`	`139`	`: __(`
`140`		`- "Seems like the live API keys we've saved for you are no longer valid. If you recently updated them, use the <strong>Configure Connection</strong> button below to reconnect.",`
	`140`	`+ "We couldn't connect to your account, it seems like the live API keys we've saved for you are no longer valid. Please use the <strong>Configure connection</strong> button below to reconnect.",`
`141`	`141`	`'woocommerce-gateway-stripe'`
`142`	`142`	`),`
`143`	`143`	`{`
Original file line number	Diff line number	Diff line change
`@@ -150,7 +150,7 @@ const getAccountStatus = ( accountKeys, data, testMode ) => {`
`150`	`150`	`},`
`151`	`151`	`};`
`152`	`152`
`153`		`- if ( ! hasKeys ) {`
	`153`	`+ if ( ! hasKeys \|\| data?.account === null ) {`
`154`	`154`	`return accountStatusMap.disconnected;`
`155`	`155`	`}`
`156`	`156`