Payments using the Express Checkout Element fail if card testing prevention is enabled #8981

Closed
asumaran opened this issue Jun 18, 2024 · 10 comments · Fixed by #8987
Labels
focus: fraud tools type: bug The issue is a confirmed bug.

Comments

@asumaran
Contributor

asumaran commented Jun 18, 2024

Describe the bug

Originally reported by @ricardo in #8937 (comment). A site with the Fraud Prevention Service enabled fails to checkout using the Express Checkout Element.

To Reproduce

  • In the WP folder of your local server run the following command to enable the card testing protection service:
    wp wcpay set_account_meta 233401173 --key=card_testing_prevention_enabled --value=1
    
  • Go to "WCPay Dev" in the admin area of the merchant store.
  • Click "clear" to refresh the account data. Confirm card_testing_protection_eligible is set to true
  • Enable ECE by running the following command in the merchant's WP folder:
    wp option update _wcpay_feature_stripe_ece 1
    
  • Attempt a purchase using Google Pay or Apple Pay.

Actual behavior

Error message is shown: "We're not able to process this payment. Please refresh the page and try again." on checking out using ECE.

Expected behavior

Payment should finish without issues and no error should be displayed.

@vbelolapotkov
Collaborator

@dwainm although it's focused on checkout, I think it's a better fit for your team due to carding prevention involved. Could you please prioritize it and take a look?

@asumaran
Contributor Author

asumaran commented Jun 19, 2024

It would be ideal if we could confirm whether this is a legitimate issue or if it only occurs when using the local server.

@dwainm
Contributor

dwainm commented Jun 20, 2024

Sure @vbelolapotkov, we'll take a look at it.

@tpaksu
Contributor

tpaksu commented Jun 25, 2024

@asumaran hey 👋 I think you forgot to send the card testing nonce in the checkout data to the server, which is added to the page when the card testing prevention is enabled, and checked by the server. That might be the cause of it. If you have capacity to solve it by looking at the previous code to see how it was sent, feel free to own the issue; otherwise, you'd need to help us set up ECE on our locals :)

@tpaksu
Contributor

tpaksu commented Jun 25, 2024

Also FYI, I added a setting to the WCPay dev tools plugin that mimics the card testing prevention flag as activated on the client. You can use that option to test this scenario too.

@asumaran
Contributor Author

@tpaksu I've noticed that the wcpay-fraud-prevention-token is defined on the cart and checkout pages, but it’s missing from the product page. When the token is present, the checkout process completes smoothly.

I'll address this for ECEs (and PRBs) as I'm currently handling it.

asumaran self-assigned this Jun 25, 2024
@asumaran
Contributor Author

asumaran commented Jun 25, 2024

The token isn't being added to the product page

// Don't add the token if the user isn't on the cart or checkout page.
// Checking the cart page too because the user can pay quickly via the payment buttons on that page.
if ( ! is_checkout() && ! is_cart() ) {
	return;
}

@asumaran
Contributor Author

I'll submit the fix as part of #8987

@tpaksu
Contributor

tpaksu commented Jun 26, 2024

Thanks for the confirmation, the digging, and finding the fix @asumaran! Let me know if you need anything.

@asumaran
Contributor Author

Just FYI: The wcpay-fraud-prevention-token token was also missing from the Pay for order page. I'm fixing it here
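
Added example, not part of the thread and not WooPayments code: a simplified PHP model of the token flow discussed above, assuming the prevention service is enabled. It lists which pages with express payment buttons would have a payment rejected under the gate quoted earlier (token only on cart and checkout) and after widening it to the product and Pay for order pages. All function, constant and page names are hypothetical.

```php
<?php
// Simplified model of the fraud-prevention token flow; not WooPayments code.
// Function, constant and page names are hypothetical.

// Pages on which express payment buttons can start a payment, per the thread.
const EXPRESS_BUTTON_PAGES = ['product', 'cart', 'checkout', 'pay_for_order'];

// Server side, page render: returns the token embedded in the page, or null.
function render_token(string $page, array &$session, array $token_pages): ?string {
    if (!in_array($page, $token_pages, true)) {
        return null; // same kind of early return as the gate quoted in the thread
    }
    $session['fraud_token'] ??= bin2hex(random_bytes(16));
    return $session['fraud_token'];
}

// Server side, payment request: reject when the token is missing or wrong.
function verify_token(?string $sent, array $session): bool {
    $expected = $session['fraud_token'] ?? null;
    return is_string($sent) && is_string($expected) && hash_equals($expected, $sent);
}

// Returns the express-button pages from which a payment would be rejected.
function failing_pages(array $token_pages): array {
    $failing = [];
    foreach (EXPRESS_BUTTON_PAGES as $page) {
        $session = []; // fresh shopper session for each page
        $token = render_token($page, $session, $token_pages);
        // The client can only send back what the page gave it.
        if (!verify_token($token, $session)) {
            $failing[] = $page;
        }
    }
    return $failing;
}

// Gate from the issue: token emitted only on cart and checkout.
echo 'rejected before: ', implode(', ', failing_pages(['cart', 'checkout'])), PHP_EOL;

// Gate widened to every page that shows the buttons.
$after = failing_pages(EXPRESS_BUTTON_PAGES);
echo 'rejected after:  ', $after ? implode(', ', $after) : '(none)', PHP_EOL;
```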
