feat: rate limit checkout attempts #3678
Conversation
dkoo
added
the
[Status] Needs Review
|
@miguelpeixe refactored this to use |
There was a problem hiding this comment.
Nice work @dkoo!
Works as described. Just one question regarding whether we should be including successful transactions here.
If I do something like make a successful donation, then decide to purchase a monthly subscription product, I have to wait rate limit duration.
It's probably unlikely readers will do these things back to back like this in such a short time, but just in case, should we not trigger the rate limit on successful transactions? Or is there a scenario where a bad actor might want to flood a site with successful orders?
|
Great question! My thinking was that in a card-testing scenario, some of the tested cards might result in successful orders, so we should still rate limit those. |
There was a problem hiding this comment.
My thinking was that in a card-testing scenario, some of the tested cards might result in successful orders, so we should still rate limit those.
Makes sense, although I don't think we would see back to back successful tested cards. Rate limiting the failures is probably good enough right? The only scenario where this might be necessary is if the successful card is reused, which I don't think would happen, but am not sure if there is some strategy I'm not aware of.
My concern is we inadvertently create friction for more real readers than we are for these card testing attackers.
I'm not super familiar with these attacks though, so will defer to you and approve this. Its still worth noting we should look out for reports from real readers in the future.
github-actions
bot
added
[Status] Approved
|
That's definitely a valid concern. I suspect that a reader is extremely unlikely to attempt two real transactions within a 60-second period, but let's stay vigilant for publisher/reader complaints. |
|
Hey @dkoo, good job getting this PR merged! 🎉 Now, the Please check if this PR needs to be included in the "Upcoming Changes" and "Release Notes" doc. If it doesn't, simply remove the label. If it does, please add an entry to our shared document, with screenshots and testing instructions if applicable, then remove the label. Thank you! ❤️ |
# [5.13.0-alpha.1](v5.12.2...v5.13.0-alpha.1) (2025-01-23) ### Bug Fixes * add supported gateways check ([#3650](#3650)) ([74f7773](74f7773)) * **corrections:** replace deprecated sanitize method ([#3694](#3694)) ([ce50e24](ce50e24)) * remove support for legacy form checkout ([#3691](#3691)) ([46a3c16](46a3c16)) * **wcs:** expire manual subscriptions after on-hold duration ([#3681](#3681)) ([658416c](658416c)) ### Features * add custom bylines ([#3667](#3667)) ([3f45a6f](3f45a6f)) * rate limit checkout attempts ([#3678](#3678)) ([d275524](d275524))
|
🎉 This PR is included in version 5.13.0-alpha.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
# [5.13.0](v5.12.5...v5.13.0) (2025-02-03) ### Bug Fixes * add supported gateways check ([#3650](#3650)) ([74f7773](74f7773)) * **corrections:** replace deprecated sanitize method ([#3694](#3694)) ([ce50e24](ce50e24)) * remove support for legacy form checkout ([#3691](#3691)) ([46a3c16](46a3c16)) * **wcs:** expire manual subscriptions after on-hold duration ([#3681](#3681)) ([658416c](658416c)) ### Features * add custom bylines ([#3667](#3667)) ([3f45a6f](3f45a6f)) * rate limit checkout attempts ([#3678](#3678)) ([d275524](d275524)) * **reader-revenue:** add PayPal Payments gateway to wizard ([#3665](#3665)) ([1476eed](1476eed))
|
🎉 This PR is included in version 5.13.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
All Submissions:
Changes proposed in this Pull Request:
Adds support for rate limiting checkout attempts by user. If a
NEWSPACK_CHECKOUT_RATE_LIMITenvironment constant is defined as an integer, checkout attempts that occur within that number of seconds of a prior checkout attempt by the same user (if logged in) or IP (if not logged in) will be rejected before WooCommerce sends payment info to any payment gateways.If WooCommerce detects any other checkout validation errors that would prevent the checkout from occurring (such as missing required fields), we won't count this as a checkout attempt, so that readers can attempt successive checkouts in order to correct errors without being rate limited. So in practice, only successful transactions and checkout requests which would result in declined payments should be rate-limited.
The mechanism used is WooCommerce's built-in
WC_Rate_Limiterutility. This offers a lightweight API to check and limit the rate of particular actions by arbitrary ID string.Also adds rate-limiting for adding new payment methods in My Account, but because of how this feature is split between the main WooCommerce plugin and many payment gateway extension plugins, it doesn't necessarily rate limit declined payment methods (thus still allowing for card testing with some payment gateways). This will need to be handled in a separate PR, possibly via JS since each payment method behaves differently when deciding when/whether to contact the payment processor.
How to test the changes in this Pull Request:
wp-config.php, defineNEWSPACK_CHECKOUT_RATE_LIMITas something long enough for manual testing like60or90.Please wait a moment before trying to complete this transaction again.Testing rate-limiting of adding new payment methods
/my-account/add-payment-methodsince this URL isn't blocked even if the menu item is hidden).Please wait a moment before trying to add a new payment methoderror message. (Note that the error message may flash and disappear after a moment, but this seems to be a Woo/My Account bug and isn't related to the changes in this PR.)Other information: