tweak: 'add payment method page' to honor WC rate limiter (#3810)

woocommerce · Feb 3, 2025 · 1d1f364 · 1d1f364
1 parent 47fd9cd
commit 1d1f364
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 2 deletions.
diff --git a/changelog.txt b/changelog.txt
@@ -1,6 +1,7 @@
 *** Changelog ***
 
 = 9.2.0 - xxxx-xx-xx =
+* Tweak - Use WC Core's rate limiter on "Add payment method" page.
 * Dev - Introduces new payment intent status constants for the frontend.
 * Fix - Fix Stripe customer creation when using the Blocks API for express checkout.
 * Add - Add new payment processing flow using confirmation tokens.

diff --git a/includes/class-wc-stripe-intent-controller.php b/includes/class-wc-stripe-intent-controller.php
@@ -205,6 +205,21 @@ public function create_setup_intent() {
 			return;
 		}
 
+		// similar rate limiter is present in WC Core, but it's executed on page submission (and not on AJAX calls).
+		$wc_add_payment_method_rate_limit_id = 'add_payment_method_' . get_current_user_id();
+		if ( WC_Rate_Limiter::retried_too_soon( $wc_add_payment_method_rate_limit_id ) ) {
+			echo wp_json_encode(
+				[
+					'status' => 'error',
+					'error'  => [
+						'type'    => 'setup_intent_error',
+						'message' => __( 'Failed to save payment method.', 'woocommerce-gateway-stripe' ),
+					],
+				]
+			);
+			exit;
+		}
+
 		try {
 			$source_id = wc_clean( wp_unslash( $_POST['stripe_source_id'] ) );
 
@@ -1034,9 +1049,13 @@ public function create_and_confirm_setup_intent( $payment_information ) {
 	 * @throws Exception If the AJAX request is missing the required data or if there's an error creating and confirming the setup intent.
 	 */
 	public function create_and_confirm_setup_intent_ajax() {
-		$setup_intent = null;
-
 		try {
+			// similar rate limiter is present in WC Core, but it's executed on page submission (and not on AJAX calls).
+			$wc_add_payment_method_rate_limit_id = 'add_payment_method_' . get_current_user_id();
+			if ( WC_Rate_Limiter::retried_too_soon( $wc_add_payment_method_rate_limit_id ) ) {
+				throw new WC_Stripe_Exception( 'Failed to save payment method.', __( 'You cannot add a new payment method so soon after the previous one.', 'woocommerce-gateway-stripe' ) );
+			}
+
 			$is_nonce_valid = check_ajax_referer( 'wc_stripe_create_and_confirm_setup_intent_nonce', false, false );
 
 			if ( ! $is_nonce_valid ) {

diff --git a/readme.txt b/readme.txt
@@ -111,6 +111,7 @@ If you get stuck, you can ask for help in the [Plugin Forum](https://wordpress.o
 == Changelog ==
 
 = 9.2.0 - xxxx-xx-xx =
+* Tweak - Use WC Core's rate limiter on "Add payment method" page.
 * Dev - Introduces new payment intent status constants for the frontend.
 * Fix - Fix Stripe customer creation when using the Blocks API for express checkout.
 * Add - Add new payment processing flow using confirmation tokens.