One customer received 2 orders, while paid only once

[matks]

I copy here the report I got because I think it's interesting

We were reported that one customer received 2 orders, while paid only once. basically 2 orders shared same payment transaction.

The issue is related to ps_checkout module and happening when there is a lot of cart_rules rules in the order. Potentially due to this something is lagging

Issue Duplicate Orders with Same Transaction ID in ps_checkout Module

We have observed cases where two separate PrestaShop orders are created for the same PayPal transaction ID multiple time

One Example:

• ps_order_payment.id_order_payment = ... → order_reference ...
• ps_order_payment.id_order_payment = ... → order_reference ...

Both rows share the same transaction_id = ...

This results in customers got two orders while only paying once.

we detail checked the code of module and we found:

PayPal webhooks are not guaranteed to be sent once.
If response is slow (e.g., due to heavy cart rules slowing down getOrderTotal()), PayPal retries the same event.

Missing idempotency check

ps_checkout calls validateOrder() without checking if transaction_id/cart already exists.

modules/ps_checkout/controller/front/webhook.php
The webhook controller (Ps_CheckoutWebhookModuleFrontController) just passes the payload to a WebhookHandler.

modules/ps_checkout/classes/ValidateOrder.php
Then eventually ValidateOrder::validateOrder() calls:

$module->validateOrder(
$payload['cartId'],
$this->getPendingStatusId($payload['paymentMethod']),
$payload['amount'],
$this->getPaymentMessageTranslation($payload['paymentMethod'], $module),
null,
[
'transaction_id' => $response['body']['id'],
],
$payload['currencyId'],
false,
$payload['secureKey']
);

This is where duplicates can happen because:

Nothing checks if $response['body']'id' already exists in ps_order_payment.
Nothing checks if $payload['cartId'] already has an order.

This allows multiple valid PrestaShop orders to be created for the same payment.