Fix QIT warning in WooPay session endpoint

[cesarcosta99]

Fixes #8732.

Changes proposed in this Pull Request

This PR tweaks the WooPay session REST endpoint by replacing a wp_set_current_user approach with an existent approach designed specifically for WooPay.

Testing instructions

Pre-requisites

1. Ensure the WooPay direct checkout flow is enabled: npm run wp option update _wcpay_feature_woopay_direct_checkout 1.
2. As a customer, log in into WooPay, if needed.
3. As a customer, log in into WooPayments, if needed.

Test: current approach to note current user and customer

1. Checkout to develop branch.
2. Ensure you have third party cookies disabled in your browser.
   2.1. Alternatively, you can comment this line. But if you're going down this path you'll need to build the assets: npm run build:client.
3. Navigate to the merchant site, add an item to the cart and navigate to the cart.
4. Enable the debugger on WooPayments and add a breakpoint to this line.
5. Click on the Proceed to checkout button.
6. When you hit the breakpoint, note the user ID and customer ID.
7. After hitting play on the debugger, you should land on the WooPay checkout page.

Test: determine current user approach works as expected

1. Checkout to this branch.
2. Ensure you have third party cookies disabled in your browser.
   2.1. Alternatively, you can comment this line. But if you're going down this path you'll need to build the assets: npm run build:client.
3. Navigate to the merchant site, add an item to the cart and navigate to the cart.
4. Enable the debugger on WooPayments and add a breakpoint to this line.
5. Click on the Proceed to checkout button.
6. When you hit the breakpoint, verify the user ID and customer ID are the same you noted in step 6 in the previous test.
7. After hitting play on the debugger, you should land on the WooPay checkout page.

Test: QIT warning has been fixed

1. Setup QIT tests, if needed.
2. Run npm run test:qit.
3. Analyze the results and make sure the warning reported in [QIT] Warning in class-wc-rest-woopay-session-controller.php #8732 is gone.

---

• Run npm run changelog to add a changelog file, choose patch to leave it empty if the change is not significant. You can add multiple changelog files in one PR by running this command a few times.
• Covered with tests (or have a good reason not to test in description ☝️)
• Tested on mobile (or does not apply)

Post merge

• Link to testing instructions from release testing doc following these instructions : Add link here / 'QA Testing Not Applicable'
• Add or update critical flows and testing instructions for critical flows, if applicable.
• Add what's changed (description, screenshot, demo videos etc.) to the release announcement post, if applicable.

[botwoo]

Test the build

Option 1. Jetpack Beta

• Install and activate Jetpack Beta.
• Use this build by searching for PR number 8760 or branch name fix/8732-qit-warning in your-test.site/wp-admin/admin.php?page=jetpack-beta&plugin=woocommerce-payments

Option 2. Jurassic Ninja - available for logged-in A12s

🚀 Launch a JN site with this branch 🚀

ℹ️ Install this Tampermonkey script to get more options.

---

Build info:

• Latest commit: 980a5b6
• Build time: 2024-05-02 15:38:00 UTC

Note: the build is updated when a new commit is pushed to this PR.

[github-actions]

Size Change: 0 B

Total Size: 1.25 MB

ℹ️ View Unchanged

Filename	Size
release/woocommerce-payments/assets/css/admin.css	1.08 kB
release/woocommerce-payments/assets/css/admin.rtl.css	1.08 kB
release/woocommerce-payments/assets/css/success.css	172 B
release/woocommerce-payments/assets/css/success.rtl.css	172 B
release/woocommerce-payments/dist/blocks-checkout-rtl.css	2.06 kB
release/woocommerce-payments/dist/blocks-checkout.css	2.07 kB
release/woocommerce-payments/dist/blocks-checkout.js	56.3 kB
release/woocommerce-payments/dist/bnpl-announcement-rtl.css	530 B
release/woocommerce-payments/dist/bnpl-announcement.css	531 B
release/woocommerce-payments/dist/bnpl-announcement.js	20 kB
release/woocommerce-payments/dist/cart-block.js	21.4 kB
release/woocommerce-payments/dist/cart.js	4.39 kB
release/woocommerce-payments/dist/checkout-rtl.css	599 B
release/woocommerce-payments/dist/checkout.css	599 B
release/woocommerce-payments/dist/checkout.js	37.5 kB
release/woocommerce-payments/dist/index-rtl.css	40.7 kB
release/woocommerce-payments/dist/index.css	40.6 kB
release/woocommerce-payments/dist/index.js	292 kB
release/woocommerce-payments/dist/multi-currency-analytics.js	1.05 kB
release/woocommerce-payments/dist/multi-currency-rtl.css	3.28 kB
release/woocommerce-payments/dist/multi-currency-switcher-block.js	59.5 kB
release/woocommerce-payments/dist/multi-currency.css	3.29 kB
release/woocommerce-payments/dist/multi-currency.js	54.6 kB
release/woocommerce-payments/dist/order-rtl.css	733 B
release/woocommerce-payments/dist/order.css	735 B
release/woocommerce-payments/dist/order.js	41.8 kB
release/woocommerce-payments/dist/payment-gateways-rtl.css	1.21 kB
release/woocommerce-payments/dist/payment-gateways.css	1.21 kB
release/woocommerce-payments/dist/payment-gateways.js	38.6 kB
release/woocommerce-payments/dist/payment-request-rtl.css	155 B
release/woocommerce-payments/dist/payment-request.css	155 B
release/woocommerce-payments/dist/payment-request.js	12 kB
release/woocommerce-payments/dist/product-details-rtl.css	398 B
release/woocommerce-payments/dist/product-details.css	402 B
release/woocommerce-payments/dist/product-details.js	17.2 kB
release/woocommerce-payments/dist/settings-rtl.css	11.1 kB
release/woocommerce-payments/dist/settings.css	10.9 kB
release/woocommerce-payments/dist/settings.js	201 kB
release/woocommerce-payments/dist/subscription-edit-page.js	669 B
release/woocommerce-payments/dist/subscription-product-onboarding-modal-rtl.css	527 B
release/woocommerce-payments/dist/subscription-product-onboarding-modal.css	527 B
release/woocommerce-payments/dist/subscription-product-onboarding-modal.js	19.4 kB
release/woocommerce-payments/dist/subscription-product-onboarding-toast.js	693 B
release/woocommerce-payments/dist/subscriptions-empty-state-rtl.css	120 B
release/woocommerce-payments/dist/subscriptions-empty-state.css	120 B
release/woocommerce-payments/dist/subscriptions-empty-state.js	18.5 kB
release/woocommerce-payments/dist/tos-rtl.css	235 B
release/woocommerce-payments/dist/tos.css	236 B
release/woocommerce-payments/dist/tos.js	21 kB
release/woocommerce-payments/dist/woopay-direct-checkout.js	4.54 kB
release/woocommerce-payments/dist/woopay-express-button-rtl.css	155 B
release/woocommerce-payments/dist/woopay-express-button.css	155 B
release/woocommerce-payments/dist/woopay-express-button.js	21 kB
release/woocommerce-payments/dist/woopay-rtl.css	4.25 kB
release/woocommerce-payments/dist/woopay.css	4.22 kB
release/woocommerce-payments/dist/woopay.js	69.4 kB
release/woocommerce-payments/includes/subscriptions/assets/css/plugin-page.css	622 B
release/woocommerce-payments/includes/subscriptions/assets/js/plugin-page.js	815 B
release/woocommerce-payments/vendor/automattic/jetpack-assets/build/i18n-loader.js	2.44 kB
release/woocommerce-payments/vendor/automattic/jetpack-assets/src/js/i18n-loader.js	1.01 kB
release/woocommerce-payments/vendor/automattic/jetpack-connection/dist/tracks-ajax.js	522 B
release/woocommerce-payments/vendor/automattic/jetpack-connection/dist/tracks-callables.js	581 B
release/woocommerce-payments/vendor/automattic/jetpack-identity-crisis/babel.config.js	160 B
release/woocommerce-payments/vendor/automattic/jetpack-identity-crisis/build/index.css	2.37 kB
release/woocommerce-payments/vendor/automattic/jetpack-identity-crisis/build/index.js	13.5 kB
release/woocommerce-payments/vendor/automattic/jetpack-identity-crisis/build/index.rtl.css	2.37 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/about.css	1.03 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/admin-empty-state.css	291 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/admin-order-statuses.css	403 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/admin.css	3.6 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/checkout.css	299 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/modal.css	742 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/view-subscription.css	572 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/css/wcs-upgrade.css	411 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/admin-pointers.js	544 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/admin.js	9.4 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/jstz.js	6.8 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/jstz.min.js	3.83 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/meta-boxes-coupon.js	544 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/meta-boxes-subscription.js	2.52 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/moment.js	22.1 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/moment.min.js	11.6 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/payment-method-restrictions.js	1.29 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/admin/wcs-meta-boxes-order.js	502 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/frontend/payment-methods.js	355 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/frontend/single-product.js	429 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/frontend/view-subscription.js	1.38 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/frontend/wcs-cart.js	781 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/modal.js	1.1 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/assets/js/wcs-upgrade.js	1.27 kB
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/build/index.css	392 B
release/woocommerce-payments/vendor/woocommerce/subscriptions-core/build/index.js	3.05 kB

_{compressed-size-action}

[bborman22]

I was able to test this in a few ways and confirmed that it all worked as expected. Some of the ways I tested this:

• Confirmed that adding the URL to the woopay session list allowed it to process the determine_current_user_for_woopay using the Cart Token.
• Confirmed that within get_init_session_request the same $customer_id was returned for each session through multiple attempts as well as through using Direct Checkout, Express Checkout, or OTP modal.
• Confirmed that when testing from the sandbox the has_valid_request_signature was properly verifying or failing the requests.

This seems like a strong move to centralize this logic in one place and removes the warning about a dangerous function and instead uses the more recommended determine_current_user filter.

Overall, everything tested well for me. I had one note about redundancy that you can share your opinion on, but it's not a blocker in my opinion.

[bborman22]

These checks are redundant now, but considering leaving them in as they are low-cost and would prevent accidentally removing them from another place and leaving this open. It also satisfies the goal of having defined check permissions. Let me know what you think though about this redundancy?

[cesarcosta99]

I agree with everything you said. This is now redundant, but better be redundant and safe than taking an unnecessary risk of leaving it open, especially with this redundancy being low-cost.