Charging Wrong Amount — inconsistent checkout

Paypal Plus 1.0.8, WC 3.5.5, WP 5.1

Hi,
this is a strange bug, but it does lead to wrong payments, so quite important for us.

Problem:
If customer enters EU VAT ID during checkout, the price changes to the net price. When the customer pays with Paypal Plus, the price WITH VAT is charged.

Setup:
Multiple Payment methods. Paypal Plus is neither the first nor the forced default.
Germanized Pro: for VAT ID checking and multi-step checkout.
Prices are displayed with VAT

Steps to reproduce:
1. Start a new browser session (e.g. “new private window”)
2. Go to shop, add a (software) product to cart (e.g. Bome Network Pro: EUR 29 incl. VAT)
3. Go to cart
4. Click “Checkout”
5. Enter billing details, setting country to a EU country which is not Germany, and enter a valid VAT ID.
6. For payment selection, change the default to Paypal Plus, “Paypal”.
7. On review page, the price should be changed to the net price (without VAT). For the case of Austria, the price jumps from 29 to 24.17.
8. Now press “Order with obligation to Pay”
9. You’re redirected to Paypal, where it charges for the price with VAT: EUR 29.00

The bug is not reproducible if you refresh the page after entering the VAT ID, or if Paypal Plus is the default payment provider, or if the customer is already marked VAT_exempt before checking out.

But I suspect that the bug will also show if there other reasons why the price changes when the user enters the personal information (e.g. change of country).

Analysis:
I tried to find the issue and could not find a fix, but a few pointers.
Below is an example session. When checking out, a Paypal token is created: EC-6MD94945S2044312W
When the price changes due to entering the VAT ID, the plugin creates a new Paypal session and gets a new Paypal token: EC-3L2355080R9627002
All further plugin actions operate using that token.
Now when the user presses the Order button, Paypal redirects to:
https://www.sandbox.paypal.com/webapps/hermes?country=AT&useraction=commit&token=EC-6MD94945S2044312W&country.x=AT&locale.x=en_US
So it uses the OLD token from the early paypal session with the old price. If I manually replace the token with the new one, I get to pay the correct amount.

I saw that the redirect relies on a cookie. That cookie stores the token for the first paypal session (EC-3L2355080R9627002), but it is not updated when the new session is created. The cookie remains this:
paypalplus_session_v2={“mode”:”sandbox”,”useraction”:”commit”,”language”:”en_US”,”country”:”AT”,”ecToken”:”EC-6MD94945S2044312W”,”thirdPartyMethods”:{},”paymentMethod”:”pp-496f45a9915906310adc1d3cd3f85b65″}

So I guess the fix would need to trigger an update of the cookie whenever the paypal session is changed.

Thanks,
Florian

The log excerpt:
================================================================================================================================

[23-02-2019 04:27:20] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : INFO: POST https://api.sandbox.paypal.com/v1/payments/payment
[23-02-2019 04:27:22] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: Request Headers : POST /v1/payments/payment HTTP/1.1, Host: api.sandbox.paypal.com, Accept: */*, Content-Type: application/json, User-Agent: PayPalSDK/PayPal-PHP-SDK 1.11.0 (platform-ver=7.0.33-0+deb9u1; bit=64; os=Linux_4.9.0-8-amd64; machine=x86_64; crypto-lib-ver=1.1.0j; curl=7.52.1), Authorization: Bearer A21AAFkksuCvGltICpZJroeKJlMcpPUEUMkgBQMg2wJfMSw6Jof-o73eC6Ig06zv9DiDe-xqY1tkuBxmd4flkCTYi7oFyzgeA, PayPal-Request-Id: https://www.bomeloft.com5c717468a4475, PayPal-Partner-Attribution-Id: WooCommerce_Cart_Plus, Content-Length: 571, ,
[23-02-2019 04:27:22] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: Request Data : {“intent”:”sale”,”experience_profile_id”:”XP-69YN-LDAF-RCC4-GJ8R”,”payer”:{“payment_method”:”paypal”},”redirect_urls”:{“return_url”:”https://www.bomeloft.com/wc-api/paypal_plus/”,”cancel_url”:”https://www.bomeloft.com/shop/cart”},”transactions”:[{“amount”:{“currency”:”EUR”,”total”:”29.00″,”details”:{“shipping”:”0″,”subtotal”:”29.00″}},”item_list”:{“items”:[{“name”:”Bome Network Pro x 1″,”currency”:”EUR”,”quantity”:1,”price”:”29.00″}]},”description”:”Payment description”,”invoice_number”:”5c717468aae94″,”notify_url”:”https://www.bomeloft.com/wc-api/paypal_plus_ipn/”}]}
——————————————————————————————————————————–

[23-02-2019 04:27:22] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : INFO: Response Status : 201
[23-02-2019 04:27:22] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: Response Headers : HTTP/1.1 201 Created, Date: Sat, 23 Feb 2019 16:27:21 GMT, Server: Apache, paypal-debug-id: 5562dd658b785, Content-Language: *, HTTP_X_PP_AZ_LOCATOR: sandbox.slc, Paypal-Debug-Id: 5562dd658b785, Set-Cookie: X-PP-SILOVER=name%3DSANDBOX3.API.1%26silo_version%3D1880%26app%3Dapiplatformproxyserv%26TIME%3D1769238876%26HTTP_X_PP_AZ_LOCATOR%3Dsandbox.slc; Expires=Sat, 23 Feb 2019 16:57:22 GMT; domain=.paypal.com; path=/; Secure; HttpOnly, Set-Cookie: X-PP-SILOVER=; Expires=Thu, 01 Jan 1970 00:00:01 GMT, Vary: Authorization, Content-Length: 975, Connection: close, Content-Type: application/json, ,
[23-02-2019 04:27:22] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: Response Data : {“id”:”PAYID-LRYXI2Q6RU89631PE280305F”,”intent”:”sale”,”state”:”created”,”payer”:{“payment_method”:”paypal”},”transactions”:[{“amount”:{“total”:”29.00″,”currency”:”EUR”,”details”:{“subtotal”:”29.00″,”shipping”:”0.00″}},”description”:”Payment description”,”invoice_number”:”5c717468aae94″,”item_list”:{“items”:[{“name”:”Bome Network Pro x 1″,”price”:”29.00″,”currency”:”EUR”,”quantity”:1}]},”related_resources”:[],”notify_url”:”https://www.bomeloft.com/wc-api/paypal_plus_ipn/”}],”experience_profile_id”:”XP-69YN-LDAF-RCC4-GJ8R”,”create_time”:”2019-02-23T16:27:21Z”,”links”:[{“href”:”https://api.sandbox.paypal.com/v1/payments/payment/PAYID-LRYXI2Q6RU89631PE280305F”,”rel”:”self”,”method”:”GET”},{“href”:”https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=EC-6MD94945S2044312W”,”rel”:”approval_url”,”method”:”REDIRECT”},{“href”:”https://api.sandbox.paypal.com/v1/payments/payment/PAYID-LRYXI2Q6RU89631PE280305F/execute”,”rel”:”execute”,”method”:”POST”}]}

================================================================================================================================

[23-02-2019 04:27:46] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : INFO: POST https://api.sandbox.paypal.com/v1/payments/payment
[23-02-2019 04:27:47] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: Request Headers : POST /v1/payments/payment HTTP/1.1, Host: api.sandbox.paypal.com, Accept: */*, Content-Type: application/json, User-Agent: PayPalSDK/PayPal-PHP-SDK 1.11.0 (platform-ver=7.0.33-0+deb9u1; bit=64; os=Linux_4.9.0-8-amd64; machine=x86_64; crypto-lib-ver=1.1.0j; curl=7.52.1), Authorization: Bearer A21AAFkksuCvGltICpZJroeKJlMcpPUEUMkgBQMg2wJfMSw6Jof-o73eC6Ig06zv9DiDe-xqY1tkuBxmd4flkCTYi7oFyzgeA, PayPal-Request-Id: https://www.bomeloft.com5c7174827e6a8, PayPal-Partner-Attribution-Id: WooCommerce_Cart_Plus, Content-Length: 571, ,
[23-02-2019 04:27:47] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: Request Data : {“intent”:”sale”,”experience_profile_id”:”XP-69YN-LDAF-RCC4-GJ8R”,”payer”:{“payment_method”:”paypal”},”redirect_urls”:{“return_url”:”https://www.bomeloft.com/wc-api/paypal_plus/”,”cancel_url”:”https://www.bomeloft.com/shop/cart”},”transactions”:[{“amount”:{“currency”:”EUR”,”total”:”24.17″,”details”:{“shipping”:”0″,”subtotal”:”24.17″}},”item_list”:{“items”:[{“name”:”Bome Network Pro x 1″,”currency”:”EUR”,”quantity”:1,”price”:”24.17″}]},”description”:”Payment description”,”invoice_number”:”5c71748285678″,”notify_url”:”https://www.bomeloft.com/wc-api/paypal_plus_ipn/”}]}
——————————————————————————————————————————–

[23-02-2019 04:27:47] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : INFO: Response Status : 201
[23-02-2019 04:27:47] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: Response Headers : HTTP/1.1 201 Created, Date: Sat, 23 Feb 2019 16:27:47 GMT, Server: Apache, paypal-debug-id: d6b07ff93e084, Content-Language: *, HTTP_X_PP_AZ_LOCATOR: sandbox.slc, Paypal-Debug-Id: d6b07ff93e084, Set-Cookie: X-PP-SILOVER=name%3DSANDBOX3.API.1%26silo_version%3D1880%26app%3Dapiplatformproxyserv%26TIME%3D2205446492%26HTTP_X_PP_AZ_LOCATOR%3Dsandbox.slc; Expires=Sat, 23 Feb 2019 16:57:47 GMT; domain=.paypal.com; path=/; Secure; HttpOnly, Set-Cookie: X-PP-SILOVER=; Expires=Thu, 01 Jan 1970 00:00:01 GMT, Vary: Authorization, Content-Length: 975, Connection: close, Content-Type: application/json, ,
[23-02-2019 04:27:47] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: Response Data : {“id”:”PAYID-LRYXJAY5LU406255Y283834W”,”intent”:”sale”,”state”:”created”,”payer”:{“payment_method”:”paypal”},”transactions”:[{“amount”:{“total”:”24.17″,”currency”:”EUR”,”details”:{“subtotal”:”24.17″,”shipping”:”0.00″}},”description”:”Payment description”,”invoice_number”:”5c71748285678″,”item_list”:{“items”:[{“name”:”Bome Network Pro x 1″,”price”:”24.17″,”currency”:”EUR”,”quantity”:1}]},”related_resources”:[],”notify_url”:”https://www.bomeloft.com/wc-api/paypal_plus_ipn/”}],”experience_profile_id”:”XP-69YN-LDAF-RCC4-GJ8R”,”create_time”:”2019-02-23T16:27:47Z”,”links”:[{“href”:”https://api.sandbox.paypal.com/v1/payments/payment/PAYID-LRYXJAY5LU406255Y283834W”,”rel”:”self”,”method”:”GET”},{“href”:”https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=EC-3L2355080R9627002″,”rel”:”approval_url”,”method”:”REDIRECT”},{“href”:”https://api.sandbox.paypal.com/v1/payments/payment/PAYID-LRYXJAY5LU406255Y283834W/execute”,”rel”:”execute”,”method”:”POST”}]}

================================================================================================================================

[23-02-2019 04:28:08] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : INFO: GET https://api.sandbox.paypal.com/v1/payments/payment/PAYID-LRYXJAY5LU406255Y283834W
[23-02-2019 04:28:09] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: Request Headers : GET /v1/payments/payment/PAYID-LRYXJAY5LU406255Y283834W HTTP/1.1, Host: api.sandbox.paypal.com, Accept: */*, Content-Type: application/json, User-Agent: PayPalSDK/PayPal-PHP-SDK 1.11.0 (platform-ver=7.0.33-0+deb9u1; bit=64; os=Linux_4.9.0-8-amd64; machine=x86_64; crypto-lib-ver=1.1.0j; curl=7.52.1), Authorization: Bearer A21AAFkksuCvGltICpZJroeKJlMcpPUEUMkgBQMg2wJfMSw6Jof-o73eC6Ig06zv9DiDe-xqY1tkuBxmd4flkCTYi7oFyzgeA, PayPal-Partner-Attribution-Id: WooCommerce_Cart_Plus, ,
[23-02-2019 04:28:09] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: No Request Payload
——————————————————————————————————————————–

[23-02-2019 04:28:09] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : INFO: Response Status : 200
[23-02-2019 04:28:09] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: Response Headers : HTTP/1.1 200 OK, Date: Sat, 23 Feb 2019 16:28:08 GMT, Server: Apache, paypal-debug-id: 190f9e34dfe4c, Content-Language: *, HTTP_X_PP_AZ_LOCATOR: sandbox.slc, Paypal-Debug-Id: 190f9e34dfe4c, Set-Cookie: X-PP-SILOVER=name%3DSANDBOX3.API.1%26silo_version%3D1880%26app%3Dapiplatformproxyserv%26TIME%3D2557768028%26HTTP_X_PP_AZ_LOCATOR%3Dsandbox.slc; Expires=Sat, 23 Feb 2019 16:58:09 GMT; domain=.paypal.com; path=/; Secure; HttpOnly, Set-Cookie: X-PP-SILOVER=; Expires=Thu, 01 Jan 1970 00:00:01 GMT, Vary: Authorization, Content-Length: 1203, Connection: close, Content-Type: application/json, ,
[23-02-2019 04:28:09] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: Response Data : {“id”:”PAYID-LRYXJAY5LU406255Y283834W”,”intent”:”sale”,”state”:”created”,”cart”:”3L2355080R9627002″,”transactions”:[{“amount”:{“total”:”24.17″,”currency”:”EUR”,”details”:{“subtotal”:”24.17″,”shipping”:”0.00″}},”payee”:{“merchant_id”:”RTRN83C2HRSD2″,”email”:”[email protected]”},”description”:”Payment description”,”invoice_number”:”5c71748285678″,”item_list”:{“items”:[{“name”:”Bome Network Pro x 1″,”price”:”24.17″,”currency”:”EUR”,”quantity”:1}]},”related_resources”:[],”notify_url”:”https://www.bomeloft.com/wc-api/paypal_plus_ipn/”}],”redirect_urls”:{“return_url”:”https://www.bomeloft.com/wc-api/paypal_plus/?paymentId=PAYID-LRYXJAY5LU406255Y283834W”,”cancel_url”:”https://www.bomeloft.com/shop/cart”},”create_time”:”2019-02-23T16:27:47Z”,”update_time”:”2019-02-23T16:28:09Z”,”links”:[{“href”:”https://api.sandbox.paypal.com/v1/payments/payment/PAYID-LRYXJAY5LU406255Y283834W”,”rel”:”self”,”method”:”GET”},{“href”:”https://api.sandbox.paypal.com/v1/payments/payment/PAYID-LRYXJAY5LU406255Y283834W/execute”,”rel”:”execute”,”method”:”POST”},{“href”:”https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=EC-3L2355080R9627002″,”rel”:”approval_url”,”method”:”REDIRECT”}]}

================================================================================================================================

[23-02-2019 04:28:09] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : INFO: PATCH https://api.sandbox.paypal.com/v1/payments/payment/PAYID-LRYXJAY5LU406255Y283834W
[23-02-2019 04:28:10] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: Request Headers : PATCH /v1/payments/payment/PAYID-LRYXJAY5LU406255Y283834W HTTP/1.1, Host: api.sandbox.paypal.com, Accept: */*, Content-Type: application/json, User-Agent: PayPalSDK/PayPal-PHP-SDK 1.11.0 (platform-ver=7.0.33-0+deb9u1; bit=64; os=Linux_4.9.0-8-amd64; machine=x86_64; crypto-lib-ver=1.1.0j; curl=7.52.1), Authorization: Bearer A21AAFkksuCvGltICpZJroeKJlMcpPUEUMkgBQMg2wJfMSw6Jof-o73eC6Ig06zv9DiDe-xqY1tkuBxmd4flkCTYi7oFyzgeA, PayPal-Partner-Attribution-Id: WooCommerce_Cart_Plus, Content-Length: 534, ,
[23-02-2019 04:28:10] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: Request Data : [{“op”:”replace”,”path”:”/transactions/0/amount”,”value”:{“total”:”24.17″,”currency”:”EUR”,”details”:{“subtotal”:”24.17″,”shipping”:0}}},{“op”:”add”,”path”:”/transactions/0/custom”,”value”:”{\”order_id\”:24983,\”order_key\”:\”wc_order_v9BHbCWGRoA9D\”}”},{“op”:”add”,”path”:”/transactions/0/invoice_number”,”value”:”Bome-24983″},{“op”:”add”,”path”:”/transactions/0/item_list/shipping_address”,”value”:{“recipient_name”:”Florian Test”,”line1″:”10 Test St.”,”line2″:””,”city”:”Graz”,”state”:””,”postal_code”:”9021″,”country_code”:”AT”}}]
——————————————————————————————————————————–

[23-02-2019 04:28:10] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : INFO: Response Status : 200
[23-02-2019 04:28:10] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: Response Headers : HTTP/1.1 200 OK, Date: Sat, 23 Feb 2019 16:28:09 GMT, Server: Apache, paypal-debug-id: 4d7baef7e60bb, Content-Language: *, HTTP_X_PP_AZ_LOCATOR: sandbox.slc, Paypal-Debug-Id: 4d7baef7e60bb, Set-Cookie: X-PP-SILOVER=name%3DSANDBOX3.API.1%26silo_version%3D1880%26app%3Dapiplatformproxyserv%26TIME%3D2574545244%26HTTP_X_PP_AZ_LOCATOR%3Dsandbox.slc; Expires=Sat, 23 Feb 2019 16:58:10 GMT; domain=.paypal.com; path=/; Secure; HttpOnly, Set-Cookie: X-PP-SILOVER=; Expires=Thu, 01 Jan 1970 00:00:01 GMT, Vary: Authorization, Content-Length: 1414, Connection: close, Content-Type: application/json, ,
[23-02-2019 04:28:10] Inpsyde\Lib\PayPal\Core\PayPalHttpConnection : DEBUG: Response Data : {“id”:”PAYID-LRYXJAY5LU406255Y283834W”,”intent”:”sale”,”state”:”created”,”cart”:”3L2355080R9627002″,”transactions”:[{“amount”:{“total”:”24.17″,”currency”:”EUR”,”details”:{“subtotal”:”24.17″,”shipping”:”0.00″}},”payee”:{“merchant_id”:”RTRN83C2HRSD2″,”email”:”[email protected]”},”description”:”Payment description”,”custom”:”{\”order_id\”:24983,\”order_key\”:\”wc_order_v9BHbCWGRoA9D\”}”,”invoice_number”:”Bome-24983″,”item_list”:{“items”:[{“name”:”Bome Network Pro x 1″,”price”:”24.17″,”currency”:”EUR”,”quantity”:1}],”shipping_address”:{“recipient_name”:”Florian Test”,”line1″:”10 Test St.”,”city”:”Graz”,”state”:””,”postal_code”:”9021″,”country_code”:”AT”}},”related_resources”:[],”notify_url”:”https://www.bomeloft.com/wc-api/paypal_plus_ipn/”}],”redirect_urls”:{“return_url”:”https://www.bomeloft.com/wc-api/paypal_plus/?paymentId=PAYID-LRYXJAY5LU406255Y283834W”,”cancel_url”:”https://www.bomeloft.com/shop/cart”},”create_time”:”2019-02-23T16:27:47Z”,”update_time”:”2019-02-23T16:28:10Z”,”links”:[{“href”:”https://api.sandbox.paypal.com/v1/payments/payment/PAYID-LRYXJAY5LU406255Y283834W”,”rel”:”self”,”method”:”GET”},{“href”:”https://api.sandbox.paypal.com/v1/payments/payment/PAYID-LRYXJAY5LU406255Y283834W/execute”,”rel”:”execute”,”method”:”POST”},{“href”:”https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=EC-3L2355080R9627002″,”rel”:”approval_url”,”method”:”REDIRECT”}]}

================================================================================================================================

The page I need help with: [log in to see the link]