BTI-684 Payment finalize token replay causes error after successful async payment (Wero/mobile) #405

@MelvinAchterhuis

Description

Issue

Shopware: 6.5.8.18
Plugin: 3.2.3

After completing an async payment (e.g. Wero), the customer is redirected back to the shop. If the customer then presses the browser back button, they land back on the Buckaroo/Wero payment page. That page automatically redirects them to the shop again using the same finalize URL with the same payment token. Since the token was already consumed on the first redirect, Shopware throws a CHECKOUT__PAYMENT_TOKEN_INVALIDATED error, even though the payment was successful.

This is especially common on mobile devices where the customer is sent to their banking app. When they return to the browser, the Buckaroo payment page fires the redirect again with the already-consumed token.

Steps to Reproduce

  1. Start checkout and select Wero (or another async Buckaroo payment method)
  2. Complete the payment on the external Buckaroo/Wero page
  3. Get redirected back to the shop — order confirmation page loads successfully
  4. Press browser back button — you land back on the Buckaroo/Wero payment page
  5. Wait for the automatic redirect timer to fire again
  6. Result: Error page with "token invalidated" message
  7. Expected: Redirect to order confirmation or account orders page

Root Cause

Shopware's _sw_payment_token is a one-time-use JWT. After the first successful finalize, the token is deleted from the payment_token database table. Any subsequent request with the same token throws TokenInvalidatedException (HTTP 410), which is not gracefully handled.

The Buckaroo plugin's return URL contains this token. When the Buckaroo payment page redirects the customer a second time using the same URL, Shopware rejects it before the Buckaroo payment handler is even reached.
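The behaviour described in the root cause, and a way to handle it gracefully, illustrated as an added example that is not code from the Buckaroo plugin or from Shopware. It models a one-time finalize token store in plain Python: the first finalize consumes the token and runs the payment outcome; a replay of the same token within a short grace window, for an order that has already reached paid status, is answered with a redirect to the order page instead of a 410 error; any other replay (expired window, failed payment, unknown token) still gets the 410. The class, method and URL names, the grace window of 600 seconds and the "paid" bookkeeping are all assumptions made for the illustration.

```python
"""Added illustration of a replay-tolerant one-time finalize token.
Not the plugin's or Shopware's code; every name here is hypothetical."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FinalizeResult:
    status: str            # "finalized", "already_finalized" or "invalid"
    http_status: int       # 302 for a redirect, 410 (Gone) for a rejected token
    redirect: Optional[str]
    order_id: Optional[str] = None


@dataclass
class TokenStore:
    # Hypothetical in-memory stand-in for a payment_token table.
    active: dict = field(default_factory=dict)    # token -> order_id (unconsumed)
    consumed: dict = field(default_factory=dict)  # token -> (order_id, consumed_at)
    paid: set = field(default_factory=set)        # order ids whose payment succeeded
    replay_grace_s: float = 600.0                 # assumed window for forgiving a replay

    def issue(self, order_id: str) -> str:
        # One-time token: unguessable random value bound to one order.
        token = secrets.token_urlsafe(16)
        self.active[token] = order_id
        return token

    def finalize(self, token: str, payment_succeeded: bool,
                 now: Optional[float] = None) -> FinalizeResult:
        now = time.time() if now is None else now

        if token in self.active:
            # First use: consume the token, then apply the payment outcome.
            order_id = self.active.pop(token)
            self.consumed[token] = (order_id, now)
            if payment_succeeded:
                self.paid.add(order_id)
                return FinalizeResult("finalized", 302,
                                      f"/checkout/finish?orderId={order_id}", order_id)
            return FinalizeResult("finalized", 302,
                                  f"/account/order/edit/{order_id}", order_id)

        if token in self.consumed:
            # Replay of an already-consumed token. The payment handler is NOT
            # run again; the only question is where to send the customer.
            order_id, consumed_at = self.consumed[token]
            recent = (now - consumed_at) <= self.replay_grace_s
            if order_id in self.paid and recent:
                return FinalizeResult("already_finalized", 302,
                                      f"/account/order/detail/{order_id}", order_id)

        # Unknown token, expired replay window, or replay for a payment that
        # did not succeed: keep the strict one-time semantics.
        return FinalizeResult("invalid", 410, None)


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("order-1")
    print(store.finalize(tok, payment_succeeded=True))   # first redirect: finalized
    print(store.finalize(tok, payment_succeeded=True))   # back-button replay: already_finalized
```

The forgiven replay never re-enters the payment handler, so the token stays single-use for the purpose of recording the payment; only the redirect target changes, and only for orders that really reached paid status within a bounded window. That keeps the one-time guarantee intact while removing the error page a legitimate customer hits after pressing back.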
