High SeverityPaymentSecurity

Zombie-Proof Payment Gateway

1.The Symptom (The Chaos)

The customer's bank account shows a successful deduction, yet the system displays the status as 'PENDING' and refuses to trigger fulfillment, leading to a spike in support tickets for 'missing' items.

2.The Trigger Condition

The payment succeeds at the gateway, but the critical 'success' callback fails to reach our server due to network instability. Our system remains trapped in a 'PENDING' state because it has no secondary method to verify the transaction.

3.The Catch (Why it broke)

We relied exclusively on incoming Webhooks as the sole source of truth, treating a fragile network-based signal as a guaranteed delivery.

4.Architectural Trade-offs

To resolve this, we implemented a periodic reconciliation worker to force-sync payment statuses. This ensures end-to-end data integrity, though it introduces a slight delay in fulfillment while we wait for the background polling cycle to verify the payment.

PaymentController.java

[Vulnerable Target View]

// VULNERABLE: Lacks signature validation and idempotency checks
@PostMapping("/webhook")
public ResponseEntity<Void> handleRazorpayWebhook(@RequestBody String payload) {
// SECURITY GAP: We process the payload without verifying if it 
// actually came from Razorpay. An attacker can POST fake success 
// notifications to our system.

String paymentId = extractPaymentId(payload);
Order order = orderRepository.findByPaymentId(paymentId);

// LOGIC GAP: No check for order.isInventoryDeducted(). 
// This will trigger inventory deduction every time a webhook is received,
// leading to massive stock inaccuracies.
paymentService.processInventory(order);
order.setStatus("PAID");
orderRepository.save(order);

return ResponseEntity.ok().build();
}