GX-Task #70799
Updated by Rico Schreiber 6 months ago
_Description_

Using the EU's VAT ID Check API, the VAT identification number can be checked. The EU blocks the IP address of the shop if the API is misused. It is possible to misuse the API via the shop.

_How to reproduce_

If the live check of the VAT ID is activated in the shop, a request is always sent to the EU during creation of a customer account, even if only a "1" is entered as the VAT ID.

1. Register and enter something into the VAT ID field.
2. Repeat 10,000 times in a short period of time (i.e. with a bot that spams registrations).

_What should we do now?_

1. Refactor the VAT ID check to avoid redundancy. There are currently two different mechanisms in use for checking the VAT ID: one legacy class used for registration, and one service used for updating an existing customer's VAT ID from the admin interface.
2. The shop should already check the format of the VAT ID (two letters followed by a bunch of numbers). If this is not valid, there shouldn't be a request to the API. Show an error message.
3. Cache the result of the API for one hour, so if the same number is requested several times in a row, only one request per hour is made to the API.
4. Implement a limit (max 3 VAT ID live-check calls per IP address per minute) to avoid too many requests to the VAT ID Check API.

_How can I test this?_

Invalid format:

1. Install shop.
2. Try registering a new account using a VAT-ID with an invalid format (like "123").

Expected result: The registration fails and informs the user about the VAT-ID being invalid. The database table "vatid_live_check_triggered" does not contain a recent entry for your IP. The database table "vatid_live_check_cache" does not contain an entry for the entered VAT-ID.

Valid format, invalid VAT-ID:

1. Install shop.
2. Try registering a new account using a VAT-ID with a valid format, but an invalid value (like DE000000000).

Expected result: The registration fails and informs the user about the VAT-ID being invalid. The database table "vatid_live_check_triggered" contains a recent entry for your IP. The database table "vatid_live_check_cache" contains a recent entry for the entered VAT-ID.

Valid VAT-ID:

1. Install shop.
2. Try registering a new account using a (known to be) valid VAT-ID.

Expected result: The registration is successful. The database table "vatid_live_check_triggered" contains a recent entry for your IP. The database table "vatid_live_check_cache" contains a recent entry for the entered VAT-ID.

Limited access to VAT-ID-Live-Check:

1. Install shop.
2. Open the registration form for new customers and enter valid values into all required fields.
3. Within one minute, try registering 3 times with VAT-IDs that are valid in format but invalid in value, using the corresponding field. Examples for VAT-IDs fitting these criteria: DE000000000, DE000000001, DE000000002.
4. For a fourth attempt, try to register with a valid VAT-ID.

Expected result: The registration fails, informing the user about an invalid VAT-ID. The database table "vatid_live_check_triggered" contains 3 recent entries for your IP. The database table "vatid_live_check_cache" contains a recent entry for all the entered VAT-IDs except for the fourth one.
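The three mitigations listed under "What should we do now?" (format pre-check, one-hour result cache, at most 3 live checks per IP per minute) combined into a single gate in front of the API call, as an added Python illustration that is not the shop's own code. The class name `VatIdLiveCheck`, the injected `api_check` callback and the in-memory dict/deque standing in for the tables vatid_live_check_cache and vatid_live_check_triggered are assumptions; the format rule is the ticket's simplified "two letters followed by digits".

```python
import re
import time
from collections import defaultdict, deque

# Ticket's simplified rule: two letters, then digits (real EU formats vary per country).
VAT_FORMAT = re.compile(r"^[A-Z]{2}[0-9]{2,12}$")
CACHE_TTL = 3600   # cache API results for one hour
RATE_LIMIT = 3     # max live checks per IP ...
RATE_WINDOW = 60   # ... per minute


class VatIdLiveCheck:
    """Gatekeeper in front of the EU VAT ID check API (constructed example)."""

    def __init__(self, api_check, clock=time.time):
        self.api_check = api_check            # callable(vat_id) -> bool; the real API request
        self.clock = clock                    # injectable for testing the time windows
        self.cache = {}                       # vat_id -> (valid, checked_at); stands in for vatid_live_check_cache
        self.triggered = defaultdict(deque)   # ip -> timestamps; stands in for vatid_live_check_triggered

    def check(self, ip, vat_id):
        """Return (valid, reason). Only reason == 'api' means the EU API was actually called."""
        vat_id = vat_id.strip().upper()
        if not VAT_FORMAT.match(vat_id):
            return False, "format"            # step 2: reject locally, no request, no table rows
        now = self.clock()
        hit = self.cache.get(vat_id)
        if hit is not None and now - hit[1] < CACHE_TTL:
            return hit[0], "cache"            # step 3: same number within an hour, answered from cache
        calls = self.triggered[ip]
        while calls and now - calls[0] >= RATE_WINDOW:
            calls.popleft()                   # forget live checks older than the window
        if len(calls) >= RATE_LIMIT:
            return False, "rate_limit"        # step 4: fourth call within a minute is refused, no request
        calls.append(now)                     # record this live check for the IP
        valid = self.api_check(vat_id)
        self.cache[vat_id] = (valid, now)     # cache the result for one hour
        return valid, "api"
```

The test scenarios from the ticket map onto the `reason` values: "format" leaves both tables untouched, "rate_limit" leaves the fourth VAT-ID out of the cache while the triggered table holds three entries.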