From c5ae1b82837031fb9d81a90b498e1e904f9622fb Mon Sep 17 00:00:00 2001
From: Kyle Spearrin <kyle.spearrin@gmail.com>
Date: Fri, 17 Jan 2020 21:11:48 -0500
Subject: [PATCH] prevent duplicate paypal charges

---
 src/Billing/Controllers/StripeController.cs | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/Billing/Controllers/StripeController.cs b/src/Billing/Controllers/StripeController.cs
index a9e7098ff6..ded3ffb026 100644
--- a/src/Billing/Controllers/StripeController.cs
+++ b/src/Billing/Controllers/StripeController.cs
@@ -584,10 +584,25 @@ namespace Bit.Billing.Controllers
                 return false;
             }
 
-            var btObjIdField = ids.Item1.HasValue ? "organization_id" : "user_id";
+            var orgTransaction = ids.Item1.HasValue;
+            var btObjIdField = orgTransaction ? "organization_id" : "user_id";
             var btObjId = ids.Item1 ?? ids.Item2.Value;
             var btInvoiceAmount = (invoice.AmountDue / 100M);
 
+            var existingTransactions = orgTransaction ?
+                await _transactionRepository.GetManyByOrganizationIdAsync(ids.Item1.Value) :
+                await _transactionRepository.GetManyByUserIdAsync(ids.Item2.Value);
+            var duplicateTimeSpan = TimeSpan.FromHours(24);
+            var now = DateTime.UtcNow;
+            var duplicateTransaction = existingTransactions?
+                .FirstOrDefault(t => (now - t.CreationDate) < duplicateTimeSpan);
+            if(duplicateTransaction != null)
+            {
+                _logger.LogWarning("There is already a recent PayPal transaction ({0}). " +
+                    "Do not charge again to prevent possible duplicate.", duplicateTransaction.GatewayId);
+                return false;
+            }
+
             var transactionResult = await _btGateway.Transaction.SaleAsync(
                 new Braintree.TransactionRequest
                 {