Payment Gateway Callback Handling in Magento — The Idempotency Recipe
Three real production failures we shipped fixes for in 2026 on Magento 2.4.4 — 2.4.9: a Stripe webhook retry that double-captured an order, a double-click on Place Order that ran submitQuote twice, and a webhook signature check that compared HMACs with == and leaked the secret. Each one has a small, boring fix — a UNIQUE key on (gateway, event_id), a SELECT FOR UPDATE on the quote row, and hash_equals. Here is the exact PHP, SQL, the observer wiring, and the Stripe CLI replay command to prove it works.