sdk-dotnet icon indicating copy to clipboard operation
sdk-dotnet copied to clipboard

Published 20 hours ago verified publisher icon AuthorizeNet

Concurrency and multi-thread issues

Open mexner opened this issue 4 years ago • 4 comments

The MerchantAuthentication approach provided in the documentation is not thread safe and leads to concurrency issues. This has lead to huge consequences and reliability, where we are seeing payments being processed into the wrong merchant account (because the Transaction ID and Key) are being overwritten when multiple threads are accessing this static method at the same time.

I suspect the abstract class with static method approach works for 98% of the public because they are always accessing the same gateway account (Transaction ID and Key). But we have 100's of customers each with their own Transaction ID and Key, processing hundreds of transactions.

I see there is an overload method for each request object which allows us to push the MerchantAuthentication object in. This solves the concurrency issues.

I opened this issue - so that the documentation can be updated to notate, this is NOT THREAD SAFE,

ApiOperationBase<ANetApiRequest, ANetApiResponse>.MerchantAuthentication = new merchantAuthenticationType()
{
  name = ApiLoginID,
  ItemElementName = ItemChoiceType.transactionKey,
  Item = ApiTransactionKey,
};

And that the overload constructor for each request (ie: createTransactionRequest) allows to pass the MerchantAuthentication object in real-time, and fix this issue.

merchantAuthenticationType myMAT = new merchantAuthenticationType {
    name = "API Login",
    ItemElementName = ItemChoiceType.transactionKey,
    Item = "Transaction Key"
};

createTransactionRequest myRequest = new createTransactionRequest { transactionRequest = myTR, merchantAuthentication = myMAT };

I just didn't see any documentation pointing to this issue and want to save other users the headaches this has caused us and our customers. https://community.developer.authorize.net/t5/Integration-and-Testing/Multi-Tennant-concurrency-issues/td-p/72341

mexner avatar Jun 28 '20 18:06 mexner

Thanks for posting this. We have multi-tenants and I just found we have that exact code. Thankfully most of our tenants are using other gateways, but this would be a serious problem

hunkydoryrepair avatar Dec 14 '21 10:12 hunkydoryrepair

I supposed RunEnvironment has the same issue. Unfortunately that doesn't seem to be configurable on the individual request, so we can't have some tenants running in sandbox mode.

hunkydoryrepair avatar Dec 14 '21 10:12 hunkydoryrepair

Thank you for this. Major problem for multi-client systems. Not a great look for a leading payment processor 😬

zeroClearAmerican avatar Dec 22 '21 17:12 zeroClearAmerican