solidus-adyen 0.1.2

data/app/assets/stylesheets/spree/backend/solidus-adyen/communication.scss

@@ -0,0 +1,121 @@
+@import 'variables';
+@import 'bourbon';
+
+$color-received-bg: mix($color-3, white, 10%);
+$color-sent-bg: mix($color-3, white, 100%);
+$notch-size-side: 12px;
+$notch-size-top: 18px;
+$timestamp-fade: 0.25;
+
+@mixin notch($side, $color) {
+  #{$side}: -($notch-size-side);
+  border-#{$side}: $notch-size-side solid transparent;
+  border-top: $notch-size-top solid $color;
+  content: '';
+  padding-left: 0;
+  position: absolute;
+  top: 0;
+}
+
+@mixin message($side, $color-bg, $color-text) {
+  background-color: $color-bg;
+  border-top-#{$side}-radius: 0;
+  box-shadow: 2px 2px 1px -1px fade-out(mix($color-bg, black, 70%), 0.2);
+  color: $color-text;
+  line-height: 1.6em;
+
+  margin-right: $notch-size-side;
+  margin-left: $notch-size-side;
+
+  @if $side == right {
+    float: right;
+  }
+
+  &:before {
+    @include notch($side, $color-bg);
+  }
+
+  .adyen-comm-timestamp {
+    color: fade-out($color-text, $timestamp-fade);
+  }
+}
+
+/* cannot use a real table here because spree clobbers all default style for
+ * tables and is super specific.
+ */
+.adyen-comm-content {
+  display: table;
+  border-spacing: 20px 10px
+}
+
+.adyen-comm-content-cell {
+  display: table-cell;
+
+  &:first-child {
+    font-weight: bold;
+  }
+}
+
+.adyen-comm-content-row {
+  display: table-row;
+}
+
+.adyen-comm {
+  border-radius: 10px;
+  display: inline-block;
+  margin-bottom: 10px;
+  min-width: 350px;
+  padding: 5px 20px;
+  position: relative;
+
+  .adyen-comm-sent & {
+    @include message(right, $color-sent-bg, white);
+  }
+
+  .adyen-comm-received & {
+    @include message(left, $color-received-bg, black);
+  }
+}
+
+.adyen-comm-received,
+.adyen-comm-sent {
+  & + & .adyen-comm {
+    border-top-right-radius: 10px;
+    border-top-left-radius: 10px;
+    &:before {
+      display: none;
+    }
+  }
+}
+
+.adyen-comm-icon-success {
+  color: $color-success;
+}
+
+.adyen-comm-icon-failure {
+  color: $color-error;
+}
+
+.adyen-comm-icon-unprocessed {
+  color: $color-safety-yellow;
+}
+
+.adyen-comm-icon {
+  @include display(flex);
+  @include flex-direction(column);
+  @include justify-content(space-between);
+  font-size: 30px;
+}
+
+.adyen-comm-body {
+  @include display(flex);
+  @include align-items(center);
+
+  .adyen-comm-sent & {
+    @include flex-direction(row-reverse);
+  }
+}
+
+.adyen-comm-timestamp {
+  text-align: right;
+}

data/app/assets/stylesheets/spree/backend/solidus-adyen/variables.scss

@@ -0,0 +1,4 @@
+@import 'spree/backend/globals/variables';
+
+$color-safety-yellow: #eed202;
+$color-warning: $color-safety-yellow;

data/app/assets/stylesheets/spree/backend/solidus-adyen.css

@@ -0,0 +1,5 @@
+/*
+ *= require spree/backend
+ *= require spree/backend/solidus-adyen/buttons
+ *= require spree/backend/solidus-adyen/communication
+ */

data/app/assets/stylesheets/spree/frontend/solidus-adyen.css

@@ -0,0 +1,3 @@
+/*
+ *=require spree/frontend
+ */

data/app/controllers/concerns/spree/adyen/admin/refunds_controller.rb

@@ -0,0 +1,59 @@
+module Spree
+  module Adyen
+    module Admin
+      module RefundsController
+        extend ActiveSupport::Concern
+        include Spree::Adyen::HppCheck
+
+        included do
+          before_filter :adyen_create, only: [:create]
+        end
+
+        def adyen_create
+          if hpp_payment?(@payment)
+            # this sucks, but the attributes are not assigned until after
+            # callbacks if we're here we aren't going down the normal flow
+            # anyways
+            @refund.attributes = permitted_resource_params
+
+            # early exit if @refund is invalid, .create will have the error
+            # messages
+            return if @refund.invalid?
+
+            @payment.refunds.reset # we don't want to save the refund
+            @payment.credit!(cents, currency: currency)
+
+            respond
+          end
+        end
+
+        private
+
+        def currency
+          money.currency.iso_code
+        end
+
+        def cents
+          money.cents
+        end
+
+        def money
+          @refund.money.money
+        end
+
+        # This is directly copied from .create's response, no way to make it
+        # any less awful than this as we still want it to have the same
+        # response.
+        def respond
+          respond_with(@object) do |format|
+            format.html do
+              flash[:success] = "Refund request was received"
+              redirect_to location_after_save
+            end
+            format.js { render :layout => false }
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/adyen/hpps_controller.rb

@@ -0,0 +1,22 @@
+module Spree
+  module Adyen
+    class HppsController < ::ActionController::Base
+      load_resource :order, class: "Spree::Order", id_param: :order_id
+      load_resource(
+        :payment_method,
+        class: "Spree::PaymentMethod",
+        id_param: :payment_method_id)
+
+      def directory
+        @brands = Adyen::Form.payment_methods_from_directory(
+          @order,
+          @payment_method)
+
+        respond_to do |format|
+          format.html
+          format.json { render json: @brands }
+        end
+      end
+    end
+  end
+end

data/app/controllers/spree/adyen_notifications_controller.rb

@@ -0,0 +1,34 @@
+module Spree
+  class AdyenNotificationsController < StoreController
+    skip_before_filter :verify_authenticity_token
+
+    before_filter :authenticate
+
+    def notify
+      notification = AdyenNotification.build(params)
+
+      if notification.duplicate?
+        accept and return
+      end
+
+      notification.save!
+
+      Spree::Adyen::NotificationProcessor.new(notification).process!
+      accept
+    end
+
+    protected
+    # Enable HTTP basic authentication
+    def authenticate
+      authenticate_or_request_with_http_basic do |username, password|
+        username == ENV["ADYEN_NOTIFY_USER"] &&
+          password == ENV["ADYEN_NOTIFY_PASSWD"]
+      end
+    end
+
+    private
+    def accept
+      render text: "[accepted]"
+    end
+  end
+end

data/app/controllers/spree/adyen_redirect_controller.rb

@@ -0,0 +1,90 @@
+module Spree
+  class AdyenRedirectController < StoreController
+    before_filter :restore_session
+    before_filter :check_signature, only: :confirm
+
+    skip_before_filter :verify_authenticity_token
+
+    # This is the entry point after an Adyen HPP payment is completed
+    def confirm
+      source = Adyen::HppSource.new(source_params(params))
+
+      unless source.authorised?
+        flash.notice = Spree.t(:payment_processing_failed)
+        redirect_to checkout_state_path(@order.state)
+        return
+      end
+
+      # payment is created in a 'checkout' state so that the payment method
+      # can attempt to auth it. The payment of course is already auth'd and
+      # adyen hpp's authorize implementation just returns a dummy response.
+      payment =
+        @order.payments.create!(
+          amount: @order.total,
+          payment_method: @payment_method,
+          source: source,
+          response_code: params[:pspReference],
+          state: "checkout",
+          # Order is explicitly defined here because as of writing the
+          # Order -> Payments association does not have the inverse of defined
+          # when we call `order.complete` below payment.order will still
+          # refer to a previous state of the record.
+          #
+          # If the payment is auto captured only then the payment will completed
+          # in `process_outstanding!`, and because Payment calls
+          # .order.update_totals after save the order is saved with its
+          # previous values, causing payment_state and shipment_state to revert
+          # to nil.
+          order: @order
+        )
+
+      if @order.complete
+        # We may have already recieved the authorization notification, so process
+        # it now
+        Spree::Adyen::NotificationProcessor.process_outstanding!(payment)
+
+        flash.notice = Spree.t(:order_processed_successfully)
+        redirect_to order_path(@order)
+      else
+        #TODO void/cancel payment
+        redirect_to checkout_state_path(@order.state)
+      end
+    end
+
+    private
+
+    def check_signature
+      unless ::Adyen::Form.redirect_signature_check(params, @payment_method.shared_secret)
+        raise "Payment Method not found."
+      end
+    end
+
+    # We pass the guest token and payment method id in, pipe seperated in the
+    # merchantReturnData parameter so that we can recover the session.
+    def restore_session
+      guest_token, payment_method_id =
+        params.fetch(:merchantReturnData).split("|")
+
+      cookies.permanent.signed[:guest_token] = guest_token
+
+      @payment_method = Spree::PaymentMethod.find(payment_method_id)
+
+      @order =
+        Spree::Order.
+        incomplete.
+        find_by!(guest_token: cookies.signed[:guest_token])
+    end
+
+    def source_params params
+      params.permit(
+        :authResult,
+        :pspReference,
+        :merchantReference,
+        :skinCode,
+        :merchantSig,
+        :paymentMethod,
+        :shopperLocale,
+        :merchantReturnData)
+    end
+  end
+end

data/app/models/adyen_notification.rb

@@ -0,0 +1,159 @@
+# The +AdyenNotification+ class handles notifications sent by Adyen to your servers.
+#
+# Because notifications contain important payment status information, you should store
+# these notifications in your database. For this reason, +AdyenNotification+ inherits
+# from +ActiveRecord::Base+, and a migration is included to simply create a suitable table
+# to store the notifications in.
+#
+# Adyen can either send notifications to you via HTTP POST requests, or SOAP requests.
+# Because SOAP is not really well supported in Rails and setting up a SOAP server is
+# not trivial, only handling HTTP POST notifications is currently supported.
+#
+# @example
+#    @notification = AdyenNotification.log(request)
+#    if @notification.successful_authorisation?
+#      @invoice = Invoice.find(@notification.merchant_reference)
+#      @invoice.set_paid!
+#    end
+class AdyenNotification < ActiveRecord::Base
+  AUTO_CAPTURE_ONLY_METHODS = ["ideal", "c_cash", "directEbanking"].freeze
+
+  AUTHORISATION = "AUTHORISATION".freeze
+  CANCELLATION = "CANCELLATION".freeze
+  REFUND = "REFUND".freeze
+  CANCEL_OR_REFUND = "CANCEL_OR_REFUND".freeze
+  CAPTURE = "CAPTURE".freeze
+  CAPTURE_FAILED = "CAPTURE_FAILED".freeze
+  REFUND_FAILED = "REFUND_FAILED".freeze
+  REFUNDED_REVERSED = "REFUNDED_REVERSED".freeze
+
+  belongs_to :prev,
+    class_name: self,
+    foreign_key: :original_reference,
+    primary_key: :psp_reference,
+    inverse_of: :next
+
+  # Auth will have no original reference, all successive notifications with
+  # reference the first auth notification
+  has_many :next,
+    class_name: self,
+    foreign_key: :original_reference,
+    primary_key: :psp_reference,
+    inverse_of: :prev
+
+  belongs_to :order,
+    class_name: Spree::Order,
+    primary_key: :number,
+    foreign_key: :merchant_reference
+
+  scope :as_dispatched, -> { order(event_date: :desc) }
+  scope :processed, -> { where processed: true }
+  scope :unprocessed, -> { where processed: false }
+  scope :authorisation, -> { where event_code: "AUTHORISATION" }
+
+  validates_presence_of :event_code
+  validates_presence_of :psp_reference
+  validates_uniqueness_of :success, scope: [:psp_reference, :event_code]
+
+  # Logs an incoming notification into the database.
+  #
+  # @param [Hash] params The notification parameters that should be stored in the database.
+  # @return [Adyen::Notification] The initiated and persisted notification instance.
+  # @raise This method will raise an exception if the notification cannot be stored.
+  # @see Adyen::Notification::HttpPost.log
+  def self.build(params)
+    # Assign explicit each attribute from CamelCase notation to notification
+    # For example, merchantReference will be converted to merchant_reference
+    self.new.tap do |notification|
+      params.each do |key, value|
+        setter = "#{key.to_s.underscore}="
+
+        # don't assign if value is empty string.
+        if notification.respond_to?(setter) && value.present?
+          notification.send(setter, value)
+        end
+      end
+    end
+  end
+
+  def payment
+    Spree::Payment.find_by response_code: original_reference || psp_reference
+  end
+
+  # Returns true if this notification is an AUTHORISATION notification
+  # @return [true, false] true iff event_code == 'AUTHORISATION'
+  # @see Adyen.notification#successful_authorisation?
+  def authorisation?
+    event_code == AUTHORISATION
+  end
+
+  def capture?
+    event_code == CAPTURE
+  end
+
+  def cancel_or_refund?
+    event_code == CANCEL_OR_REFUND
+  end
+
+  def refund?
+    event_code == REFUND
+  end
+
+  def processed!
+    update! processed: true
+  end
+
+  def actions
+    if operations
+      operations.
+        split(",").
+        map(&:downcase)
+
+    else
+      []
+
+    end
+  end
+
+  # https://docs.adyen.com/display/TD/Notification+fields
+  def modification_event?
+    [ CANCELLATION,
+      REFUND,
+      CANCEL_OR_REFUND,
+      CAPTURE,
+      CAPTURE_FAILED,
+      REFUND_FAILED,
+      REFUNDED_REVERSED
+    ].member? self.event_code
+  end
+
+  def normal_event?
+    AUTHORISATION == self.event_code
+  end
+
+  def bank_transfer?
+    self.payment_method.match(/^bankTransfer/)
+  end
+
+  def duplicate?
+    self.class.exists?(
+      psp_reference: self.psp_reference,
+      event_code: self.event_code,
+      success: self.success
+    )
+  end
+
+  def auto_captured?
+    payment_method_auto_capture_only? || bank_transfer?
+  end
+
+  def payment_method_auto_capture_only?
+    AUTO_CAPTURE_ONLY_METHODS.member?(self.payment_method)
+  end
+
+  def money
+    ::Money.new(value, currency)
+  end
+
+  alias_method :authorization?, :authorisation?
+end

data/app/models/concerns/spree/adyen/order.rb

@@ -0,0 +1,11 @@
+module Spree
+  module Adyen
+    module Order
+      def requires_manual_refund?
+        canceled? && payments.any? do |payment|
+          payment.source.try(:requires_manual_refund?)
+        end
+      end
+    end
+  end
+end

data/app/models/concerns/spree/adyen/payment.rb

@@ -0,0 +1,95 @@
+# Because adyen payment modifications are delayed we don't actually know if
+# the request succeeded after doing it. For that reason we can't use the
+# standard capture! and friends as they change the payment state and would
+# result is false positives (payment could fail after capture).
+module Spree
+  module Adyen
+    module Payment
+      extend ActiveSupport::Concern
+      include Spree::Adyen::HppCheck
+
+      # capture! :: bool | error
+      def capture!
+        if hpp_payment?
+          amount = money.money.cents
+          process do
+            payment_method.send(
+              :capture, amount, response_code, gateway_options)
+          end
+        else
+          super
+        end
+      end
+
+      # credit! :: bool | error
+      #
+      # Issue a request to credit the payment, this does NOT perform validation
+      # on the amount to be credited, which is assumed to have been done prior
+      # to this.
+      #
+      # credit! is only implemented for hpp payments, because of the delayed
+      # manner of Adyen api communications. If this method is called on a
+      # payment that is not from Adyen then it should fail. This is crummy way
+      # of getting around the fact that Payment methods cannot specifiy these
+      # methods.
+      def credit! amount, options
+        if hpp_payment?
+          process { payment_method.credit(amount, response_code, options) }
+        else
+          fail NotImplementedError, "Spree::Payment does not implement credit!"
+        end
+      end
+
+      # cancel! :: bool | error
+      #
+      # Borrowed from handle_void_response, this has been modified so that it
+      # won't actually void the payment _yet_.
+      def cancel!
+        if hpp_payment?
+          if source.requires_manual_refund?
+            log_manual_refund
+          else
+            process { payment_method.cancel response_code }
+          end
+        else
+          super
+        end
+      end
+
+      private
+
+      def log_manual_refund
+        message = I18n.t("solidus-adyen.manual_refund.log_message")
+        record_response(
+          OpenStruct.new(
+            success?: false,
+            message: message))
+      end
+
+      def process &block
+        check_environment
+        response = nil
+
+        Spree::Payment.transaction do
+          protect_from_connection_error do
+            started_processing!
+            response = yield(block)
+            fail ActiveRecord::Rollback unless response.success?
+          end
+        end
+
+        record_response(response)
+
+        if response.success?
+          # The payments controller's fire action expects a truthy value to
+          # indicate success
+          true
+        else
+          # this is done to be consistent with capture, but we might actually
+          # want them to just return to the previous state
+          gateway_error(response)
+        end
+      end
+    end
+  end
+end