solidus_mollie 0.1.0 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b93ec5f4b4a21514882eb71bbe99ba37826ad0cbbd83421b3661b2251cc2e589
-  data.tar.gz: af024b49050bbeaf8e186b0b4b338e8e8893fe507087d369a417e152aaa052b2
+  metadata.gz: 9dc0df8101384051b947487223e3b8aac8092e7da9dcbc394cb4bcfc5cac77a2
+  data.tar.gz: 32b058d3cdd52adac6b85b98e9eb2b267e688a111f29447879a654812951ea9f
 SHA512:
-  metadata.gz: f3ad564dcc8d5ea425b5cfe5c9887a74deb903acba47bcc4f30cc40600243dc42d8a433350a1533875bf180f3adc14c723582f495592ed747a28ab76876ebc6e
-  data.tar.gz: 89a485930ff1261aa2d49bb24061305a45eb7f5ea6a00116d6c00aa82759c175385017ff5bbf0a193176b208650960e20ab088b9b8f1f891449dce5df5a8ae74
+  metadata.gz: 1f3e7bdaf7b94a4235ca2cf91c4d61f056f0fd0f320300fe3c3f584227bbd9ca701bc903cefa08931fc8742959c9da1d1da318069b74af853a83af5a9111b483
+  data.tar.gz: 4cc1d2a6542ee1b2fc401a676ee9275e6422fde82af2c510cff051b8504f89ca69e69138ddfa55b3c70384146630cba68df67b55aff0163fac86e25face74dbd

data/LICENSE

@@ -1,26 +1,24 @@
-Copyright (c) 2021 [name of plugin creator]
-All rights reserved.
+BSD 2-Clause License
 
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
+Copyright (c) 2026, Kalopa Robotics
 
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-    * Redistributions in binary form must reproduce the above copyright notice,
-      this list of conditions and the following disclaimer in the documentation
-      and/or other materials provided with the distribution.
-    * Neither the name Solidus nor the names of its contributors may be used to
-      endorse or promote products derived from this software without specific
-      prior written permission.
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
 
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
-CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
-EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
-PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
-PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
-LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md

@@ -1,91 +1,123 @@
-# Solidus Mollie
+# solidus_mollie
 
-[![CircleCI](https://circleci.com/gh/solidusio-contrib/solidus_mollie.svg?style=shield)](https://circleci.com/gh/solidusio-contrib/solidus_mollie)
-[![codecov](https://codecov.io/gh/solidusio-contrib/solidus_mollie/branch/master/graph/badge.svg)](https://codecov.io/gh/solidusio-contrib/solidus_mollie)
+Accept [Mollie](https://www.mollie.com) payments in your [Solidus](https://solidus.io)
+store using Mollie's **hosted checkout** (the buyer is redirected to Mollie to pay)
+and **webhooks** for settlement.
+
+Tested against the stack it was written for: **Solidus 4.6 / Rails 7.1 / Ruby 3.2**,
+with `mollie-api-ruby ~> 4`.
+
+## How it works (read this first)
+
+Mollie is **not** a synchronous credit-card gateway, so this is not a normal
+ActiveMerchant-style `authorize`/`capture` extension. The flow is:
+
+1. Buyer selects Mollie at the checkout **payment** step. A `Spree::Payment` is
+   created with a `SolidusMollie::MollieSource` (no card data is collected).
+2. At the **confirm** step, instead of completing the order synchronously, the
+   buyer is redirected to Mollie's hosted page. The payment is moved to
+   `pending`. (See `SolidusMollie::CreateOrderPayment` and the
+   `Spree::CheckoutController` override.)
+3. The buyer pays on Mollie and is sent back to `/mollie/return`, which forwards
+   them to their order page.
+4. Mollie also POSTs to `/mollie/webhook` — **this is the source of truth.**
+   `SolidusMollie::ProcessWebhook` re-fetches the authoritative status, marks the
+   `Spree::Payment` complete/failed, and completes the order. It is idempotent
+   because Mollie may call the webhook more than once.
+
+> Because the webhook is what completes the order, **Mollie must be able to reach
+> your app over a public HTTPS URL**, including in development. Use a tunnel such
+> as `ngrok` or `cloudflared` locally — Mollie will not call `localhost`.
 
 ## Installation
 
-Add solidus\_mollie to your Gemfile:
+Add to your store's `Gemfile`:
 
 ```ruby
 gem 'solidus_mollie'
 ```
 
-Bundle your dependencies and run the installation generator:
+Then:
 
-```shell
+```bash
+bundle install
 bin/rails generate solidus_mollie:install
+bin/rails db:migrate
 ```
 
-## Usage
-
-<!-- Explain how to use your extension once it's been installed. -->
-
-## Development
-
-### Testing the extension
+## Configuration
 
-First bundle your dependencies, then run `bin/rake`. `bin/rake` will default to building the dummy
-app if it does not exist, then it will run specs. The dummy app can be regenerated by using
-`bin/rake extension:test_app`.
+1. In the admin, go to **Configuration → Payment Methods → New Payment Method**.
+2. Choose **`SolidusMollie::PaymentMethod`** as the provider.
+3. Paste your Mollie **API key** (`test_…` for testing, `live_…` for production).
+4. Optionally set **Mollie method** to force a single method (e.g. `ideal`,
+   `creditcard`, `bancontact`). Leave blank to let the buyer choose on Mollie's page.
 
-```shell
-bin/rake
-```
+The key prefix (`test_`/`live_`) determines test vs live mode automatically.
 
-To run [Rubocop](https://github.com/bbatsov/rubocop) static code analysis run
+## Frontend
 
-```shell
-bundle exec rubocop
-```
+The gem ships a `spree/checkout/payment/_mollie` partial (an informational note)
+and prepends a `Spree::CheckoutController#update` override that performs the
+redirect. This works with `solidus_starter_frontend` out of the box.
 
-When testing your application's integration with this extension you may use its factories.
-Simply add this require statement to your `spec/spec_helper.rb`:
+If you run a **headless / API frontend**, the controller override is skipped.
+Trigger the redirect yourself after confirm:
 
 ```ruby
-require 'solidus_mollie/testing_support/factories'
+result = SolidusMollie::CreateOrderPayment.call(
+  order: order,
+  payment: order.payments.detect { |p| p.checkout? && p.payment_method.is_a?(SolidusMollie::PaymentMethod) },
+  redirect_url: mollie_return_url(order_number: order.number, token: order.token),
+  webhook_url: mollie_webhook_url
+)
+# => redirect the buyer to result.checkout_url
 ```
 
-Or, if you are using `FactoryBot.definition_file_paths`, you can load Solidus core
-factories along with this extension's factories using this statement:
-
-```ruby
-SolidusDevSupport::TestingSupport::Factories.load_for(SolidusMollie::Engine)
-```
+## Refunds & cancellation
 
-### Running the sandbox
+Refunds from the Solidus admin call `PaymentMethod#credit`, which creates a Mollie
+refund. Cancelling a still-cancelable Mollie payment is attempted via `try_void`;
+otherwise Solidus falls back to a refund.
 
-To run this extension in a sandboxed Solidus application, you can run `bin/sandbox`. The path for
-the sandbox app is `./sandbox` and `bin/rails` will forward any Rails commands to
-`sandbox/bin/rails`.
+## Development & tests
 
-Here's an example:
+The extension is scaffolded with `solidus_dev_support`, which generates a dummy
+Solidus app under `spec/dummy` to test against.
 
-```
-$ bin/rails server
-=> Booting Puma
-=> Rails 6.0.2.1 application starting in development
-* Listening on tcp://127.0.0.1:3000
-Use Ctrl-C to stop
+```bash
+bin/setup                      # bundle + generate the dummy app
+bin/rake                       # run the full spec suite (extension:specs)
+bundle exec rspec spec/services/solidus_mollie/process_webhook_spec.rb  # one file
+SOLIDUS_BRANCH=v4.6 bin/setup  # pin a specific Solidus version
+bin/sandbox                    # build a runnable sandbox store under ./sandbox
 ```
 
-### Updating the changelog
+Bundled specs to build on:
 
-Before and after releases the changelog should be updated to reflect the up-to-date status of
-the project:
+- `spec/services/solidus_mollie/process_webhook_spec.rb` — settlement (paid /
+  failed / idempotent / unknown-id). This is the behaviour most worth covering.
+- `spec/requests/solidus_mollie/callbacks_spec.rb` — webhook + return endpoints.
+- `spec/models/solidus_mollie/payment_method_spec.rb` — test-mode detection, refunds.
+- `spec/support/mollie_stubs.rb` — helpers to fake the Mollie API so specs never
+  hit the network (`stub_mollie_get`, `stub_mollie_create`).
 
-```shell
-bin/rake changelog
-git add CHANGELOG.md
-git commit -m "Update the changelog"
-```
+### Testing against Mollie for real
+
+Mollie has no separate sandbox URL — use a **test API key** (`test_…`) on the
+payment method. Test payments are fully isolated from live data, and Mollie's
+hosted page is replaced by a screen where you choose the resulting status
+(Paid / Failed / Expired / Cancelled). Because settlement is webhook-driven,
+Mollie must reach `/mollie/webhook` over a public HTTPS URL even in test mode —
+run a tunnel (`ngrok http 3000`) and use the public host.
 
-### Releasing new versions
+## Known limitations / TODO
 
-Please refer to the dedicated [page](https://github.com/solidusio/solidus/wiki/How-to-release-extensions) on Solidus wiki.
+- No one-click / reusable mandates (sources are non-reusable in this version).
+- No partial-payment handling beyond a single payment per order.
+- A buyer can technically re-enter checkout while an order sits in `confirm`
+  awaiting a Mollie result; revisit if this matters for your flow.
 
 ## License
 
-Copyright (c) 2021 Victor ter Hark.
-Copyright (c) 2026 Kalopa Robotics Limited.
-Released under the New BSD License.
+BSD-2-Clause.

data/app/controllers/solidus_mollie/callbacks_controller.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module SolidusMollie
+  # Handles the two requests Mollie sends us:
+  #   * #webhook  - server-to-server POST with the payment id (source of truth)
+  #   * #return   - the buyer's browser coming back from Mollie's hosted page
+  class CallbacksController < ::Spree::StoreController
+    skip_before_action :verify_authenticity_token, only: :webhook
+
+    # POST /mollie/webhook  (body: id=tr_xxxxx)
+    def webhook
+      SolidusMollie::ProcessWebhook.call(mollie_payment_id: params[:id])
+      head :ok
+    rescue SolidusMollie::ProcessWebhook::PaymentNotFound => e
+      # 422 so Mollie retries (covers the rare webhook-before-persist race).
+      Rails.logger.warn("[solidus_mollie] webhook payment not found: #{e.message}")
+      head :unprocessable_entity
+    rescue StandardError => e
+      Rails.logger.error("[solidus_mollie] webhook error: #{e.message}")
+      head :internal_server_error
+    end
+
+    # GET /mollie/return?order_number=R123&token=abc
+    def return
+      order = ::Spree::Order.find_by!(number: params[:order_number])
+
+      if params[:token].present? && order.token.present? &&
+         !ActiveSupport::SecurityUtils.secure_compare(params[:token].to_s, order.token.to_s)
+        raise ActiveRecord::RecordNotFound
+      end
+
+      unless order.completed?
+        flash[:notice] = I18n.t('solidus_mollie.confirming_payment',
+                                default: "Thanks! We're confirming your payment with Mollie.")
+      end
+
+      redirect_to spree.order_url(order, token: order.token)
+    rescue ActiveRecord::RecordNotFound
+      flash[:error] = I18n.t('solidus_mollie.order_not_found', default: 'Order not found.')
+      redirect_to spree.root_path
+    end
+  end
+end

data/app/decorators/solidus_mollie/spree/checkout_controller_decorator.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module SolidusMollie
+  module Spree
+    # Intercepts the checkout confirm step. When the order is paying with a
+    # Mollie payment method, the buyer is redirected to Mollie's hosted checkout
+    # instead of the order being completed synchronously. The order is finished
+    # later by the webhook (see SolidusMollie::ProcessWebhook).
+    module CheckoutControllerDecorator
+      def update
+        return redirect_to_mollie if divert_to_mollie?
+
+        super
+      end
+
+      private
+
+      def divert_to_mollie?
+        return false unless params[:state].to_s == 'confirm' || @order&.confirm?
+
+        mollie_payment.present?
+      end
+
+      def mollie_payment
+        @mollie_payment ||= @order&.payments&.detect do |payment|
+          payment.checkout? && payment.payment_method.is_a?(SolidusMollie::PaymentMethod)
+        end
+      end
+
+      def redirect_to_mollie
+        result = SolidusMollie::CreateOrderPayment.call(
+          order: @order,
+          payment: mollie_payment,
+          redirect_url: spree.mollie_return_url(mollie_url_options.merge(
+                                                  order_number: @order.number,
+                                                  token: @order.token
+                                                )),
+          webhook_url: spree.mollie_webhook_url(mollie_url_options)
+        )
+
+        if result.success?
+          redirect_to result.checkout_url, allow_other_host: true
+        else
+          flash[:error] = I18n.t('solidus_mollie.payment_error',
+                                 message: result.error,
+                                 default: "We couldn't start your Mollie payment.")
+          redirect_to spree.checkout_state_path(:payment)
+        end
+      end
+
+      def mollie_url_options
+        {
+          host: request.host,
+          port: request.optional_port,
+          protocol: request.ssl? ? 'https' : 'http'
+        }.compact
+      end
+    end
+  end
+end

data/app/models/solidus_mollie/client.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require 'bigdecimal'
+
+module SolidusMollie
+  # Thin wrapper around the mollie-api-ruby gem. Centralises API-key handling
+  # and the (fiddly) amount formatting Mollie requires: a string value with
+  # exactly the right number of decimals for the currency.
+  class Client
+    def initialize(api_key:)
+      raise ArgumentError, 'Mollie API key is blank' if api_key.to_s.empty?
+
+      @api_key = api_key
+    end
+
+    # amount: a BigDecimal/Numeric in MAJOR units (e.g. 10.00 for €10).
+    def create_payment(amount:, currency:, description:, redirect_url:, webhook_url:,
+                       method: nil, metadata: {})
+      Mollie::Payment.create(
+        amount: { value: self.class.format_amount(amount, currency), currency: currency },
+        description: description,
+        redirect_url: redirect_url,
+        webhook_url: webhook_url,
+        method: method.presence,
+        metadata: metadata,
+        api_key: @api_key
+      )
+    end
+
+    def get_payment(payment_id)
+      Mollie::Payment.get(payment_id, api_key: @api_key)
+    end
+
+    def cancel_payment(payment_id)
+      Mollie::Payment.delete(payment_id, api_key: @api_key)
+    end
+
+    def create_refund(payment_id:, amount:, currency:)
+      Mollie::Payment::Refund.create(
+        payment_id: payment_id,
+        amount: { value: self.class.format_amount(amount, currency), currency: currency },
+        api_key: @api_key
+      )
+    end
+
+    # --- formatting helpers --------------------------------------------------
+
+    # Format a major-unit amount into the string Mollie expects, honouring the
+    # currency's decimal places (EUR -> "10.00", JPY -> "10").
+    def self.format_amount(amount, currency)
+      format("%.#{currency_exponent(currency)}f", BigDecimal(amount.to_s))
+    end
+
+    # Convert a cents/minor-unit integer (as Solidus passes to #credit) into a
+    # major-unit BigDecimal.
+    def self.cents_to_major(cents, currency)
+      BigDecimal(cents.to_s) / (10**currency_exponent(currency))
+    end
+
+    def self.currency_exponent(currency)
+      ::Money::Currency.new(currency).exponent
+    rescue StandardError
+      2
+    end
+  end
+end

data/app/models/solidus_mollie/mollie_source.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module SolidusMollie
+  # Persists the Mollie payment id and last-known status alongside a
+  # Spree::Payment. The buyer enters no card data here (that happens on Mollie's
+  # hosted page), so this source has no validated fields.
+  class MollieSource < ::Spree::PaymentSource
+    self.table_name = 'solidus_mollie_sources'
+
+    # Off-site payments are not reusable for one-click in this version.
+    def reusable?
+      false
+    end
+
+    def actions
+      %w[void credit]
+    end
+
+    def can_void?(payment)
+      payment.pending? || payment.checkout?
+    end
+
+    def can_credit?(payment)
+      payment.completed? && payment.credit_allowed.positive?
+    end
+
+    def paid?
+      SolidusMollie::PAID_STATUSES.include?(status)
+    end
+  end
+end

data/app/models/solidus_mollie/payment_method.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module SolidusMollie
+  # A Solidus payment method backed by Mollie's hosted (redirect) checkout.
+  #
+  # Unlike credit-card gateways, Mollie does not authorise/capture
+  # synchronously. The buyer is redirected to Mollie, and the *webhook* is the
+  # source of truth for whether payment succeeded. See
+  # SolidusMollie::CreateOrderPayment (redirect) and
+  # SolidusMollie::ProcessWebhook (settlement).
+  class PaymentMethod < ::Spree::PaymentMethod
+    preference :api_key, :string
+    # Optional. Force a single Mollie method (e.g. "ideal", "creditcard",
+    # "bancontact"). Leave blank to let the buyer choose on Mollie's page.
+    preference :mollie_method, :string
+
+    def payment_source_class
+      SolidusMollie::MollieSource
+    end
+
+    # Frontend/admin look for spree/checkout/payment/_mollie and friends.
+    def partial_name
+      'mollie'
+    end
+
+    def source_required?
+      true
+    end
+
+    def payment_profiles_supported?
+      false
+    end
+
+    # Money is moved on Mollie's side, so there is nothing to auto-capture here.
+    def auto_capture?
+      false
+    end
+
+    def test_mode?
+      preferred_api_key.to_s.start_with?('test_')
+    end
+
+    def client
+      SolidusMollie::Client.new(api_key: preferred_api_key)
+    end
+
+    # --- Solidus gateway interface ------------------------------------------
+    # These are deliberately defensive. The normal checkout flow never calls
+    # purchase/authorize/capture (we redirect instead), but implementing them
+    # keeps Solidus happy if Order#process_payments! is ever invoked.
+
+    def authorize(_amount, _source, _gateway_options = {})
+      SolidusMollie::Response.pending('Awaiting Mollie redirect')
+    end
+
+    def purchase(_amount, _source, _gateway_options = {})
+      SolidusMollie::Response.pending('Awaiting Mollie redirect')
+    end
+
+    def capture(_amount, _response_code, _gateway_options = {})
+      SolidusMollie::Response.success('Captured by Mollie webhook')
+    end
+
+    # Refund. Solidus' Spree::Refund#perform! has varied across versions; accept
+    # both (amount, response_code, options) and (amount, source, response_code,
+    # options).
+    def credit(amount_cents, *rest)
+      options = rest.last.is_a?(Hash) ? rest.last : {}
+      response_code = rest.reverse.find { |arg| arg.is_a?(String) } || options[:response_code]
+      currency = refund_currency(options)
+
+      client.create_refund(
+        payment_id: response_code,
+        amount: SolidusMollie::Client.cents_to_major(amount_cents, currency),
+        currency: currency
+      )
+      SolidusMollie::Response.success('Mollie refund created', authorization: response_code)
+    rescue StandardError => e
+      Rails.logger.error("[solidus_mollie] refund failed: #{e.message}")
+      SolidusMollie::Response.failure(e.message)
+    end
+
+    # Solidus calls try_void before issuing a refund. Cancel the Mollie payment
+    # if it is still cancelable; otherwise return false so Solidus falls back to
+    # a refund.
+    def try_void(payment)
+      remote = client.get_payment(payment.response_code)
+      return false unless remote.respond_to?(:cancelable?) ? remote.cancelable? : remote.try(:cancelable)
+
+      client.cancel_payment(payment.response_code)
+      SolidusMollie::Response.success('Mollie payment canceled', authorization: payment.response_code)
+    rescue StandardError => e
+      Rails.logger.error("[solidus_mollie] void failed: #{e.message}")
+      false
+    end
+
+    private
+
+    def refund_currency(options)
+      options[:currency] ||
+        options[:originator]&.try(:payment)&.try(:currency) ||
+        ::Spree::Config.try(:currency) ||
+        'EUR'
+    end
+  end
+end

data/app/models/solidus_mollie/response.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module SolidusMollie
+  # Solidus serialises gateway responses into Spree::LogEntry as YAML and expects
+  # an ActiveMerchant::Billing::Response-shaped object. We reuse that class
+  # (active_merchant is a solidus_core dependency) so logging, #success? and
+  # #authorization all behave as Solidus expects.
+  module Response
+    module_function
+
+    def success(message, authorization: nil, params: {})
+      build(true, message, params, authorization: authorization)
+    end
+
+    def failure(message, params: {})
+      build(false, message, params)
+    end
+
+    def pending(message, params: {})
+      build(true, message, params.merge('pending' => true))
+    end
+
+    def build(success, message, params, authorization: nil)
+      ::ActiveMerchant::Billing::Response.new(
+        success,
+        message,
+        params,
+        authorization: authorization,
+        test: false
+      )
+    end
+  end
+end

data/app/services/solidus_mollie/create_order_payment.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module SolidusMollie
+  # Creates a Mollie payment for an order and returns the hosted checkout URL the
+  # buyer should be redirected to. The associated Spree::Payment is moved to
+  # `pending` so Solidus knows it is awaiting an off-site result.
+  class CreateOrderPayment
+    Result = Struct.new(:checkout_url, :error, keyword_init: true) do
+      def success?
+        error.nil?
+      end
+    end
+
+    def self.call(**kwargs)
+      new(**kwargs).call
+    end
+
+    def initialize(order:, payment:, redirect_url:, webhook_url:)
+      @order = order
+      @payment = payment
+      @redirect_url = redirect_url
+      @webhook_url = webhook_url
+    end
+
+    def call
+      payment_method = @payment.payment_method
+      mollie = payment_method.client.create_payment(
+        amount: @order.total,
+        currency: @order.currency,
+        description: description,
+        redirect_url: @redirect_url,
+        webhook_url: @webhook_url,
+        method: payment_method.preferred_mollie_method,
+        metadata: { order_number: @order.number, payment_number: @payment.number }
+      )
+
+      persist(mollie)
+      Result.new(checkout_url: mollie.checkout_url)
+    rescue StandardError => e
+      Rails.logger.error("[solidus_mollie] failed to create payment for #{@order.number}: #{e.message}")
+      Result.new(error: e.message)
+    end
+
+    private
+
+    def persist(mollie)
+      source = mollie_source
+      source.update!(
+        mollie_payment_id: mollie.id,
+        mollie_method: mollie.try(:method),
+        status: mollie.status
+      )
+
+      @payment.update!(response_code: mollie.id)
+      @payment.pend! if @payment.checkout?
+    end
+
+    def mollie_source
+      if @payment.source.is_a?(SolidusMollie::MollieSource)
+        @payment.source
+      else
+        source = SolidusMollie::MollieSource.create!(
+          payment_method: @payment.payment_method,
+          user: @order.user
+        )
+        @payment.update!(source: source)
+        source
+      end
+    end
+
+    def description
+      store_name = @order.try(:store)&.name || ::Spree::Store.try(:default)&.name || 'Order'
+      "#{store_name} ##{@order.number}"
+    end
+  end
+end