@easypayment/medusa-paypal 0.1.0

package/src/api/store/paypal/capture-order/route.ts

@@ -0,0 +1,270 @@
+import type { MedusaRequest, MedusaResponse } from "@medusajs/framework/http"
+import { randomUUID } from "crypto"
+import type PayPalModuleService from "../../../../modules/paypal/service"
+import { isPayPalProviderId } from "../../../../modules/paypal/utils/provider-ids"
+
+type Body = {
+  cart_id: string
+  order_id: string
+}
+
+async function getPayPalApiBase(environment: string) {
+  return environment === "live"
+    ? "https://api-m.paypal.com"
+    : "https://api-m.sandbox.paypal.com"
+}
+
+async function getPayPalAccessToken(opts: {
+  environment: string
+  client_id: string
+  client_secret: string
+}) {
+  const base = await getPayPalApiBase(opts.environment)
+  const auth = Buffer.from(`${opts.client_id}:${opts.client_secret}`).toString("base64")
+
+  const resp = await fetch(`${base}/v1/oauth2/token`, {
+    method: "POST",
+    headers: {
+      Authorization: `Basic ${auth}`,
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    body: "grant_type=client_credentials",
+  })
+
+  const text = await resp.text()
+  if (!resp.ok) {
+    throw new Error(`PayPal token error (${resp.status}): ${text}`)
+  }
+
+  const json = JSON.parse(text)
+  return { accessToken: String(json.access_token), base }
+}
+
+function resolveIdempotencyKey(req: MedusaRequest, suffix: string, fallback: string) {
+  const header =
+    req.headers["idempotency-key"] ||
+    req.headers["Idempotency-Key"] ||
+    req.headers["x-idempotency-key"] ||
+    req.headers["X-Idempotency-Key"]
+  const key = Array.isArray(header) ? header[0] : header
+  if (key && String(key).trim()) {
+    return `${String(key).trim()}-${suffix}`
+  }
+  return fallback || `pp-${suffix}-${randomUUID()}`
+}
+
+async function attachPayPalCaptureToSession(
+  req: MedusaRequest,
+  cartId: string,
+  orderId: string,
+  capture: any
+) {
+  try {
+    const paymentCollectionService = req.scope.resolve("payment_collection") as any
+    const paymentSessionService = req.scope.resolve("payment_session") as any
+
+    const pc = await paymentCollectionService.retrieveByCartId(cartId).catch(() => null)
+    if (!pc?.id) {
+      return
+    }
+
+    const sessions = await paymentSessionService.list({ payment_collection_id: pc.id })
+    const paypalSession = sessions?.find((s: any) => isPayPalProviderId(s.provider_id))
+    if (!paypalSession) {
+      return
+    }
+
+    await paymentSessionService.update(paypalSession.id, {
+      status: "captured",
+      data: {
+        ...(paypalSession.data || {}),
+        paypal: {
+          ...((paypalSession.data || {}).paypal || {}),
+          order_id: orderId,
+          capture_id: capture?.id || capture?.purchase_units?.[0]?.payments?.captures?.[0]?.id,
+          capture,
+        },
+      },
+    })
+  } catch {
+    // ignore
+  }
+}
+
+async function attachPayPalAuthorizationToSession(
+  req: MedusaRequest,
+  cartId: string,
+  orderId: string,
+  authorization: any
+) {
+  try {
+    const paymentCollectionService = req.scope.resolve("payment_collection") as any
+    const paymentSessionService = req.scope.resolve("payment_session") as any
+
+    const pc = await paymentCollectionService.retrieveByCartId(cartId).catch(() => null)
+    if (!pc?.id) {
+      return
+    }
+
+    const sessions = await paymentSessionService.list({ payment_collection_id: pc.id })
+    const paypalSession = sessions?.find((s: any) => isPayPalProviderId(s.provider_id))
+    if (!paypalSession) {
+      return
+    }
+
+    await paymentSessionService.update(paypalSession.id, {
+      status: "authorized",
+      data: {
+        ...(paypalSession.data || {}),
+        paypal: {
+          ...((paypalSession.data || {}).paypal || {}),
+          order_id: orderId,
+          authorization_id:
+            authorization?.purchase_units?.[0]?.payments?.authorizations?.[0]?.id,
+          authorization,
+        },
+      },
+    })
+  } catch {
+    // ignore
+  }
+}
+async function getExistingCapture(
+  req: MedusaRequest,
+  cartId: string,
+  orderId: string
+) {
+  try {
+    const paymentCollectionService = req.scope.resolve("payment_collection") as any
+    const paymentSessionService = req.scope.resolve("payment_session") as any
+
+    const pc = await paymentCollectionService.retrieveByCartId(cartId).catch(() => null)
+    if (!pc?.id) {
+      return null
+    }
+
+    const sessions = await paymentSessionService.list({ payment_collection_id: pc.id })
+    const paypalSession = sessions?.find((s: any) => isPayPalProviderId(s.provider_id))
+    if (!paypalSession) {
+      return null
+    }
+
+    const paypalData = (paypalSession.data || {}).paypal || {}
+    const existingOrderId = String(paypalData.order_id || "")
+    if (existingOrderId && existingOrderId !== orderId) {
+      return null
+    }
+    if (paypalData.capture) {
+      return paypalData.capture
+    }
+    if (paypalData.capture_id) {
+      return { id: paypalData.capture_id }
+    }
+    return null
+  } catch {
+    return null
+  }
+}
+
+
+export async function POST(req: MedusaRequest, res: MedusaResponse) {
+  const paypal = req.scope.resolve<PayPalModuleService>("paypal_onboarding")
+  let debugId: string | null = null
+
+  try {
+    const body = (req.body || {}) as Body
+    const cartId = body.cart_id
+    const orderId = body.order_id
+
+    if (!cartId || !orderId) {
+      return res.status(400).json({ message: "cart_id and order_id are required" })
+    }
+
+    const existingCapture = await getExistingCapture(req, cartId, orderId)
+    if (existingCapture) {
+      return res.json({ capture: existingCapture })
+    }
+
+    const creds = await paypal.getActiveCredentials()
+    const { accessToken, base } = await getPayPalAccessToken(creds)
+    const settings = await paypal.getSettings().catch(() => ({}))
+    const data =
+      settings && typeof settings === "object" && "data" in settings
+        ? ((settings as { data?: Record<string, any> }).data ?? {})
+        : {}
+    const additionalSettings = (data.additional_settings || {}) as Record<string, any>
+    const paymentAction =
+      typeof additionalSettings.paymentAction === "string"
+        ? additionalSettings.paymentAction
+        : "capture"
+
+    const requestId = resolveIdempotencyKey(req, "capture-order", `pp-capture-${orderId}`)
+    const endpoint =
+      paymentAction === "authorize"
+        ? `${base}/v2/checkout/orders/${orderId}/authorize`
+        : `${base}/v2/checkout/orders/${orderId}/capture`
+
+    const ppResp = await fetch(endpoint, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json",
+        "PayPal-Request-Id": requestId,
+      },
+    })
+
+    const ppText = await ppResp.text()
+    debugId = ppResp.headers.get("paypal-debug-id")
+    if (!ppResp.ok) {
+      throw new Error(
+        `PayPal capture error (${ppResp.status}): ${ppText}${
+          debugId ? ` debug_id=${debugId}` : ""
+        }`
+      )
+    }
+
+    const payload = JSON.parse(ppText)
+    if (paymentAction === "authorize") {
+      await attachPayPalAuthorizationToSession(req, cartId, orderId, payload)
+    } else {
+      await attachPayPalCaptureToSession(req, cartId, orderId, payload)
+    }
+
+    console.info("[PayPal] capture-order", {
+      cart_id: cartId,
+      order_id: orderId,
+      request_id: requestId,
+      debug_id: ppResp.headers.get("paypal-debug-id"),
+      capture_id: payload?.id,
+    })
+    try {
+      await paypal.recordMetric(
+        paymentAction === "authorize" ? "authorize_order_success" : "capture_order_success"
+      )
+    } catch {
+      // ignore metrics failures
+    }
+
+
+    // Clear storefront cart cookie (httpOnly) so user gets a fresh cart after successful payment
+    // Note: works when storefront and backend share the same cookie domain (e.g. localhost)
+    res.setHeader("Set-Cookie", "_medusa_cart_id=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict")
+    return paymentAction === "authorize"
+      ? res.json({ authorization: payload })
+      : res.json({ capture: payload })
+  } catch (e: any) {
+    try {
+      const body = (req.body || {}) as Body
+      await paypal.recordAuditEvent("capture_order_failed", {
+        cart_id: body.cart_id,
+        order_id: body.order_id,
+        debug_id: debugId,
+        message: e?.message || String(e),
+      })
+      await paypal.recordMetric("capture_order_failed")
+    } catch {
+      // ignore audit logging failures
+    }
+    return res.status(500).json({ message: e?.message || "Failed to capture PayPal order" })
+  }
+}

package/src/api/store/paypal/config/route.ts

@@ -0,0 +1,59 @@
+import type { MedusaRequest, MedusaResponse } from "@medusajs/framework/http"
+import type PayPalModuleService from "../../../../modules/paypal/service"
+import {
+  getPayPalCurrencyCompatibility,
+  getPayPalSupportedCurrencies,
+  normalizeCurrencyCode,
+} from "../../../../modules/paypal/utils/currencies"
+
+export async function GET(req: MedusaRequest, res: MedusaResponse) {
+  const paypal = req.scope.resolve<PayPalModuleService>("paypal_onboarding")
+
+  try {
+    const creds = await paypal.getActiveCredentials()
+    const apiDetails = await paypal.getApiDetails().catch(() => null)
+
+    // CardFields/PaymentFields require a client token on the script tag.
+    // Generate it server-side and return it with config.
+    const client_token = await paypal.generateClientToken({ locale: "en_US" }).catch(() => "")
+
+    const cartId = (req.query?.cart_id as string) || ""
+    const query = req.scope.resolve("query")
+
+    let currency = normalizeCurrencyCode(
+      apiDetails?.apiDetails?.currency_code || process.env.PAYPAL_CURRENCY || "USD"
+    )
+    if (cartId) {
+      const { data: carts } = await query.graph({
+        entity: "cart",
+        fields: ["id", "currency_code", "region.currency_code"],
+        filters: { id: cartId },
+      })
+
+      const cart = carts?.[0]
+      if (cart) {
+        currency = normalizeCurrencyCode(
+          cart.region?.currency_code || cart.currency_code || currency
+        )
+      }
+    }
+
+    const compatibility = getPayPalCurrencyCompatibility({
+      currencyCode: currency,
+      paypalCurrencyOverride:
+        apiDetails?.apiDetails?.currency_code || process.env.PAYPAL_CURRENCY,
+    })
+
+    return res.json({
+      environment: creds.environment,
+      client_id: creds.client_id,
+      currency: compatibility.currency,
+      currency_supported: compatibility.supported,
+      currency_errors: compatibility.errors,
+      supported_currencies: getPayPalSupportedCurrencies(),
+      client_token,
+    })
+  } catch (e: any) {
+    return res.status(500).json({ message: e?.message || "Failed to load PayPal config" })
+  }
+}

package/src/api/store/paypal/create-order/route.ts

@@ -0,0 +1,374 @@
+import type { MedusaRequest, MedusaResponse } from "@medusajs/framework/http"
+import { randomUUID } from "crypto"
+import { formatAmountForPayPal } from "../../../../modules/paypal/utils/amounts"
+import {
+  assertPayPalCurrencySupported,
+  normalizeCurrencyCode,
+} from "../../../../modules/paypal/utils/currencies"
+import type PayPalModuleService from "../../../../modules/paypal/service"
+import { isPayPalProviderId } from "../../../../modules/paypal/utils/provider-ids"
+
+type Body = {
+  cart_id: string
+}
+
+async function getPayPalApiBase(environment: string) {
+  return environment === "live"
+    ? "https://api-m.paypal.com"
+    : "https://api-m.sandbox.paypal.com"
+}
+
+async function getPayPalAccessToken(opts: {
+  environment: string
+  client_id: string
+  client_secret: string
+}) {
+  const base = await getPayPalApiBase(opts.environment)
+  const auth = Buffer.from(`${opts.client_id}:${opts.client_secret}`).toString("base64")
+
+  const resp = await fetch(`${base}/v1/oauth2/token`, {
+    method: "POST",
+    headers: {
+      Authorization: `Basic ${auth}`,
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    body: "grant_type=client_credentials",
+  })
+
+  const text = await resp.text()
+  if (!resp.ok) {
+    throw new Error(`PayPal token error (${resp.status}): ${text}`)
+  }
+
+  const json = JSON.parse(text)
+  return { accessToken: String(json.access_token), base }
+}
+
+function resolveIdempotencyKey(req: MedusaRequest, suffix: string, fallback: string) {
+  const header =
+    req.headers["idempotency-key"] ||
+    req.headers["Idempotency-Key"] ||
+    req.headers["x-idempotency-key"] ||
+    req.headers["X-Idempotency-Key"]
+  const key = Array.isArray(header) ? header[0] : header
+  if (key && String(key).trim()) {
+    return `${String(key).trim()}-${suffix}`
+  }
+  return fallback || `pp-${suffix}-${randomUUID()}`
+}
+
+async function attachPayPalOrderToSession(
+  req: MedusaRequest,
+  cartId: string,
+  orderId: string
+) {
+  try {
+    const paymentCollectionService = req.scope.resolve("payment_collection") as any
+    const paymentSessionService = req.scope.resolve("payment_session") as any
+
+    const pc = await paymentCollectionService.retrieveByCartId(cartId).catch(() => null)
+    if (!pc?.id) {
+      return
+    }
+
+    const sessions = await paymentSessionService.list({ payment_collection_id: pc.id })
+    const paypalSession = sessions?.find((s: any) => isPayPalProviderId(s.provider_id))
+    if (!paypalSession) {
+      return
+    }
+
+    await paymentSessionService.update(paypalSession.id, {
+      data: {
+        ...(paypalSession.data || {}),
+        paypal: {
+          ...((paypalSession.data || {}).paypal || {}),
+          order_id: orderId,
+        },
+      },
+    })
+  } catch {
+    // ignore best-effort session update
+  }
+}
+
+async function getExistingPayPalOrderId(req: MedusaRequest, cartId: string) {
+  try {
+    const paymentCollectionService = req.scope.resolve("payment_collection") as any
+    const paymentSessionService = req.scope.resolve("payment_session") as any
+
+    const pc = await paymentCollectionService.retrieveByCartId(cartId).catch(() => null)
+    if (!pc?.id) {
+      return null
+    }
+
+    const sessions = await paymentSessionService.list({ payment_collection_id: pc.id })
+    const paypalSession = sessions?.find((s: any) => isPayPalProviderId(s.provider_id))
+    if (!paypalSession) {
+      return null
+    }
+
+    const paypalData = (paypalSession.data || {}).paypal || {}
+    return paypalData.order_id ? String(paypalData.order_id) : null
+  } catch {
+    return null
+  }
+}
+
+function resolveReturnUrl(req: MedusaRequest) {
+  const configured = process.env.STOREFRONT_URL || process.env.STORE_URL
+  if (!configured) {
+    return undefined
+  }
+  return `${configured.replace(/\/$/, "")}/checkout`
+}
+
+function resolveCancelUrl(req: MedusaRequest) {
+  const configured = process.env.STOREFRONT_URL || process.env.STORE_URL
+  if (!configured) {
+    return undefined
+  }
+  return `${configured.replace(/\/$/, "")}/cart`
+}
+
+export async function POST(req: MedusaRequest, res: MedusaResponse) {
+  const paypal = req.scope.resolve<PayPalModuleService>("paypal_onboarding")
+  let debugId: string | null = null
+
+  try {
+    const body = (req.body || {}) as Body
+    const cartId = body.cart_id
+
+    if (!cartId) {
+      return res.status(400).json({ message: "cart_id is required" })
+    }
+
+    const existingOrderId = await getExistingPayPalOrderId(req, cartId)
+    if (existingOrderId) {
+      return res.json({ id: existingOrderId })
+    }
+
+    /**
+     * ✅ Medusa v2 cart retrieval via Query Graph
+     */
+    const query = req.scope.resolve("query")
+
+    const { data } = await query.graph({
+      entity: "cart",
+      fields: [
+        "id",
+        "total",
+        "subtotal",
+        "shipping_total",
+        "tax_total",
+        "discount_total",
+        "gift_card_total",
+        "currency_code",
+        "region.currency_code",
+      ],
+      filters: { id: cartId },
+    })
+
+    const cart = (data?.[0] as any) || null
+
+    if (!cart) {
+      return res.status(404).json({ message: "Cart not found" })
+    }
+
+    const creds = await paypal.getActiveCredentials()
+
+    type PayPalSettingsResponse = {
+      data?: { additional_settings?: Record<string, unknown>; api_details?: Record<string, unknown> }
+    }
+    const settings = await paypal
+      .getSettings()
+      .catch((): PayPalSettingsResponse => ({}))
+    const additionalSettings = settings.data?.additional_settings || {}
+    const apiDetails = settings.data?.api_details || {}
+    const configuredCurrency =
+      typeof apiDetails.currency_code === "string"
+        ? normalizeCurrencyCode(apiDetails.currency_code)
+        : normalizeCurrencyCode(process.env.PAYPAL_CURRENCY || "USD")
+
+    const currency = normalizeCurrencyCode(
+      cart.region?.currency_code || cart.currency_code || configuredCurrency
+    )
+    assertPayPalCurrencySupported({
+      currencyCode: currency,
+      paypalCurrencyOverride: configuredCurrency,
+    })
+
+    const totalMinor = Number(cart.total || 0)
+    const value = formatAmountForPayPal(totalMinor, currency)
+
+    const paymentActionRaw =
+      typeof additionalSettings.paymentAction === "string"
+        ? additionalSettings.paymentAction
+        : "capture"
+    const paymentAction = paymentActionRaw === "authorize" ? "AUTHORIZE" : "CAPTURE"
+    const brandName =
+      typeof additionalSettings.brandName === "string"
+        ? additionalSettings.brandName
+        : undefined
+    const landingPageRaw =
+      typeof additionalSettings.landingPage === "string"
+        ? additionalSettings.landingPage
+        : undefined
+    const landingPage =
+      landingPageRaw === "login"
+        ? "LOGIN"
+        : landingPageRaw === "billing"
+          ? "BILLING"
+          : landingPageRaw === "no_preference"
+            ? "NO_PREFERENCE"
+            : undefined
+    const skipReview =
+      typeof additionalSettings.skipOrderReviewPage === "boolean"
+        ? additionalSettings.skipOrderReviewPage
+        : undefined
+    const requireInstantPayment =
+      typeof additionalSettings.requireInstantPayment === "boolean"
+        ? additionalSettings.requireInstantPayment
+        : undefined
+    const invoicePrefix =
+      typeof additionalSettings.invoicePrefix === "string"
+        ? additionalSettings.invoicePrefix
+        : ""
+    const invoiceId = `${invoicePrefix}${cart.id}`.trim() || cart.id
+    const returnUrl =
+      (typeof apiDetails.storefront_url === "string" && apiDetails.storefront_url.trim()
+        ? `${apiDetails.storefront_url.replace(/\/$/, "")}/checkout`
+        : resolveReturnUrl(req))
+    const cancelUrl =
+      (typeof apiDetails.storefront_url === "string" && apiDetails.storefront_url.trim()
+        ? `${apiDetails.storefront_url.replace(/\/$/, "")}/cart`
+        : resolveCancelUrl(req))
+
+    const applicationContext: Record<string, any> = {
+      ...(brandName ? { brand_name: brandName } : {}),
+      ...(landingPage ? { landing_page: landingPage } : {}),
+      ...(typeof skipReview === "boolean"
+        ? { user_action: skipReview ? "PAY_NOW" : "CONTINUE" }
+        : {}),
+      ...(requireInstantPayment ? { payment_method_preference: "IMMEDIATE_PAYMENT_REQUIRED" } : {}),
+      ...(returnUrl ? { return_url: returnUrl } : {}),
+      ...(cancelUrl ? { cancel_url: cancelUrl } : {}),
+    }
+
+    const breakdown: Record<string, any> = {}
+    const subtotalMinor = Number(cart.subtotal || 0)
+    const shippingMinor = Number(cart.shipping_total || 0)
+    const taxMinor = Number(cart.tax_total || 0)
+    const discountMinor = Number(cart.discount_total || 0)
+    const giftCardMinor = Number(cart.gift_card_total || 0)
+    const adjustmentMinor = Math.max(
+      0,
+      subtotalMinor + shippingMinor + taxMinor - totalMinor
+    )
+    if (subtotalMinor > 0) {
+      breakdown.item_total = {
+        currency_code: currency,
+        value: formatAmountForPayPal(subtotalMinor, currency),
+      }
+    }
+    if (shippingMinor > 0) {
+      breakdown.shipping = {
+        currency_code: currency,
+        value: formatAmountForPayPal(shippingMinor, currency),
+      }
+    }
+    if (taxMinor > 0) {
+      breakdown.tax_total = {
+        currency_code: currency,
+        value: formatAmountForPayPal(taxMinor, currency),
+      }
+    }
+    const discountValue = Math.max(0, discountMinor + giftCardMinor, adjustmentMinor)
+    if (discountValue > 0) {
+      breakdown.discount = {
+        currency_code: currency,
+        value: formatAmountForPayPal(discountValue, currency),
+      }
+    }
+
+    const { accessToken, base } = await getPayPalAccessToken({
+      environment: creds.environment,
+      client_id: creds.client_id,
+      client_secret: creds.client_secret,
+    })
+
+    const requestId = resolveIdempotencyKey(req, "create-order", `pp-create-${cart.id}`)
+
+    const ppResp = await fetch(`${base}/v2/checkout/orders`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json",
+        "PayPal-Request-Id": requestId,
+      },
+      body: JSON.stringify({
+        intent: paymentAction,
+        purchase_units: [
+          {
+            reference_id: cart.id,
+            invoice_id: invoiceId,
+            amount: {
+              currency_code: currency,
+              value,
+              ...(Object.keys(breakdown).length > 0 ? { breakdown } : {}),
+            },
+          },
+        ],
+        custom_id: cart.id,
+        ...(Object.keys(applicationContext).length > 0
+          ? { application_context: applicationContext }
+          : {}),
+      }),
+    })
+
+    const ppText = await ppResp.text()
+    debugId = ppResp.headers.get("paypal-debug-id")
+    if (!ppResp.ok) {
+      throw new Error(
+        `PayPal create order error (${ppResp.status}): ${ppText}${
+          debugId ? ` debug_id=${debugId}` : ""
+        }`
+      )
+    }
+
+    const order = JSON.parse(ppText)
+
+    await attachPayPalOrderToSession(req, cart.id, order.id)
+
+    console.info("[PayPal] create-order", {
+      cart_id: cart.id,
+      order_id: order.id,
+      request_id: requestId,
+      debug_id: ppResp.headers.get("paypal-debug-id"),
+    })
+    try {
+      await paypal.recordMetric("create_order_success")
+    } catch {
+      // ignore metrics failures
+    }
+    return res.json({ id: order.id })
+  } catch (e: any) {
+    try {
+      const body = (req.body || {}) as Body
+      await paypal.recordAuditEvent("create_order_failed", {
+        cart_id: body.cart_id,
+        debug_id: debugId,
+        message: e?.message || String(e),
+      })
+      await paypal.recordMetric("create_order_failed")
+    } catch {
+      // ignore audit logging failures
+    }
+    const message = e?.message || "Failed to create PayPal order"
+    const status = message.includes("PayPal does not support currency")
+      ? 400
+      : message.includes("PayPal is configured for")
+        ? 400
+        : 500
+    return res.status(status).json({ message })
+  }
+}