npm - @easypayment/medusa-paypal - Versions diffs - 0.4.7 → 0.4.8 - Mend

@easypayment/medusa-paypal 0.4.7 → 0.4.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (70) hide show

package/src/api/store/paypal/webhook/route.ts CHANGED Viewed

@@ -1,246 +1,246 @@
-import type { MedusaRequest, MedusaResponse } from "@medusajs/framework/http"
-import type PayPalModuleService from "../../../../modules/paypal/service"
-import {
-  computeNextRetryAt,
-  isAllowedEventType,
-  normalizeEventVersion,
-  processPayPalWebhookEvent,
-} from "../../../../modules/paypal/webhook-processor"
-const REPLAY_WINDOW_MINUTES = (() => {
-  const configured = Number(process.env.PAYPAL_WEBHOOK_REPLAY_WINDOW_MINUTES)
-  return Number.isFinite(configured) ? configured : 60
-})()
-function getHeader(headers: Record<string, string | string[] | undefined>, name: string) {
-  const direct = headers[name]
-  if (Array.isArray(direct)) {
-    return direct[0]
-  }
-  if (typeof direct === "string") {
-    return direct
-  }
-  const needle = name.toLowerCase()
-  const key = Object.keys(headers).find((header) => header.toLowerCase() === needle)
-  const value = key ? headers[key] : undefined
-  if (Array.isArray(value)) {
-    return value[0]
-  }
-  return value
-}
-function isReplay(headers: Record<string, string | string[] | undefined>) {
-  const transmissionTime = getHeader(headers, "paypal-transmission-time")
-  if (!transmissionTime) {
-    throw new Error("Missing PayPal transmission time header")
-  }
-  const parsed = Date.parse(transmissionTime)
-  if (!Number.isFinite(parsed)) {
-    throw new Error("Invalid PayPal transmission time header")
-  }
-  const deltaMs = Math.abs(Date.now() - parsed)
-  return deltaMs > REPLAY_WINDOW_MINUTES * 60 * 1000
-}
-function resolveWebhookId(
-  environment: string,
-  settings?: Record<string, unknown>
-) {
-  const ids = (settings?.webhook_ids || {}) as Record<string, string | undefined>
-  const legacyLive = settings?.webhook_id_live as string | undefined
-  const legacySandbox = settings?.webhook_id_sandbox as string | undefined
-  if (environment === "live") {
-    return ids.live || legacyLive || process.env.PAYPAL_WEBHOOK_ID_LIVE
-  }
-  return ids.sandbox || legacySandbox || process.env.PAYPAL_WEBHOOK_ID_SANDBOX
-}
-async function verifyWebhookSignature(
-  paypal: PayPalModuleService,
-  environment: string,
-  body: Record<string, unknown>,
-  headers: Record<string, string | string[] | undefined>
-) {
-  if (isReplay(headers)) {
-    throw new Error("PayPal webhook replay protection triggered")
-  }
-  const settings = await paypal.getSettings().catch(() => ({ data: {} }))
-  const webhookId = resolveWebhookId(
-    environment,
-    (settings?.data as Record<string, unknown>) || {}
-  )
-  if (!webhookId) {
-    throw new Error(`Missing PayPal webhook ID for environment "${environment}"`)
-  }
-  const base =
-    environment === "live"
-      ? "https://api-m.paypal.com"
-      : "https://api-m.sandbox.paypal.com"
-  const accessToken = await paypal.getAppAccessToken()
-  const verifyPayload = {
-    auth_algo: getHeader(headers, "paypal-auth-algo"),
-    cert_url: getHeader(headers, "paypal-cert-url"),
-    transmission_id: getHeader(headers, "paypal-transmission-id"),
-    transmission_sig: getHeader(headers, "paypal-transmission-sig"),
-    transmission_time: getHeader(headers, "paypal-transmission-time"),
-    webhook_id: webhookId,
-    webhook_event: body,
-  }
-  const requiredHeaders = [
-    verifyPayload.auth_algo,
-    verifyPayload.cert_url,
-    verifyPayload.transmission_id,
-    verifyPayload.transmission_sig,
-    verifyPayload.transmission_time,
-  ]
-  if (requiredHeaders.some((value) => !value)) {
-    throw new Error("Missing required PayPal webhook signature headers")
-  }
-  const resp = await fetch(`${base}/v1/notifications/verify-webhook-signature`, {
-    method: "POST",
-    headers: {
-      Authorization: `Bearer ${accessToken}`,
-      "Content-Type": "application/json",
-    },
-    body: JSON.stringify(verifyPayload),
-  })
-  const json = await resp.json().catch(() => ({}))
-  if (!resp.ok || json?.verification_status !== "VERIFIED") {
-    const debugId = resp.headers.get("paypal-debug-id") || json?.debug_id
-    throw new Error(
-      `PayPal webhook verification failed (${resp.status}): ${JSON.stringify(json)}${
-        debugId ? ` debug_id=${debugId}` : ""
-      }`
-    )
-  }
-}
-export async function POST(req: MedusaRequest, res: MedusaResponse) {
-  const paypal = req.scope.resolve<PayPalModuleService>("paypal_onboarding")
-  try {
-    const payload = (req.body || {}) as Record<string, any>
-    const eventId = String(payload?.id || payload?.event_id || "")
-    const eventType = String(payload?.event_type || payload?.eventType || "")
-    if (!eventId || !eventType) {
-      return res.status(400).json({ message: "Missing PayPal event id or type" })
-    }
-    const creds = await paypal.getActiveCredentials()
-    await verifyWebhookSignature(paypal, creds.environment, payload, req.headers)
-    const transmissionId = getHeader(req.headers, "paypal-transmission-id") || null
-    const transmissionTimeHeader = getHeader(req.headers, "paypal-transmission-time")
-    const transmissionTime = transmissionTimeHeader ? new Date(transmissionTimeHeader) : null
-    const eventVersion = normalizeEventVersion(payload)
-    if (transmissionId) {
-      const existingByTransmission = await paypal.listPayPalWebhookEvents({
-        transmission_id: transmissionId,
-      })
-      if ((existingByTransmission || []).length > 0) {
-        return res.json({ ok: true, duplicate: true })
-      }
-    }
-    const recordResult = await paypal.createWebhookEventRecord({
-      event_id: eventId,
-      event_type: eventType,
-      payload,
-      event_version: eventVersion,
-      transmission_id: transmissionId,
-      transmission_time: transmissionTime,
-      status: "processing",
-      attempt_count: 1,
-    })
-    if (!recordResult.created) {
-      return res.json({ ok: true, duplicate: true })
-    }
-    if (!isAllowedEventType(eventType)) {
-      await paypal.recordAuditEvent("webhook_unsupported_event", {
-        event_id: eventId,
-        event_type: eventType,
-      })
-      if (recordResult.event?.id) {
-        await paypal.updateWebhookEventRecord({
-          id: recordResult.event.id,
-          status: "ignored",
-          processed_at: new Date(),
-        })
-      }
-      return res.json({ ok: true, ignored: true })
-    }
-    const processed = await processPayPalWebhookEvent(req.scope, {
-      eventType,
-      payload,
-    })
-    if (recordResult.event?.id) {
-      await paypal.updateWebhookEventRecord({
-        id: recordResult.event.id,
-        status: "processed",
-        processed_at: new Date(),
-        resource_id: processed.refundId || processed.captureId || processed.orderId || null,
-      })
-    }
-    console.info("[PayPal] webhook", {
-      event_id: eventId,
-      event_type: eventType,
-      order_id: processed.orderId,
-      capture_id: processed.captureId,
-      refund_id: processed.refundId,
-      cart_id: processed.cartId,
-    })
-    try {
-      await paypal.recordMetric("webhook_success")
-    } catch {
-      // ignore metrics failures
-    }
-    return res.json({ ok: true })
-  } catch (e: any) {
-    try {
-      const payload = (req.body || {}) as Record<string, any>
-      const eventId = String(payload?.id || payload?.event_id || "")
-      const eventType = String(payload?.event_type || payload?.eventType || "")
-      if (eventId) {
-        const existing = await paypal.listPayPalWebhookEvents({ event_id: eventId })
-        const record = existing?.[0]
-        if (record?.id) {
-          const attemptCount = Number(record.attempt_count || 0) + 1
-          await paypal.updateWebhookEventRecord({
-            id: record.id,
-            status: "failed",
-            attempt_count: attemptCount,
-            next_retry_at: computeNextRetryAt(attemptCount),
-            last_error: e?.message || String(e),
-          })
-        }
-      }
-      await paypal.recordAuditEvent("webhook_failed", {
-        event_id: payload?.id || payload?.event_id,
-        event_type: payload?.event_type || payload?.eventType,
-        message: e?.message || String(e),
-      })
-      await paypal.recordMetric("webhook_failed")
-    } catch {
-      // ignore audit logging failures
-    }
-    console.error("[PayPal] webhook error", e?.message || e)
-    return res.status(500).json({ message: e?.message || "PayPal webhook error" })
-  }
-}
+import type { MedusaRequest, MedusaResponse } from "@medusajs/framework/http"
+import type PayPalModuleService from "../../../../modules/paypal/service"
+import {
+  computeNextRetryAt,
+  isAllowedEventType,
+  normalizeEventVersion,
+  processPayPalWebhookEvent,
+} from "../../../../modules/paypal/webhook-processor"
+const REPLAY_WINDOW_MINUTES = (() => {
+  const configured = Number(process.env.PAYPAL_WEBHOOK_REPLAY_WINDOW_MINUTES)
+  return Number.isFinite(configured) ? configured : 60
+})()
+function getHeader(headers: Record<string, string | string[] | undefined>, name: string) {
+  const direct = headers[name]
+  if (Array.isArray(direct)) {
+    return direct[0]
+  }
+  if (typeof direct === "string") {
+    return direct
+  }
+  const needle = name.toLowerCase()
+  const key = Object.keys(headers).find((header) => header.toLowerCase() === needle)
+  const value = key ? headers[key] : undefined
+  if (Array.isArray(value)) {
+    return value[0]
+  }
+  return value
+}
+function isReplay(headers: Record<string, string | string[] | undefined>) {
+  const transmissionTime = getHeader(headers, "paypal-transmission-time")
+  if (!transmissionTime) {
+    throw new Error("Missing PayPal transmission time header")
+  }
+  const parsed = Date.parse(transmissionTime)
+  if (!Number.isFinite(parsed)) {
+    throw new Error("Invalid PayPal transmission time header")
+  }
+  const deltaMs = Math.abs(Date.now() - parsed)
+  return deltaMs > REPLAY_WINDOW_MINUTES * 60 * 1000
+}
+function resolveWebhookId(
+  environment: string,
+  settings?: Record<string, unknown>
+) {
+  const ids = (settings?.webhook_ids || {}) as Record<string, string | undefined>
+  const legacyLive = settings?.webhook_id_live as string | undefined
+  const legacySandbox = settings?.webhook_id_sandbox as string | undefined
+  if (environment === "live") {
+    return ids.live || legacyLive || process.env.PAYPAL_WEBHOOK_ID_LIVE
+  }
+  return ids.sandbox || legacySandbox || process.env.PAYPAL_WEBHOOK_ID_SANDBOX
+}
+async function verifyWebhookSignature(
+  paypal: PayPalModuleService,
+  environment: string,
+  body: Record<string, unknown>,
+  headers: Record<string, string | string[] | undefined>
+) {
+  if (isReplay(headers)) {
+    throw new Error("PayPal webhook replay protection triggered")
+  }
+  const settings = await paypal.getSettings().catch(() => ({ data: {} }))
+  const webhookId = resolveWebhookId(
+    environment,
+    (settings?.data as Record<string, unknown>) || {}
+  )
+  if (!webhookId) {
+    throw new Error(`Missing PayPal webhook ID for environment "${environment}"`)
+  }
+  const base =
+    environment === "live"
+      ? "https://api-m.paypal.com"
+      : "https://api-m.sandbox.paypal.com"
+  const accessToken = await paypal.getAppAccessToken()
+  const verifyPayload = {
+    auth_algo: getHeader(headers, "paypal-auth-algo"),
+    cert_url: getHeader(headers, "paypal-cert-url"),
+    transmission_id: getHeader(headers, "paypal-transmission-id"),
+    transmission_sig: getHeader(headers, "paypal-transmission-sig"),
+    transmission_time: getHeader(headers, "paypal-transmission-time"),
+    webhook_id: webhookId,
+    webhook_event: body,
+  }
+  const requiredHeaders = [
+    verifyPayload.auth_algo,
+    verifyPayload.cert_url,
+    verifyPayload.transmission_id,
+    verifyPayload.transmission_sig,
+    verifyPayload.transmission_time,
+  ]
+  if (requiredHeaders.some((value) => !value)) {
+    throw new Error("Missing required PayPal webhook signature headers")
+  }
+  const resp = await fetch(`${base}/v1/notifications/verify-webhook-signature`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify(verifyPayload),
+  })
+  const json = await resp.json().catch(() => ({}))
+  if (!resp.ok || json?.verification_status !== "VERIFIED") {
+    const debugId = resp.headers.get("paypal-debug-id") || json?.debug_id
+    throw new Error(
+      `PayPal webhook verification failed (${resp.status}): ${JSON.stringify(json)}${
+        debugId ? ` debug_id=${debugId}` : ""
+      }`
+    )
+  }
+}
+export async function POST(req: MedusaRequest, res: MedusaResponse) {
+  const paypal = req.scope.resolve<PayPalModuleService>("paypal_onboarding")
+  try {
+    const payload = (req.body || {}) as Record<string, any>
+    const eventId = String(payload?.id || payload?.event_id || "")
+    const eventType = String(payload?.event_type || payload?.eventType || "")
+    if (!eventId || !eventType) {
+      return res.status(400).json({ message: "Missing PayPal event id or type" })
+    }
+    const creds = await paypal.getActiveCredentials()
+    await verifyWebhookSignature(paypal, creds.environment, payload, req.headers)
+    const transmissionId = getHeader(req.headers, "paypal-transmission-id") || null
+    const transmissionTimeHeader = getHeader(req.headers, "paypal-transmission-time")
+    const transmissionTime = transmissionTimeHeader ? new Date(transmissionTimeHeader) : null
+    const eventVersion = normalizeEventVersion(payload)
+    if (transmissionId) {
+      const existingByTransmission = await paypal.listPayPalWebhookEvents({
+        transmission_id: transmissionId,
+      })
+      if ((existingByTransmission || []).length > 0) {
+        return res.json({ ok: true, duplicate: true })
+      }
+    }
+    const recordResult = await paypal.createWebhookEventRecord({
+      event_id: eventId,
+      event_type: eventType,
+      payload,
+      event_version: eventVersion,
+      transmission_id: transmissionId,
+      transmission_time: transmissionTime,
+      status: "processing",
+      attempt_count: 1,
+    })
+    if (!recordResult.created) {
+      return res.json({ ok: true, duplicate: true })
+    }
+    if (!isAllowedEventType(eventType)) {
+      await paypal.recordAuditEvent("webhook_unsupported_event", {
+        event_id: eventId,
+        event_type: eventType,
+      })
+      if (recordResult.event?.id) {
+        await paypal.updateWebhookEventRecord({
+          id: recordResult.event.id,
+          status: "ignored",
+          processed_at: new Date(),
+        })
+      }
+      return res.json({ ok: true, ignored: true })
+    }
+    const processed = await processPayPalWebhookEvent(req.scope, {
+      eventType,
+      payload,
+    })
+    if (recordResult.event?.id) {
+      await paypal.updateWebhookEventRecord({
+        id: recordResult.event.id,
+        status: "processed",
+        processed_at: new Date(),
+        resource_id: processed.refundId || processed.captureId || processed.orderId || null,
+      })
+    }
+    console.info("[PayPal] webhook", {
+      event_id: eventId,
+      event_type: eventType,
+      order_id: processed.orderId,
+      capture_id: processed.captureId,
+      refund_id: processed.refundId,
+      cart_id: processed.cartId,
+    })
+    try {
+      await paypal.recordMetric("webhook_success")
+    } catch {
+      // ignore metrics failures
+    }
+    return res.json({ ok: true })
+  } catch (e: any) {
+    try {
+      const payload = (req.body || {}) as Record<string, any>
+      const eventId = String(payload?.id || payload?.event_id || "")
+      const eventType = String(payload?.event_type || payload?.eventType || "")
+      if (eventId) {
+        const existing = await paypal.listPayPalWebhookEvents({ event_id: eventId })
+        const record = existing?.[0]
+        if (record?.id) {
+          const attemptCount = Number(record.attempt_count || 0) + 1
+          await paypal.updateWebhookEventRecord({
+            id: record.id,
+            status: "failed",
+            attempt_count: attemptCount,
+            next_retry_at: computeNextRetryAt(attemptCount),
+            last_error: e?.message || String(e),
+          })
+        }
+      }
+      await paypal.recordAuditEvent("webhook_failed", {
+        event_id: payload?.id || payload?.event_id,
+        event_type: payload?.event_type || payload?.eventType,
+        message: e?.message || String(e),
+      })
+      await paypal.recordMetric("webhook_failed")
+    } catch {
+      // ignore audit logging failures
+    }
+    console.error("[PayPal] webhook error", e?.message || e)
+    return res.status(500).json({ message: e?.message || "PayPal webhook error" })
+  }
+}

package/src/api/store/paypal-complete/route.ts CHANGED Viewed

@@ -1,76 +1,76 @@
-import type { MedusaRequest, MedusaResponse } from "@medusajs/framework/http"
-import type { IPaymentModuleService } from "@medusajs/framework/types"
-import { Modules } from "@medusajs/framework/utils"
-import type PayPalModuleService from "../../../modules/paypal/service"
-export async function POST(req: MedusaRequest, res: MedusaResponse) {
-  const { cart_id } = req.body as { cart_id: string }
-  if (!cart_id) {
-    return res.status(400).json({ error: "cart_id is required" })
-  }
-  try {
-    // Step 1 — read paymentAction from DB settings (same pattern as capture-order)
-    const paypal = req.scope.resolve<PayPalModuleService>("paypal_onboarding")
-    const settings = await paypal.getSettings().catch(() => ({}))
-    const settingsData =
-      settings && typeof settings === "object" && "data" in settings
-        ? ((settings as { data?: Record<string, any> }).data ?? {})
-        : {}
-    const additionalSettings = (settingsData.additional_settings || {}) as Record<string, any>
-    const paymentAction =
-      typeof additionalSettings.paymentAction === "string"
-        ? additionalSettings.paymentAction
-        : "capture"
-    // "authorize" mode → session status = "authorized"
-    // "capture" mode  → session status = "captured"
-    const sessionStatus = paymentAction === "authorize" ? "authorized" : "captured"
-    const timestampKey = paymentAction === "authorize" ? "authorized_at" : "captured_at"
-    // Step 2 — find the PayPal session for this cart
-    const query = req.scope.resolve("query")
-    const { data: carts } = await query.graph({
-      entity: "cart",
-      fields: [
-        "id",
-        "payment_collection.payment_sessions.id",
-        "payment_collection.payment_sessions.data",
-        "payment_collection.payment_sessions.provider_id",
-        "payment_collection.payment_sessions.created_at",
-        "payment_collection.payment_sessions.amount",
-        "payment_collection.payment_sessions.currency_code",
-      ],
-      filters: { id: cart_id },
-    })
-    const sessions = carts?.[0]?.payment_collection?.payment_sessions || []
-    const session = sessions
-      .filter((s: any) => String(s.provider_id || "").includes("paypal"))
-      .sort(
-        (a: any, b: any) =>
-          new Date(b.created_at || 0).getTime() - new Date(a.created_at || 0).getTime()
-      )[0]
-    if (!session) {
-      return res.status(400).json({ error: "No PayPal payment session found for cart" })
-    }
-    // Step 3 — update session with correct status + amount
-    const paymentModule = req.scope.resolve(Modules.PAYMENT) as IPaymentModuleService
-    await (paymentModule as any).updatePaymentSession({
-      id: session.id,
-      data: { ...(session.data || {}), [timestampKey]: new Date().toISOString() },
-      status: sessionStatus as any,
-      amount: session.amount,
-      currency_code: session.currency_code,
-    })
-    console.log(`[paypal-complete] session ${sessionStatus}:`, session.id)
-    return res.json({ success: true, session_id: session.id })
-  } catch (e: any) {
-    console.error("[paypal-complete] error:", e?.message || e)
-    return res.status(500).json({ error: e?.message || "Internal error" })
-  }
+import type { MedusaRequest, MedusaResponse } from "@medusajs/framework/http"
+import type { IPaymentModuleService } from "@medusajs/framework/types"
+import { Modules } from "@medusajs/framework/utils"
+import type PayPalModuleService from "../../../modules/paypal/service"
+export async function POST(req: MedusaRequest, res: MedusaResponse) {
+  const { cart_id } = req.body as { cart_id: string }
+  if (!cart_id) {
+    return res.status(400).json({ error: "cart_id is required" })
+  }
+  try {
+    // Step 1 — read paymentAction from DB settings (same pattern as capture-order)
+    const paypal = req.scope.resolve<PayPalModuleService>("paypal_onboarding")
+    const settings = await paypal.getSettings().catch(() => ({}))
+    const settingsData =
+      settings && typeof settings === "object" && "data" in settings
+        ? ((settings as { data?: Record<string, any> }).data ?? {})
+        : {}
+    const additionalSettings = (settingsData.additional_settings || {}) as Record<string, any>
+    const paymentAction =
+      typeof additionalSettings.paymentAction === "string"
+        ? additionalSettings.paymentAction
+        : "capture"
+    // "authorize" mode → session status = "authorized"
+    // "capture" mode  → session status = "captured"
+    const sessionStatus = paymentAction === "authorize" ? "authorized" : "captured"
+    const timestampKey = paymentAction === "authorize" ? "authorized_at" : "captured_at"
+    // Step 2 — find the PayPal session for this cart
+    const query = req.scope.resolve("query")
+    const { data: carts } = await query.graph({
+      entity: "cart",
+      fields: [
+        "id",
+        "payment_collection.payment_sessions.id",
+        "payment_collection.payment_sessions.data",
+        "payment_collection.payment_sessions.provider_id",
+        "payment_collection.payment_sessions.created_at",
+        "payment_collection.payment_sessions.amount",
+        "payment_collection.payment_sessions.currency_code",
+      ],
+      filters: { id: cart_id },
+    })
+    const sessions = carts?.[0]?.payment_collection?.payment_sessions || []
+    const session = sessions
+      .filter((s: any) => String(s.provider_id || "").includes("paypal"))
+      .sort(
+        (a: any, b: any) =>
+          new Date(b.created_at || 0).getTime() - new Date(a.created_at || 0).getTime()
+      )[0]
+    if (!session) {
+      return res.status(400).json({ error: "No PayPal payment session found for cart" })
+    }
+    // Step 3 — update session with correct status + amount
+    const paymentModule = req.scope.resolve(Modules.PAYMENT) as IPaymentModuleService
+    await (paymentModule as any).updatePaymentSession({
+      id: session.id,
+      data: { ...(session.data || {}), [timestampKey]: new Date().toISOString() },
+      status: sessionStatus as any,
+      amount: session.amount,
+      currency_code: session.currency_code,
+    })
+    console.log(`[paypal-complete] session ${sessionStatus}:`, session.id)
+    return res.json({ success: true, session_id: session.id })
+  } catch (e: any) {
+    console.error("[paypal-complete] error:", e?.message || e)
+    return res.status(500).json({ error: e?.message || "Internal error" })
+  }
 }