@sakeetech/vendure-payment-viva 0.2.1

package/dist/api/admin-sources.controller.js

@@ -0,0 +1,283 @@
+/**
+ * api/admin-sources.controller.ts — ISV-only admin REST for /api/sources wrapping.
+ *
+ * Single route:
+ *
+ *   POST /viva/admin/connected-accounts/:id/sources
+ *     Creates a payment source (ecommerce or physical) on a connected
+ *     merchant's Viva account via POST /api/sources on the legacy host,
+ *     authenticated with Reseller Basic auth (per AUTH.md §1.2).
+ *
+ * Flow:
+ *   1. Mode gate: 404 in merchant mode (mirrors Medusa _mode-gate.ts).
+ *   2. Reseller gate: 412 VIVA_RESELLER_CREDENTIALS_MISSING when
+ *      options.reseller is absent.
+ *   3. Body parse: 400 on missing/invalid fields or unknown kind.
+ *   4. Account lookup: IsvAccounts.retrieveConnectedAccount(:id).
+ *      → 409 VIVA_ACCOUNT_NOT_VERIFIED when verified !== true or
+ *        merchantId is null.
+ *   5. BasicAuthClient {authVariant:'reseller'} built with the connected
+ *      merchant's UUID (account.merchantId — NOT config.reseller.merchantId).
+ *   6. IsvSources.createEcommerceSource / createPhysicalSource.
+ *   7. 201 with {sourceCode, name, kind}.
+ *
+ * Viva 4xx on /api/sources → 422 VIVA_SOURCE_CREATION_FAILED.
+ * Viva 5xx / auth errors → 503 VIVA_AUTH_DOWN (existing envelope rule).
+ *
+ * @see docs/plans/multi-mode-v0.md §6 (admin REST table)
+ * @see docs/AUTH.md §1.2 (Reseller Basic)
+ * @see docs/ENDPOINTS.md §5.1
+ * @see packages/medusa-payment-viva/src/api/viva/admin/connected-accounts/[id]/sources/route.ts
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { Controller, Post, Param, Body, Res, Inject, UseGuards, } from '@nestjs/common';
+import { Allow, Permission, Logger, AuthGuard } from '@vendure/core';
+import { IsvAccounts, IsvHttpClient, IsvSources, } from '@sakeetech/viva-payments-core/isv';
+import { BasicAuthClient } from '@sakeetech/viva-payments-core/legacy';
+import { VivaApiError, VivaAuthError, VivaValidationError, } from '@sakeetech/viva-payments-core/errors';
+import { VivaPluginError } from '../util/error-envelope.js';
+import { VIVA_PLUGIN_OPTIONS, VIVA_OAUTH2_STRATEGY_TOKEN, VIVA_LOG_CONTEXT, } from '../constants.js';
+function parseBody(raw) {
+    const body = (raw ?? {});
+    const kind = body.kind;
+    if (kind !== 'ecommerce' && kind !== 'physical') {
+        return {
+            ok: false,
+            status: 400,
+            message: "body.kind must be 'ecommerce' or 'physical'",
+        };
+    }
+    const sourceCode = body.sourceCode;
+    if (sourceCode !== undefined && typeof sourceCode !== 'number') {
+        return {
+            ok: false,
+            status: 400,
+            message: 'sourceCode must be a number',
+        };
+    }
+    if (kind === 'physical') {
+        if (typeof body.name !== 'string' || body.name.trim() === '') {
+            return {
+                ok: false,
+                status: 400,
+                message: 'name is required for physical sources',
+            };
+        }
+        const input = {
+            name: body.name,
+            ...(sourceCode !== undefined ? { sourceCode: sourceCode } : {}),
+        };
+        return { ok: true, kind, input };
+    }
+    if (typeof body.domain !== 'string' || body.domain.trim() === '') {
+        return { ok: false, status: 400, message: 'domain is required for ecommerce sources' };
+    }
+    if (typeof body.pathSuccess !== 'string' || body.pathSuccess.trim() === '') {
+        return { ok: false, status: 400, message: 'pathSuccess is required for ecommerce sources' };
+    }
+    if (typeof body.pathFail !== 'string' || body.pathFail.trim() === '') {
+        return { ok: false, status: 400, message: 'pathFail is required for ecommerce sources' };
+    }
+    const ecomInput = {
+        domain: body.domain,
+        pathSuccess: body.pathSuccess,
+        pathFail: body.pathFail,
+        ...(typeof body.name === 'string' ? { name: body.name } : {}),
+        ...(typeof body.isSecure === 'boolean' ? { isSecure: body.isSecure } : {}),
+        ...(sourceCode !== undefined ? { sourceCode: sourceCode } : {}),
+    };
+    return { ok: true, kind, input: ecomInput };
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function writeError(res, status, err) {
+    res.writeHead(status, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify(err.toJSON()));
+}
+// ---------------------------------------------------------------------------
+// Controller
+// ---------------------------------------------------------------------------
+let AdminSourcesController = class AdminSourcesController {
+    options;
+    oauth2;
+    constructor(options, oauth2) {
+        this.options = options;
+        this.oauth2 = oauth2;
+    }
+    /**
+     * Narrow options to ISV mode + reseller block.
+     * Returns:
+     *   - { ok: true, isv } on success.
+     *   - { ok: false, status, err } on mode mismatch (404) or missing reseller (412).
+     */
+    requireIsvWithReseller() {
+        if (this.options.mode !== 'isv') {
+            return {
+                ok: false,
+                status: 404,
+                err: VivaPluginError.channelMisconfigured('POST /viva/admin/connected-accounts/:id/sources is ISV-only — not available in merchant mode.'),
+            };
+        }
+        if (!this.options.reseller) {
+            return {
+                ok: false,
+                status: 412,
+                err: VivaPluginError.resellerCredentialsMissing(),
+            };
+        }
+        return {
+            ok: true,
+            isv: this.options,
+        };
+    }
+    /** Build the OAuth2-backed IsvAccounts client (platform creds). */
+    buildIsvAccounts() {
+        const client = new IsvHttpClient({
+            environment: this.options.environment,
+            authStrategy: this.oauth2,
+        });
+        return new IsvAccounts(client);
+    }
+    // -------------------------------------------------------------------------
+    // POST /viva/admin/connected-accounts/:id/sources
+    // -------------------------------------------------------------------------
+    async createSource(id, body, res) {
+        if (!id) {
+            writeError(res, 400, VivaPluginError.channelMisconfigured('id is required'));
+            return;
+        }
+        // 1. Mode + reseller gate
+        const gate = this.requireIsvWithReseller();
+        if (!gate.ok) {
+            writeError(res, gate.status, gate.err);
+            return;
+        }
+        const { isv } = gate;
+        // 2. Parse body
+        const parsed = parseBody(body);
+        if (!parsed.ok) {
+            writeError(res, parsed.status, VivaPluginError.channelMisconfigured(parsed.message));
+            return;
+        }
+        // 3. Resolve connected account
+        let account;
+        try {
+            const accounts = this.buildIsvAccounts();
+            account = await accounts.retrieveConnectedAccount(id);
+        }
+        catch (err) {
+            if (err instanceof VivaAuthError || (err instanceof VivaApiError && (err.httpStatus ?? 0) >= 500)) {
+                writeError(res, 503, VivaPluginError.authDown(err instanceof Error ? err.message : 'Viva service unavailable', err));
+                return;
+            }
+            if (err instanceof VivaApiError) {
+                const status = err.httpStatus ?? 502;
+                writeError(res, status >= 400 && status < 600 ? status : 502, VivaPluginError.apiError({
+                    message: err.message,
+                    vivaErrorMessage: err.message,
+                    cause: err,
+                }));
+                return;
+            }
+            Logger.error(`[AdminSources] retrieveConnectedAccount failed for id=${id}: ${String(err)}`, VIVA_LOG_CONTEXT);
+            writeError(res, 500, VivaPluginError.internalError('Unexpected error', err));
+            return;
+        }
+        if (account.verified !== true || account.merchantId == null) {
+            const err = VivaPluginError.accountNotVerified(`Connected account ${id} is not verified yet (verified=${String(account.verified)}, ` +
+                `merchantId=${account.merchantId == null ? 'null' : 'set'}). ` +
+                `Wait for webhook 8194 or POST /viva/admin/connected-accounts/${id}/reconcile.`);
+            writeError(res, 409, err);
+            return;
+        }
+        // 4. Build Reseller Basic client scoped to THIS connected merchant.
+        //    Per AUTH.md §1.2: the MerchantId slot of Reseller Basic is the
+        //    connected merchant's UUID (account.merchantId), NOT the platform's
+        //    merchant id (isv.reseller.merchantId — unused here despite the name).
+        const basic = new BasicAuthClient({
+            authVariant: 'reseller',
+            environment: isv.environment,
+            resellerId: isv.reseller.resellerId,
+            merchantId: account.merchantId,
+            resellerApiKey: isv.reseller.resellerApiKey,
+        });
+        const sources = new IsvSources(basic);
+        // 5. Dispatch on kind.
+        try {
+            const response = parsed.kind === 'ecommerce'
+                ? await sources.createEcommerceSource(parsed.input)
+                : await sources.createPhysicalSource(parsed.input);
+            res.writeHead(201, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({
+                sourceCode: response.sourceCode,
+                name: response.name ?? parsed.input.name,
+                kind: parsed.kind,
+            }));
+        }
+        catch (err) {
+            if (err instanceof VivaValidationError) {
+                writeError(res, 400, VivaPluginError.channelMisconfigured(err.message));
+                return;
+            }
+            if (err instanceof VivaApiError) {
+                const status = err.httpStatus;
+                if (typeof status === 'number' && status >= 400 && status < 500) {
+                    const rawCode = err.vivaCode !== undefined ? Number(err.vivaCode) : undefined;
+                    const opts = {
+                        message: err.message,
+                        vivaStatus: status,
+                        cause: err,
+                    };
+                    if (rawCode !== undefined && !Number.isNaN(rawCode)) {
+                        opts.vivaErrorCode = rawCode;
+                    }
+                    writeError(res, 422, VivaPluginError.sourceCreationFailed(opts));
+                    return;
+                }
+                if (typeof status === 'number' && status >= 500) {
+                    writeError(res, 503, VivaPluginError.authDown(err.message, err));
+                    return;
+                }
+                writeError(res, 502, VivaPluginError.apiError({
+                    message: err.message,
+                    vivaErrorMessage: err.message,
+                    cause: err,
+                }));
+                return;
+            }
+            Logger.error(`[AdminSources] createSource failed for id=${id}: ${String(err)}`, VIVA_LOG_CONTEXT);
+            writeError(res, 500, VivaPluginError.internalError('Unexpected error', err));
+        }
+    }
+};
+__decorate([
+    Post(':id/sources'),
+    Allow(Permission.SuperAdmin),
+    __param(0, Param('id')),
+    __param(1, Body()),
+    __param(2, Res()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String, Object, Function]),
+    __metadata("design:returntype", Promise)
+], AdminSourcesController.prototype, "createSource", null);
+AdminSourcesController = __decorate([
+    Controller('viva/admin/connected-accounts'),
+    UseGuards(AuthGuard),
+    __param(0, Inject(VIVA_PLUGIN_OPTIONS)),
+    __param(1, Inject(VIVA_OAUTH2_STRATEGY_TOKEN)),
+    __metadata("design:paramtypes", [Object, Object])
+], AdminSourcesController);
+export { AdminSourcesController };
+//# sourceMappingURL=admin-sources.controller.js.map

package/dist/api/admin-sources.controller.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-sources.controller.js","sourceRoot":"","sources":["../../src/api/admin-sources.controller.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;;;;;;;;;;;;;AAEH,OAAO,EACL,UAAU,EACV,IAAI,EACJ,KAAK,EACL,IAAI,EACJ,GAAG,EACH,MAAM,EACN,SAAS,GACV,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AACrE,OAAO,EACL,WAAW,EACX,aAAa,EACb,UAAU,GACX,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAC;AACvE,OAAO,EACL,YAAY,EACZ,aAAa,EACb,mBAAmB,GACpB,MAAM,sCAAsC,CAAC;AAO9C,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EACL,mBAAmB,EACnB,0BAA0B,EAC1B,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AAmCzB,SAAS,SAAS,CAAC,GAAY;IAC7B,MAAM,IAAI,GAAG,CAAC,GAAG,IAAI,EAAE,CAAwB,CAAC;IAChD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IAEvB,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;QAChD,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,6CAA6C;SACvD,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IACnC,IAAI,UAAU,KAAK,SAAS,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC/D,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,6BAA6B;SACvC,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;QACxB,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAC7D,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,uCAAuC;aACjD,CAAC;QACJ,CAAC;QACD,MAAM,KAAK,GAAsD;YAC/D,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,GAAG,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,UAAoB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC1E,CAAC;QACF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IACnC,CAAC;IAED,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACjE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;IACzF,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC3E,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,+CAA+C,EAAE,CAAC;IAC9F,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACrE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,4CAA4C,EAAE,CAAC;IAC3F,CAAC;IAED,MAAM,SAAS,GAAuD;QACpE,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,GAAG,CAAC,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC7D,GAAG,CAAC,OAAO,IAAI,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,GAAG,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,UAAoB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC1E,CAAC;IACF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;AAC9C,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,UAAU,CAAC,GAAmB,EAAE,MAAc,EAAE,GAAoB;IAC3E,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAC9D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;AACxC,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAIvE,IAAM,sBAAsB,GAA5B,MAAM,sBAAsB;IAGd;IAEA;IAJnB,YAEmB,OAAiC,EAEjC,MAA0B;QAF1B,YAAO,GAAP,OAAO,CAA0B;QAEjC,WAAM,GAAN,MAAM,CAAoB;IAC1C,CAAC;IAEJ;;;;;OAKG;IACK,sBAAsB;QAG5B,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;YAChC,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,GAAG;gBACX,GAAG,EAAE,eAAe,CAAC,oBAAoB,CACvC,+FAA+F,CAChG;aACF,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YAC3B,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,GAAG;gBACX,GAAG,EAAE,eAAe,CAAC,0BAA0B,EAAE;aAClD,CAAC;QACJ,CAAC;QACD,OAAO;YACL,EAAE,EAAE,IAAI;YACR,GAAG,EAAE,IAAI,CAAC,OAET;SACF,CAAC;IACJ,CAAC;IAED,mEAAmE;IAC3D,gBAAgB;QACtB,MAAM,MAAM,GAAG,IAAI,aAAa,CAAC;YAC/B,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW;YACrC,YAAY,EAAE,IAAI,CAAC,MAAM;SAC1B,CAAC,CAAC;QACH,OAAO,IAAI,WAAW,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IAED,4EAA4E;IAC5E,kDAAkD;IAClD,4EAA4E;IAItE,AAAN,KAAK,CAAC,YAAY,CACH,EAAU,EACf,IAAa,EACd,GAAmB;QAE1B,IAAI,CAAC,EAAE,EAAE,CAAC;YACR,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,CAAC,oBAAoB,CAAC,gBAAgB,CAAC,CAAC,CAAC;YAC7E,OAAO;QACT,CAAC;QAED,0BAA0B;QAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC3C,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YACvC,OAAO;QACT,CAAC;QACD,MAAM,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAErB,gBAAgB;QAChB,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;QAC/B,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YACf,UAAU,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,oBAAoB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;YACrF,OAAO;QACT,CAAC;QAED,+BAA+B;QAC/B,IAAI,OAAqE,CAAC;QAC1E,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACzC,OAAO,GAAG,MAAM,QAAQ,CAAC,wBAAwB,CAAC,EAAwB,CAAC,CAAC;QAC9E,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,aAAa,IAAI,CAAC,GAAG,YAAY,YAAY,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,CAAC,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;gBAClG,UAAU,CACR,GAAG,EACH,GAAG,EACH,eAAe,CAAC,QAAQ,CACtB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,0BAA0B,EAC/D,GAAG,CACJ,CACF,CAAC;gBACF,OAAO;YACT,CAAC;YACD,IAAI,GAAG,YAAY,YAAY,EAAE,CAAC;gBAChC,MAAM,MAAM,GAAG,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC;gBACrC,UAAU,CACR,GAAG,EACH,MAAM,IAAI,GAAG,IAAI,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,EAC5C,eAAe,CAAC,QAAQ,CAAC;oBACvB,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,gBAAgB,EAAE,GAAG,CAAC,OAAO;oBAC7B,KAAK,EAAE,GAAG;iBACX,CAAC,CACH,CAAC;gBACF,OAAO;YACT,CAAC;YACD,MAAM,CAAC,KAAK,CACV,yDAAyD,EAAE,KAAK,MAAM,CAAC,GAAG,CAAC,EAAE,EAC7E,gBAAgB,CACjB,CAAC;YACF,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,CAAC,aAAa,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC,CAAC;YAC7E,OAAO;QACT,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,KAAK,IAAI,IAAI,OAAO,CAAC,UAAU,IAAI,IAAI,EAAE,CAAC;YAC5D,MAAM,GAAG,GAAG,eAAe,CAAC,kBAAkB,CAC5C,qBAAqB,EAAE,kCAAkC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI;gBACnF,cAAc,OAAO,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,KAAK;gBAC9D,gEAAgE,EAAE,aAAa,CAClF,CAAC;YACF,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,oEAAoE;QACpE,oEAAoE;QACpE,wEAAwE;QACxE,2EAA2E;QAC3E,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC;YAChC,WAAW,EAAE,UAAU;YACvB,WAAW,EAAE,GAAG,CAAC,WAAW;YAC5B,UAAU,EAAE,GAAG,CAAC,QAAQ,CAAC,UAAU;YACnC,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,cAAc,EAAE,GAAG,CAAC,QAAQ,CAAC,cAAc;SAC5C,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;QAEtC,uBAAuB;QACvB,IAAI,CAAC;YACH,MAAM,QAAQ,GACZ,MAAM,CAAC,IAAI,KAAK,WAAW;gBACzB,CAAC,CAAC,MAAM,OAAO,CAAC,qBAAqB,CAAC,MAAM,CAAC,KAAK,CAAC;gBACnD,CAAC,CAAC,MAAM,OAAO,CAAC,oBAAoB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAEvD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CACL,IAAI,CAAC,SAAS,CAAC;gBACb,UAAU,EAAE,QAAQ,CAAC,UAAU;gBAC/B,IAAI,EAAE,QAAQ,CAAC,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI;gBACxC,IAAI,EAAE,MAAM,CAAC,IAAI;aAClB,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,mBAAmB,EAAE,CAAC;gBACvC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,CAAC,oBAAoB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;gBACxE,OAAO;YACT,CAAC;YACD,IAAI,GAAG,YAAY,YAAY,EAAE,CAAC;gBAChC,MAAM,MAAM,GAAG,GAAG,CAAC,UAAU,CAAC;gBAC9B,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,GAAG,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;oBAChE,MAAM,OAAO,GACX,GAAG,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;oBAChE,MAAM,IAAI,GAA+D;wBACvE,OAAO,EAAE,GAAG,CAAC,OAAO;wBACpB,UAAU,EAAE,MAAM;wBAClB,KAAK,EAAE,GAAG;qBACX,CAAC;oBACF,IAAI,OAAO,KAAK,SAAS,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;wBACpD,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC;oBAC/B,CAAC;oBACD,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC;oBACjE,OAAO;gBACT,CAAC;gBACD,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,GAAG,EAAE,CAAC;oBAChD,UAAU,CACR,GAAG,EACH,GAAG,EACH,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAC3C,CAAC;oBACF,OAAO;gBACT,CAAC;gBACD,UAAU,CACR,GAAG,EACH,GAAG,EACH,eAAe,CAAC,QAAQ,CAAC;oBACvB,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,gBAAgB,EAAE,GAAG,CAAC,OAAO;oBAC7B,KAAK,EAAE,GAAG;iBACX,CAAC,CACH,CAAC;gBACF,OAAO;YACT,CAAC;YACD,MAAM,CAAC,KAAK,CACV,6CAA6C,EAAE,KAAK,MAAM,CAAC,GAAG,CAAC,EAAE,EACjE,gBAAgB,CACjB,CAAC;YACF,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,CAAC,aAAa,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC,CAAC;QAC/E,CAAC;IACH,CAAC;CACF,CAAA;AApJO;IAFL,IAAI,CAAC,aAAa,CAAC;IACnB,KAAK,CAAC,UAAU,CAAC,UAAU,CAAC;IAE1B,WAAA,KAAK,CAAC,IAAI,CAAC,CAAA;IACX,WAAA,IAAI,EAAE,CAAA;IACN,WAAA,GAAG,EAAE,CAAA;;;;0DAgJP;AA3MU,sBAAsB;IAFlC,UAAU,CAAC,+BAA+B,CAAC;IAC3C,SAAS,CAAC,SAAS,CAAC;IAGhB,WAAA,MAAM,CAAC,mBAAmB,CAAC,CAAA;IAE3B,WAAA,MAAM,CAAC,0BAA0B,CAAC,CAAA;;GAJ1B,sBAAsB,CA4MlC"}

package/dist/api/shop-api.extension.d.ts

@@ -0,0 +1,15 @@
+/**
+ * api/shop-api.extension.ts — GraphQL Shop API schema extension.
+ *
+ * Adds the `cancelPayment(paymentId)` mutation to the Shop API.
+ * `Order` is Vendure's existing built-in entity; `ErrorResult` interface
+ * is already in scope from @vendure/core so `CancelPaymentError implements
+ * ErrorResult` is valid without re-declaring the interface.
+ *
+ * Wired into plugin via `shopApiExtensions.schema` (see plugin.ts).
+ *
+ * @see docs/plans/vendure-plugin-v0.md §"API Surface — Shop API extension"
+ * @see docs/plans/vendure-plugin-v0.md §"Build Plan — V8"
+ */
+export declare const shopApiExtensions: import("graphql").DocumentNode;
+//# sourceMappingURL=shop-api.extension.d.ts.map

package/dist/api/shop-api.extension.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shop-api.extension.d.ts","sourceRoot":"","sources":["../../src/api/shop-api.extension.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,eAAO,MAAM,iBAAiB,gCAmB5B,CAAC"}

package/dist/api/shop-api.extension.js

@@ -0,0 +1,35 @@
+/**
+ * api/shop-api.extension.ts — GraphQL Shop API schema extension.
+ *
+ * Adds the `cancelPayment(paymentId)` mutation to the Shop API.
+ * `Order` is Vendure's existing built-in entity; `ErrorResult` interface
+ * is already in scope from @vendure/core so `CancelPaymentError implements
+ * ErrorResult` is valid without re-declaring the interface.
+ *
+ * Wired into plugin via `shopApiExtensions.schema` (see plugin.ts).
+ *
+ * @see docs/plans/vendure-plugin-v0.md §"API Surface — Shop API extension"
+ * @see docs/plans/vendure-plugin-v0.md §"Build Plan — V8"
+ */
+import { parse } from 'graphql';
+export const shopApiExtensions = parse(`
+  extend type Mutation {
+    """
+    Cancel a Vendure payment by ID. Voids the Viva-side authorization
+    (DELETE /checkout/v2/orders/{orderCode}) AND transitions the order back
+    to AddingItems. Storefront calls this on ?paymentCancelled=1.
+    Permission: order owner (active customer or active anonymous order).
+    """
+    cancelPayment(paymentId: ID!): CancelPaymentResult!
+  }
+
+  union CancelPaymentResult = Order | CancelPaymentError
+
+  type CancelPaymentError implements ErrorResult {
+    errorCode: String!
+    message: String!
+    vivaErrorCode: Int
+    vivaErrorMessage: String
+  }
+`);
+//# sourceMappingURL=shop-api.extension.js.map

package/dist/api/shop-api.extension.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shop-api.extension.js","sourceRoot":"","sources":["../../src/api/shop-api.extension.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAEhC,MAAM,CAAC,MAAM,iBAAiB,GAAG,KAAK,CAAC;;;;;;;;;;;;;;;;;;;CAmBtC,CAAC,CAAC"}

package/dist/api/shop-api.resolver.d.ts

@@ -0,0 +1,42 @@
+/**
+ * api/shop-api.resolver.ts — VivaShopApiResolver
+ *
+ * Resolves the `cancelPayment(paymentId)` Shop API mutation.
+ *
+ * Authorization pattern (D5 + D8, §3 cancel ownership):
+ *   - Authenticated customer: ctx.activeUserId must match order.customer.user.id.
+ *   - Anonymous order: the session's active order (looked up via
+ *     OrderService.getActiveOrderForUser or by active-order token) must have the
+ *     same id as the payment's order. We load the active order for the current
+ *     session (ctx) and compare order ids — if they match, the caller owns it.
+ *   Returns CancelPaymentError { errorCode: 'AUTHORIZATION_FAILED' } when neither
+ *   condition is satisfied. Does NOT throw — returns the union error member per
+ *   Vendure GraphQL conventions.
+ *
+ * Idempotency on re-cancel:
+ *   The row-status guard (step 6) fires before the Viva DELETE call.
+ *   If viva_transaction.status is already 'cancelled', we return
+ *   CancelPaymentError('VIVA_PAYMENT_NOT_CANCELLABLE') immediately — no Viva
+ *   network call is made. If the row is NOT yet 'cancelled' but Viva 4xx with
+ *   "already cancelled", the handler's error map converts it to
+ *   CancelPaymentError('VIVA_API_ERROR'). Both paths are tested.
+ *
+ * @see docs/plans/vendure-plugin-v0.md §"API Surface — Shop API extension"
+ * @see docs/plans/vendure-plugin-v0.md §"Build Plan — V8"
+ * @see docs/plans/vendure-plugin-v0.md §D5, §D8
+ * @see docs/VENDURE-CONTRACT.MD §3
+ */
+import { RequestContext, OrderService, PaymentService, TransactionalConnection } from '@vendure/core';
+import { StateMachineService } from '../services/state-machine.service.js';
+import type { VivaPaymentPluginOptions } from '../types.js';
+export declare class VivaShopApiResolver {
+    private readonly orderService;
+    private readonly paymentService;
+    private readonly connection;
+    private readonly stateMachine;
+    private readonly options;
+    constructor(orderService: OrderService, paymentService: PaymentService, connection: TransactionalConnection, stateMachine: StateMachineService, options: VivaPaymentPluginOptions);
+    cancelPayment(paymentId: string, ctx: RequestContext): Promise<object>;
+    private _isOrderOwner;
+}
+//# sourceMappingURL=shop-api.resolver.d.ts.map

package/dist/api/shop-api.resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shop-api.resolver.d.ts","sourceRoot":"","sources":["../../src/api/shop-api.resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAIH,OAAO,EAEL,cAAc,EACd,YAAY,EACZ,cAAc,EACd,uBAAuB,EAExB,MAAM,eAAe,CAAC;AAEvB,OAAO,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAC;AAG3E,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAC;AAgC5D,qBACa,mBAAmB;IAE5B,OAAO,CAAC,QAAQ,CAAC,YAAY;IAC7B,OAAO,CAAC,QAAQ,CAAC,cAAc;IAC/B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,YAAY;IACA,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAJpC,YAAY,EAAE,YAAY,EAC1B,cAAc,EAAE,cAAc,EAC9B,UAAU,EAAE,uBAAuB,EACnC,YAAY,EAAE,mBAAmB,EACJ,OAAO,EAAE,wBAAwB;IAI3E,aAAa,CACE,SAAS,EAAE,MAAM,EAC7B,GAAG,EAAE,cAAc,GACzB,OAAO,CAAC,MAAM,CAAC;YAqJJ,aAAa;CA4B5B"}

package/dist/api/shop-api.resolver.js

@@ -0,0 +1,256 @@
+/**
+ * api/shop-api.resolver.ts — VivaShopApiResolver
+ *
+ * Resolves the `cancelPayment(paymentId)` Shop API mutation.
+ *
+ * Authorization pattern (D5 + D8, §3 cancel ownership):
+ *   - Authenticated customer: ctx.activeUserId must match order.customer.user.id.
+ *   - Anonymous order: the session's active order (looked up via
+ *     OrderService.getActiveOrderForUser or by active-order token) must have the
+ *     same id as the payment's order. We load the active order for the current
+ *     session (ctx) and compare order ids — if they match, the caller owns it.
+ *   Returns CancelPaymentError { errorCode: 'AUTHORIZATION_FAILED' } when neither
+ *   condition is satisfied. Does NOT throw — returns the union error member per
+ *   Vendure GraphQL conventions.
+ *
+ * Idempotency on re-cancel:
+ *   The row-status guard (step 6) fires before the Viva DELETE call.
+ *   If viva_transaction.status is already 'cancelled', we return
+ *   CancelPaymentError('VIVA_PAYMENT_NOT_CANCELLABLE') immediately — no Viva
+ *   network call is made. If the row is NOT yet 'cancelled' but Viva 4xx with
+ *   "already cancelled", the handler's error map converts it to
+ *   CancelPaymentError('VIVA_API_ERROR'). Both paths are tested.
+ *
+ * @see docs/plans/vendure-plugin-v0.md §"API Surface — Shop API extension"
+ * @see docs/plans/vendure-plugin-v0.md §"Build Plan — V8"
+ * @see docs/plans/vendure-plugin-v0.md §D5, §D8
+ * @see docs/VENDURE-CONTRACT.MD §3
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { Resolver, Mutation, Args } from '@nestjs/graphql';
+import { Inject } from '@nestjs/common';
+import { Ctx, RequestContext, OrderService, PaymentService, TransactionalConnection, Logger, } from '@vendure/core';
+import { StateMachineService } from '../services/state-machine.service.js';
+import { VivaPluginError } from '../util/error-envelope.js';
+import { VIVA_PLUGIN_OPTIONS, VIVA_LOG_CONTEXT } from '../constants.js';
+import { vivaPaymentMethodHandler } from '../payment-method-handler.js';
+// ---------------------------------------------------------------------------
+// Terminal statuses that cannot be cancelled
+// ---------------------------------------------------------------------------
+const TERMINAL_STATUSES = new Set(['captured', 'refunded', 'partially_refunded', 'failed', 'cancelled']);
+// ---------------------------------------------------------------------------
+// GraphQL union return types (plain objects with __typename for Vendure)
+// ---------------------------------------------------------------------------
+function cancelPaymentError(opts) {
+    return {
+        __typename: 'CancelPaymentError',
+        errorCode: opts.errorCode,
+        message: opts.message,
+        ...(opts.vivaErrorCode !== undefined ? { vivaErrorCode: opts.vivaErrorCode } : {}),
+        ...(opts.vivaErrorMessage !== undefined ? { vivaErrorMessage: opts.vivaErrorMessage } : {}),
+    };
+}
+// ---------------------------------------------------------------------------
+// Resolver
+// ---------------------------------------------------------------------------
+let VivaShopApiResolver = class VivaShopApiResolver {
+    orderService;
+    paymentService;
+    connection;
+    stateMachine;
+    options;
+    constructor(orderService, paymentService, connection, stateMachine, options) {
+        this.orderService = orderService;
+        this.paymentService = paymentService;
+        this.connection = connection;
+        this.stateMachine = stateMachine;
+        this.options = options;
+    }
+    async cancelPayment(paymentId, ctx) {
+        // -------------------------------------------------------------------------
+        // Step 1: load the Vendure Payment (with relations)
+        // -------------------------------------------------------------------------
+        let payment;
+        try {
+            payment = await this.paymentService.findOneOrThrow(ctx, paymentId, ['order']);
+        }
+        catch {
+            // Payment not found
+        }
+        if (!payment) {
+            return cancelPaymentError({
+                errorCode: 'VIVA_PAYMENT_NOT_CANCELLABLE',
+                message: 'Payment not found.',
+            });
+        }
+        // -------------------------------------------------------------------------
+        // Step 2: load the Order (full record with customer.user relation)
+        // -------------------------------------------------------------------------
+        const orderStub = payment.order;
+        if (!orderStub) {
+            return cancelPaymentError({
+                errorCode: 'VIVA_PAYMENT_NOT_CANCELLABLE',
+                message: 'Payment is not associated with an order.',
+            });
+        }
+        const order = await this.orderService.findOne(ctx, orderStub.id, ['customer', 'customer.user']);
+        if (!order) {
+            return cancelPaymentError({
+                errorCode: 'VIVA_PAYMENT_NOT_CANCELLABLE',
+                message: 'Order not found.',
+            });
+        }
+        // -------------------------------------------------------------------------
+        // Step 3: Authorization — order owner check
+        //
+        // Case A — Authenticated customer: ctx.activeUserId matches order.customer.user.id
+        // Case B — Anonymous order: order matches the session's active order
+        //          (Vendure stores activeOrderId / activeOrder.code on session)
+        // -------------------------------------------------------------------------
+        const isAuthorized = await this._isOrderOwner(ctx, order);
+        if (!isAuthorized) {
+            return cancelPaymentError({
+                errorCode: 'AUTHORIZATION_FAILED',
+                message: 'You may only cancel your own payments.',
+            });
+        }
+        // -------------------------------------------------------------------------
+        // Step 4: load viva_transaction row
+        // -------------------------------------------------------------------------
+        const vivaRow = await this.stateMachine.getVivaTransaction(ctx, ctx.channelId, paymentId);
+        // -------------------------------------------------------------------------
+        // Step 5: row missing or no vivaOrderCode
+        // -------------------------------------------------------------------------
+        if (!vivaRow || !vivaRow.vivaOrderCode) {
+            return cancelPaymentError({
+                errorCode: 'VIVA_PAYMENT_NOT_CANCELLABLE',
+                message: 'No Viva order code found — payment may not have been initiated.',
+            });
+        }
+        // -------------------------------------------------------------------------
+        // Step 6: already-terminal status guard (row-level, no Viva call needed)
+        // -------------------------------------------------------------------------
+        if (TERMINAL_STATUSES.has(vivaRow.status)) {
+            return cancelPaymentError({
+                errorCode: 'VIVA_PAYMENT_NOT_CANCELLABLE',
+                message: `Payment is already in terminal state: ${vivaRow.status}.`,
+            });
+        }
+        // -------------------------------------------------------------------------
+        // Step 7: invoke the payment handler's cancelPayment (voids Viva auth +
+        //         updates viva_transaction.status = 'cancelled')
+        // -------------------------------------------------------------------------
+        try {
+            // cancelPayment on the handler throws VivaPluginError on failure
+            await vivaPaymentMethodHandler.cancelPaymentFn(ctx, order, payment, {});
+        }
+        catch (err) {
+            if (err instanceof VivaPluginError) {
+                return cancelPaymentError({
+                    errorCode: err.code,
+                    message: err.message,
+                    ...(err.vivaErrorCode !== undefined ? { vivaErrorCode: err.vivaErrorCode } : {}),
+                    ...(err.vivaErrorMessage !== undefined ? { vivaErrorMessage: err.vivaErrorMessage } : {}),
+                });
+            }
+            // Unexpected error — surface as internal
+            const msg = err instanceof Error ? err.message : String(err);
+            Logger.error(`[cancelPayment] Unexpected error for paymentId=${paymentId}: ${msg}`, VIVA_LOG_CONTEXT);
+            return cancelPaymentError({
+                errorCode: 'VIVA_INTERNAL_ERROR',
+                message: 'An unexpected error occurred while cancelling the payment.',
+            });
+        }
+        // -------------------------------------------------------------------------
+        // Step 8: transition Order back to AddingItems
+        // -------------------------------------------------------------------------
+        const refreshedOrder = await this.orderService.findOne(ctx, order.id);
+        if (refreshedOrder && refreshedOrder.state !== 'AddingItems') {
+            try {
+                await this.orderService.transitionToState(ctx, order.id, 'AddingItems');
+            }
+            catch (err) {
+                // Race with webhook sweep — if already AddingItems treat as idempotent success
+                const msg = err instanceof Error ? err.message : String(err);
+                Logger.warn(`[cancelPayment] transitionToState('AddingItems') failed for order ${String(order.id)}: ${msg}. ` +
+                    `Treating as idempotent (order may already be AddingItems).`, VIVA_LOG_CONTEXT);
+                // Re-check current state
+                const recheckOrder = await this.orderService.findOne(ctx, order.id);
+                if (recheckOrder && recheckOrder.state !== 'AddingItems') {
+                    return cancelPaymentError({
+                        errorCode: 'VIVA_INTERNAL_ERROR',
+                        message: `Failed to transition order to AddingItems: ${msg}`,
+                    });
+                }
+            }
+        }
+        // -------------------------------------------------------------------------
+        // Step 9: return the updated Order
+        // -------------------------------------------------------------------------
+        const finalOrder = await this.orderService.findOne(ctx, order.id);
+        return { ...(finalOrder ?? order), __typename: 'Order' };
+    }
+    // ---------------------------------------------------------------------------
+    // Private: authorization helper
+    //
+    // Vendure anonymous-order pattern:
+    //   OrderService.getActiveOrderForUser(ctx) returns the session's current
+    //   active order (keyed by session token, not customer). We compare by id.
+    //   For authenticated users, ctx.activeUserId is available.
+    // ---------------------------------------------------------------------------
+    async _isOrderOwner(ctx, order) {
+        // Case A: authenticated customer
+        if (ctx.activeUserId) {
+            const orderCustomerUserId = order.customer?.user?.id;
+            if (orderCustomerUserId !== undefined && orderCustomerUserId !== null) {
+                return String(ctx.activeUserId) === String(orderCustomerUserId);
+            }
+            // Customer exists but user relation missing — fall through to active-order check
+        }
+        // Case B: anonymous order — compare with session's active order
+        try {
+            const activeOrder = await this.orderService.getActiveOrderForUser(ctx, ctx.session?.user?.id);
+            if (activeOrder && String(activeOrder.id) === String(order.id)) {
+                return true;
+            }
+        }
+        catch {
+            // getActiveOrderForUser may throw if no session — treat as unauthorized
+        }
+        // Case B fallback: check activeOrderId on session (Vendure stores this on CachedSession)
+        const sessionActiveOrderId = ctx.session?.activeOrderId;
+        if (sessionActiveOrderId !== undefined && sessionActiveOrderId !== null) {
+            return String(sessionActiveOrderId) === String(order.id);
+        }
+        return false;
+    }
+};
+__decorate([
+    Mutation(),
+    __param(0, Args('paymentId')),
+    __param(1, Ctx()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String, RequestContext]),
+    __metadata("design:returntype", Promise)
+], VivaShopApiResolver.prototype, "cancelPayment", null);
+VivaShopApiResolver = __decorate([
+    Resolver(),
+    __param(4, Inject(VIVA_PLUGIN_OPTIONS)),
+    __metadata("design:paramtypes", [OrderService,
+        PaymentService,
+        TransactionalConnection,
+        StateMachineService, Object])
+], VivaShopApiResolver);
+export { VivaShopApiResolver };
+//# sourceMappingURL=shop-api.resolver.js.map