includio-cms 0.15.0 → 0.15.2

package/dist/shop/adapters/payu/client.js

@@ -0,0 +1,78 @@
+export function payuBaseUrl(env) {
+    return env === 'production' ? 'https://secure.payu.com' : 'https://secure.snd.payu.com';
+}
+export class PayuClient {
+    opts;
+    cachedToken = null;
+    fetchImpl;
+    constructor(opts) {
+        this.opts = opts;
+        this.fetchImpl = opts.fetch ?? fetch;
+    }
+    get base() {
+        return payuBaseUrl(this.opts.environment);
+    }
+    async getAccessToken() {
+        const now = Date.now();
+        if (this.cachedToken && this.cachedToken.expiresAt > now + 30_000) {
+            return this.cachedToken.token;
+        }
+        const res = await this.fetchImpl(`${this.base}/pl/standard/user/oauth/authorize`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: new URLSearchParams({
+                grant_type: 'client_credentials',
+                client_id: this.opts.clientId,
+                client_secret: this.opts.clientSecret
+            })
+        });
+        if (!res.ok) {
+            throw new Error(`PayU OAuth failed: ${res.status}`);
+        }
+        const data = (await res.json());
+        if (!data.access_token)
+            throw new Error('PayU OAuth returned no access_token');
+        this.cachedToken = {
+            token: data.access_token,
+            expiresAt: now + (data.expires_in ?? 43200) * 1000
+        };
+        return data.access_token;
+    }
+    async createOrder(payload) {
+        const token = await this.getAccessToken();
+        const res = await this.fetchImpl(`${this.base}/api/v2_1/orders`, {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${token}`,
+                'Content-Type': 'application/json',
+                Accept: 'application/json'
+            },
+            body: JSON.stringify(payload),
+            redirect: 'manual'
+        });
+        // PayU returns 302 by default with a JSON body (manual redirect is used to read it).
+        if (res.status !== 302 && !res.ok) {
+            throw new Error(`PayU createOrder failed: ${res.status}`);
+        }
+        const data = (await res.json());
+        if (data.status && data.status.statusCode && data.status.statusCode !== 'SUCCESS') {
+            throw new Error(`PayU createOrder status ${data.status.statusCode}`);
+        }
+        if (!data.redirectUri || !data.orderId) {
+            throw new Error('PayU createOrder missing redirectUri or orderId');
+        }
+        return { redirectUri: data.redirectUri, orderId: data.orderId };
+    }
+    async getOrder(payuOrderId) {
+        const token = await this.getAccessToken();
+        const res = await this.fetchImpl(`${this.base}/api/v2_1/orders/${encodeURIComponent(payuOrderId)}`, {
+            headers: {
+                Authorization: `Bearer ${token}`,
+                Accept: 'application/json'
+            }
+        });
+        if (!res.ok)
+            throw new Error(`PayU getOrder failed: ${res.status}`);
+        return res.json();
+    }
+}

package/dist/shop/adapters/payu/index.d.ts

@@ -0,0 +1,24 @@
+import type { I18nText, PaymentAdapter } from '../../types.js';
+import { type PayuEnvironment } from './client.js';
+export interface PayuAdapterOptions {
+    posId: string;
+    clientId: string;
+    clientSecret: string;
+    secondKey: string;
+    environment?: PayuEnvironment;
+    /**
+     * Absolute URL PayU will POST notifications to, e.g.
+     * `https://yourshop.com/api/shop/webhooks/payu`.
+     */
+    notifyUrl: string;
+    /**
+     * Absolute URL template customer is redirected to after payment. Supports
+     * `{orderNumber}`, `{orderId}`, `{accessToken}`, `{language}`. If omitted,
+     * falls back to `shop.orderViewUrl` (must then be absolute).
+     */
+    continueUrl?: string;
+    id?: string;
+    label?: I18nText;
+    fetch?: typeof fetch;
+}
+export declare function payuAdapter(opts: PayuAdapterOptions): PaymentAdapter;

package/dist/shop/adapters/payu/index.js

@@ -0,0 +1,88 @@
+import { getOrderById } from '../../server/orders.js';
+import { requireShopConfig } from '../../server/db.js';
+import { buildOrderViewUrl } from '../../server/order-access-url.js';
+import { PayuClient } from './client.js';
+import { buildPayuOrderPayload, splitFullName } from './payload.js';
+import { verifyPayuSignature } from './signature.js';
+import { mapPayuStatus } from './status-map.js';
+const DEFAULT_LABEL = { pl: 'Płatność online (PayU)', en: 'Online payment (PayU)' };
+export function payuAdapter(opts) {
+    const env = opts.environment ?? 'sandbox';
+    const client = new PayuClient({
+        clientId: opts.clientId,
+        clientSecret: opts.clientSecret,
+        environment: env,
+        fetch: opts.fetch
+    });
+    const id = opts.id ?? 'payu';
+    return {
+        id,
+        label: opts.label ?? DEFAULT_LABEL,
+        async createPayment(order, ctx) {
+            const shop = requireShopConfig();
+            const continueTemplate = opts.continueUrl ?? shop.orderViewUrl;
+            if (!/^https?:\/\//i.test(continueTemplate)) {
+                throw new Error('payuAdapter: continueUrl (or shop.orderViewUrl) must be an absolute URL.');
+            }
+            // Hydrate buyer details from stored order (customerName/phone not on OrderRef)
+            const full = await getOrderById(order.id);
+            const names = splitFullName(full?.customerName);
+            const continueUrl = buildOrderViewUrl(continueTemplate, {
+                orderNumber: order.number,
+                orderId: order.id,
+                accessToken: full?.accessToken ?? '',
+                language: ctx?.language ?? full?.language ?? null
+            });
+            const payload = buildPayuOrderPayload({
+                order,
+                posId: opts.posId,
+                notifyUrl: opts.notifyUrl,
+                continueUrl,
+                customerIp: ctx?.customerIp ?? '127.0.0.1',
+                buyer: {
+                    firstName: names.firstName,
+                    lastName: names.lastName,
+                    phone: full?.customerPhone ?? undefined,
+                    language: ctx?.language ?? full?.language ?? undefined
+                }
+            });
+            const { redirectUri, orderId } = await client.createOrder(payload);
+            return {
+                status: 'redirect',
+                redirectUrl: redirectUri,
+                providerRef: orderId
+            };
+        },
+        async getStatus(providerRef) {
+            const data = (await client.getOrder(providerRef));
+            const first = Array.isArray(data.orders) ? data.orders[0] : undefined;
+            if (!first)
+                throw new Error('PayU getStatus: no order returned');
+            return {
+                orderNumber: first.extOrderId ?? '',
+                status: mapPayuStatus(first.status ?? 'PENDING'),
+                providerRef: first.orderId ?? providerRef,
+                raw: data
+            };
+        },
+        async handleWebhook(req) {
+            const rawBody = await req.text();
+            const headerValue = req.headers.get('OpenPayU-Signature') ?? req.headers.get('openpayu-signature');
+            if (!verifyPayuSignature(rawBody, headerValue, opts.secondKey)) {
+                throw new Error('PayU signature verification failed');
+            }
+            const parsed = JSON.parse(rawBody);
+            const extOrderId = parsed.order?.extOrderId;
+            const payuOrderId = parsed.order?.orderId ?? '';
+            const status = parsed.order?.status ?? 'PENDING';
+            if (!extOrderId)
+                throw new Error('PayU webhook missing extOrderId');
+            return {
+                orderNumber: extOrderId,
+                status: mapPayuStatus(status),
+                providerRef: payuOrderId,
+                raw: parsed
+            };
+        }
+    };
+}

package/dist/shop/adapters/payu/payload.d.ts

@@ -0,0 +1,48 @@
+import type { OrderRef } from '../../types.js';
+export interface PayuBuyer {
+    email: string;
+    phone?: string;
+    firstName?: string;
+    lastName?: string;
+    language?: string;
+}
+export interface PayuOrderPayload {
+    notifyUrl: string;
+    continueUrl: string;
+    customerIp: string;
+    merchantPosId: string;
+    description: string;
+    currencyCode: string;
+    totalAmount: string;
+    extOrderId: string;
+    buyer: PayuBuyer;
+    products: Array<{
+        name: string;
+        unitPrice: string;
+        quantity: string;
+    }>;
+}
+export interface BuildPayuPayloadInput {
+    order: OrderRef;
+    posId: string;
+    notifyUrl: string;
+    continueUrl: string;
+    customerIp: string;
+    description?: string;
+    buyer?: Omit<PayuBuyer, 'email'> & {
+        email?: string;
+    };
+}
+/**
+ * Split a single "Imię Nazwisko" string into first/last name heuristically.
+ * Anything after the first whitespace is lastName; if no space, everything is firstName.
+ */
+export declare function splitFullName(name: string | null | undefined): {
+    firstName?: string;
+    lastName?: string;
+};
+/**
+ * Build the order body expected by POST /api/v2_1/orders.
+ * Amounts are in integer minor units (grosze) — same as our stored totalGross.
+ */
+export declare function buildPayuOrderPayload(input: BuildPayuPayloadInput): PayuOrderPayload;

package/dist/shop/adapters/payu/payload.js

@@ -0,0 +1,48 @@
+/**
+ * Split a single "Imię Nazwisko" string into first/last name heuristically.
+ * Anything after the first whitespace is lastName; if no space, everything is firstName.
+ */
+export function splitFullName(name) {
+    const trimmed = (name ?? '').trim();
+    if (!trimmed)
+        return {};
+    const firstSpace = trimmed.search(/\s/);
+    if (firstSpace === -1)
+        return { firstName: trimmed };
+    return {
+        firstName: trimmed.slice(0, firstSpace),
+        lastName: trimmed.slice(firstSpace + 1).trim() || undefined
+    };
+}
+/**
+ * Build the order body expected by POST /api/v2_1/orders.
+ * Amounts are in integer minor units (grosze) — same as our stored totalGross.
+ */
+export function buildPayuOrderPayload(input) {
+    const { order } = input;
+    const buyer = {
+        email: input.buyer?.email ?? order.customerEmail,
+        phone: input.buyer?.phone,
+        firstName: input.buyer?.firstName,
+        lastName: input.buyer?.lastName,
+        language: input.buyer?.language
+    };
+    return {
+        notifyUrl: input.notifyUrl,
+        continueUrl: input.continueUrl,
+        customerIp: input.customerIp,
+        merchantPosId: input.posId,
+        description: input.description ?? `Order ${order.number}`,
+        currencyCode: order.currency,
+        totalAmount: String(order.totalGross),
+        extOrderId: order.number,
+        buyer,
+        products: [
+            {
+                name: `Order ${order.number}`,
+                unitPrice: String(order.totalGross),
+                quantity: '1'
+            }
+        ]
+    };
+}

package/dist/shop/adapters/payu/signature.d.ts

@@ -0,0 +1,12 @@
+interface ParsedSignatureHeader {
+    sender?: string;
+    signature?: string;
+    algorithm?: string;
+}
+export declare function parseSignatureHeader(header: string | null): ParsedSignatureHeader;
+/**
+ * Verify a PayU webhook signature.
+ * Signature format (MD5): MD5(rawBody + secondKey) compared against header `signature=` value.
+ */
+export declare function verifyPayuSignature(rawBody: string, header: string | null, secondKey: string): boolean;
+export {};

package/dist/shop/adapters/payu/signature.js

@@ -0,0 +1,50 @@
+import { createHash, timingSafeEqual } from 'node:crypto';
+export function parseSignatureHeader(header) {
+    if (!header)
+        return {};
+    const parts = header.split(';');
+    const out = {};
+    for (const part of parts) {
+        const [rawKey, rawValue] = part.split('=');
+        if (!rawKey || rawValue == null)
+            continue;
+        const key = rawKey.trim();
+        const value = rawValue.trim();
+        if (key === 'sender')
+            out.sender = value;
+        else if (key === 'signature')
+            out.signature = value;
+        else if (key === 'algorithm')
+            out.algorithm = value;
+    }
+    return out;
+}
+function md5Hex(input) {
+    return createHash('md5').update(input, 'utf8').digest('hex');
+}
+function hexEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    try {
+        return timingSafeEqual(Buffer.from(a, 'utf8'), Buffer.from(b, 'utf8'));
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Verify a PayU webhook signature.
+ * Signature format (MD5): MD5(rawBody + secondKey) compared against header `signature=` value.
+ */
+export function verifyPayuSignature(rawBody, header, secondKey) {
+    if (!secondKey)
+        return false;
+    const parsed = parseSignatureHeader(header);
+    if (!parsed.signature)
+        return false;
+    const algo = (parsed.algorithm ?? 'MD5').toUpperCase();
+    if (algo !== 'MD5')
+        return false;
+    const expected = md5Hex(rawBody + secondKey).toLowerCase();
+    return hexEqual(expected, parsed.signature.toLowerCase());
+}

package/dist/shop/adapters/payu/status-map.d.ts

@@ -0,0 +1,3 @@
+import type { PaymentEvent } from '../../types.js';
+export type PayuStatus = 'NEW' | 'PENDING' | 'WAITING_FOR_CONFIRMATION' | 'COMPLETED' | 'CANCELED' | 'REJECTED';
+export declare function mapPayuStatus(status: string): PaymentEvent['status'];

package/dist/shop/adapters/payu/status-map.js

@@ -0,0 +1,14 @@
+export function mapPayuStatus(status) {
+    switch (status.toUpperCase()) {
+        case 'COMPLETED':
+            return 'paid';
+        case 'CANCELED':
+        case 'REJECTED':
+            return 'paymentRejected';
+        case 'NEW':
+        case 'PENDING':
+        case 'WAITING_FOR_CONFIRMATION':
+        default:
+            return 'pending';
+    }
+}

package/dist/shop/cart/order-token-cookie.d.ts

@@ -0,0 +1,9 @@
+import type { CartCookies } from './types.js';
+export declare const ORDER_TOKEN_COOKIE_NAME = "aria_shop_order";
+export interface OrderTokenCookieValue {
+    number: string;
+    token: string;
+}
+export declare function writeOrderTokenCookie(cookies: CartCookies, value: OrderTokenCookieValue): void;
+export declare function readOrderTokenCookie(cookies: CartCookies): OrderTokenCookieValue | null;
+export declare function clearOrderTokenCookie(cookies: CartCookies): void;

package/dist/shop/cart/order-token-cookie.js

@@ -0,0 +1,40 @@
+export const ORDER_TOKEN_COOKIE_NAME = 'aria_shop_order';
+const MAX_AGE_SECONDS = 60 * 30;
+function encode(value) {
+    const json = JSON.stringify(value);
+    return typeof btoa === 'function' ? btoa(json) : Buffer.from(json, 'utf8').toString('base64');
+}
+function decode(raw) {
+    try {
+        const json = typeof atob === 'function' ? atob(raw) : Buffer.from(raw, 'base64').toString('utf8');
+        const parsed = JSON.parse(json);
+        if (!parsed || typeof parsed !== 'object')
+            return null;
+        const number = parsed.number;
+        const token = parsed.token;
+        if (typeof number !== 'string' || typeof token !== 'string')
+            return null;
+        return { number, token };
+    }
+    catch {
+        return null;
+    }
+}
+export function writeOrderTokenCookie(cookies, value) {
+    cookies.set(ORDER_TOKEN_COOKIE_NAME, encode(value), {
+        path: '/',
+        maxAge: MAX_AGE_SECONDS,
+        httpOnly: true,
+        sameSite: 'lax',
+        secure: false
+    });
+}
+export function readOrderTokenCookie(cookies) {
+    const raw = cookies.get(ORDER_TOKEN_COOKIE_NAME);
+    if (!raw)
+        return null;
+    return decode(raw);
+}
+export function clearOrderTokenCookie(cookies) {
+    cookies.delete(ORDER_TOKEN_COOKIE_NAME, { path: '/' });
+}

package/dist/shop/client/index.d.ts

@@ -1,4 +1,5 @@
 import type { CartSnapshot } from '../cart/types.js';
+import type { OrderStatus } from '../types.js';
 export interface ShopClientOptions {
     baseUrl?: string;
     fetch?: typeof fetch;
@@ -7,12 +8,14 @@ export interface ShippingMethodPublic {
     id: string;
     name: Record<string, string>;
     description: Record<string, string> | null;
+    /** Netto w PLN (number, ≤6dp). Przed 0.15.2 było w groszach — od 0.15.2 w PLN. */
     price: number;
     vatRate: number;
     carrierType: string;
     conditions: {
         freeAbove?: number;
     } | null;
+    allowedPaymentMethods: string[] | null;
 }
 export interface CheckoutInput {
     customerEmail: string;
@@ -32,9 +35,62 @@ export interface CheckoutInput {
 export interface CheckoutResult {
     orderId: string;
     orderNumber: string;
-    status: string;
+    accessToken: string;
+    status: OrderStatus;
     totalGross: number;
     currency: string;
+    paymentStatus: 'redirect' | 'manual' | 'error';
+    requiresPaymentRedirect: boolean;
+    redirectUrl: string | null;
+}
+export interface OrderDetailResponse {
+    order: {
+        id: string;
+        number: string;
+        status: OrderStatus;
+        currency: string;
+        customerEmail: string;
+        customerName: string | null;
+        customerPhone: string | null;
+        shippingAddress: Record<string, string> | null;
+        totalNet: number;
+        totalGross: number;
+        vatAmount: number;
+        shippingNet: number;
+        shippingGross: number;
+        paymentMethod: string | null;
+        carrierType: string | null;
+        carrierRef: string | null;
+        language: string | null;
+        createdAt: string;
+    };
+    items: Array<{
+        id: string;
+        variantId: string | null;
+        nameSnapshot: {
+            product?: string;
+            variant?: string;
+        };
+        skuSnapshot: string | null;
+        priceNetSnapshot: number;
+        priceGrossSnapshot: number;
+        vatRate: number;
+        qty: number;
+    }>;
+    statusHistory: Array<{
+        status: OrderStatus;
+        note: string | null;
+        changedAt: string;
+    }>;
+}
+export interface RefreshPaymentResult {
+    status: OrderStatus;
+    updated?: boolean;
+    noop?: boolean;
+}
+export interface RetryPaymentResult {
+    status: OrderStatus;
+    paymentStatus: 'redirect' | 'manual' | 'error';
     requiresPaymentRedirect: boolean;
     redirectUrl: string | null;
 }
@@ -54,6 +110,13 @@ export interface ShopClient {
     checkout: {
         submit(input: CheckoutInput): Promise<CheckoutResult>;
     };
+    orders: {
+        get(orderNumber: string, token?: string): Promise<OrderDetailResponse>;
+        refreshPayment(orderNumber: string, token?: string): Promise<RefreshPaymentResult>;
+        retryPayment(orderNumber: string, token?: string): Promise<RetryPaymentResult>;
+    };
 }
 export declare function createShopClient(options?: ShopClientOptions): ShopClient;
 export type { CartSnapshot, CartLine, CartItemRef } from '../cart/types.js';
+export { createOrderState } from './use-order.svelte.js';
+export type { OrderState, CreateOrderStateOptions, OrderPaymentPhase } from './use-order.svelte.js';

package/dist/shop/client/index.js

@@ -35,6 +35,15 @@ export function createShopClient(options = {}) {
         },
         checkout: {
             submit: (input) => call('POST', '/api/shop/checkout', input)
+        },
+        orders: {
+            get: (orderNumber, token) => call('GET', `/api/shop/orders/${encodeURIComponent(orderNumber)}${tokenQuery(token)}`),
+            refreshPayment: (orderNumber, token) => call('POST', `/api/shop/orders/${encodeURIComponent(orderNumber)}/refresh-payment${tokenQuery(token)}`),
+            retryPayment: (orderNumber, token) => call('POST', `/api/shop/orders/${encodeURIComponent(orderNumber)}/retry-payment${tokenQuery(token)}`)
         }
     };
 }
+function tokenQuery(token) {
+    return token ? `?token=${encodeURIComponent(token)}` : '';
+}
+export { createOrderState } from './use-order.svelte.js';

package/dist/shop/client/use-order.svelte.d.ts

@@ -0,0 +1,32 @@
+import { type OrderDetailResponse, type ShopClient } from './index.js';
+export type OrderPaymentPhase = 'idle' | 'polling' | 'retrying' | 'refreshing';
+export interface CreateOrderStateOptions {
+    number: string;
+    token?: string;
+    initialData?: OrderDetailResponse | null;
+    client?: ShopClient;
+    pollIntervalMs?: number;
+    pollTimeoutMs?: number;
+}
+declare class OrderStateImpl {
+    private readonly opts;
+    data: OrderDetailResponse | null;
+    loading: boolean;
+    error: Error | null;
+    phase: OrderPaymentPhase;
+    private readonly client;
+    private pollTimer;
+    private pollStopAt;
+    constructor(opts: CreateOrderStateOptions);
+    get status(): OrderDetailResponse['order']['status'] | null;
+    load(): Promise<void>;
+    refreshPayment(): Promise<void>;
+    /** Returns the redirect URL if the adapter produced one — caller is responsible for navigating. */
+    retry(): Promise<string | null>;
+    startPolling(): void;
+    stopPolling(): void;
+    dispose(): void;
+}
+export type OrderState = OrderStateImpl;
+export declare function createOrderState(opts: CreateOrderStateOptions): OrderState;
+export {};

package/dist/shop/client/use-order.svelte.js

@@ -0,0 +1,105 @@
+import { createShopClient } from './index.js';
+const DEFAULT_POLL_INTERVAL = 5000;
+const DEFAULT_POLL_TIMEOUT = 120_000;
+const POLLING_STATUSES = new Set(['new', 'awaitingPayment']);
+class OrderStateImpl {
+    opts;
+    data = $state(null);
+    loading = $state(false);
+    error = $state(null);
+    phase = $state('idle');
+    client;
+    pollTimer = null;
+    pollStopAt = 0;
+    constructor(opts) {
+        this.opts = opts;
+        this.client = opts.client ?? createShopClient();
+        if (opts.initialData)
+            this.data = opts.initialData;
+    }
+    get status() {
+        return this.data?.order.status ?? null;
+    }
+    async load() {
+        this.loading = true;
+        this.error = null;
+        try {
+            this.data = await this.client.orders.get(this.opts.number, this.opts.token);
+        }
+        catch (err) {
+            this.error = err instanceof Error ? err : new Error(String(err));
+        }
+        finally {
+            this.loading = false;
+        }
+    }
+    async refreshPayment() {
+        this.phase = 'refreshing';
+        try {
+            const result = await this.client.orders.refreshPayment(this.opts.number, this.opts.token);
+            if (result.updated || (this.data && result.status !== this.data.order.status)) {
+                await this.load();
+            }
+        }
+        catch (err) {
+            this.error = err instanceof Error ? err : new Error(String(err));
+        }
+        finally {
+            this.phase = 'idle';
+        }
+    }
+    /** Returns the redirect URL if the adapter produced one — caller is responsible for navigating. */
+    async retry() {
+        this.phase = 'retrying';
+        this.error = null;
+        try {
+            const result = await this.client.orders.retryPayment(this.opts.number, this.opts.token);
+            if (result.requiresPaymentRedirect && result.redirectUrl) {
+                return result.redirectUrl;
+            }
+            await this.load();
+            return null;
+        }
+        catch (err) {
+            this.error = err instanceof Error ? err : new Error(String(err));
+            return null;
+        }
+        finally {
+            this.phase = 'idle';
+        }
+    }
+    startPolling() {
+        if (this.pollTimer)
+            return;
+        const interval = this.opts.pollIntervalMs ?? DEFAULT_POLL_INTERVAL;
+        const timeout = this.opts.pollTimeoutMs ?? DEFAULT_POLL_TIMEOUT;
+        this.pollStopAt = Date.now() + timeout;
+        this.phase = 'polling';
+        this.pollTimer = setInterval(async () => {
+            if (Date.now() >= this.pollStopAt) {
+                this.stopPolling();
+                return;
+            }
+            const current = this.data?.order.status;
+            if (!current || !POLLING_STATUSES.has(current)) {
+                this.stopPolling();
+                return;
+            }
+            await this.refreshPayment();
+        }, interval);
+    }
+    stopPolling() {
+        if (this.pollTimer) {
+            clearInterval(this.pollTimer);
+            this.pollTimer = null;
+        }
+        if (this.phase === 'polling')
+            this.phase = 'idle';
+    }
+    dispose() {
+        this.stopPolling();
+    }
+}
+export function createOrderState(opts) {
+    return new OrderStateImpl(opts);
+}