npm - medusa-paystack - Versions diffs - 0.1.0 - Mend

medusa-paystack 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/.medusa/server/src/admin/index.js +22 -0
package/.medusa/server/src/admin/index.mjs +23 -0
package/.medusa/server/src/providers/paystack/index.js +6 -0
package/.medusa/server/src/providers/paystack/lib.js +51 -0
package/.medusa/server/src/providers/paystack/service.js +160 -0
package/AGENTS.md +147 -0
package/LICENSE +21 -0
package/README.md +202 -0
package/package.json +52 -0

package/.medusa/server/src/admin/index.js ADDED Viewed

@@ -0,0 +1,22 @@
+"use strict";
+const widgetModule = { widgets: [] };
+const routeModule = {
+  routes: []
+};
+const menuItemModule = {
+  menuItems: []
+};
+const formModule = { customFields: {} };
+const displayModule = {
+  displays: {}
+};
+const i18nModule = { resources: {} };
+const plugin = {
+  widgetModule,
+  routeModule,
+  menuItemModule,
+  formModule,
+  displayModule,
+  i18nModule
+};
+module.exports = plugin;

package/.medusa/server/src/admin/index.mjs ADDED Viewed

@@ -0,0 +1,23 @@
+const widgetModule = { widgets: [] };
+const routeModule = {
+  routes: []
+};
+const menuItemModule = {
+  menuItems: []
+};
+const formModule = { customFields: {} };
+const displayModule = {
+  displays: {}
+};
+const i18nModule = { resources: {} };
+const plugin = {
+  widgetModule,
+  routeModule,
+  menuItemModule,
+  formModule,
+  displayModule,
+  i18nModule
+};
+export {
+  plugin as default
+};

package/.medusa/server/src/providers/paystack/index.js ADDED Viewed

@@ -0,0 +1,6 @@
+import { ModuleProvider, Modules } from "@medusajs/framework/utils";
+import PaystackProviderService from "./service";
+export default ModuleProvider(Modules.PAYMENT, {
+    services: [PaystackProviderService],
+});
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi8uLi9zcmMvcHJvdmlkZXJzL3BheXN0YWNrL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sRUFBRSxjQUFjLEVBQUUsT0FBTyxFQUFFLE1BQU0sMkJBQTJCLENBQUM7QUFDcEUsT0FBTyx1QkFBdUIsTUFBTSxXQUFXLENBQUM7QUFFaEQsZUFBZSxjQUFjLENBQUMsT0FBTyxDQUFDLE9BQU8sRUFBRTtJQUM3QyxRQUFRLEVBQUUsQ0FBQyx1QkFBdUIsQ0FBQztDQUNwQyxDQUFDLENBQUMifQ==

package/.medusa/server/src/providers/paystack/lib.js ADDED Viewed

@@ -0,0 +1,51 @@
+import { createHmac, timingSafeEqual } from "crypto";
+export function verifyPaystackSignature(rawBody, signature, secret) {
+    const expected = createHmac("sha512", secret).update(rawBody, "utf8").digest("hex");
+    if (expected.length !== signature.length)
+        return false;
+    try {
+        return timingSafeEqual(Buffer.from(expected), Buffer.from(signature));
+    }
+    catch {
+        return false;
+    }
+}
+export function webhookAction(eventName, eventData, signatureValid) {
+    if (!signatureValid)
+        return { action: "not_supported" };
+    if (eventName === "charge.success") {
+        const sid = eventData.metadata?.session_id;
+        if (!sid)
+            return { action: "not_supported" };
+        return {
+            action: "captured",
+            data: { session_id: sid, amount: (eventData.amount ?? 0) / 100 },
+        };
+    }
+    return { action: "not_supported" };
+}
+export function assertChargeMatches(args) {
+    if (args.status !== "success")
+        return { ok: false, reason: `status ${args.status}` };
+    if (args.currency.toUpperCase() !== args.expectedCurrency.toUpperCase())
+        return { ok: false, reason: `currency ${args.currency}` };
+    if (args.amount !== args.expectedAmount)
+        return { ok: false, reason: `amount ${args.amount} != ${args.expectedAmount}` };
+    return { ok: true };
+}
+export function makeReference(seed, prefix = "") {
+    return `${prefix}${seed}`;
+}
+export function buildInitializePayload(args) {
+    return {
+        email: args.email,
+        amount: Math.round(args.amount * 100),
+        currency: args.currencyCode.toUpperCase(),
+        reference: args.reference,
+        metadata: { session_id: args.sessionId },
+    };
+}
+export function buildRefundPayload(reference, amount) {
+    return { transaction: reference, amount: Math.round(amount * 100) };
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibGliLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vLi4vc3JjL3Byb3ZpZGVycy9wYXlzdGFjay9saWIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLFVBQVUsRUFBRSxlQUFlLEVBQUUsTUFBTSxRQUFRLENBQUM7QUFFckQsTUFBTSxVQUFVLHVCQUF1QixDQUNyQyxPQUFlLEVBQ2YsU0FBaUIsRUFDakIsTUFBYztJQUVkLE1BQU0sUUFBUSxHQUFHLFVBQVUsQ0FBQyxRQUFRLEVBQUUsTUFBTSxDQUFDLENBQUMsTUFBTSxDQUFDLE9BQU8sRUFBRSxNQUFNLENBQUMsQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUM7SUFDcEYsSUFBSSxRQUFRLENBQUMsTUFBTSxLQUFLLFNBQVMsQ0FBQyxNQUFNO1FBQUUsT0FBTyxLQUFLLENBQUM7SUFDdkQsSUFBSSxDQUFDO1FBQ0gsT0FBTyxlQUFlLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsRUFBRSxNQUFNLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUM7SUFDeEUsQ0FBQztJQUFDLE1BQU0sQ0FBQztRQUNQLE9BQU8sS0FBSyxDQUFDO0lBQ2YsQ0FBQztBQUNILENBQUM7QUFZRCxNQUFNLFVBQVUsYUFBYSxDQUMzQixTQUE2QixFQUM3QixTQUEyQixFQUMzQixjQUF1QjtJQUV2QixJQUFJLENBQUMsY0FBYztRQUFFLE9BQU8sRUFBRSxNQUFNLEVBQUUsZUFBZSxFQUFFLENBQUM7SUFFeEQsSUFBSSxTQUFTLEtBQUssZ0JBQWdCLEVBQUUsQ0FBQztRQUNuQyxNQUFNLEdBQUcsR0FBRyxTQUFTLENBQUMsUUFBUSxFQUFFLFVBQVUsQ0FBQztRQUMzQyxJQUFJLENBQUMsR0FBRztZQUFFLE9BQU8sRUFBRSxNQUFNLEVBQUUsZUFBZSxFQUFFLENBQUM7UUFDN0MsT0FBTztZQUNMLE1BQU0sRUFBRSxVQUFVO1lBQ2xCLElBQUksRUFBRSxFQUFFLFVBQVUsRUFBRSxHQUFHLEVBQUUsTUFBTSxFQUFFLENBQUMsU0FBUyxDQUFDLE1BQU0sSUFBSSxDQUFDLENBQUMsR0FBRyxHQUFHLEVBQUU7U0FDakUsQ0FBQztJQUNKLENBQUM7SUFFRCxPQUFPLEVBQUUsTUFBTSxFQUFFLGVBQWUsRUFBRSxDQUFDO0FBQ3JDLENBQUM7QUFFRCxNQUFNLFVBQVUsbUJBQW1CLENBQUMsSUFNbkM7SUFDQyxJQUFJLElBQUksQ0FBQyxNQUFNLEtBQUssU0FBUztRQUFFLE9BQU8sRUFBRSxFQUFFLEVBQUUsS0FBSyxFQUFFLE1BQU0sRUFBRSxVQUFVLElBQUksQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDO0lBQ3JGLElBQUksSUFBSSxDQUFDLFFBQVEsQ0FBQyxXQUFXLEVBQUUsS0FBSyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsV0FBVyxFQUFFO1FBQ3JFLE9BQU8sRUFBRSxFQUFFLEVBQUUsS0FBSyxFQUFFLE1BQU0sRUFBRSxZQUFZLElBQUksQ0FBQyxRQUFRLEVBQUUsRUFBRSxDQUFDO0lBQzVELElBQUksSUFBSSxDQUFDLE1BQU0sS0FBSyxJQUFJLENBQUMsY0FBYztRQUNyQyxPQUFPLEVBQUUsRUFBRSxFQUFFLEtBQUssRUFBRSxNQUFNLEVBQUUsVUFBVSxJQUFJLENBQUMsTUFBTSxPQUFPLElBQUksQ0FBQyxjQUFjLEVBQUUsRUFBRSxDQUFDO0lBQ2xGLE9BQU8sRUFBRSxFQUFFLEVBQUUsSUFBSSxFQUFFLENBQUM7QUFDdEIsQ0FBQztBQUVELE1BQU0sVUFBVSxhQUFhLENBQUMsSUFBWSxFQUFFLE1BQU0sR0FBRyxFQUFFO0lBQ3JELE9BQU8sR0FBRyxNQUFNLEdBQUcsSUFBSSxFQUFFLENBQUM7QUFDNUIsQ0FBQztBQUVELE1BQU0sVUFBVSxzQkFBc0IsQ0FBQyxJQU10QztJQU9DLE9BQU87UUFDTCxLQUFLLEVBQUUsSUFBSSxDQUFDLEtBQUs7UUFDakIsTUFBTSxFQUFFLElBQUksQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDLE1BQU0sR0FBRyxHQUFHLENBQUM7UUFDckMsUUFBUSxFQUFFLElBQUksQ0FBQyxZQUFZLENBQUMsV0FBVyxFQUFFO1FBQ3pDLFNBQVMsRUFBRSxJQUFJLENBQUMsU0FBUztRQUN6QixRQUFRLEVBQUUsRUFBRSxVQUFVLEVBQUUsSUFBSSxDQUFDLFNBQVMsRUFBRTtLQUN6QyxDQUFDO0FBQ0osQ0FBQztBQUVELE1BQU0sVUFBVSxrQkFBa0IsQ0FDaEMsU0FBaUIsRUFDakIsTUFBYztJQUVkLE9BQU8sRUFBRSxXQUFXLEVBQUUsU0FBUyxFQUFFLE1BQU0sRUFBRSxJQUFJLENBQUMsS0FBSyxDQUFDLE1BQU0sR0FBRyxHQUFHLENBQUMsRUFBRSxDQUFDO0FBQ3RFLENBQUMifQ==

package/.medusa/server/src/providers/paystack/service.js ADDED Viewed

@@ -0,0 +1,160 @@
+import { AbstractPaymentProvider } from "@medusajs/framework/utils";
+import { assertChargeMatches, buildInitializePayload, buildRefundPayload, makeReference, verifyPaystackSignature, webhookAction, } from "./lib";
+const PAYSTACK_API = "https://api.paystack.co";
+class PaystackProviderService extends AbstractPaymentProvider {
+    constructor(cradle, options) {
+        super(cradle, options);
+        this.options_ = options ?? {};
+    }
+    get secretKey() {
+        return this.options_?.secret_key ?? process.env.PAYSTACK_SECRET_KEY ?? "";
+    }
+    authHeader() {
+        return {
+            Authorization: `Bearer ${this.secretKey}`,
+            "Content-Type": "application/json",
+        };
+    }
+    async initiatePayment(input) {
+        const { amount, currency_code, context } = input;
+        const data = input.data;
+        const email = context?.customer?.email ??
+            (typeof data?.email === "string" ? data.email : undefined);
+        if (!email) {
+            throw new Error("Paystack: a customer email is required to initiate payment");
+        }
+        const seed = `${Date.now()}-${Math.random().toString(36).slice(2)}`;
+        const reference = makeReference(seed, this.options_.reference_prefix);
+        const payload = buildInitializePayload({
+            amount: Number(amount),
+            currencyCode: currency_code,
+            email,
+            reference,
+            sessionId: data?.session_id,
+        });
+        const res = await fetch(`${PAYSTACK_API}/transaction/initialize`, {
+            method: "POST",
+            headers: this.authHeader(),
+            body: JSON.stringify(payload),
+        });
+        const json = await res.json();
+        if (!json.status || !json.data) {
+            throw new Error(`Paystack initiate failed: ${json.message}`);
+        }
+        const { access_code, authorization_url } = json.data;
+        return {
+            id: reference,
+            data: {
+                reference,
+                access_code,
+                authorization_url,
+                amount: Number(amount),
+                currency: currency_code.toUpperCase(),
+            },
+        };
+    }
+    async authorizePayment(input) {
+        const data = input.data ?? {};
+        const reference = data.reference;
+        if (!reference)
+            return { status: "error", data };
+        const res = await fetch(`${PAYSTACK_API}/transaction/verify/${encodeURIComponent(reference)}`, { headers: this.authHeader() });
+        const json = await res.json();
+        if (!json.status || !json.data)
+            return { status: "error", data };
+        const { status, currency, amount } = json.data;
+        const expectedAmount = Math.round(Number(data.amount ?? 0) * 100);
+        const expectedCurrency = String(data.currency ?? "").toUpperCase();
+        const check = assertChargeMatches({
+            status,
+            currency,
+            amount,
+            expectedAmount,
+            expectedCurrency,
+        });
+        if (!check.ok) {
+            return { status: "error", data: { ...data, ...json.data, reason: check.reason } };
+        }
+        return { status: "captured", data: { ...data, ...json.data } };
+    }
+    async capturePayment(input) {
+        // Paystack auto-captures on transaction success; this is a no-op.
+        return { data: input.data };
+    }
+    async getPaymentStatus(input) {
+        const data = input.data ?? {};
+        const reference = data.reference;
+        if (!reference)
+            return { status: "pending" };
+        const res = await fetch(`${PAYSTACK_API}/transaction/verify/${encodeURIComponent(reference)}`, { headers: this.authHeader() });
+        const json = await res.json();
+        if (!json.status || !json.data)
+            return { status: "error" };
+        switch (json.data.status) {
+            case "success":
+                return { status: "captured" };
+            case "failed":
+            case "reversed":
+                return { status: "error" };
+            case "abandoned":
+                return { status: "canceled" };
+            default:
+                return { status: "pending" };
+        }
+    }
+    async refundPayment(input) {
+        const data = input.data ?? {};
+        const reference = data.reference;
+        const res = await fetch(`${PAYSTACK_API}/refund`, {
+            method: "POST",
+            headers: this.authHeader(),
+            body: JSON.stringify(buildRefundPayload(reference, Number(input.amount))),
+        });
+        const json = (await res.json());
+        if (!res.ok || !json.status) {
+            throw new Error(`Paystack refund failed: ${json.message ?? `HTTP ${res.status}`}`);
+        }
+        return { data };
+    }
+    async cancelPayment(input) {
+        // Paystack has no explicit cancel API for pending transactions.
+        return { data: input.data };
+    }
+    async deletePayment(input) {
+        return { data: input.data };
+    }
+    async retrievePayment(input) {
+        const data = input.data ?? {};
+        const reference = data.reference;
+        if (!reference)
+            return { data };
+        const res = await fetch(`${PAYSTACK_API}/transaction/verify/${encodeURIComponent(reference)}`, { headers: this.authHeader() });
+        const json = await res.json();
+        if (!json.status || !json.data)
+            return { data };
+        return { data: { ...data, ...json.data } };
+    }
+    async updatePayment(input) {
+        // Re-initiate to refresh the session when amount/currency changes;
+        // forward input.data so session_id is preserved in Paystack metadata.
+        const result = await this.initiatePayment({
+            amount: input.amount,
+            currency_code: input.currency_code,
+            context: input.context,
+            data: input.data,
+        });
+        return { data: result.data };
+    }
+    async getWebhookActionAndData(payload) {
+        const { data, rawData, headers } = payload;
+        const signature = headers["x-paystack-signature"] ?? "";
+        const raw = Buffer.isBuffer(rawData) ? rawData.toString("utf8") : String(rawData);
+        const signatureValid = verifyPaystackSignature(raw, signature, this.secretKey);
+        const event = data;
+        const eventData = (event.data ?? {});
+        return webhookAction(event.event, eventData, signatureValid);
+    }
+}
+PaystackProviderService.identifier = "paystack";
+export default PaystackProviderService;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2VydmljZS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uL3NyYy9wcm92aWRlcnMvcGF5c3RhY2svc2VydmljZS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFzQkEsT0FBTyxFQUFFLHVCQUF1QixFQUFFLE1BQU0sMkJBQTJCLENBQUM7QUFDcEUsT0FBTyxFQUNMLG1CQUFtQixFQUNuQixzQkFBc0IsRUFDdEIsa0JBQWtCLEVBQ2xCLGFBQWEsRUFHYix1QkFBdUIsRUFDdkIsYUFBYSxHQUNkLE1BQU0sT0FBTyxDQUFDO0FBT2YsTUFBTSxZQUFZLEdBQUcseUJBQXlCLENBQUM7QUFFL0MsTUFBTSx1QkFBd0IsU0FBUSx1QkFBd0M7SUFLNUUsWUFBWSxNQUErQixFQUFFLE9BQXdCO1FBQ25FLEtBQUssQ0FBQyxNQUFNLEVBQUUsT0FBTyxDQUFDLENBQUM7UUFDdkIsSUFBSSxDQUFDLFFBQVEsR0FBRyxPQUFPLElBQUksRUFBRSxDQUFDO0lBQ2hDLENBQUM7SUFFRCxJQUFZLFNBQVM7UUFDbkIsT0FBTyxJQUFJLENBQUMsUUFBUSxFQUFFLFVBQVUsSUFBSSxPQUFPLENBQUMsR0FBRyxDQUFDLG1CQUFtQixJQUFJLEVBQUUsQ0FBQztJQUM1RSxDQUFDO0lBRU8sVUFBVTtRQUNoQixPQUFPO1lBQ0wsYUFBYSxFQUFFLFVBQVUsSUFBSSxDQUFDLFNBQVMsRUFBRTtZQUN6QyxjQUFjLEVBQUUsa0JBQWtCO1NBQ25DLENBQUM7SUFDSixDQUFDO0lBRUQsS0FBSyxDQUFDLGVBQWUsQ0FBQyxLQUEyQjtRQUMvQyxNQUFNLEVBQUUsTUFBTSxFQUFFLGFBQWEsRUFBRSxPQUFPLEVBQUUsR0FBRyxLQUFLLENBQUM7UUFDakQsTUFBTSxJQUFJLEdBQUcsS0FBSyxDQUFDLElBQTJDLENBQUM7UUFFL0QsTUFBTSxLQUFLLEdBQ1QsT0FBTyxFQUFFLFFBQVEsRUFBRSxLQUFLO1lBQ3hCLENBQUMsT0FBTyxJQUFJLEVBQUUsS0FBSyxLQUFLLFFBQVEsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUFDLENBQUM7UUFDN0QsSUFBSSxDQUFDLEtBQUssRUFBRSxDQUFDO1lBQ1gsTUFBTSxJQUFJLEtBQUssQ0FBQyw0REFBNEQsQ0FBQyxDQUFDO1FBQ2hGLENBQUM7UUFFRCxNQUFNLElBQUksR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsSUFBSSxJQUFJLENBQUMsTUFBTSxFQUFFLENBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDO1FBQ3BFLE1BQU0sU0FBUyxHQUFHLGFBQWEsQ0FBQyxJQUFJLEVBQUUsSUFBSSxDQUFDLFFBQVEsQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO1FBRXRFLE1BQU0sT0FBTyxHQUFHLHNCQUFzQixDQUFDO1lBQ3JDLE1BQU0sRUFBRSxNQUFNLENBQUMsTUFBTSxDQUFDO1lBQ3RCLFlBQVksRUFBRSxhQUFhO1lBQzNCLEtBQUs7WUFDTCxTQUFTO1lBQ1QsU0FBUyxFQUFFLElBQUksRUFBRSxVQUFnQztTQUNsRCxDQUFDLENBQUM7UUFFSCxNQUFNLEdBQUcsR0FBRyxNQUFNLEtBQUssQ0FBQyxHQUFHLFlBQVkseUJBQXlCLEVBQUU7WUFDaEUsTUFBTSxFQUFFLE1BQU07WUFDZCxPQUFPLEVBQUUsSUFBSSxDQUFDLFVBQVUsRUFBRTtZQUMxQixJQUFJLEVBQUUsSUFBSSxDQUFDLFNBQVMsQ0FBQyxPQUFPLENBQUM7U0FDOUIsQ0FBQyxDQUFDO1FBQ0gsTUFBTSxJQUFJLEdBQXlCLE1BQU0sR0FBRyxDQUFDLElBQUksRUFBRSxDQUFDO1FBRXBELElBQUksQ0FBQyxJQUFJLENBQUMsTUFBTSxJQUFJLENBQUMsSUFBSSxDQUFDLElBQUksRUFBRSxDQUFDO1lBQy9CLE1BQU0sSUFBSSxLQUFLLENBQUMsNkJBQTZCLElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO1FBQy9ELENBQUM7UUFFRCxNQUFNLEVBQUUsV0FBVyxFQUFFLGlCQUFpQixFQUFFLEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQztRQUNyRCxPQUFPO1lBQ0wsRUFBRSxFQUFFLFNBQVM7WUFDYixJQUFJLEVBQUU7Z0JBQ0osU0FBUztnQkFDVCxXQUFXO2dCQUNYLGlCQUFpQjtnQkFDakIsTUFBTSxFQUFFLE1BQU0sQ0FBQyxNQUFNLENBQUM7Z0JBQ3RCLFFBQVEsRUFBRSxhQUFhLENBQUMsV0FBVyxFQUFFO2FBQ3RDO1NBQ0YsQ0FBQztJQUNKLENBQUM7SUFFRCxLQUFLLENBQUMsZ0JBQWdCLENBQUMsS0FBNEI7UUFDakQsTUFBTSxJQUFJLEdBQUcsS0FBSyxDQUFDLElBQUksSUFBSSxFQUFFLENBQUM7UUFDOUIsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLFNBQW1CLENBQUM7UUFDM0MsSUFBSSxDQUFDLFNBQVM7WUFBRSxPQUFPLEVBQUUsTUFBTSxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsQ0FBQztRQUVqRCxNQUFNLEdBQUcsR0FBRyxNQUFNLEtBQUssQ0FDckIsR0FBRyxZQUFZLHVCQUF1QixrQkFBa0IsQ0FBQyxTQUFTLENBQUMsRUFBRSxFQUNyRSxFQUFFLE9BQU8sRUFBRSxJQUFJLENBQUMsVUFBVSxFQUFFLEVBQUUsQ0FDL0IsQ0FBQztRQUNGLE1BQU0sSUFBSSxHQUEyQixNQUFNLEdBQUcsQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUN0RCxJQUFJLENBQUMsSUFBSSxDQUFDLE1BQU0sSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJO1lBQUUsT0FBTyxFQUFFLE1BQU0sRUFBRSxPQUFPLEVBQUUsSUFBSSxFQUFFLENBQUM7UUFFakUsTUFBTSxFQUFFLE1BQU0sRUFBRSxRQUFRLEVBQUUsTUFBTSxFQUFFLEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQztRQUMvQyxNQUFNLGNBQWMsR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsTUFBTSxJQUFJLENBQUMsQ0FBQyxHQUFHLEdBQUcsQ0FBQyxDQUFDO1FBQ2xFLE1BQU0sZ0JBQWdCLEdBQUcsTUFBTSxDQUFDLElBQUksQ0FBQyxRQUFRLElBQUksRUFBRSxDQUFDLENBQUMsV0FBVyxFQUFFLENBQUM7UUFFbkUsTUFBTSxLQUFLLEdBQUcsbUJBQW1CLENBQUM7WUFDaEMsTUFBTTtZQUNOLFFBQVE7WUFDUixNQUFNO1lBQ04sY0FBYztZQUNkLGdCQUFnQjtTQUNqQixDQUFDLENBQUM7UUFFSCxJQUFJLENBQUMsS0FBSyxDQUFDLEVBQUUsRUFBRSxDQUFDO1lBQ2QsT0FBTyxFQUFFLE1BQU0sRUFBRSxPQUFPLEVBQUUsSUFBSSxFQUFFLEVBQUUsR0FBRyxJQUFJLEVBQUUsR0FBRyxJQUFJLENBQUMsSUFBSSxFQUFFLE1BQU0sRUFBRSxLQUFLLENBQUMsTUFBTSxFQUFFLEVBQUUsQ0FBQztRQUNwRixDQUFDO1FBQ0QsT0FBTyxFQUFFLE1BQU0sRUFBRSxVQUFVLEVBQUUsSUFBSSxFQUFFLEVBQUUsR0FBRyxJQUFJLEVBQUUsR0FBRyxJQUFJLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQztJQUNqRSxDQUFDO0lBRUQsS0FBSyxDQUFDLGNBQWMsQ0FBQyxLQUEwQjtRQUM3QyxrRUFBa0U7UUFDbEUsT0FBTyxFQUFFLElBQUksRUFBRSxLQUFLLENBQUMsSUFBSSxFQUFFLENBQUM7SUFDOUIsQ0FBQztJQUVELEtBQUssQ0FBQyxnQkFBZ0IsQ0FBQyxLQUE0QjtRQUNqRCxNQUFNLElBQUksR0FBRyxLQUFLLENBQUMsSUFBSSxJQUFJLEVBQUUsQ0FBQztRQUM5QixNQUFNLFNBQVMsR0FBRyxJQUFJLENBQUMsU0FBK0IsQ0FBQztRQUN2RCxJQUFJLENBQUMsU0FBUztZQUFFLE9BQU8sRUFBRSxNQUFNLEVBQUUsU0FBUyxFQUFFLENBQUM7UUFFN0MsTUFBTSxHQUFHLEdBQUcsTUFBTSxLQUFLLENBQ3JCLEdBQUcsWUFBWSx1QkFBdUIsa0JBQWtCLENBQUMsU0FBUyxDQUFDLEVBQUUsRUFDckUsRUFBRSxPQUFPLEVBQUUsSUFBSSxDQUFDLFVBQVUsRUFBRSxFQUFFLENBQy9CLENBQUM7UUFDRixNQUFNLElBQUksR0FBMkIsTUFBTSxHQUFHLENBQUMsSUFBSSxFQUFFLENBQUM7UUFDdEQsSUFBSSxDQUFDLElBQUksQ0FBQyxNQUFNLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSTtZQUFFLE9BQU8sRUFBRSxNQUFNLEVBQUUsT0FBTyxFQUFFLENBQUM7UUFFM0QsUUFBUSxJQUFJLENBQUMsSUFBSSxDQUFDLE1BQU0sRUFBRSxDQUFDO1lBQ3pCLEtBQUssU0FBUztnQkFDWixPQUFPLEVBQUUsTUFBTSxFQUFFLFVBQVUsRUFBRSxDQUFDO1lBQ2hDLEtBQUssUUFBUSxDQUFDO1lBQ2QsS0FBSyxVQUFVO2dCQUNiLE9BQU8sRUFBRSxNQUFNLEVBQUUsT0FBTyxFQUFFLENBQUM7WUFDN0IsS0FBSyxXQUFXO2dCQUNkLE9BQU8sRUFBRSxNQUFNLEVBQUUsVUFBVSxFQUFFLENBQUM7WUFDaEM7Z0JBQ0UsT0FBTyxFQUFFLE1BQU0sRUFBRSxTQUFTLEVBQUUsQ0FBQztRQUNqQyxDQUFDO0lBQ0gsQ0FBQztJQUVELEtBQUssQ0FBQyxhQUFhLENBQUMsS0FBeUI7UUFDM0MsTUFBTSxJQUFJLEdBQUcsS0FBSyxDQUFDLElBQUksSUFBSSxFQUFFLENBQUM7UUFDOUIsTUFBTSxTQUFTLEdBQUcsSUFBSSxDQUFDLFNBQW1CLENBQUM7UUFFM0MsTUFBTSxHQUFHLEdBQUcsTUFBTSxLQUFLLENBQUMsR0FBRyxZQUFZLFNBQVMsRUFBRTtZQUNoRCxNQUFNLEVBQUUsTUFBTTtZQUNkLE9BQU8sRUFBRSxJQUFJLENBQUMsVUFBVSxFQUFFO1lBQzFCLElBQUksRUFBRSxJQUFJLENBQUMsU0FBUyxDQUFDLGtCQUFrQixDQUFDLFNBQVMsRUFBRSxNQUFNLENBQUMsS0FBSyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUM7U0FDMUUsQ0FBQyxDQUFDO1FBQ0gsTUFBTSxJQUFJLEdBQUcsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxJQUFJLEVBQUUsQ0FBMEMsQ0FBQztRQUV6RSxJQUFJLENBQUMsR0FBRyxDQUFDLEVBQUUsSUFBSSxDQUFDLElBQUksQ0FBQyxNQUFNLEVBQUUsQ0FBQztZQUM1QixNQUFNLElBQUksS0FBSyxDQUNiLDJCQUEyQixJQUFJLENBQUMsT0FBTyxJQUFJLFFBQVEsR0FBRyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQ2xFLENBQUM7UUFDSixDQUFDO1FBQ0QsT0FBTyxFQUFFLElBQUksRUFBRSxDQUFDO0lBQ2xCLENBQUM7SUFFRCxLQUFLLENBQUMsYUFBYSxDQUFDLEtBQXlCO1FBQzNDLGdFQUFnRTtRQUNoRSxPQUFPLEVBQUUsSUFBSSxFQUFFLEtBQUssQ0FBQyxJQUFJLEVBQUUsQ0FBQztJQUM5QixDQUFDO0lBRUQsS0FBSyxDQUFDLGFBQWEsQ0FBQyxLQUF5QjtRQUMzQyxPQUFPLEVBQUUsSUFBSSxFQUFFLEtBQUssQ0FBQyxJQUFJLEVBQUUsQ0FBQztJQUM5QixDQUFDO0lBRUQsS0FBSyxDQUFDLGVBQWUsQ0FBQyxLQUEyQjtRQUMvQyxNQUFNLElBQUksR0FBRyxLQUFLLENBQUMsSUFBSSxJQUFJLEVBQUUsQ0FBQztRQUM5QixNQUFNLFNBQVMsR0FBRyxJQUFJLENBQUMsU0FBK0IsQ0FBQztRQUN2RCxJQUFJLENBQUMsU0FBUztZQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsQ0FBQztRQUVoQyxNQUFNLEdBQUcsR0FBRyxNQUFNLEtBQUssQ0FDckIsR0FBRyxZQUFZLHVCQUF1QixrQkFBa0IsQ0FBQyxTQUFTLENBQUMsRUFBRSxFQUNyRSxFQUFFLE9BQU8sRUFBRSxJQUFJLENBQUMsVUFBVSxFQUFFLEVBQUUsQ0FDL0IsQ0FBQztRQUNGLE1BQU0sSUFBSSxHQUEyQixNQUFNLEdBQUcsQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUN0RCxJQUFJLENBQUMsSUFBSSxDQUFDLE1BQU0sSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJO1lBQUUsT0FBTyxFQUFFLElBQUksRUFBRSxDQUFDO1FBQ2hELE9BQU8sRUFBRSxJQUFJLEVBQUUsRUFBRSxHQUFHLElBQUksRUFBRSxHQUFHLElBQUksQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDO0lBQzdDLENBQUM7SUFFRCxLQUFLLENBQUMsYUFBYSxDQUFDLEtBQXlCO1FBQzNDLG1FQUFtRTtRQUNuRSxzRUFBc0U7UUFDdEUsTUFBTSxNQUFNLEdBQUcsTUFBTSxJQUFJLENBQUMsZUFBZSxDQUFDO1lBQ3hDLE1BQU0sRUFBRSxLQUFLLENBQUMsTUFBTTtZQUNwQixhQUFhLEVBQUUsS0FBSyxDQUFDLGFBQWE7WUFDbEMsT0FBTyxFQUFFLEtBQUssQ0FBQyxPQUFPO1lBQ3RCLElBQUksRUFBRSxLQUFLLENBQUMsSUFBSTtTQUNqQixDQUFDLENBQUM7UUFDSCxPQUFPLEVBQUUsSUFBSSxFQUFFLE1BQU0sQ0FBQyxJQUFJLEVBQUUsQ0FBQztJQUMvQixDQUFDO0lBRUQsS0FBSyxDQUFDLHVCQUF1QixDQUMzQixPQUEwQztRQUUxQyxNQUFNLEVBQUUsSUFBSSxFQUFFLE9BQU8sRUFBRSxPQUFPLEVBQUUsR0FBRyxPQUFPLENBQUM7UUFDM0MsTUFBTSxTQUFTLEdBQUksT0FBTyxDQUFDLHNCQUFzQixDQUFZLElBQUksRUFBRSxDQUFDO1FBQ3BFLE1BQU0sR0FBRyxHQUFHLE1BQU0sQ0FBQyxRQUFRLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUNsRixNQUFNLGNBQWMsR0FBRyx1QkFBdUIsQ0FBQyxHQUFHLEVBQUUsU0FBUyxFQUFFLElBQUksQ0FBQyxTQUFTLENBQUMsQ0FBQztRQUUvRSxNQUFNLEtBQUssR0FBRyxJQUEwRCxDQUFDO1FBQ3pFLE1BQU0sU0FBUyxHQUFHLENBQUMsS0FBSyxDQUFDLElBQUksSUFBSSxFQUFFLENBSWxDLENBQUM7UUFFRixPQUFPLGFBQWEsQ0FBQyxLQUFLLENBQUMsS0FBSyxFQUFFLFNBQVMsRUFBRSxjQUFjLENBQUMsQ0FBQztJQUMvRCxDQUFDOztBQXBNTSxrQ0FBVSxHQUFHLFVBQVUsQ0FBQztBQXVNakMsZUFBZSx1QkFBdUIsQ0FBQyJ9

package/AGENTS.md ADDED Viewed

@@ -0,0 +1,147 @@
+# AGENTS.md — integrating `medusa-paystack`
+Audience: an AI coding agent (Claude Code, Cursor, etc.) adding Paystack payments to
+a user's **Medusa v2** store. Treat this as a checklist. Exact values matter — copy
+them verbatim.
+## What this package is
+- A **Paystack payment provider for Medusa v2** (targets `@medusajs/medusa` **2.16.x**).
+- It is a **payment module provider**, resolved at `medusa-paystack/providers/paystack`.
+  Provider `identifier` = `paystack`.
+- It charges in the **cart's own `currency_code`** — no FX/conversion. The merchant's
+  Paystack account must be enabled for those currencies (Paystack supports GHS, NGN,
+  ZAR, USD, KES).
+## The one thing agents get wrong
+This plugin is the **server side only**. It renders **no checkout UI** — no Medusa
+payment provider does (the official Stripe plugin is the same). If you only register
+the provider, the customer **cannot pay**. You MUST also implement the storefront
+step (Section 4), or checkout is broken. Do not report the task complete after
+Section 2.
+## Gather first
+- `PAYSTACK_SECRET_KEY` (backend) and the Paystack **public** key (storefront).
+  Test keys look like `sk_test_…` / `pk_test_…`.
+- Confirm the backend is on Medusa **2.16.x**: `npm ls @medusajs/medusa`.
+- Identify the storefront app (Next.js Medusa starter, custom, etc.) and whether it
+  uses `@medusajs/js-sdk`.
+## 1. Install (in the Medusa backend)
+```bash
+npm install medusa-paystack
+```
+## 2. Register the provider — `medusa-config.ts`
+Add it to the **payment module's `providers` array**. Do NOT put it in the top-level
+`plugins` array, and do NOT register it as a standalone module.
+```ts
+{
+  resolve: "@medusajs/medusa/payment",
+  options: {
+    providers: [
+      {
+        resolve: "medusa-paystack/providers/paystack",
+        id: "paystack",
+        options: {
+          secret_key: process.env.PAYSTACK_SECRET_KEY,
+          // reference_prefix: "MY-", // optional, default ""
+        },
+      },
+    ],
+  },
+}
+```
+If a `@medusajs/medusa/payment` block already exists, **append** to its `providers`
+array — do not create a second payment module.
+The provider's runtime id becomes `pp_<identifier>_<id>` = **`pp_paystack_paystack`**.
+The storefront and webhook depend on this exact string. If you choose a different
+`id`, update Sections 4 and 5 to match (`pp_paystack_<id>` and
+`/hooks/payment/paystack_<id>`).
+## 3. Environment (backend `.env`)
+```
+PAYSTACK_SECRET_KEY=sk_test_xxx
+```
+## 4. Storefront — REQUIRED, do not skip
+Without this, the provider is registered but no payment can be taken.
+- Install the popup lib in the **storefront** app: `npm install @paystack/inline-js`.
+- Expose the **public** key to the browser, e.g.
+  `NEXT_PUBLIC_PAYSTACK_PUBLIC_KEY=pk_test_xxx`.
+- Implement a pay button with this flow (using `@medusajs/js-sdk`):
+  1. `sdk.store.payment.initiatePaymentSession(cart, { provider_id: "pp_paystack_paystack", data: { email } })`
+     — **email is required**; Paystack rejects a session without one.
+  2. Read `access_code` from the session whose `provider_id === "pp_paystack_paystack"`.
+  3. `new PaystackPop().resumeTransaction(access_code, { onSuccess, onCancel, onError })`
+     (from `@paystack/inline-js`). Alternatively redirect the browser to the
+     session's `authorization_url`.
+  4. On success: `await sdk.store.cart.complete(cartId)` → creates the order.
+Copy the full, working component from this package's **README → "Storefront
+integration"** and adapt the env-var names to the project. The README also documents
+the redirect-based alternative.
+## 5. Webhook
+In the Paystack dashboard, set the webhook URL to:
+```
+https://<backend-host>/hooks/payment/paystack_paystack
+```
+The path segment is `<identifier>_<id>` = `paystack_paystack`. The provider verifies
+`x-paystack-signature` (HMAC-SHA512 over the raw body with the secret key) and
+captures the session on `charge.success`.
+## 6. Enable for regions
+Add **Paystack** as a payment provider to each region that should accept it: Admin →
+**Settings → Regions**, or via the Admin API.
+## 7. Verify before reporting done
+- Backend boots with no errors (`npx medusa develop` or the project's dev command).
+- Admin shows Paystack as an available provider on a region.
+- A test checkout with Paystack **test** keys: pay button → Paystack popup → success
+  → order created in Admin.
+- Webhook: replay a `charge.success` from the Paystack dashboard and confirm the
+  payment session captures.
+## Do / Don't
+- DO pass the customer email into `initiatePaymentSession` `data`.
+- DO use the exact `provider_id` `pp_paystack_paystack` in the storefront and the
+  matching `/hooks/payment/paystack_paystack` webhook path.
+- DON'T add `medusa-paystack` to the top-level `plugins` array — it's a payment
+  provider, registered under the payment module's `providers`.
+- DON'T pre-convert amounts to subunits — Medusa passes **major-unit** amounts and
+  the provider multiplies by 100 internally.
+- DON'T hardcode a currency — the provider uses the cart's `currency_code`.
+- DON'T treat the client `onSuccess` as proof of payment — the server re-verifies
+  status, amount, and currency in `authorizePayment` during `cart.complete`.
+## Options reference
+| Option | Required | Default | Notes |
+| --- | --- | --- | --- |
+| `secret_key` | yes | `process.env.PAYSTACK_SECRET_KEY` | server API calls + webhook signature verification |
+| `reference_prefix` | no | `""` | prepended to generated transaction references |
+## Provider methods (reference)
+`initiatePayment` (creates the Paystack transaction), `authorizePayment` (verifies
+status/amount/currency), `capturePayment` (no-op — Paystack auto-captures on
+success), `getPaymentStatus`, `refundPayment`, `cancelPayment`/`deletePayment`
+(no-ops), `updatePayment` (re-initiates the session), `getWebhookActionAndData`
+(signature check + `charge.success` → capture).

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 nuette
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,202 @@
+# medusa-paystack
+A [Paystack](https://paystack.com) payment provider for **Medusa v2**.
+Unlike store-specific forks, this provider charges in the **cart's own currency**
+(`currency_code`). Paystack natively supports GHS, NGN, ZAR, USD, and KES — make
+sure your Paystack account is enabled for the currencies your store sells in. This
+plugin does **not** perform any currency conversion.
+## Requirements
+- Medusa **2.16.x**
+- A Paystack secret key
+## Install
+```bash
+npm install medusa-paystack
+```
+## Configure
+Add the provider to the Payment Module in your `medusa-config.ts`:
+```ts
+module.exports = defineConfig({
+  modules: [
+    {
+      resolve: "@medusajs/medusa/payment",
+      options: {
+        providers: [
+          {
+            resolve: "medusa-paystack/providers/paystack",
+            id: "paystack",
+            options: {
+              secret_key: process.env.PAYSTACK_SECRET_KEY,
+              // reference_prefix: "MY-", // optional, default ""
+            },
+          },
+        ],
+      },
+    },
+  ],
+})
+```
+### Options
+| Option | Required | Default | Description |
+| --- | --- | --- | --- |
+| `secret_key` | yes | `process.env.PAYSTACK_SECRET_KEY` | Paystack secret key, used for API calls and webhook signature verification. |
+| `reference_prefix` | no | `""` | Prefix prepended to generated transaction references. |
+## Enable in the admin
+In **Settings → Regions**, add **Paystack** as a payment provider for each region
+that should accept it.
+## Storefront integration
+This plugin is the **server-side** half of the payment flow. Like every Medusa
+payment provider (including the official Stripe plugin), it renders **no checkout
+UI** — your storefront drives the payment, then completes the cart. The plugin's
+job is to start the Paystack transaction and then securely verify the status,
+amount, currency, and webhook signature on the server. A storefront cannot accept
+payment with the plugin alone; you must add the steps below.
+The flow your storefront implements:
+1. **Initialize a payment session** on the cart, selecting this provider. The
+   provider returns Paystack's `access_code` (and `authorization_url`) in the
+   session's `data`.
+2. **Collect payment** with Paystack — open Paystack Inline with the `access_code`,
+   or redirect the browser to `authorization_url`.
+3. **Complete the cart** on success — this triggers the provider's server-side
+   verification and creates the order.
+### Prerequisites
+- Your **Paystack public key** exposed to the browser (e.g.
+  `NEXT_PUBLIC_PAYSTACK_PUBLIC_KEY`). The plugin uses the *secret* key on the
+  server; the storefront only needs the *public* key.
+- The Medusa JS SDK (`@medusajs/js-sdk`) with your publishable API key.
+- For the inline popup: `npm install @paystack/inline-js`.
+> **`provider_id`** is `pp_<identifier>_<id>` — `pp_paystack_` plus the `id` you set
+> in `medusa-config.ts`. With `id: "paystack"` it is `pp_paystack_paystack`.
+### Example (React / Next.js)
+```tsx
+"use client";
+import { useState } from "react";
+import Medusa from "@medusajs/js-sdk";
+const sdk = new Medusa({
+  baseUrl: process.env.NEXT_PUBLIC_MEDUSA_BACKEND_URL!,
+  publishableKey: process.env.NEXT_PUBLIC_MEDUSA_PUBLISHABLE_KEY!,
+});
+const PROVIDER_ID = "pp_paystack_paystack"; // must match pp_<identifier>_<id>
+export function PayWithPaystack({ cartId, email }: { cartId: string; email: string }) {
+  const [error, setError] = useState<string>();
+  const [loading, setLoading] = useState(false);
+  async function pay() {
+    setLoading(true);
+    setError(undefined);
+    try {
+      // 1. Initialize the Paystack payment session on the cart.
+      //    Paystack requires a customer email — pass it in `data`.
+      const { cart } = await sdk.store.cart.retrieve(cartId);
+      const { payment_collection } = await sdk.store.payment.initiatePaymentSession(
+        cart,
+        { provider_id: PROVIDER_ID, data: { email } }
+      );
+      const session = payment_collection.payment_sessions?.find(
+        (s) => s.provider_id === PROVIDER_ID
+      );
+      const accessCode = session?.data?.access_code as string | undefined;
+      if (!accessCode) throw new Error("No access_code returned from the payment session");
+      // 2. Open Paystack Inline with the access code.
+      const mod = await import("@paystack/inline-js");
+      const PaystackPop = (mod.default ?? mod) as new () => {
+        resumeTransaction(
+          accessCode: string,
+          cb: {
+            onSuccess?: () => void;
+            onCancel?: () => void;
+            onError?: (e: { message: string }) => void;
+          }
+        ): void;
+      };
+      new PaystackPop().resumeTransaction(accessCode, {
+        onSuccess: async () => {
+          // 3. Complete the cart -> runs the provider's server-side verification
+          //    (status + amount + currency) and creates the order.
+          const res = await sdk.store.cart.complete(cartId);
+          if (res.type === "order") {
+            window.location.href = `/order/confirmed/${res.order.id}`;
+          } else {
+            setError(res.error?.message ?? "Order could not be completed.");
+          }
+        },
+        onCancel: () => setError("Payment cancelled — your cart is still saved."),
+        onError: (e) => setError(e.message),
+      });
+    } catch (e) {
+      setError(e instanceof Error ? e.message : "Could not start payment.");
+      setLoading(false);
+    }
+  }
+  return (
+    <div>
+      {error && <p role="alert">{error}</p>}
+      <button onClick={pay} disabled={loading}>
+        {loading ? "Starting…" : "Pay with Paystack"}
+      </button>
+    </div>
+  );
+}
+```
+The same three SDK calls work in any frontend framework — only the
+`@paystack/inline-js` popup call is Paystack-specific.
+### Redirect instead of inline
+If you prefer a full-page redirect over the popup, skip `@paystack/inline-js`:
+read `authorization_url` from the session `data`, send the browser there, and on
+return to your callback page call `sdk.store.cart.complete(cartId)`.
+> The server is always authoritative: `cart.complete` runs the provider's
+> `authorizePayment`, which re-checks the transaction status, amount, and currency
+> with Paystack before the order is created. Never treat the client `onSuccess` as
+> proof of payment on its own.
+## Webhook
+Create a webhook in your Paystack dashboard pointing at your Medusa server's payment
+webhook endpoint for this provider:
+```
+https://your-backend.com/hooks/payment/paystack_paystack
+```
+The path segment is `<identifier>_<id>` — the provider's identifier (`paystack`)
+joined with the `id` from your `medusa-config.ts`. With `id: "paystack"` the segment
+is `paystack_paystack`; had you registered the provider with `id: "main"`, the path
+would be `/hooks/payment/paystack_main`.
+The provider verifies the `x-paystack-signature` (HMAC-SHA512 over the raw body using
+your secret key) and captures the payment session on `charge.success`.
+## License
+MIT

package/package.json ADDED Viewed

@@ -0,0 +1,52 @@
+{
+  "name": "medusa-paystack",
+  "version": "0.1.0",
+  "description": "Paystack payment provider for Medusa v2",
+  "author": "nuette",
+  "license": "MIT",
+  "keywords": [
+    "medusa-plugin",
+    "medusa-plugin-payment",
+    "medusa-v2",
+    "paystack",
+    "payment"
+  ],
+  "files": [
+    ".medusa/server",
+    "package.json",
+    "README.md",
+    "AGENTS.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "medusa plugin:build",
+    "dev": "medusa plugin:develop",
+    "typecheck": "tsc --noEmit",
+    "test": "jest",
+    "prepublishOnly": "medusa plugin:build"
+  },
+  "exports": {
+    "./package.json": "./package.json",
+    "./providers/*": "./.medusa/server/src/providers/*/index.js",
+    "./*": "./.medusa/server/src/*.js"
+  },
+  "devDependencies": {
+    "@medusajs/admin-sdk": "2.16.0",
+    "@medusajs/cli": "2.16.0",
+    "@medusajs/framework": "2.16.0",
+    "@medusajs/medusa": "2.16.0",
+    "@medusajs/test-utils": "2.16.0",
+    "@swc/core": "1.5.7",
+    "@swc/jest": "^0.2.36",
+    "@types/jest": "^29.5.12",
+    "@types/node": "^20.11.0",
+    "jest": "^29.7.0",
+    "typescript": "^5.6.0"
+  },
+  "peerDependencies": {
+    "@medusajs/framework": "2.16.0"
+  },
+  "engines": {
+    "node": ">=20"
+  }
+}