strapi-plugin-payone-provider 5.7.25 → 5.8.26

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-payone-provider",
-  "version": "5.7.25",
+  "version": "5.8.26",
   "description": "Strapi plugin for Payone payment gateway integration",
   "license": "MIT",
   "maintainers": [

package/server/controllers/payone.js

@@ -2,7 +2,11 @@
 
 const crypto = require("crypto");
 const PLUGIN_NAME = "strapi-plugin-payone-provider";
-const { rowsToCsv, csvToRows, TRANSACTION_ATTRS } = require("../utils/csvTransactions");
+const {
+  rowsToCsv,
+  csvToRows,
+  TRANSACTION_ATTRS
+} = require("../utils/csvTransactions");
 
 const getPayoneService = (strapi) => {
   return strapi.plugin(PLUGIN_NAME).service("payone");
@@ -84,8 +88,8 @@ module.exports = ({ strapi }) => ({
             googlePay: settings?.enableGooglePay,
             applePay: settings?.enableApplePay,
             sofort: settings?.enableSofort,
-            sepa: settings?.enableSepaDirectDebit,
-          },
+            sepa: settings?.enableSepaDirectDebit
+          }
         }
       };
     } catch (error) {
@@ -97,7 +101,7 @@ module.exports = ({ strapi }) => ({
     try {
       const bodyData = ctx.request.body?.data || ctx.request.body;
 
-      if (!bodyData || typeof bodyData !== 'object') {
+      if (!bodyData || typeof bodyData !== "object") {
         ctx.throw(400, "Invalid request body");
       }
 
@@ -106,7 +110,10 @@ module.exports = ({ strapi }) => ({
       if (bodyData.key === "***HIDDEN***" || !bodyData.key) {
         bodyData.key = currentSettings?.key;
       }
-      if (bodyData.serverApiSecret === "***HIDDEN***" || !bodyData.serverApiSecret) {
+      if (
+        bodyData.serverApiSecret === "***HIDDEN***" ||
+        !bodyData.serverApiSecret
+      ) {
         bodyData.serverApiSecret = currentSettings?.serverApiSecret;
       }
 
@@ -120,7 +127,7 @@ module.exports = ({ strapi }) => ({
   async preauthorization(ctx) {
     try {
       const params = ctx.request.body?.data || ctx.request.body;
-      if (!params || typeof params !== 'object') {
+      if (!params || typeof params !== "object") {
         ctx.throw(400, "Invalid request body");
       }
 
@@ -134,10 +141,7 @@ module.exports = ({ strapi }) => ({
   async authorization(ctx) {
     try {
       const params = ctx.request.body?.data || ctx.request.body;
-
-      if (!params || typeof params !== 'object') {
-        ctx.throw(400, "Invalid request body");
-      }
+      if (!params || typeof params !== "object") ctx.throw(400, "Invalid request body");
 
       const result = await getPayoneService(strapi).authorization(params);
       ctx.body = result;
@@ -150,7 +154,7 @@ module.exports = ({ strapi }) => ({
     try {
       const params = ctx.request.body?.data || ctx.request.body;
 
-      if (!params || typeof params !== 'object') {
+      if (!params || typeof params !== "object") {
         ctx.throw(400, "Invalid request body");
       }
 
@@ -165,7 +169,7 @@ module.exports = ({ strapi }) => ({
     try {
       const params = ctx.request.body?.data || ctx.request.body;
 
-      if (!params || typeof params !== 'object') {
+      if (!params || typeof params !== "object") {
         ctx.throw(400, "Invalid request body");
       }
 
@@ -201,7 +205,7 @@ module.exports = ({ strapi }) => ({
         data: result.data || [],
         meta: {
           pagination: result.pagination
-        },
+        }
       };
     } catch (error) {
       handleError(ctx, error);
@@ -210,25 +214,36 @@ module.exports = ({ strapi }) => ({
 
   async exportTransactions(ctx) {
     try {
-      const { filters: rawFilters = {}, format = "json", sort_by, sort_order } = ctx.query || {};
+      const {
+        filters: rawFilters = {},
+        format = "json",
+        sort_by,
+        sort_order
+      } = ctx.query || {};
       const filters = buildFiltersFromQuery(rawFilters);
       const data = await getPayoneService(strapi).getTransactionsForExport({
         filters,
         sort_by: sort_by || "createdAt",
-        sort_order: sort_order || "desc",
+        sort_order: sort_order || "desc"
       });
       const rows = Array.isArray(data) ? data : [];
       const fmt = (format || "json").toLowerCase();
 
       if (fmt === "csv") {
         ctx.set("Content-Type", "text/csv; charset=utf-8");
-        ctx.set("Content-Disposition", 'attachment; filename="transactions.csv"');
+        ctx.set(
+          "Content-Disposition",
+          'attachment; filename="transactions.csv"'
+        );
         ctx.body = rowsToCsv(rows, TRANSACTION_ATTRS);
         return;
       }
 
       ctx.set("Content-Type", "application/json");
-      ctx.set("Content-Disposition", 'attachment; filename="transactions.json"');
+      ctx.set(
+        "Content-Disposition",
+        'attachment; filename="transactions.json"'
+      );
       ctx.body = rows;
     } catch (error) {
       handleError(ctx, error);
@@ -238,7 +253,8 @@ module.exports = ({ strapi }) => ({
   async importTransactions(ctx) {
     try {
       const body = ctx.request.body;
-      if (!body || typeof body !== "object") ctx.throw(400, "Request body must be JSON");
+      if (!body || typeof body !== "object")
+        ctx.throw(400, "Request body must be JSON");
 
       let rows = [];
       if (Array.isArray(body)) {
@@ -248,18 +264,26 @@ module.exports = ({ strapi }) => ({
       } else if (body.format === "csv" && typeof body.data === "string") {
         rows = csvToRows(body.data);
       } else {
-        ctx.throw(400, "Body must be an array, { data: array }, or { format: 'csv', data: csvString }");
+        ctx.throw(
+          400,
+          "Body must be an array, { data: array }, or { format: 'csv', data: csvString }"
+        );
       }
 
       if (rows.length === 0) {
-        ctx.body = { imported: 0, failed: 0, errors: [], message: "No rows to import" };
+        ctx.body = {
+          imported: 0,
+          failed: 0,
+          errors: [],
+          message: "No rows to import"
+        };
         return;
       }
 
       const result = await getPayoneService(strapi).importTransactions(rows);
       ctx.body = {
         ...result,
-        message: `Imported ${result.imported}, failed ${result.failed}`,
+        message: `Imported ${result.imported}, failed ${result.failed}`
       };
     } catch (error) {
       handleError(ctx, error);
@@ -291,19 +315,22 @@ module.exports = ({ strapi }) => ({
 
       const callbackData = isGetRequest
         ? ctx.query
-        : (ctx.request.body || ctx.request.body?.data || ctx.request?.data);
+        : ctx.request.body || ctx.request.body?.data || ctx.request?.data;
 
-      const result = await getPayoneService(strapi).handle3DSCallback(callbackData, resultType);
+      const result = await getPayoneService(strapi).handle3DSCallback(
+        callbackData,
+        resultType
+      );
 
       if (isGetRequest) {
-        const isContentUI = currentPath.includes('/content-ui');
-        const basePath = isContentUI ? '/content-ui' : '/admin';
-        const pluginPath = '/plugins/strapi-plugin-payone-provider';
+        const isContentUI = currentPath.includes("/content-ui");
+        const basePath = isContentUI ? "/content-ui" : "/admin";
+        const pluginPath = "/plugins/strapi-plugin-payone-provider";
 
         const queryParams = new URLSearchParams();
-        queryParams.set('3ds', resultType);
-        if (result.txid) queryParams.set('txid', result.txid);
-        if (result.status) queryParams.set('status', result.status);
+        queryParams.set("3ds", resultType);
+        if (result.txid) queryParams.set("txid", result.txid);
+        if (result.status) queryParams.set("status", result.status);
 
         const redirectUrl = `${basePath}${pluginPath}?${queryParams.toString()}`;
         return ctx.redirect(redirectUrl);
@@ -320,14 +347,15 @@ module.exports = ({ strapi }) => ({
       const settings = await getPayoneService(strapi).getSettings();
       const applePayConfig = settings?.applePayConfig || {};
 
-      const params = ctx.request.body || ctx.request.body?.data || ctx.request?.data;
+      const params =
+        ctx.request.body || ctx.request.body?.data || ctx.request?.data;
 
       if (!params) {
         throw new Error("Request body is missing");
       }
 
       if (!params.domain && !params.domainName) {
-        params.domain = ctx.request.hostname || ctx.request.host || 'localhost';
+        params.domain = ctx.request.hostname || ctx.request.host || "localhost";
         params.domainName = params.domain;
       } else if (params.domain && !params.domainName) {
         params.domainName = params.domain;
@@ -346,28 +374,40 @@ module.exports = ({ strapi }) => ({
         params.countryCode = applePayConfig.countryCode || "DE";
       }
 
-      let result = await getPayoneService(strapi).validateApplePayMerchant(params);
+      let result =
+        await getPayoneService(strapi).validateApplePayMerchant(params);
 
       if (!result) {
-        throw new Error("Merchant validation returned null. Please check your Payone Apple Pay configuration.");
+        throw new Error(
+          "Merchant validation returned null. Please check your Payone Apple Pay configuration."
+        );
       }
 
       ctx.body = result;
     } catch (error) {
-      const errorStatus = error.status || (error.message?.includes('403') ? 403 : 500);
-
-      if (error.response || errorStatus === 403 || errorStatus === 401 || errorStatus >= 500) {
+      const errorStatus =
+        error.status || (error.message?.includes("403") ? 403 : 500);
+
+      if (
+        error.response ||
+        errorStatus === 403 ||
+        errorStatus === 401 ||
+        errorStatus >= 500
+      ) {
         strapi.log.error("[Apple Pay] Controller error:", {
           status: errorStatus,
           message: error.message
         });
       }
 
-      let errorMessage = error.message || "Apple Pay merchant validation failed";
-      let errorDetails = "Please check your Payone Apple Pay configuration in PMI (CONFIGURATION → PAYMENT PORTALS → [Your Portal] → Apple Pay). Ensure that Merchant ID (mid) is correctly configured and Apple Pay is enabled for your portal.";
+      let errorMessage =
+        error.message || "Apple Pay merchant validation failed";
+      let errorDetails =
+        "Please check your Payone Apple Pay configuration in PMI (CONFIGURATION → PAYMENT PORTALS → [Your Portal] → Apple Pay). Ensure that Merchant ID (mid) is correctly configured and Apple Pay is enabled for your portal.";
 
-      if (errorStatus === 403 || error.message?.includes('403')) {
-        errorDetails = "403 Forbidden: Authentication failed with Payone. " +
+      if (errorStatus === 403 || error.message?.includes("403")) {
+        errorDetails =
+          "403 Forbidden: Authentication failed with Payone. " +
           "Please check: 1) Your Payone credentials (aid, portalid, mid, key) in plugin settings, " +
           "2) Mode is set to 'live' (Apple Pay only works in live mode), " +
           "3) Your domain is registered with Payone Merchant Services, " +
@@ -392,7 +432,7 @@ module.exports = ({ strapi }) => ({
       const notificationData = ctx.request.body || {};
       await getPayoneService(strapi).processTransactionStatus(notificationData);
       console.warn("[Payone] Notification Status", {
-        ip: ctx.request.ip,
+        ip: ctx.request.ip
       });
     } catch (error) {
       strapi.log.error("[Payone TransactionStatus] Error:", error);
@@ -405,12 +445,15 @@ module.exports = ({ strapi }) => ({
 
   async hostedTokenizationJwt(ctx) {
     try {
-      const result = await getNewHostedTokenizationService(strapi).createHostedTokenizationJwt();
+      const result =
+        await getNewHostedTokenizationService(
+          strapi
+        ).createHostedTokenizationJwt();
       ctx.body = {
         data: {
           token: result?.token || null,
-          expirationDate: result?.expirationDate || null,
-        },
+          expirationDate: result?.expirationDate || null
+        }
       };
     } catch (error) {
       handleError(ctx, error);
@@ -428,8 +471,16 @@ module.exports = ({ strapi }) => ({
       }
 
       // Validate required settings
-      if (!settings?.aid || !settings?.mid || !settings?.portalid || !settings?.mode) {
-        ctx.throw(400, "Required settings (aid, mid, portalid, mode) are not configured");
+      if (
+        !settings?.aid ||
+        !settings?.mid ||
+        !settings?.portalid ||
+        !settings?.mode
+      ) {
+        ctx.throw(
+          400,
+          "Required settings (aid, mid, portalid, mode) are not configured"
+        );
       }
 
       // Construct the string from settings values

package/server/services/paymentService.js

@@ -1,7 +1,7 @@
 "use strict";
 
 const axios = require("axios");
-const { buildClientRequestParams, toFormData } = require("../utils/requestBuilder");
+const { buildClientRequestParams, toFormData, is3dsViable } = require("../utils/requestBuilder");
 const { addPaymentMethodParams } = require("../utils/paymentMethodParams");
 const { parseResponse, extractTxId, requires3DSRedirect, get3DSRedirectUrl } = require("../utils/responseParser");
 const { getSettings, validateSettings } = require("./settingsService");
@@ -37,14 +37,11 @@ const getInvoiceIdObject = (invoiceid) => {
 const sendRequest = async (strapi, params) => {
   try {
     const settings = await getSettings(strapi);
-
-    if (!validateSettings(settings)) {
-      throw new Error("Payone settings not configured");
-    }
+    if (!validateSettings(settings)) throw new Error("Payone settings not configured");
 
     const requestParams = buildClientRequestParams(settings, params, strapi.log);
-    const formData = toFormData(requestParams);
 
+    const formData = toFormData(requestParams);
     const response = await axios.post(POST_GATEWAY_URL, formData, {
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
       timeout: 30000
@@ -60,7 +57,6 @@ const sendRequest = async (strapi, params) => {
       responseData.requires3DSRedirect = true;
       responseData.redirectUrl = redirectUrl;
       responseData.is3DSRequired = is3DSRequiredError;
-
     }
 
     const errorMessage = responseData?.Error?.ErrorMessage || null;
@@ -96,8 +92,7 @@ const sendRequest = async (strapi, params) => {
 };
 
 const preauthorization = async (strapi, params) => {
-
-  const requiredParams = {
+  const requestParams = {
     request: "preauthorization",
     clearingtype: params.clearingtype,
     amount: params.amount,
@@ -115,14 +110,20 @@ const preauthorization = async (strapi, params) => {
     ...params
   };
 
+  const settings = await getSettings(strapi);
 
-  const updatedParams = addPaymentMethodParams(requiredParams, strapi.log);
-  return await sendRequest(strapi, updatedParams);
+  // Happnes only when CC-payment and 3DS is enabled and is Pre/Authorization request
+  if (is3dsViable(params, settings)) {
+    requestParams = await perform3DSCheck(strapi, requestParams);
+    if (!requestParams) throw new Error('3DS check failed');
+  }
+
+  requestParams = addPaymentMethodParams(requestParams, strapi.log);
+  return await sendRequest(strapi, requestParams);
 };
 
 const authorization = async (strapi, params) => {
-
-  const requiredParams = {
+  let requestParams = {
     request: "authorization",
     clearingtype: params.clearingtype,
     reference: params.reference,
@@ -138,8 +139,16 @@ const authorization = async (strapi, params) => {
     ...params
   };
 
-  const updatedParams = addPaymentMethodParams(requiredParams, strapi.log);
-  return await sendRequest(strapi, updatedParams);
+  const settings = await getSettings(strapi);
+
+  // Happnes only when CC-payment and 3DS is enabled and is Pre/Authorization request
+  if (is3dsViable(params, settings)) {
+    requestParams = await perform3DSCheck(strapi, requestParams);
+    if (!requestParams) throw new Error('3DS check failed');
+  }
+
+  requestParams = addPaymentMethodParams(requestParams, strapi.log);
+  return await sendRequest(strapi, requestParams);
 };
 
 const capture = async (strapi, params) => {
@@ -147,7 +156,6 @@ const capture = async (strapi, params) => {
     throw new Error("Transaction ID (txid) is required for capture");
   }
 
-
   const requiredParams = {
     request: "capture",
     txid: params.txid,
@@ -165,7 +173,6 @@ const refund = async (strapi, params) => {
     throw new Error("Transaction ID (txid) is required for refund");
   }
 
-
   const requiredParams = {
     request: "refund",
     txid: params.txid,
@@ -179,6 +186,39 @@ const refund = async (strapi, params) => {
   return await sendRequest(strapi, requiredParams);
 };
 
+/**
+ * Performs a 3DS check and returns the modified params
+ * The modified params include the pseudocardpan if the 3DS check is valid
+ * 
+ * @param strapi - Strapi instance
+ * @param params - Request params
+ * @returns The modified params
+ */
+const perform3DSCheck = async (strapi, params) => {
+  try {
+    const result = await sendRequest(strapi, {
+      ...params,
+      request: "3dscheck",
+      exiturl: params.successurl ?? '',
+    });
+
+    if (result?.errorCode || result?.errorMessage || result?.Status === 'Failed' || result?.Status === 'Invalid')
+      throw new Error('3DS check failed');
+
+    const modifiedParams = {
+      ...params,
+      pseudocardpan: result?.CreditCard?.PseudoCardPan,
+    };
+
+    if (result?.Status === 'Valid') modifiedParams.xid = result?.CreditCard?.ThreeDS?.Xid;
+
+    return modifiedParams;
+  } catch (error) {
+    strapi.log.error("3DS check error:", error);
+    return null;
+  }
+};
+
 const handle3DSCallback = async (strapi, callbackData, resultType = 'callback') => {
   try {
     const parsedData = callbackData && Object.keys(callbackData).length > 0
@@ -218,6 +258,7 @@ module.exports = {
   authorization,
   capture,
   refund,
-  handle3DSCallback
+  handle3DSCallback,
+  perform3DSCheck
 };
 

package/server/utils/requestBuilder.js

@@ -28,7 +28,7 @@ const buildClientRequestParams = (settings, params, logger = null) => {
   const isCreditCard = requestParams.clearingtype === "cc";
   const enable3DSecure = settings.enable3DSecure !== false;
 
-  if (isCreditCard && enable3DSecure && (params.request === "preauthorization" || params.request === "authorization")) {
+  if (is3dsViable(requestParams, settings)) {
     requestParams["3dsecure"] = "yes";
     requestParams.ecommercemode = params.ecommercemode || "internet";
 
@@ -93,8 +93,23 @@ const toFormData = (requestParams) => {
   return formData;
 };
 
+/**
+ * Checks if the request is viable for 3DS according to the settings
+ * 
+ * @param params - Request params
+ * @param settings - Set up in admin
+ * @returns 
+ */
+const is3dsViable = (params, settings) => {
+  const isCreditCard = params.clearingtype === "cc";
+  const enable3DSecure = settings.enable3DSecure !== false;
+
+  return isCreditCard && enable3DSecure && (params.request === "preauthorization" || params.request === "authorization")
+};
+
 module.exports = {
   buildClientRequestParams,
-  toFormData
+  toFormData,
+  is3dsViable
 };