Add PayPal webhook handling

2026-02-04 14:23:07 +01:00
parent 66c7131d79
commit 5c78ac00dd
12 changed files with 676 additions and 7 deletions
--- a/app/Services/Coupons/CouponRedemptionService.php
+++ b/app/Services/Coupons/CouponRedemptionService.php
@@ -31,7 +31,7 @@ class CouponRedemptionService
            return;
        }

-        $transactionId = Arr::get($payload, 'id') ?? $session->lemonsqueezy_order_id;
+        $transactionId = $this->resolveTransactionId($session, $payload);

        $context = $this->resolveRequestContext($session);
        $fraudSnapshot = $this->buildFraudSnapshot($context);
@@ -48,6 +48,7 @@ class CouponRedemptionService
            'metadata' => array_filter([
                'session_snapshot' => $session->coupon_snapshot,
                'payload' => $payload,
+                'provider' => $session->provider,
                'fraud' => $fraudSnapshot,
            ]),
            'redeemed_at' => now(),
@@ -74,6 +75,7 @@ class CouponRedemptionService

        $context = $this->resolveRequestContext($session);
        $fraudSnapshot = $this->buildFraudSnapshot($context);
+        $transactionId = $this->resolveTransactionId($session);

        CouponRedemption::query()->updateOrCreate(
            [
@@ -84,13 +86,14 @@ class CouponRedemptionService
                'tenant_id' => $session->tenant_id,
                'user_id' => $session->user_id,
                'package_id' => $session->package_id,
-                'lemonsqueezy_order_id' => $session->lemonsqueezy_order_id,
+                'lemonsqueezy_order_id' => $transactionId,
                'status' => CouponRedemption::STATUS_FAILED,
                'failure_reason' => $reason,
                'amount_discounted' => $session->amount_discount,
                'currency' => $session->currency ?? 'EUR',
                'metadata' => array_filter([
                    'session_snapshot' => $session->coupon_snapshot,
+                    'provider' => $session->provider,
                    'fraud' => $fraudSnapshot,
                ]),
            ]),
@@ -109,6 +112,24 @@ class CouponRedemptionService
        ], static fn ($value) => $value !== null && $value !== '');
    }

+    /**
+     * @param  array<string, mixed>  $payload
+     */
+    private function resolveTransactionId(CheckoutSession $session, array $payload = []): ?string
+    {
+        if ($session->provider === CheckoutSession::PROVIDER_PAYPAL) {
+            $paypalId = $session->paypal_capture_id
+                ?? $session->paypal_order_id
+                ?? Arr::get($payload, 'id');
+
+            return is_string($paypalId) && $paypalId !== '' ? $paypalId : null;
+        }
+
+        $lemonsqueezyId = Arr::get($payload, 'id') ?? $session->lemonsqueezy_order_id;
+
+        return is_string($lemonsqueezyId) && $lemonsqueezyId !== '' ? $lemonsqueezyId : null;
+    }
+
    /**
     * @param  array{ip_address?: string|null, device_id?: string|null, user_agent?: string|null}  $context
     * @return array<string, mixed>|null
--- a/app/Services/Coupons/CouponService.php
+++ b/app/Services/Coupons/CouponService.php
@@ -4,6 +4,7 @@ namespace App\Services\Coupons;

 use App\Enums\CouponStatus;
 use App\Enums\CouponType;
+use App\Models\CheckoutSession;
 use App\Models\Coupon;
 use App\Models\CouponRedemption;
 use App\Models\Package;
@@ -18,11 +19,11 @@ class CouponService
    /**
     * @return array{coupon: Coupon, pricing: array<string, mixed>, source: string}
     */
-    public function preview(string $code, Package $package, ?Tenant $tenant = null): array
+    public function preview(string $code, Package $package, ?Tenant $tenant = null, ?string $provider = null): array
    {
        $coupon = $this->findCouponForCode($code);

-        $this->ensureCouponCanBeApplied($coupon, $package, $tenant);
+        $this->ensureCouponCanBeApplied($coupon, $package, $tenant, $this->resolveProvider($provider));

        $pricing = $this->buildPricingBreakdown($coupon, $package, $tenant);

@@ -33,9 +34,9 @@ class CouponService
        ];
    }

-    public function ensureCouponCanBeApplied(Coupon $coupon, Package $package, ?Tenant $tenant = null): void
+    public function ensureCouponCanBeApplied(Coupon $coupon, Package $package, ?Tenant $tenant = null, ?string $provider = null): void
    {
-        if (! $coupon->lemonsqueezy_discount_id) {
+        if ($provider !== CheckoutSession::PROVIDER_PAYPAL && ! $coupon->lemonsqueezy_discount_id) {
            throw ValidationException::withMessages([
                'code' => __('marketing.coupon.errors.not_synced'),
            ]);
@@ -75,6 +76,17 @@ class CouponService
        }
    }

+    protected function resolveProvider(?string $provider): ?string
+    {
+        if ($provider && $provider !== '') {
+            return $provider;
+        }
+
+        $default = config('checkout.default_provider');
+
+        return is_string($default) && $default !== '' ? $default : null;
+    }
+
    protected function findCouponForCode(string $code): Coupon
    {
        $normalized = Str::upper(trim($code));
--- a/app/Services/PayPal/PayPalWebhookService.php
+++ b/app/Services/PayPal/PayPalWebhookService.php
@@ -0,0 +1,248 @@
+<?php
+
+namespace App\Services\PayPal;
+
+use App\Models\CheckoutSession;
+use App\Services\Checkout\CheckoutAssignmentService;
+use App\Services\Checkout\CheckoutSessionService;
+use App\Services\Coupons\CouponRedemptionService;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\Log;
+
+class PayPalWebhookService
+{
+    public function __construct(
+        private readonly CheckoutSessionService $sessions,
+        private readonly CheckoutAssignmentService $assignment,
+        private readonly CouponRedemptionService $couponRedemptions,
+    ) {}
+
+    /**
+     * @param  array<string, mixed>  $event
+     */
+    public function handle(array $event): bool
+    {
+        $eventType = $event['event_type'] ?? null;
+        $resource = $event['resource'] ?? null;
+
+        if (! is_string($eventType) || ! is_array($resource)) {
+            return false;
+        }
+
+        $orderId = $this->resolveOrderId($eventType, $resource);
+        $session = $this->locateSession($orderId, $resource);
+
+        if (! $session) {
+            Log::info('[PayPalWebhook] session not resolved', [
+                'event_type' => $eventType,
+                'order_id' => $orderId,
+            ]);
+
+            return false;
+        }
+
+        $lockKey = 'checkout:webhook:paypal:'.($orderId ?: $session->id);
+        $lock = Cache::lock($lockKey, 30);
+
+        if (! $lock->get()) {
+            Log::info('[PayPalWebhook] lock busy', [
+                'order_id' => $orderId,
+                'session_id' => $session->id,
+            ]);
+
+            return true;
+        }
+
+        try {
+            if ($orderId && $session->paypal_order_id !== $orderId) {
+                $session->forceFill([
+                    'paypal_order_id' => $orderId,
+                    'provider' => CheckoutSession::PROVIDER_PAYPAL,
+                ])->save();
+            } elseif ($session->provider !== CheckoutSession::PROVIDER_PAYPAL) {
+                $session->forceFill(['provider' => CheckoutSession::PROVIDER_PAYPAL])->save();
+            }
+
+            $this->mergeProviderMetadata($session, [
+                'paypal_last_event' => $eventType,
+                'paypal_status' => $this->resolveStatus($resource),
+                'paypal_last_update_at' => now()->toIso8601String(),
+            ]);
+
+            return $this->applyEvent($session, $eventType, $resource, $event);
+        } finally {
+            $lock->release();
+        }
+    }
+
+    /**
+     * @param  array<string, mixed>  $resource
+     * @param  array<string, mixed>  $event
+     */
+    protected function applyEvent(CheckoutSession $session, string $eventType, array $resource, array $event): bool
+    {
+        $normalized = strtoupper($eventType);
+
+        if (in_array($normalized, ['PAYMENT.CAPTURE.COMPLETED', 'CHECKOUT.ORDER.COMPLETED'], true)) {
+            $captureId = $this->resolveCaptureId($resource, $normalized);
+            $totals = $this->resolveTotals($resource);
+            $status = strtoupper((string) ($resource['status'] ?? 'COMPLETED'));
+
+            $session->forceFill([
+                'paypal_capture_id' => $captureId ?: $session->paypal_capture_id,
+                'provider_metadata' => array_merge($session->provider_metadata ?? [], array_filter([
+                    'paypal_capture_id' => $captureId,
+                    'paypal_status' => $status,
+                    'paypal_totals' => $totals !== [] ? $totals : null,
+                    'paypal_captured_at' => now()->toIso8601String(),
+                ])),
+            ])->save();
+
+            if ($session->status !== CheckoutSession::STATUS_COMPLETED) {
+                $this->sessions->markProcessing($session, [
+                    'paypal_status' => $status,
+                    'paypal_capture_id' => $captureId,
+                ]);
+
+                $this->assignment->finalise($session, [
+                    'source' => 'paypal_webhook',
+                    'provider' => CheckoutSession::PROVIDER_PAYPAL,
+                    'provider_reference' => $captureId ?: $session->paypal_order_id,
+                    'payload' => $resource,
+                ]);
+
+                $this->sessions->markCompleted($session, now());
+                $this->couponRedemptions->recordSuccess($session, $resource);
+            }
+
+            return true;
+        }
+
+        if ($normalized === 'CHECKOUT.ORDER.APPROVED') {
+            if ($session->status !== CheckoutSession::STATUS_COMPLETED) {
+                $this->sessions->markRequiresCustomerAction($session, 'paypal_approved');
+            }
+
+            return true;
+        }
+
+        if ($normalized === 'PAYMENT.CAPTURE.PENDING') {
+            if ($session->status !== CheckoutSession::STATUS_COMPLETED) {
+                $this->sessions->markRequiresCustomerAction($session, 'paypal_pending');
+            }
+
+            return true;
+        }
+
+        if (in_array($normalized, ['PAYMENT.CAPTURE.DENIED', 'PAYMENT.CAPTURE.REFUNDED', 'CHECKOUT.ORDER.VOIDED'], true)) {
+            $reason = match ($normalized) {
+                'PAYMENT.CAPTURE.DENIED' => 'paypal_capture_denied',
+                'PAYMENT.CAPTURE.REFUNDED' => 'paypal_refunded',
+                'CHECKOUT.ORDER.VOIDED' => 'paypal_voided',
+                default => 'paypal_failed',
+            };
+
+            $this->sessions->markFailed($session, $reason);
+            $this->couponRedemptions->recordFailure($session, $reason);
+
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * @param  array<string, mixed>  $resource
+     */
+    protected function resolveOrderId(string $eventType, array $resource): ?string
+    {
+        if (str_starts_with(strtoupper($eventType), 'PAYMENT.CAPTURE.')) {
+            $relatedOrderId = Arr::get($resource, 'supplementary_data.related_ids.order_id');
+
+            return is_string($relatedOrderId) && $relatedOrderId !== '' ? $relatedOrderId : null;
+        }
+
+        $orderId = $resource['id'] ?? null;
+
+        return is_string($orderId) && $orderId !== '' ? $orderId : null;
+    }
+
+    /**
+     * @param  array<string, mixed>  $resource
+     */
+    protected function locateSession(?string $orderId, array $resource): ?CheckoutSession
+    {
+        if ($orderId) {
+            return CheckoutSession::query()
+                ->where('paypal_order_id', $orderId)
+                ->first();
+        }
+
+        $customId = Arr::get($resource, 'purchase_units.0.custom_id');
+
+        if (is_string($customId) && $customId !== '') {
+            return CheckoutSession::query()->find($customId);
+        }
+
+        return null;
+    }
+
+    /**
+     * @param  array<string, mixed>  $resource
+     */
+    protected function resolveCaptureId(array $resource, string $eventType): ?string
+    {
+        if (str_starts_with($eventType, 'PAYMENT.CAPTURE.')) {
+            $captureId = $resource['id'] ?? null;
+
+            return is_string($captureId) && $captureId !== '' ? $captureId : null;
+        }
+
+        $captureId = Arr::get($resource, 'purchase_units.0.payments.captures.0.id');
+
+        return is_string($captureId) && $captureId !== '' ? $captureId : null;
+    }
+
+    /**
+     * @param  array<string, mixed>  $resource
+     * @return array{currency?: string, total?: float}
+     */
+    protected function resolveTotals(array $resource): array
+    {
+        $amount = Arr::get($resource, 'amount')
+            ?? Arr::get($resource, 'purchase_units.0.payments.captures.0.amount')
+            ?? Arr::get($resource, 'purchase_units.0.amount');
+
+        if (! is_array($amount)) {
+            return [];
+        }
+
+        $currency = Arr::get($amount, 'currency_code');
+        $total = Arr::get($amount, 'value');
+
+        return array_filter([
+            'currency' => is_string($currency) ? strtoupper($currency) : null,
+            'total' => is_numeric($total) ? (float) $total : null,
+        ], static fn ($value) => $value !== null);
+    }
+
+    /**
+     * @param  array<string, mixed>  $resource
+     */
+    protected function resolveStatus(array $resource): ?string
+    {
+        $status = $resource['status'] ?? null;
+
+        return is_string($status) && $status !== '' ? strtoupper($status) : null;
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     */
+    protected function mergeProviderMetadata(CheckoutSession $session, array $data): void
+    {
+        $session->provider_metadata = array_merge($session->provider_metadata ?? [], $data);
+        $session->save();
+    }
+}
--- a/app/Services/PayPal/PayPalWebhookVerifier.php
+++ b/app/Services/PayPal/PayPalWebhookVerifier.php
@@ -0,0 +1,62 @@
+<?php
+
+namespace App\Services\PayPal;
+
+use App\Services\PayPal\Exceptions\PayPalException;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Log;
+
+class PayPalWebhookVerifier
+{
+    public function __construct(private readonly PayPalClient $client) {}
+
+    /**
+     * @param  array<string, mixed>  $payload
+     */
+    public function verify(Request $request, array $payload): bool
+    {
+        $webhookId = config('services.paypal.webhook_id');
+
+        if (! is_string($webhookId) || $webhookId === '') {
+            if (app()->environment('production')) {
+                Log::warning('PayPal webhook verification skipped: webhook id missing.');
+            }
+
+            return true;
+        }
+
+        $signature = (string) $request->headers->get('PAYPAL-TRANSMISSION-SIG', '');
+
+        if ($signature === '') {
+            Log::warning('PayPal webhook missing signature header.', [
+                'header' => 'PAYPAL-TRANSMISSION-SIG',
+            ]);
+
+            return false;
+        }
+
+        $payload = array_filter([
+            'auth_algo' => $request->headers->get('PAYPAL-AUTH-ALGO'),
+            'cert_url' => $request->headers->get('PAYPAL-CERT-URL'),
+            'transmission_id' => $request->headers->get('PAYPAL-TRANSMISSION-ID'),
+            'transmission_sig' => $signature,
+            'transmission_time' => $request->headers->get('PAYPAL-TRANSMISSION-TIME'),
+            'webhook_id' => $webhookId,
+            'webhook_event' => $payload,
+        ], static fn ($value) => $value !== null && $value !== '');
+
+        try {
+            $response = $this->client->post('/v1/notifications/verify-webhook-signature', $payload);
+        } catch (PayPalException $exception) {
+            Log::warning('PayPal webhook verification failed', [
+                'message' => $exception->getMessage(),
+                'status' => $exception->status(),
+                'context' => $exception->context(),
+            ]);
+
+            return false;
+        }
+
+        return strtoupper((string) ($response['verification_status'] ?? '')) === 'SUCCESS';
+    }
+}