Add PayPal checkout provider

2026-02-04 12:18:14 +01:00
parent 56a39d0535
commit fc5dfb272c
33 changed files with 1586 additions and 571 deletions
--- a/app/Http/Controllers/Api/PackageController.php
+++ b/app/Http/Controllers/Api/PackageController.php
@@ -9,16 +9,18 @@ use App\Models\Package;
 use App\Models\PackagePurchase;
 use App\Models\TenantPackage;
 use App\Services\Checkout\CheckoutSessionService;
-use App\Services\LemonSqueezy\LemonSqueezyCheckoutService;
+use App\Services\PayPal\Exceptions\PayPalException;
+use App\Services\PayPal\PayPalOrderService;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Log;
 use Illuminate\Validation\ValidationException;

 class PackageController extends Controller
 {
    public function __construct(
-        private readonly LemonSqueezyCheckoutService $lemonsqueezyCheckout,
+        private readonly PayPalOrderService $paypalOrders,
        private readonly CheckoutSessionService $sessions,
    ) {}

@@ -53,7 +55,7 @@ class PackageController extends Controller
        $request->validate([
            'package_id' => 'required|exists:packages,id',
            'type' => 'required|in:endcustomer,reseller',
-            'payment_method' => 'required|in:lemonsqueezy',
+            'payment_method' => 'required|in:paypal',
            'event_id' => 'nullable|exists:events,id', // For endcustomer
            'success_url' => 'nullable|url',
            'return_url' => 'nullable|url',
@@ -79,7 +81,7 @@ class PackageController extends Controller
    {
        $request->validate([
            'package_id' => 'required|exists:packages,id',
-            'lemonsqueezy_order_id' => 'required|string',
+            'paypal_order_id' => 'required|string',
        ]);

        $package = Package::findOrFail($request->package_id);
@@ -89,14 +91,14 @@ class PackageController extends Controller
            throw ValidationException::withMessages(['tenant' => 'Tenant not found.']);
        }

-        $provider = 'lemonsqueezy';
+        $provider = 'paypal';

        DB::transaction(function () use ($request, $package, $tenant, $provider) {
            PackagePurchase::create([
                'tenant_id' => $tenant->id,
                'package_id' => $package->id,
                'provider' => $provider,
-                'provider_id' => $request->input('lemonsqueezy_order_id'),
+                'provider_id' => $request->input('paypal_order_id'),
                'price' => $package->price,
                'type' => 'endcustomer_event',
                'purchased_at' => now(),
@@ -161,12 +163,14 @@ class PackageController extends Controller
        ], 201);
    }

-    public function createLemonSqueezyCheckout(Request $request): JsonResponse
+    public function createPayPalCheckout(Request $request): JsonResponse
    {
        $request->validate([
            'package_id' => 'required|exists:packages,id',
            'success_url' => 'nullable|url',
            'return_url' => 'nullable|url',
+            'cancel_url' => 'nullable|url',
+            'locale' => 'nullable|string|max:10',
        ]);

        $package = Package::findOrFail($request->integer('package_id'));
@@ -181,15 +185,11 @@ class PackageController extends Controller
            throw ValidationException::withMessages(['user' => 'User context missing.']);
        }

-        if (! $package->lemonsqueezy_variant_id) {
-            throw ValidationException::withMessages(['package_id' => 'Package is not linked to a Lemon Squeezy variant.']);
-        }
-
        $session = $this->sessions->createOrResume($user, $package, [
            'tenant' => $tenant,
        ]);

-        $this->sessions->selectProvider($session, CheckoutSession::PROVIDER_LEMONSQUEEZY);
+        $this->sessions->selectProvider($session, CheckoutSession::PROVIDER_PAYPAL);

        $now = now();

@@ -201,30 +201,56 @@ class PackageController extends Controller
            'legal_version' => config('app.legal_version', $now->toDateString()),
        ])->save();

-        $payload = [
-            'success_url' => $request->input('success_url'),
-            'return_url' => $request->input('return_url'),
-            'metadata' => [
-                'checkout_session_id' => $session->id,
-                'legal_version' => $session->legal_version,
-                'accepted_terms' => true,
-            ],
-        ];
+        $successUrl = $request->input('success_url') ?? $request->input('return_url');
+        $cancelUrl = $request->input('cancel_url') ?? $request->input('return_url');
+        $paypalReturnUrl = route('paypal.return', absolute: true);

-        $checkout = $this->lemonsqueezyCheckout->createCheckout($tenant, $package, $payload);
+        try {
+            $order = $this->paypalOrders->createOrder($session, $package, [
+                'return_url' => $paypalReturnUrl,
+                'cancel_url' => $paypalReturnUrl,
+                'locale' => $request->input('locale'),
+                'request_id' => $session->id,
+            ]);
+        } catch (PayPalException $exception) {
+            Log::warning('PayPal order creation failed (tenant)', [
+                'tenant_id' => $tenant->id,
+                'package_id' => $package->id,
+                'session_id' => $session->id,
+                'message' => $exception->getMessage(),
+                'status' => $exception->status(),
+            ]);
+
+            throw ValidationException::withMessages(['paypal' => 'PayPal checkout could not be created.']);
+        }
+
+        $orderId = $order['id'] ?? null;
+        if (! is_string($orderId) || $orderId === '') {
+            throw ValidationException::withMessages(['paypal' => 'PayPal order ID missing.']);
+        }
+
+        $approveUrl = $this->paypalOrders->resolveApproveUrl($order);

        $session->forceFill([
-            'lemonsqueezy_checkout_id' => $checkout['id'] ?? $session->lemonsqueezy_checkout_id,
+            'paypal_order_id' => $orderId,
            'provider_metadata' => array_merge($session->provider_metadata ?? [], array_filter([
-                'lemonsqueezy_checkout_id' => $checkout['id'] ?? null,
-                'lemonsqueezy_checkout_url' => $checkout['checkout_url'] ?? null,
-                'lemonsqueezy_expires_at' => $checkout['expires_at'] ?? null,
+                'paypal_order_id' => $orderId,
+                'paypal_status' => $order['status'] ?? null,
+                'paypal_approve_url' => $approveUrl,
+                'paypal_success_url' => $successUrl,
+                'paypal_cancel_url' => $cancelUrl,
+                'paypal_created_at' => now()->toIso8601String(),
            ])),
        ])->save();

-        return response()->json(array_merge($checkout, [
+        $this->sessions->markRequiresCustomerAction($session, 'paypal_approval');
+
+        return response()->json([
+            'order_id' => $orderId,
+            'approve_url' => $approveUrl,
+            'status' => $order['status'] ?? null,
            'checkout_session_id' => $session->id,
-        ]));
+        ]);
    }

    public function checkoutSessionStatus(CheckoutSessionStatusRequest $request, CheckoutSession $session): JsonResponse
@@ -239,7 +265,9 @@ class PackageController extends Controller
            }
        }

-        $checkoutUrl = data_get($session->provider_metadata ?? [], 'lemonsqueezy_checkout_url');
+        $checkoutUrl = $session->provider === CheckoutSession::PROVIDER_PAYPAL
+            ? data_get($session->provider_metadata ?? [], 'paypal_approve_url')
+            : data_get($session->provider_metadata ?? [], 'lemonsqueezy_checkout_url');

        return response()->json([
            'status' => $session->status,
@@ -297,19 +325,44 @@ class PackageController extends Controller

    private function handlePaidPurchase(Request $request, Package $package, $tenant): JsonResponse
    {
-        if (! $package->lemonsqueezy_variant_id) {
-            throw ValidationException::withMessages(['package_id' => 'Package is not linked to a Lemon Squeezy variant.']);
+        $successUrl = $request->input('success_url') ?? $request->input('return_url');
+        $cancelUrl = $request->input('cancel_url') ?? $request->input('return_url');
+        $paypalReturnUrl = route('paypal.return', absolute: true);
+
+        try {
+            $session = $this->sessions->createOrResume($request->user(), $package, [
+                'tenant' => $tenant,
+            ]);
+            $this->sessions->selectProvider($session, CheckoutSession::PROVIDER_PAYPAL);
+
+            $order = $this->paypalOrders->createOrder($session, $package, [
+                'return_url' => $paypalReturnUrl,
+                'cancel_url' => $paypalReturnUrl,
+                'locale' => $request->input('locale'),
+                'request_id' => $session->id,
+            ]);
+        } catch (PayPalException $exception) {
+            Log::warning('PayPal order creation failed (purchase)', [
+                'tenant_id' => $tenant->id,
+                'package_id' => $package->id,
+                'message' => $exception->getMessage(),
+                'status' => $exception->status(),
+            ]);
+
+            throw ValidationException::withMessages(['paypal' => 'PayPal checkout could not be created.']);
        }

-        $checkout = $this->lemonsqueezyCheckout->createCheckout($tenant, $package, [
-            'success_url' => $request->input('success_url'),
-            'return_url' => $request->input('return_url'),
-            'metadata' => array_filter([
-                'type' => $request->input('type'),
-                'event_id' => $request->input('event_id'),
-            ]),
-        ]);
+        $orderId = $order['id'] ?? null;
+        if (! is_string($orderId) || $orderId === '') {
+            throw ValidationException::withMessages(['paypal' => 'PayPal order ID missing.']);
+        }

-        return response()->json($checkout);
+        return response()->json([
+            'order_id' => $orderId,
+            'approve_url' => $this->paypalOrders->resolveApproveUrl($order),
+            'status' => $order['status'] ?? null,
+            'return_url' => $successUrl,
+            'cancel_url' => $cancelUrl,
+        ]);
    }
 }
--- a/app/Http/Controllers/CheckoutController.php
+++ b/app/Http/Controllers/CheckoutController.php
@@ -74,9 +74,11 @@ class CheckoutController extends Controller
                'error' => $facebookError,
                'profile' => $facebookProfile,
            ],
-            'lemonsqueezy' => [
-                'store_id' => config('lemonsqueezy.store_id'),
-                'test_mode' => config('lemonsqueezy.test_mode', false),
+            'paypal' => [
+                'client_id' => config('services.paypal.client_id'),
+                'currency' => config('checkout.currency', 'EUR'),
+                'intent' => 'capture',
+                'locale' => app()->getLocale(),
            ],
        ]);
    }
--- a/app/Http/Controllers/MarketingController.php
+++ b/app/Http/Controllers/MarketingController.php
@@ -13,7 +13,8 @@ use App\Models\TenantPackage;
 use App\Services\Checkout\CheckoutSessionService;
 use App\Services\Coupons\CouponService;
 use App\Services\GiftVouchers\GiftVoucherCheckoutService;
-use App\Services\LemonSqueezy\LemonSqueezyCheckoutService;
+use App\Services\PayPal\Exceptions\PayPalException;
+use App\Services\PayPal\PayPalOrderService;
 use App\Support\CheckoutRequestContext;
 use App\Support\CheckoutRoutes;
 use App\Support\Concerns\PresentsPackages;
@@ -41,7 +42,7 @@ class MarketingController extends Controller

    public function __construct(
        private readonly CheckoutSessionService $checkoutSessions,
-        private readonly LemonSqueezyCheckoutService $lemonsqueezyCheckout,
+        private readonly PayPalOrderService $paypalOrders,
        private readonly CouponService $coupons,
        private readonly GiftVoucherCheckoutService $giftVouchers,
    ) {}
@@ -194,16 +195,6 @@ class MarketingController extends Controller
            return redirect('/event-admin')->with('success', __('marketing.packages.free_assigned'));
        }

-        if (! $package->lemonsqueezy_variant_id) {
-            Log::warning('Package missing Lemon Squeezy variant id', ['package_id' => $package->id]);
-
-            return redirect()->route('packages', [
-                'locale' => app()->getLocale(),
-                'highlight' => $package->slug,
-            ])
-                ->with('error', __('marketing.packages.lemonsqueezy_not_configured'));
-        }
-
        $session = $this->checkoutSessions->createOrResume($user, $package, array_merge(
            CheckoutRequestContext::fromRequest($request),
            [
@@ -211,7 +202,7 @@ class MarketingController extends Controller
            ]
        ));

-        $this->checkoutSessions->selectProvider($session, CheckoutSession::PROVIDER_LEMONSQUEEZY);
+        $this->checkoutSessions->selectProvider($session, CheckoutSession::PROVIDER_PAYPAL);

        $now = now();

@@ -233,39 +224,61 @@ class MarketingController extends Controller
            }
        }

-        $checkout = $this->lemonsqueezyCheckout->createCheckout($tenant, $package, [
-            'success_url' => route('marketing.success', [
-                'locale' => app()->getLocale(),
-                'packageId' => $package->id,
-            ]),
-            'return_url' => route('packages', [
-                'locale' => app()->getLocale(),
-                'highlight' => $package->slug,
-            ]),
-            'metadata' => [
-                'checkout_session_id' => $session->id,
-                'coupon_code' => $couponCode,
-                'legal_version' => $session->legal_version,
-                'accepted_terms' => (bool) $session->accepted_terms_at,
-                'accepted_waiver' => $requiresWaiver && (bool) $session->digital_content_waiver_at,
-            ],
-            'discount_code' => $couponCode,
+        $successUrl = route('marketing.success', [
+            'locale' => app()->getLocale(),
+            'packageId' => $package->id,
+        ]);
+        $cancelUrl = route('packages', [
+            'locale' => app()->getLocale(),
+            'highlight' => $package->slug,
        ]);

+        try {
+            $checkout = $this->paypalOrders->createOrder($session, $package, [
+                'return_url' => route('paypal.return', absolute: true),
+                'cancel_url' => route('paypal.return', absolute: true),
+                'locale' => app()->getLocale(),
+                'request_id' => $session->id,
+            ]);
+        } catch (PayPalException $exception) {
+            Log::warning('PayPal checkout failed', [
+                'package_id' => $package->id,
+                'tenant_id' => $tenant->id,
+                'message' => $exception->getMessage(),
+                'status' => $exception->status(),
+            ]);
+
+            throw ValidationException::withMessages([
+                'paypal' => __('marketing.packages.paypal_checkout_failed'),
+            ]);
+        }
+
+        $orderId = $checkout['id'] ?? null;
+        if (! is_string($orderId) || $orderId === '') {
+            throw ValidationException::withMessages([
+                'paypal' => __('marketing.packages.paypal_checkout_failed'),
+            ]);
+        }
+
+        $redirectUrl = $this->paypalOrders->resolveApproveUrl($checkout);
+
        $session->forceFill([
-            'lemonsqueezy_checkout_id' => $checkout['id'] ?? $session->lemonsqueezy_checkout_id,
+            'paypal_order_id' => $orderId,
            'provider_metadata' => array_merge($session->provider_metadata ?? [], array_filter([
-                'lemonsqueezy_checkout_id' => $checkout['id'] ?? null,
-                'lemonsqueezy_checkout_url' => $checkout['checkout_url'] ?? null,
-                'lemonsqueezy_expires_at' => $checkout['expires_at'] ?? null,
+                'paypal_order_id' => $orderId,
+                'paypal_status' => $checkout['status'] ?? null,
+                'paypal_approve_url' => $redirectUrl,
+                'paypal_success_url' => $successUrl,
+                'paypal_cancel_url' => $cancelUrl,
+                'paypal_created_at' => now()->toIso8601String(),
            ])),
        ])->save();

-        $redirectUrl = $checkout['checkout_url'] ?? null;
+        $this->checkoutSessions->markRequiresCustomerAction($session, 'paypal_approval');

        if (! $redirectUrl) {
            throw ValidationException::withMessages([
-                'lemonsqueezy' => __('marketing.packages.lemonsqueezy_checkout_failed'),
+                'paypal' => __('marketing.packages.paypal_checkout_failed'),
            ]);
        }

--- a/app/Http/Controllers/PayPalCheckoutController.php
+++ b/app/Http/Controllers/PayPalCheckoutController.php
@@ -0,0 +1,223 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use App\Http\Requests\PayPal\PayPalCaptureRequest;
+use App\Http\Requests\PayPal\PayPalCheckoutRequest;
+use App\Models\CheckoutSession;
+use App\Models\Package;
+use App\Services\Checkout\CheckoutAssignmentService;
+use App\Services\Checkout\CheckoutSessionService;
+use App\Services\Coupons\CouponService;
+use App\Services\PayPal\Exceptions\PayPalException;
+use App\Services\PayPal\PayPalOrderService;
+use App\Support\CheckoutRequestContext;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Str;
+use Illuminate\Validation\ValidationException;
+
+class PayPalCheckoutController extends Controller
+{
+    public function __construct(
+        private readonly PayPalOrderService $orders,
+        private readonly CheckoutSessionService $sessions,
+        private readonly CheckoutAssignmentService $assignment,
+        private readonly CouponService $coupons,
+    ) {}
+
+    public function create(PayPalCheckoutRequest $request): JsonResponse
+    {
+        $data = $request->validated();
+
+        $user = $request->user();
+        $tenant = $user?->tenant;
+
+        if (! $tenant) {
+            throw ValidationException::withMessages(['tenant' => 'Tenant context missing.']);
+        }
+
+        $package = Package::findOrFail((int) $data['package_id']);
+
+        $session = $this->sessions->createOrResume($user, $package, array_merge(
+            CheckoutRequestContext::fromRequest($request),
+            [
+                'tenant' => $tenant,
+                'locale' => $data['locale'] ?? null,
+            ]
+        ));
+
+        $this->sessions->selectProvider($session, CheckoutSession::PROVIDER_PAYPAL);
+
+        $now = now();
+        $session->forceFill([
+            'accepted_terms_at' => $now,
+            'accepted_privacy_at' => $now,
+            'accepted_withdrawal_notice_at' => $now,
+            'digital_content_waiver_at' => null,
+            'legal_version' => $this->resolveLegalVersion(),
+        ])->save();
+
+        $couponCode = Str::upper(trim((string) ($data['coupon_code'] ?? '')));
+
+        if ($couponCode !== '') {
+            $preview = $this->coupons->preview($couponCode, $package, $tenant);
+            $this->sessions->applyCoupon($session, $preview['coupon'], $preview['pricing']);
+        }
+
+        $successUrl = $data['return_url'] ?? null;
+        $cancelUrl = $data['cancel_url'] ?? $successUrl;
+        $paypalReturnUrl = route('paypal.return', absolute: true);
+
+        try {
+            $order = $this->orders->createOrder($session, $package, [
+                'return_url' => $paypalReturnUrl,
+                'cancel_url' => $paypalReturnUrl,
+                'locale' => $data['locale'] ?? $session->locale,
+                'request_id' => $session->id,
+            ]);
+        } catch (PayPalException $exception) {
+            Log::warning('PayPal order creation failed', [
+                'session_id' => $session->id,
+                'message' => $exception->getMessage(),
+                'status' => $exception->status(),
+                'context' => $exception->context(),
+            ]);
+
+            throw ValidationException::withMessages([
+                'paypal' => __('marketing.packages.paypal_checkout_failed', [], app()->getLocale())
+                    ?: 'Unable to create PayPal checkout.',
+            ]);
+        }
+
+        $orderId = $order['id'] ?? null;
+        if (! is_string($orderId) || $orderId === '') {
+            throw ValidationException::withMessages([
+                'paypal' => 'PayPal order ID missing.',
+            ]);
+        }
+
+        $approveUrl = $this->orders->resolveApproveUrl($order);
+
+        $session->forceFill([
+            'paypal_order_id' => $orderId,
+            'provider_metadata' => array_merge($session->provider_metadata ?? [], array_filter([
+                'paypal_order_id' => $orderId,
+                'paypal_status' => $order['status'] ?? null,
+                'paypal_approve_url' => $approveUrl,
+                'paypal_success_url' => $successUrl,
+                'paypal_cancel_url' => $cancelUrl,
+                'paypal_created_at' => now()->toIso8601String(),
+            ])),
+        ])->save();
+
+        $this->sessions->markRequiresCustomerAction($session, 'paypal_approval');
+
+        return response()->json([
+            'order_id' => $orderId,
+            'approve_url' => $approveUrl,
+            'status' => $order['status'] ?? null,
+            'checkout_session_id' => $session->id,
+        ]);
+    }
+
+    public function capture(PayPalCaptureRequest $request): JsonResponse
+    {
+        $data = $request->validated();
+
+        $session = CheckoutSession::findOrFail($data['checkout_session_id']);
+        $orderId = (string) $data['order_id'];
+
+        if ($session->status === CheckoutSession::STATUS_COMPLETED) {
+            return response()->json([
+                'status' => $session->status,
+                'completed_at' => optional($session->completed_at)->toIso8601String(),
+                'checkout_session_id' => $session->id,
+            ]);
+        }
+
+        if ($session->provider !== CheckoutSession::PROVIDER_PAYPAL) {
+            $this->sessions->selectProvider($session, CheckoutSession::PROVIDER_PAYPAL);
+        }
+
+        try {
+            $capture = $this->orders->captureOrder($orderId, [
+                'request_id' => $session->id,
+            ]);
+        } catch (PayPalException $exception) {
+            Log::warning('PayPal capture failed', [
+                'session_id' => $session->id,
+                'order_id' => $orderId,
+                'message' => $exception->getMessage(),
+                'status' => $exception->status(),
+                'context' => $exception->context(),
+            ]);
+
+            $this->sessions->markFailed($session, 'paypal_capture_failed');
+
+            return response()->json([
+                'status' => CheckoutSession::STATUS_FAILED,
+                'checkout_session_id' => $session->id,
+            ], 422);
+        }
+
+        $status = strtoupper((string) ($capture['status'] ?? ''));
+        $captureId = $this->orders->resolveCaptureId($capture);
+        $totals = $this->orders->resolveTotals($capture);
+
+        $session->forceFill([
+            'paypal_order_id' => $orderId,
+            'paypal_capture_id' => $captureId,
+            'provider_metadata' => array_merge($session->provider_metadata ?? [], array_filter([
+                'paypal_order_id' => $orderId,
+                'paypal_capture_id' => $captureId,
+                'paypal_status' => $status ?: null,
+                'paypal_totals' => $totals !== [] ? $totals : null,
+                'paypal_captured_at' => now()->toIso8601String(),
+            ])),
+        ])->save();
+
+        if ($status === 'COMPLETED') {
+            $this->sessions->markProcessing($session, [
+                'paypal_status' => $status,
+                'paypal_capture_id' => $captureId,
+            ]);
+
+            $this->assignment->finalise($session, [
+                'source' => 'paypal_capture',
+                'provider' => CheckoutSession::PROVIDER_PAYPAL,
+                'provider_reference' => $captureId ?? $orderId,
+                'payload' => $capture,
+            ]);
+
+            $this->sessions->markCompleted($session, now());
+
+            return response()->json([
+                'status' => CheckoutSession::STATUS_COMPLETED,
+                'completed_at' => optional($session->completed_at)->toIso8601String(),
+                'checkout_session_id' => $session->id,
+            ]);
+        }
+
+        if (in_array($status, ['PAYER_ACTION_REQUIRED', 'PENDING'], true)) {
+            $this->sessions->markRequiresCustomerAction($session, 'paypal_pending');
+
+            return response()->json([
+                'status' => CheckoutSession::STATUS_REQUIRES_CUSTOMER_ACTION,
+                'checkout_session_id' => $session->id,
+            ], 202);
+        }
+
+        $this->sessions->markFailed($session, 'paypal_'.$status);
+
+        return response()->json([
+            'status' => CheckoutSession::STATUS_FAILED,
+            'checkout_session_id' => $session->id,
+        ], 422);
+    }
+
+    protected function resolveLegalVersion(): string
+    {
+        return config('app.legal_version', now()->toDateString());
+    }
+}
--- a/app/Http/Controllers/PayPalReturnController.php
+++ b/app/Http/Controllers/PayPalReturnController.php
@@ -0,0 +1,136 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use App\Models\CheckoutSession;
+use App\Services\Checkout\CheckoutAssignmentService;
+use App\Services\Checkout\CheckoutSessionService;
+use App\Services\PayPal\Exceptions\PayPalException;
+use App\Services\PayPal\PayPalOrderService;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Str;
+
+class PayPalReturnController extends Controller
+{
+    public function __construct(
+        private readonly PayPalOrderService $orders,
+        private readonly CheckoutSessionService $sessions,
+        private readonly CheckoutAssignmentService $assignment,
+    ) {}
+
+    public function __invoke(Request $request): RedirectResponse
+    {
+        $orderId = $this->resolveOrderId($request);
+        $fallback = $this->resolveFallbackUrl();
+
+        if (! $orderId) {
+            return redirect()->to($fallback);
+        }
+
+        $session = CheckoutSession::query()
+            ->where('paypal_order_id', $orderId)
+            ->first();
+
+        if (! $session) {
+            return redirect()->to($fallback);
+        }
+
+        $successUrl = data_get($session->provider_metadata ?? [], 'paypal_success_url');
+        $cancelUrl = data_get($session->provider_metadata ?? [], 'paypal_cancel_url');
+
+        if ($session->status === CheckoutSession::STATUS_COMPLETED) {
+            return redirect()->to($this->resolveSafeRedirect($successUrl, $fallback));
+        }
+
+        try {
+            $capture = $this->orders->captureOrder($orderId, [
+                'request_id' => $session->id,
+            ]);
+        } catch (PayPalException $exception) {
+            Log::warning('PayPal return capture failed', [
+                'session_id' => $session->id,
+                'order_id' => $orderId,
+                'message' => $exception->getMessage(),
+                'status' => $exception->status(),
+            ]);
+
+            $this->sessions->markFailed($session, 'paypal_capture_failed');
+
+            return redirect()->to($this->resolveSafeRedirect($cancelUrl, $fallback));
+        }
+
+        $status = strtoupper((string) ($capture['status'] ?? ''));
+        $captureId = $this->orders->resolveCaptureId($capture);
+        $totals = $this->orders->resolveTotals($capture);
+
+        $session->forceFill([
+            'paypal_capture_id' => $captureId,
+            'provider_metadata' => array_merge($session->provider_metadata ?? [], array_filter([
+                'paypal_status' => $status ?: null,
+                'paypal_capture_id' => $captureId,
+                'paypal_totals' => $totals !== [] ? $totals : null,
+                'paypal_captured_at' => now()->toIso8601String(),
+            ])),
+        ])->save();
+
+        if ($status === 'COMPLETED') {
+            $this->sessions->markProcessing($session, [
+                'paypal_status' => $status,
+                'paypal_capture_id' => $captureId,
+            ]);
+
+            $this->assignment->finalise($session, [
+                'source' => 'paypal_return',
+                'provider' => CheckoutSession::PROVIDER_PAYPAL,
+                'provider_reference' => $captureId ?? $orderId,
+                'payload' => $capture,
+            ]);
+
+            $this->sessions->markCompleted($session, now());
+
+            return redirect()->to($this->resolveSafeRedirect($successUrl, $fallback));
+        }
+
+        $this->sessions->markFailed($session, 'paypal_'.$status);
+
+        return redirect()->to($this->resolveSafeRedirect($cancelUrl, $fallback));
+    }
+
+    protected function resolveOrderId(Request $request): ?string
+    {
+        $candidate = $request->query('token') ?? $request->query('order_id');
+
+        if (! is_string($candidate) || $candidate === '') {
+            return null;
+        }
+
+        return $candidate;
+    }
+
+    protected function resolveFallbackUrl(): string
+    {
+        return rtrim((string) config('app.url', url('/')), '/') ?: url('/');
+    }
+
+    protected function resolveSafeRedirect(?string $target, string $fallback): string
+    {
+        if (! $target) {
+            return $fallback;
+        }
+
+        if (Str::startsWith($target, ['/'])) {
+            return $target;
+        }
+
+        $appHost = parse_url($fallback, PHP_URL_HOST);
+        $targetHost = parse_url($target, PHP_URL_HOST);
+
+        if ($appHost && $targetHost && Str::lower($appHost) === Str::lower($targetHost)) {
+            return $target;
+        }
+
+        return $fallback;
+    }
+}
--- a/app/Http/Requests/PayPal/PayPalCaptureRequest.php
+++ b/app/Http/Requests/PayPal/PayPalCaptureRequest.php
@@ -0,0 +1,56 @@
+<?php
+
+namespace App\Http\Requests\PayPal;
+
+use App\Models\CheckoutSession;
+use Illuminate\Foundation\Http\FormRequest;
+
+class PayPalCaptureRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     */
+    public function authorize(): bool
+    {
+        $user = $this->user();
+
+        if (! $user) {
+            return false;
+        }
+
+        $sessionId = $this->input('checkout_session_id');
+
+        if (! is_string($sessionId) || $sessionId === '') {
+            return false;
+        }
+
+        $session = CheckoutSession::find($sessionId);
+
+        if (! $session) {
+            return false;
+        }
+
+        return (int) $session->user_id === (int) $user->id;
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            'checkout_session_id' => ['required', 'uuid', 'exists:checkout_sessions,id'],
+            'order_id' => ['required', 'string'],
+        ];
+    }
+
+    public function messages(): array
+    {
+        return [
+            'checkout_session_id.required' => 'Checkout-Session fehlt.',
+            'order_id.required' => 'Order ID fehlt.',
+        ];
+    }
+}
--- a/app/Http/Requests/PayPal/PayPalCheckoutRequest.php
+++ b/app/Http/Requests/PayPal/PayPalCheckoutRequest.php
@@ -0,0 +1,41 @@
+<?php
+
+namespace App\Http\Requests\PayPal;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+class PayPalCheckoutRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     */
+    public function authorize(): bool
+    {
+        return (bool) $this->user();
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            'package_id' => ['required', 'exists:packages,id'],
+            'return_url' => ['nullable', 'url'],
+            'cancel_url' => ['nullable', 'url'],
+            'coupon_code' => ['nullable', 'string', 'max:64'],
+            'accepted_terms' => ['required', 'boolean', 'accepted'],
+            'locale' => ['nullable', 'string', 'max:10'],
+        ];
+    }
+
+    public function messages(): array
+    {
+        return [
+            'package_id.exists' => 'Das ausgewÃ¤hlte Paket ist ungÃ¼ltig.',
+            'accepted_terms.accepted' => 'Bitte akzeptiere die Nutzungsbedingungen.',
+        ];
+    }
+}
--- a/app/Models/CheckoutSession.php
+++ b/app/Models/CheckoutSession.php
@@ -32,6 +32,8 @@ class CheckoutSession extends Model

    public const PROVIDER_LEMONSQUEEZY = 'lemonsqueezy';

+    public const PROVIDER_PAYPAL = 'paypal';
+
    public const PROVIDER_FREE = 'free';

    /**
--- a/app/Services/Checkout/CheckoutAssignmentService.php
+++ b/app/Services/Checkout/CheckoutAssignmentService.php
@@ -69,7 +69,8 @@ class CheckoutAssignmentService
                ?? ($metadata['lemonsqueezy_order_id'] ?? $metadata['lemonsqueezy_checkout_id'] ? CheckoutSession::PROVIDER_LEMONSQUEEZY : null)
                ?? CheckoutSession::PROVIDER_FREE;

-            $totals = $this->resolveLemonSqueezyTotals($session, $options['payload'] ?? []);
+            $provider = $providerName ?: $session->provider;
+            $totals = $this->resolveProviderTotals($session, $options['payload'] ?? [], $provider);
            $currency = $totals['currency'] ?? $session->currency ?? $package->currency ?? 'EUR';
            $price = array_key_exists('total', $totals) ? $totals['total'] : (float) $session->amount_total;

@@ -88,7 +89,8 @@ class CheckoutAssignmentService
                        'payload' => $options['payload'] ?? null,
                        'checkout_session_id' => $session->id,
                        'consents' => $consents ?: null,
-                        'lemonsqueezy_totals' => $totals !== [] ? $totals : null,
+                        'lemonsqueezy_totals' => $provider === CheckoutSession::PROVIDER_LEMONSQUEEZY && $totals !== [] ? $totals : null,
+                        'paypal_totals' => $provider === CheckoutSession::PROVIDER_PAYPAL && $totals !== [] ? $totals : null,
                        'currency' => $currency,
                    ], static fn ($value) => $value !== null && $value !== ''),
                ]
@@ -219,6 +221,19 @@ class CheckoutAssignmentService
        ])->save();
    }

+    /**
+     * @param  array<string, mixed>  $payload
+     * @return array{currency?: string, subtotal?: float, discount?: float, tax?: float, total?: float}
+     */
+    protected function resolveProviderTotals(CheckoutSession $session, array $payload, ?string $provider): array
+    {
+        if ($provider === CheckoutSession::PROVIDER_PAYPAL) {
+            return $this->resolvePayPalTotals($session, $payload);
+        }
+
+        return $this->resolveLemonSqueezyTotals($session, $payload);
+    }
+
    /**
     * @param  array<string, mixed>  $payload
     * @return array{currency?: string, subtotal?: float, discount?: float, tax?: float, total?: float}
@@ -252,6 +267,34 @@ class CheckoutAssignmentService
        ], static fn ($value) => $value !== null);
    }

+    /**
+     * @param  array<string, mixed>  $payload
+     * @return array{currency?: string, total?: float}
+     */
+    protected function resolvePayPalTotals(CheckoutSession $session, array $payload): array
+    {
+        $metadataTotals = $session->provider_metadata['paypal_totals'] ?? null;
+
+        if (is_array($metadataTotals) && $metadataTotals !== []) {
+            return $metadataTotals;
+        }
+
+        $amount = Arr::get($payload, 'purchase_units.0.payments.captures.0.amount')
+            ?? Arr::get($payload, 'purchase_units.0.amount');
+
+        if (! is_array($amount)) {
+            return [];
+        }
+
+        $currency = Arr::get($amount, 'currency_code');
+        $total = Arr::get($amount, 'value');
+
+        return array_filter([
+            'currency' => is_string($currency) ? strtoupper($currency) : null,
+            'total' => is_numeric($total) ? (float) $total : null,
+        ], static fn ($value) => $value !== null);
+    }
+
    protected function convertMinorAmount(mixed $value): ?float
    {
        if ($value === null || $value === '') {
--- a/app/Services/Checkout/CheckoutSessionService.php
+++ b/app/Services/Checkout/CheckoutSessionService.php
@@ -74,6 +74,8 @@ class CheckoutSessionService
            $session->status = CheckoutSession::STATUS_DRAFT;
            $session->lemonsqueezy_checkout_id = null;
            $session->lemonsqueezy_order_id = null;
+            $session->paypal_order_id = null;
+            $session->paypal_capture_id = null;
            $session->provider_metadata = [];
            $session->failure_reason = null;
            $session->coupon()->dissociate();
@@ -117,10 +119,20 @@ class CheckoutSessionService
    {
        $provider = strtolower($provider);

-        if (! in_array($provider, [
-            CheckoutSession::PROVIDER_LEMONSQUEEZY,
-            CheckoutSession::PROVIDER_FREE,
-        ], true)) {
+        $configuredProviders = config('checkout.providers', []);
+        if (! is_array($configuredProviders) || $configuredProviders === []) {
+            $configuredProviders = [
+                CheckoutSession::PROVIDER_LEMONSQUEEZY,
+                CheckoutSession::PROVIDER_PAYPAL,
+                CheckoutSession::PROVIDER_FREE,
+            ];
+        }
+
+        if (! in_array(CheckoutSession::PROVIDER_FREE, $configuredProviders, true)) {
+            $configuredProviders[] = CheckoutSession::PROVIDER_FREE;
+        }
+
+        if (! in_array($provider, $configuredProviders, true)) {
            throw new RuntimeException("Unsupported checkout provider [{$provider}]");
        }

--- a/app/Services/PayPal/Exceptions/PayPalException.php
+++ b/app/Services/PayPal/Exceptions/PayPalException.php
@@ -0,0 +1,23 @@
+<?php
+
+namespace App\Services\PayPal\Exceptions;
+
+use RuntimeException;
+
+class PayPalException extends RuntimeException
+{
+    public function __construct(string $message, private readonly ?int $status = null, private readonly array $context = [])
+    {
+        parent::__construct($message, $status ?? 0);
+    }
+
+    public function status(): ?int
+    {
+        return $this->status;
+    }
+
+    public function context(): array
+    {
+        return $this->context;
+    }
+}
--- a/app/Services/PayPal/PayPalClient.php
+++ b/app/Services/PayPal/PayPalClient.php
@@ -0,0 +1,145 @@
+<?php
+
+namespace App\Services\PayPal;
+
+use App\Services\PayPal\Exceptions\PayPalException;
+use Illuminate\Http\Client\Factory as HttpFactory;
+use Illuminate\Http\Client\PendingRequest;
+use Illuminate\Http\Client\RequestException;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Str;
+
+class PayPalClient
+{
+    public function __construct(
+        private readonly HttpFactory $http,
+    ) {}
+
+    public function get(string $endpoint, array $query = [], array $headers = []): array
+    {
+        return $this->send('GET', $endpoint, [
+            'query' => $query,
+            'headers' => $headers,
+        ]);
+    }
+
+    public function post(string $endpoint, array|object $payload = [], array $headers = []): array
+    {
+        return $this->send('POST', $endpoint, [
+            'json' => $payload,
+            'headers' => $headers,
+        ]);
+    }
+
+    protected function send(string $method, string $endpoint, array $options = []): array
+    {
+        $request = $this->preparedRequest();
+
+        try {
+            $response = $request->send(strtoupper($method), ltrim($endpoint, '/'), $options);
+        } catch (RequestException $exception) {
+            throw new PayPalException(
+                $exception->getMessage(),
+                $exception->response?->status(),
+                $exception->response?->json() ?? []
+            );
+        }
+
+        if ($response->failed()) {
+            $body = $response->json() ?? [];
+            $message = Arr::get($body, 'message')
+                ?? Arr::get($body, 'details.0.description')
+                ?? sprintf('PayPal request failed with status %s', $response->status());
+
+            throw new PayPalException($message, $response->status(), $body);
+        }
+
+        return $response->json() ?? [];
+    }
+
+    protected function preparedRequest(): PendingRequest
+    {
+        $baseUrl = $this->baseUrl();
+        $token = $this->accessToken();
+
+        return $this->http
+            ->baseUrl($baseUrl)
+            ->withHeaders([
+                'Accept' => 'application/json',
+                'Content-Type' => 'application/json',
+                'User-Agent' => sprintf('FotospielApp/%s PayPalClient', app()->version()),
+            ])
+            ->withToken($token)
+            ->acceptJson()
+            ->asJson();
+    }
+
+    protected function accessToken(): string
+    {
+        $cacheKey = 'paypal:access_token';
+        $cached = Cache::get($cacheKey);
+
+        if (is_string($cached) && $cached !== '') {
+            return $cached;
+        }
+
+        $tokenResponse = $this->requestAccessToken();
+        $accessToken = Arr::get($tokenResponse, 'access_token');
+
+        if (! is_string($accessToken) || $accessToken === '') {
+            throw new PayPalException('PayPal access token missing from response.', null, $tokenResponse);
+        }
+
+        $expiresIn = (int) Arr::get($tokenResponse, 'expires_in', 0);
+        if ($expiresIn > 60) {
+            Cache::put($cacheKey, $accessToken, now()->addSeconds($expiresIn - 60));
+        }
+
+        return $accessToken;
+    }
+
+    protected function requestAccessToken(): array
+    {
+        $clientId = config('services.paypal.client_id');
+        $secret = config('services.paypal.secret');
+
+        if (! $clientId || ! $secret) {
+            throw new PayPalException('PayPal client credentials are not configured.');
+        }
+
+        $response = $this->http
+            ->baseUrl($this->baseUrl())
+            ->withBasicAuth($clientId, $secret)
+            ->asForm()
+            ->acceptJson()
+            ->post('/v1/oauth2/token', [
+                'grant_type' => 'client_credentials',
+            ]);
+
+        if ($response->failed()) {
+            $body = $response->json() ?? [];
+            $message = Arr::get($body, 'error_description')
+                ?? Arr::get($body, 'message')
+                ?? sprintf('PayPal OAuth failed with status %s', $response->status());
+
+            throw new PayPalException($message, $response->status(), $body);
+        }
+
+        return $response->json() ?? [];
+    }
+
+    protected function baseUrl(): string
+    {
+        $sandbox = (bool) config('services.paypal.sandbox', true);
+        $baseUrl = $sandbox ? 'https://api-m.sandbox.paypal.com' : 'https://api-m.paypal.com';
+
+        $baseUrl = trim($baseUrl);
+
+        if (! Str::startsWith($baseUrl, ['http://', 'https://'])) {
+            $baseUrl = 'https://'.ltrim($baseUrl, '/');
+        }
+
+        return rtrim($baseUrl, '/');
+    }
+}
--- a/app/Services/PayPal/PayPalOrderService.php
+++ b/app/Services/PayPal/PayPalOrderService.php
@@ -0,0 +1,161 @@
+<?php
+
+namespace App\Services\PayPal;
+
+use App\Models\CheckoutSession;
+use App\Models\Package;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Str;
+
+class PayPalOrderService
+{
+    public function __construct(private readonly PayPalClient $client) {}
+
+    /**
+     * @param  array{return_url?: string|null, cancel_url?: string|null, locale?: string|null, request_id?: string|null}  $options
+     * @return array<string, mixed>
+     */
+    public function createOrder(CheckoutSession $session, Package $package, array $options = []): array
+    {
+        $currency = strtoupper((string) ($session->currency ?: $package->currency ?: 'EUR'));
+        $total = $this->formatAmount((float) $session->amount_total);
+        $subtotal = $this->formatAmount((float) $session->amount_subtotal);
+        $discount = $this->formatAmount((float) $session->amount_discount);
+
+        $amount = [
+            'currency_code' => $currency,
+            'value' => $total,
+        ];
+
+        if ($subtotal !== null && $discount !== null) {
+            $amount['breakdown'] = [
+                'item_total' => [
+                    'currency_code' => $currency,
+                    'value' => $subtotal,
+                ],
+                'discount' => [
+                    'currency_code' => $currency,
+                    'value' => $discount,
+                ],
+            ];
+        }
+
+        $purchaseUnit = [
+            'reference_id' => 'package-'.$package->id,
+            'description' => Str::limit($package->name ?? 'Package', 127, ''),
+            'custom_id' => $session->id,
+            'amount' => $amount,
+        ];
+
+        $applicationContext = array_filter([
+            'brand_name' => config('app.name', 'Fotospiel'),
+            'landing_page' => 'NO_PREFERENCE',
+            'user_action' => 'PAY_NOW',
+            'shipping_preference' => 'NO_SHIPPING',
+            'locale' => $this->resolveLocale($options['locale'] ?? $session->locale),
+            'return_url' => $options['return_url'] ?? null,
+            'cancel_url' => $options['cancel_url'] ?? null,
+        ], static fn ($value) => $value !== null && $value !== '');
+
+        $payload = [
+            'intent' => 'CAPTURE',
+            'purchase_units' => [$purchaseUnit],
+            'application_context' => $applicationContext,
+        ];
+
+        $headers = [];
+        $requestId = $options['request_id'] ?? $session->id;
+        if (is_string($requestId) && $requestId !== '') {
+            $headers['PayPal-Request-Id'] = $requestId;
+        }
+
+        return $this->client->post('/v2/checkout/orders', $payload, $headers);
+    }
+
+    /**
+     * @param  array{request_id?: string|null}  $options
+     * @return array<string, mixed>
+     */
+    public function captureOrder(string $orderId, array $options = []): array
+    {
+        $headers = [];
+        $requestId = $options['request_id'] ?? null;
+        if (is_string($requestId) && $requestId !== '') {
+            $headers['PayPal-Request-Id'] = $requestId;
+        }
+
+        return $this->client->post(sprintf('/v2/checkout/orders/%s/capture', $orderId), [], $headers);
+    }
+
+    public function resolveApproveUrl(array $payload): ?string
+    {
+        $links = Arr::get($payload, 'links', []);
+        if (! is_array($links)) {
+            return null;
+        }
+
+        foreach ($links as $link) {
+            if (! is_array($link)) {
+                continue;
+            }
+
+            if (($link['rel'] ?? null) === 'approve') {
+                return is_string($link['href'] ?? null) ? $link['href'] : null;
+            }
+        }
+
+        return null;
+    }
+
+    public function resolveCaptureId(array $payload): ?string
+    {
+        $captureId = Arr::get($payload, 'purchase_units.0.payments.captures.0.id');
+
+        return is_string($captureId) && $captureId !== '' ? $captureId : null;
+    }
+
+    /**
+     * @return array{currency?: string, total?: float}
+     */
+    public function resolveTotals(array $payload): array
+    {
+        $amount = Arr::get($payload, 'purchase_units.0.payments.captures.0.amount')
+            ?? Arr::get($payload, 'purchase_units.0.amount');
+
+        if (! is_array($amount)) {
+            return [];
+        }
+
+        $currency = Arr::get($amount, 'currency_code');
+        $total = Arr::get($amount, 'value');
+
+        return array_filter([
+            'currency' => is_string($currency) ? strtoupper($currency) : null,
+            'total' => is_numeric($total) ? (float) $total : null,
+        ], static fn ($value) => $value !== null);
+    }
+
+    protected function resolveLocale(?string $locale): ?string
+    {
+        if (! $locale) {
+            return null;
+        }
+
+        $normalized = str_replace('_', '-', $locale);
+
+        return match (strtolower($normalized)) {
+            'de', 'de-de', 'de-at', 'de-ch' => 'de-DE',
+            'en', 'en-gb' => 'en-GB',
+            default => 'en-US',
+        };
+    }
+
+    protected function formatAmount(float $amount): ?string
+    {
+        if (! is_finite($amount)) {
+            return null;
+        }
+
+        return number_format($amount, 2, '.', '');
+    }
+}