Class: Www::PaymentsController

Inherits:

ApplicationController

• Object
• ActionController::Base
• ApplicationController
• Www::PaymentsController

Includes:

StripeCustomerManagement

Defined in:

app/controllers/www/payments_controller.rb

Constant Summary

Constants included from Controllers::AnalyticsEvents

Controllers::AnalyticsEvents::MAX_QUEUED_EVENTS, Controllers::AnalyticsEvents::SESSION_KEY

Constants included from Controllers::ErrorRendering

Controllers::ErrorRendering::NON_CONTENT_PATH_PREFIXES

Constants included from SeoHelper

SeoHelper::AWARDS, SeoHelper::CA_ADDRESS, SeoHelper::CA_BUSINESS_HOURS, SeoHelper::CA_CONTACT_POINT, SeoHelper::CA_CURRENCIES, SeoHelper::CA_DESCRIPTION, SeoHelper::CA_FOUNDING_DATE, SeoHelper::CA_GLOBAL_LOCATION_NUMBER, SeoHelper::CA_LEGAL_NAME, SeoHelper::CA_LOCAL_BUSINESS, SeoHelper::CA_ONLINE_STORE, SeoHelper::CA_RETURN_POLICY, SeoHelper::CA_SALES_DEPARTMENT, SeoHelper::CA_SERVICE_AREA, SeoHelper::CA_URL, SeoHelper::CA_VAT_ID, SeoHelper::CA_WAREHOUSE_DEPARTMENT, SeoHelper::CA_WAREHOUSE_HOURS, SeoHelper::COMPANY_EMAIL, SeoHelper::COMPANY_LOGO, SeoHelper::COMPANY_NAME, SeoHelper::COMPANY_SLOGAN, SeoHelper::EXPERTISE, SeoHelper::FAX_NUMBER, SeoHelper::GS1_COMPANY_PREFIX, SeoHelper::ISO6523_CODE, SeoHelper::PAYMENT_METHODS, SeoHelper::PHONE_NUMBER, SeoHelper::PRIMARY_NAICS, SeoHelper::REFUND_TYPE, SeoHelper::RETURN_FEES, SeoHelper::RETURN_METHOD, SeoHelper::RETURN_POLICY_CATEGORY, SeoHelper::SECONDARY_NAICS, SeoHelper::SOCIAL_PROFILES, SeoHelper::US_ADDRESS, SeoHelper::US_BUSINESS_HOURS, SeoHelper::US_CONTACT_POINT, SeoHelper::US_CURRENCIES, SeoHelper::US_DESCRIPTION, SeoHelper::US_FOUNDING_DATE, SeoHelper::US_GLOBAL_LOCATION_NUMBER, SeoHelper::US_IMAGE, SeoHelper::US_LEGAL_NAME, SeoHelper::US_LOCAL_BUSINESS, SeoHelper::US_ONLINE_STORE, SeoHelper::US_RETURN_POLICY, SeoHelper::US_SALES_DEPARTMENT, SeoHelper::US_SERVICE_AREA, SeoHelper::US_TAX_ID, SeoHelper::US_URL, SeoHelper::US_WAREHOUSE_DEPARTMENT, SeoHelper::US_WAREHOUSE_HOURS

Constants included from IconHelper

IconHelper::CUSTOM_ICON_MAP, IconHelper::CUSTOM_SVG_DIR, IconHelper::DEFAULT_FAMILY

Instance Method Summary

• #authorize_paypal_order ⇒ Object
• #complete_paypal_vault ⇒ Object
• #confirmation ⇒ Object
• #create ⇒ Object
• #create_payment_intent ⇒ Object
• #create_paypal_order ⇒ Object
• #new ⇒ Object
• #receipt_confirmation ⇒ Object
• #save_paypal_vault ⇒ Object

Methods inherited from ApplicationController

#account_impersonated?, #add_to_flash, #append_token, #bypass_forgery_protection?, #chat_enabled?, #cloudflare_cleared?, #default_catalog, #default_url_options, #enable_turbo_frames, #find_publication, #fix_invalid_accept_header, #init_js_utils, #is_globals_call?, #layout_by_resource, #locale_store, #redirect_to, #require_employee_for_crm, #set_base_host, #set_real_ip, #set_report_errors_for, #should_render_layout?, #stamp_impersonation_context, #warmlyyours_canada_ip?, #warmlyyours_ip?, #y

Methods included from Controllers::ReturnPathHandling

#check_for_return_path, #redirect_to_return_path_or_default

Methods included from Controllers::AnalyticsEvents

#consume_queued_analytics_events, #track_event

Methods included from Controllers::DeviceDetection

#device_detector, #is_ie?

Methods included from Controllers::SubdomainDetection

#is_crm_request?, #is_www_request?, #json_request?

Methods included from Controllers::TrackingDetection

#bot_request?, #gdpr_country?, #gdpr_country_data, #prevent_bots, #set_tracking_cookie, #track_visitor?

Methods included from Controllers::AcceleratedFileSending

#send_file_accelerated, #send_upload_accelerated

Methods included from Controllers::ErrorRendering

#excp_string, #mail_to_for_error_reporting, #render_400, #render_404, #render_406, #render_410, #render_500, #render_invalid_authenticity_token, #render_ip_spoof_error, #safe_referer_or_fallback

Methods included from Controllers::TurnstileVerification

#load_turnstile_script_tag, #turnstile_lazy_widget, #turnstile_script_tag, #turnstile_widget, #validate_turnstile!

Methods included from Controllers::CloudflareCaching

edge_cached, #edge_cached_action?, #reset_cloudflare_cache, #set_cloudflare_cache, #skip_session

Methods included from Controllers::Webpackable

#preload_webpack_fonts, #webpack_css_include, #webpack_css_url, #webpack_js_include, #wpd_is_running?

Methods included from Controllers::Localizable

#cloudflare_country_locale, #determine_request_locale, #geocoder_locale, #guest_user_locale_check, #locale_optional_www_auth_path?, #param_locale, #set_locale, #set_request_locale, #skip_localization?, #warmlyyours_ip_locale

Methods included from Controllers::Authenticable

#access_denied, #authenticate_account, #authenticate_account!, #authenticate_account_from_login_token!, #authenticate_account_from_token!, #check_is_a_manager, #check_is_a_sales_manager, #check_is_an_admin, #check_is_an_employee, #check_party, #clear_mismatched_guest_user, #create_guest_user, #credentials?, #current_or_guest_user, #current_or_guest_user_id_read_only, #current_user, #devise_mapping, #fully_logged_in?, #generate_bot_id, #guest_user, #identifiable?, #init_current_user, #initialize_guest, #load_context_user, #logging_in, #resource, #resource_name, #restrict_access_for_non_employees, #scrubbed_request_path, #user_object, #warn_on_session_guest_id_leak

Methods included from ApplicationHelper

#better_number_to_currency, #check_force_logout, #check_or_cross, #check_or_times, #error_messages, #general_disclaimer_on_product_installation_and_local_codes, #gridjs_from_html_table, #gridjs_table, #is_wy_ip, #line_break, #parent_layout, #pass_or_fail, #render_error_messages_list, #render_video_card, #resolved_auth_form_turbo_frame, #return_path_or, #safe_css_color, #set_return_path_if_present, #set_section_if_present, #tab_frame_id, #to_underscore, #track_page?, #turbo_section_wrapper, #turbo_tabs_request?, #url_on_same_domain_as_request, #widget_index_daily_focus_index_path, #working_hours?, #yes_or_no, #yes_or_no_highlighted, #yes_or_no_with_check_or_cross, #youtube_video

Methods included from UppyUploaderHelper

#file_uploader, #image_uploader, #large_file_uploader_s3, #lead_sketch_uploader, #rma_image_uploader, #rma_image_uploader_s3, #uppy_uploader, #video_uploader

Methods included from ImagesHelper

#image_asset_tag, #image_asset_url

Methods included from SeoHelper

#add_page_schema, #canada?, #company_social_links, #ensure_context_json, #json_ld_script_tag, #local_business_schema, #online_store_id, #online_store_schema, #page_main_entity, #page_main_entity_json, #render_auto_collection_page_schema, #render_collection_page_schema, #render_local_business_schema, #render_online_store_schema, #render_page_schemas, #render_page_video_schemas, #render_webpage_schema, #render_webpage_schema_with_collections, #usa?

Methods included from UrlsHelper

#catalog_breadcrumb_links, #catalog_link, #catalog_link_for_product_line, #catalog_link_for_sku, #cms_link, #delocalized_path, #path_to_sales_product_sku, #path_to_sales_product_sku_for_product_line, #path_to_sales_product_sku_for_product_line_slug, #product_line_from_catalog_link, #protocol_neutral_url, #sanitize_external_url, #valid_external_url?

Methods included from IconHelper

#account_nav_icon, #fa_icon, #star_rating_html

Instance Method Details

#authorize_paypal_order ⇒ Object

# File 'app/controllers/www/payments_controller.rb', line 160

def authorize_paypal_order
  paypal_order_id = params[:paypal_order_id]

  auth_response = Payment::Apis::Paypal.authorize_order(paypal_order_id)

  unless auth_response['_http_success']
    error_issue = auth_response.dig('details', 0, 'issue')
    if error_issue == 'INSTRUMENT_DECLINED'
      render json: { error: 'INSTRUMENT_DECLINED' }, status: :unprocessable_entity
      return
    end
    render json: { error: auth_response['message'] || 'Unable to authorize PayPal order' }, status: :unprocessable_entity
    return
  end

  purchase_unit = auth_response.dig('purchase_units', 0)
  authorization = purchase_unit&.dig('payments', 'authorizations', 0)
  payer = auth_response['payer']

  unless authorization
    render json: { error: 'No authorization found in PayPal response' }, status: :unprocessable_entity
    return
  end

  seller_protection = authorization.dig('seller_protection')
  funding_source = params[:funding_source]

  vault_data = auth_response.dig('payment_source', 'paypal', 'attributes', 'vault') ||
               auth_response.dig('payment_source', 'paypal', 'attribute', 'vault')
  store_paypal_vault_on_customer(vault_data, payer) if vault_data&.dig('id').present?

  pp_params = {
    'paypal_transaction_id' => authorization['id'],
    'category' => 'PayPal',
    'amount' => @order.balance,
    'currency' => @order.currency,
    'authorization_type' => 'paypal',
    'reference' => payer&.dig('email_address') || paypal_order_id,
    'email' => payer&.dig('email_address'),
    'remote_ip_address' => request.remote_ip,
    'paypal_metadata' => {
      'payer_id' => payer&.dig('payer_id'),
      'payer_name' => [payer&.dig('name', 'given_name'), payer&.dig('name', 'surname')].compact.join(' ').presence,
      'funding_source' => funding_source,
      'seller_protection' => seller_protection&.dig('status'),
      'seller_protection_dispute_categories' => seller_protection&.dig('dispute_categories'),
      'paypal_order_id' => paypal_order_id,
      'vault_id' => vault_data&.dig('id'),
      'vault_customer_id' => vault_data&.dig('customer', 'id')
    }.compact
  }

  res = Payment::OrderProcessor.new(@order, pp_params, current_account, request, true).process
  if %w[fully_authorized partially_authorized].include?(res.result)
    if res.result == 'fully_authorized'
      @order.reload.send_online_order_confirmation
      @order.support_cases.services.first.create_initial_service_activity if @order.is_smartfit_service?
      @order.create_smartinstall_ticket if @order.is_smartinstall_service?
      @order.create_smartfix_ticket if @order.is_smartfix_service?
      @order.create_smartguide_ticket if @order.is_smartguide_service?
      InternalMailer.smart_service_requested_notification(@order&.support_cases&.services&.first).deliver_later if @order.belongs_to_smartservice_group?
      InternalMailer.online_order_notification(@order).deliver_later
    end

    render json: { redirect_url: confirmation_payments_path(order_id: @order.encrypted_id) }
  else
    render json: { error: res.error || 'Unable to process PayPal payment' }, status: :unprocessable_entity
  end
end

#complete_paypal_vault ⇒ Object

# File 'app/controllers/www/payments_controller.rb', line 103

def complete_paypal_vault
  setup_token_id = params[:approval_session_id] || params[:token_id]

  unless setup_token_id.present?
    flash[:error] = 'PayPal vault approval was missing. Please try again.'
    redirect_to confirmation_payments_path(order_id: @order.encrypted_id) and return
  end

  response = Payment::Apis::Paypal.create_vault_payment_token(setup_token_id)

  if response['_http_success'] && response['id'].present?
    vault_id = response['id']
    customer_id = response.dig('customer', 'id')

    customer = @order.customer
    if customer.is_a?(Customer)
      customer.update(paypal_vault_token_id: vault_id, paypal_vault_customer_id: customer_id)
      Rails.logger.info("[PayPal Vault] Stored vault #{vault_id} for customer #{customer.id}")
    end
  else
    Rails.logger.error("[PayPal Vault] Payment token creation failed: status=#{response['_http_status']}, message=#{response['message']}")
    flash[:error] = 'Unable to save your PayPal account. Please try again.'
  end

  redirect_to confirmation_payments_path(order_id: @order.encrypted_id)
end

#confirmation ⇒ Object

# File 'app/controllers/www/payments_controller.rb', line 56

def confirmation
  # Security: User must have legitimate access to view this order
  #
  # Access is granted if EITHER:
  # 1. Order ID was encrypted (payment link from email - encryption IS the auth)
  # 2. Order belongs to current user's session (checkout flow)
  #
  # The is_checkout param is NOT trusted for security - it's just for analytics/UX
  #
  unless @order_id_was_encrypted || order_belongs_to_current_user?
    Rails.logger.warn "[SECURITY] Unauthorized order confirmation access: order_id=#{params[:order_id]}, user=#{@context_user&.id}, encrypted=#{@order_id_was_encrypted}"
    flash[:error] = "You don't have permission to view this order."
    redirect_to root_path and return
  end

  @order_track = @order # for google analytics tracking

  return if @order

  redirect_to my_cart_path
end

#create ⇒ Object

# File 'app/controllers/www/payments_controller.rb', line 39

def create
  if @invoice.present?
    process_invoice_payment(params[:payment])
  elsif @order.present?
    if @order.invoiced?
      # This is an order that has one or more invoices pending payment. It's different than a regular order
      # because this one is in invoiced state and needs special treatment. Only credit card direct purchase is allowed. No pre-authorizations.
      process_order_invoiced_payment(params[:payment])
    else
      # A payment can come from the standalone payment page, or checkout page. In WWW, since this is a WWW controller
      is_checkout = params[:checkout].to_b
      is_www = true
      process_payment(params[:payment], is_checkout, is_www)
    end
  end
end

#create_payment_intent ⇒ Object

# File 'app/controllers/www/payments_controller.rb', line 230

def create_payment_intent
  resource = @order || @invoice
  return render json: { error: 'Order or invoice not found' }, status: :not_found unless resource

  customer = resource.customer
  currency = resource.currency
  amount_cents = if @invoice.present?
                   (@invoice.balance * 100).to_i
                 elsif @order.present? && @order.invoiced?
                   amount = if params[:amount].present?
                              begin
                                BigDecimal(params[:amount])
                              rescue ArgumentError
                                return render json: { error: 'Invalid amount' }, status: :unprocessable_entity
                              end
                            else
                              @order.invoice_balance
                            end
                   return render json: { error: 'Amount must be between $0.01 and the invoice balance' }, status: :unprocessable_entity if amount <= 0 || amount > @order.invoice_balance

                   (amount * 100).to_i
                 else
                   (@order.balance * 100).to_i
                 end

  capture_method = @order.present? && !@order.invoiced? ? 'manual' : 'automatic'

  ensure_stripe_customer_id!(customer, currency) if customer.present? && capture_method == 'manual'

  description = if @invoice.present?
                  @invoice.reference_number
                elsif @order.present? && @order.invoiced?
                  refs = @order.invoices.unpaid.pluck(:reference_number)
                  refs.any? ? refs.join(' / ') : "Order #{@order.reference_number}"
                elsif @order.present?
                  @order.reference_number.present? ? "Order #{@order.reference_number}" : "Order ID #{@order.id}"
                end

  ref = @order&.reference_number || @invoice&.reference_number
  statement_descriptor = ref.present? ? "WarmlyYours #{ref}".truncate(22) : nil

  pi_params = {
    amount_cents: amount_cents,
    currency: currency,
    capture_method: capture_method,
    allow_redirects: 'always',
    description: description,
    statement_descriptor: statement_descriptor,
    metadata: {
      order_id: @order&.id,
      invoice_id: @invoice&.id,
      customer_id: customer&.id
    }
  }
  pi_params[:customer_id] = customer.stripe_customer_id if customer&.stripe_customer_id.present?

  pi_params[:setup_future_usage] = 'off_session' if capture_method == 'manual' && pi_params[:customer_id].present?

  begin
    pi = Payment::Apis::Stripe.create_payment_intent(**pi_params)
  rescue ::Stripe::StripeError => e
    raise unless pi_params[:setup_future_usage].present? && e.message.include?('not eligible')

    pi_params.delete(:setup_future_usage)
    pi = Payment::Apis::Stripe.create_payment_intent(**pi_params)
  end
  render json: { client_secret: pi.client_secret, payment_intent_id: pi.id }
rescue ::Stripe::StripeError => e
  render json: { error: e.message }, status: :unprocessable_entity
rescue StandardError => e
  bt = e.backtrace&.first(8)&.join("\n")
  Rails.logger.error("[create_payment_intent] #{e.class}: #{e.message}\n#{bt}")
  detail = Rails.env.local? ? "#{e.message}\n#{bt}" : e.message
  render json: { error: "Payment setup failed: #{detail}" }, status: :internal_server_error
end

#create_paypal_order ⇒ Object

# File 'app/controllers/www/payments_controller.rb', line 130

def create_paypal_order
  order_params = {
    amount: @order.balance,
    currency: @order.currency,
    intent: 'AUTHORIZE',
    description: "Order #{@order.reference_number}",
    shipping: paypal_shipping_address,
    metadata: { order_id: @order.id, invoice_id: @order.reference_number }
  }

  if @order.balance == @order.total
    order_params.merge!(
      subtotal: @order.subtotal,
      shipping_amount: @order.discounted_shipping_total,
      tax_amount: @order.tax_total,
      line_items: @order.line_items.non_shipping.map do |li|
        { name: li.name, sku: li.sku, quantity: li.quantity, amount: li.discounted_price }
      end
    )
  end

  response = Payment::Apis::Paypal.create_order(**order_params)

  if response['id'].present?
    render json: { paypal_order_id: response['id'] }
  else
    render json: { error: response['message'] || 'Unable to create PayPal order' }, status: :unprocessable_entity
  end
end

#new ⇒ Object

# File 'app/controllers/www/payments_controller.rb', line 9

def new
  if @invoice.present?
    # This is a receipt payment that contains one or multiple invoices or credit memos.
    @payment = Payment.new(customer: @invoice.customer)
    @payment_options = @invoice.online_payment_options
    render :new_invoice
  elsif @order.present? && @order.invoiced?
    # This is an order that has one or more invoices pending payment. It's different than a regular order
    # because this one is in invoiced state and needs special treatment. Only credit card direct purchase is allowed. No pre-authorizations.
    @payment_amount = params[:payment_amount].present? ? BigDecimal(params[:payment_amount]) : @order.invoice_balance

    # Validate payment amount
    if @payment_amount <= 0 || @payment_amount > @order.invoice_balance
      flash.now[:error] =
        "Payment amount must be between #{ActionController::Base.helpers.number_to_currency(0.01, unit: @order.currency_symbol)} and #{ActionController::Base.helpers.number_to_currency(@order.invoice_balance, unit: @order.currency_symbol)}"
      @payment_amount = @order.invoice_balance
    end

    @payment = Payment.new(amount: @payment_amount)
    @receipt = Receipt.new
    @payment_options = @order.payment_options('online_order_invoices')
    render :new_order_invoiced
  else
    # This is a regular online order. Can be a checkout or standalone payment page.
    @payment_options = @order.payment_options('online_order_payment')
    @payment = @order.payments.build(category: 'Credit Card')
    render :new
  end
end

#receipt_confirmation ⇒ Object

# File 'app/controllers/www/payments_controller.rb', line 78

def receipt_confirmation
  @receipt = Receipt.find(params[:receipt_id])
end

#save_paypal_vault ⇒ Object

# File 'app/controllers/www/payments_controller.rb', line 82

def save_paypal_vault
  return_url = complete_paypal_vault_payments_url(order_id: @order.encrypted_id)
  cancel_url = confirmation_payments_url(order_id: @order.encrypted_id)

  response = Payment::Apis::Paypal.create_vault_setup_token(return_url: return_url, cancel_url: cancel_url)

  if response['_http_success'] && response['id'].present?
    approve_link = response.dig('links')&.find { |l| l['rel'] == 'approve' }&.dig('href')
    if approve_link.present?
      redirect_to approve_link, allow_other_host: true
    else
      flash[:error] = 'Unable to start PayPal vault setup.'
      redirect_to confirmation_payments_path(order_id: @order.encrypted_id)
    end
  else
    Rails.logger.error("[PayPal Vault] Setup token failed: status=#{response['_http_status']}, message=#{response['message']}")
    flash[:error] = 'Unable to save PayPal. Please try again later.'
    redirect_to confirmation_payments_path(order_id: @order.encrypted_id)
  end
end