feat: Shopier payment integration with 3DS callback + unified checkout action

2026-04-30 21:57:51 +03:00
parent 196036c0d8
commit 00a8351f66
7 changed files with 466 additions and 12 deletions
@@ -21,8 +21,9 @@ import {
 } from "@/lib/appwrite/plan-limits";
 import {
  downgradeToFreeAction,
-  startMockCheckoutAction,
+  startCheckoutAction,
 } from "@/lib/appwrite/subscription-actions";
+import { isShopierEnabled } from "@/lib/payments/shopier";
 import { PLAN_CATALOG } from "@/lib/appwrite/subscription-types";
 import { requireTenant } from "@/lib/appwrite/tenant-guard";

@@ -79,6 +80,7 @@ export default async function PricingPage() {
  const isPro = currentPlan === "pro";
  const canManage = ctx.role === "owner";
  const usage = await getPlanUsage(ctx);
+  const shopierActive = isShopierEnabled();

  const resources: PlanResource[] = ["customers", "financeEntries", "software", "members"];

@@ -208,11 +210,11 @@ export default async function PricingPage() {
                    Sahip yetkisi gerekli
                  </Button>
                ) : tier.id === "pro" ? (
-                  <form action={startMockCheckoutAction} className="w-full">
+                  <form action={startCheckoutAction} className="w-full">
                    <input type="hidden" name="plan" value="pro" />
                    <Button type="submit" className="w-full" size="lg">
                      <Crown className="size-4" />
-                      Pro'ya geç (Test)
+                      {shopierActive ? "Pro'ya geç" : "Pro'ya geç (Test)"}
                    </Button>
                  </form>
                ) : (
@@ -278,15 +280,16 @@ export default async function PricingPage() {
        </div>
      </section>

+      {!shopierActive && (
        <Card className="bg-muted/20">
          <CardContent className="text-muted-foreground py-4 text-xs">
            <p>
              <span className="text-foreground font-medium">Test modu:</span> Pro plan şu anda mock
-            ödeme akışıyla çalışır. Shopier entegrasyonu yakında — gerçek tahsilat ancak entegrasyon
-            tamamlandıktan sonra başlayacak.
+              ödeme akışıyla çalışır. Shopier entegrasyonu aktif edilince gerçek tahsilat başlayacak.
            </p>
          </CardContent>
        </Card>
+      )}
    </div>
  );
 }
@@ -0,0 +1,49 @@
+import { redirect } from "next/navigation";
+
+import { getPaymentByOrderId } from "@/lib/appwrite/subscription-queries";
+import { PLAN_CATALOG } from "@/lib/appwrite/subscription-types";
+import { requireTenant } from "@/lib/appwrite/tenant-guard";
+import { buildShopierFormFields, SHOPIER_ENDPOINT } from "@/lib/payments/shopier";
+
+import { ShopierAutoSubmit } from "./shopier-auto-submit";
+
+export default async function ShopierRedirectPage({
+  params,
+}: {
+  params: Promise<{ orderId: string }>;
+}) {
+  const { orderId } = await params;
+  const ctx = await requireTenant();
+  if (ctx.role !== "owner") redirect("/settings/billing");
+
+  const payment = await getPaymentByOrderId(ctx.tenantId, orderId);
+  if (!payment || payment.provider !== "shopier") redirect("/settings/billing");
+  if (payment.status === "success") redirect("/settings/billing?upgraded=1");
+  if (payment.status === "failed") redirect("/settings/billing?cancelled=1");
+
+  const catalog = PLAN_CATALOG[payment.plan];
+
+  // Split full name into first + surname (best effort)
+  const nameParts = (ctx.user.name || ctx.user.email.split("@")[0]).trim().split(" ");
+  const buyerName = nameParts[0] ?? "Kullanıcı";
+  const buyerSurname = nameParts.slice(1).join(" ") || buyerName;
+
+  const fields = buildShopierFormFields({
+    orderId: payment.orderId,
+    amount: payment.amount,
+    currency: (payment.currency as "TRY" | "USD" | "EUR") ?? "TRY",
+    productName: `İşletmem ${catalog.name} Plan`,
+    buyerName,
+    buyerSurname,
+    buyerEmail: ctx.user.email,
+    buyerId: ctx.user.id,
+  });
+
+  return (
+    <ShopierAutoSubmit
+      action={SHOPIER_ENDPOINT}
+      fields={fields}
+      orderId={orderId}
+    />
+  );
+}
@@ -0,0 +1,67 @@
+import Link from "next/link";
+import { redirect } from "next/navigation";
+import { CheckCircle, Loader2, XCircle } from "lucide-react";
+
+import { Button } from "@/components/ui/button";
+import { getPaymentByOrderId } from "@/lib/appwrite/subscription-queries";
+import { requireTenant } from "@/lib/appwrite/tenant-guard";
+
+export default async function ShopierResultPage({
+  params,
+  searchParams,
+}: {
+  params: Promise<{ orderId: string }>;
+  searchParams: Promise<{ ok?: string }>;
+}) {
+  const { orderId } = await params;
+  const { ok } = await searchParams;
+  const ctx = await requireTenant();
+
+  const payment = await getPaymentByOrderId(ctx.tenantId, orderId);
+  if (!payment) redirect("/settings/billing");
+
+  // Callback may not have arrived yet — if Shopier said ok but DB still pending, show processing.
+  const shopierSaysOk = ok === "1";
+  const dbStatus = payment.status;
+
+  if (dbStatus === "success") {
+    redirect("/settings/billing?upgraded=1");
+  }
+  if (dbStatus === "failed" || (!shopierSaysOk && dbStatus === "pending")) {
+    return (
+      <div className="flex min-h-[60vh] flex-col items-center justify-center gap-6 px-6 text-center">
+        <XCircle className="text-destructive size-14" />
+        <div className="space-y-1">
+          <p className="text-lg font-semibold">Ödeme başarısız</p>
+          <p className="text-muted-foreground text-sm">
+            3D Secure doğrulaması reddedildi veya işlem iptal edildi.
+          </p>
+        </div>
+        <Button asChild variant="outline">
+          <Link href="/settings/billing">Geri dön</Link>
+        </Button>
+      </div>
+    );
+  }
+
+  // pending + shopierSaysOk → callback not yet received, auto-refresh
+  return (
+    <div className="flex min-h-[60vh] flex-col items-center justify-center gap-6 px-6 text-center">
+      <Loader2 className="text-primary size-14 animate-spin" />
+      <div className="space-y-1">
+        <p className="text-lg font-semibold">Ödeme işleniyor</p>
+        <p className="text-muted-foreground text-sm">
+          Bankadan onay bekleniyor, birkaç saniye içinde yönlendirileceksiniz.
+        </p>
+      </div>
+      {/* Meta refresh — simpler than polling for this rare in-between state */}
+      {/* eslint-disable-next-line @next/next/no-head-element */}
+      <meta httpEquiv="refresh" content="3" />
+      <Button asChild variant="ghost" size="sm">
+        <Link href={`/settings/billing/checkout/${orderId}/shopier/result?ok=1`}>
+          Yenile
+        </Link>
+      </Button>
+    </div>
+  );
+}
@@ -0,0 +1,46 @@
+"use client";
+
+import { useEffect, useRef } from "react";
+import { Loader2, Lock } from "lucide-react";
+
+type Props = {
+  action: string;
+  fields: Record<string, string>;
+  orderId: string;
+};
+
+export function ShopierAutoSubmit({ action, fields, orderId: _orderId }: Props) {
+  const formRef = useRef<HTMLFormElement>(null);
+
+  useEffect(() => {
+    // Small delay so the user sees the loading state before redirect
+    const t = setTimeout(() => {
+      formRef.current?.submit();
+    }, 800);
+    return () => clearTimeout(t);
+  }, []);
+
+  return (
+    <div className="flex min-h-[60vh] flex-col items-center justify-center gap-6">
+      <div className="flex flex-col items-center gap-3 text-center">
+        <div className="bg-primary/10 flex size-14 items-center justify-center rounded-full">
+          <Lock className="text-primary size-6" />
+        </div>
+        <div className="space-y-1">
+          <p className="text-lg font-semibold">Shopier ödeme sayfasına yönlendiriliyor</p>
+          <p className="text-muted-foreground text-sm">
+            Güvenli 3D Secure ödeme için Shopier&apos;e aktarılıyorsunuz…
+          </p>
+        </div>
+        <Loader2 className="text-muted-foreground size-5 animate-spin" />
+      </div>
+
+      {/* Hidden auto-submit form */}
+      <form ref={formRef} action={action} method="POST" className="hidden">
+        {Object.entries(fields).map(([name, value]) => (
+          <input key={name} type="hidden" name={name} value={value} />
+        ))}
+      </form>
+    </div>
+  );
+}
@@ -0,0 +1,112 @@
+import { NextRequest, NextResponse } from "next/server";
+import { Query } from "node-appwrite";
+
+import { logAudit } from "@/lib/appwrite/audit";
+import { DATABASE_ID, TABLES, type SubscriptionPayment } from "@/lib/appwrite/schema";
+import { createAdminClient } from "@/lib/appwrite/server";
+import {
+  verifyCallbackSignature,
+  type ShopierCallbackPayload,
+} from "@/lib/payments/shopier";
+
+const PRO_VALIDITY_DAYS = 30;
+
+export async function POST(req: NextRequest): Promise<NextResponse> {
+  // Shopier sends application/x-www-form-urlencoded
+  let body: Record<string, string>;
+  try {
+    const text = await req.text();
+    const params = new URLSearchParams(text);
+    body = Object.fromEntries(params.entries());
+  } catch {
+    return NextResponse.json({ error: "invalid body" }, { status: 400 });
+  }
+
+  const payload: ShopierCallbackPayload = {
+    platform_order_id: body.platform_order_id ?? "",
+    status: body.status ?? "",
+    installment_count: body.installment_count ?? "0",
+    random_nr: body.random_nr ?? "",
+    API_key: body.API_key ?? "",
+    signature: body.signature ?? "",
+  };
+
+  if (!verifyCallbackSignature(payload)) {
+    console.error("[shopier/callback] signature mismatch", { orderId: payload.platform_order_id });
+    return NextResponse.json({ error: "signature mismatch" }, { status: 403 });
+  }
+
+  const { tablesDB } = createAdminClient();
+
+  // Find the pending payment row
+  const result = await tablesDB.listRows({
+    databaseId: DATABASE_ID,
+    tableId: TABLES.subscriptionPayments,
+    queries: [
+      Query.equal("orderId", payload.platform_order_id),
+      Query.equal("provider", "shopier"),
+      Query.limit(1),
+    ],
+  });
+
+  const payment = result.rows[0] as unknown as SubscriptionPayment | undefined;
+  if (!payment) {
+    console.error("[shopier/callback] payment not found", payload.platform_order_id);
+    return NextResponse.json({ error: "payment not found" }, { status: 404 });
+  }
+
+  // Idempotency — already processed
+  if (payment.status === "success" || payment.status === "failed") {
+    return NextResponse.json({ ok: true });
+  }
+
+  const now = new Date();
+  const isSuccess = payload.status === "success";
+
+  await tablesDB.updateRow(DATABASE_ID, TABLES.subscriptionPayments, payment.$id, {
+    status: isSuccess ? "success" : "failed",
+    processedAt: now.toISOString(),
+    providerPayload: JSON.stringify({
+      shopier: true,
+      callbackStatus: payload.status,
+      installmentCount: payload.installment_count,
+    }),
+  });
+
+  if (isSuccess && payment.tenantId) {
+    // Fetch current tenant settings
+    const settingsResult = await tablesDB.listRows({
+      databaseId: DATABASE_ID,
+      tableId: TABLES.tenantSettings,
+      queries: [Query.equal("tenantId", payment.tenantId), Query.limit(1)],
+    });
+    const settings = settingsResult.rows[0] as unknown as { $id: string } | undefined;
+
+    if (settings) {
+      const expires = new Date(now.getTime() + PRO_VALIDITY_DAYS * 24 * 60 * 60 * 1000);
+      await tablesDB.updateRow(DATABASE_ID, TABLES.tenantSettings, settings.$id, {
+        plan: payment.plan,
+        planStartedAt: now.toISOString(),
+        planExpiresAt: expires.toISOString(),
+        lastPaymentId: payment.$id,
+      });
+    }
+
+    await logAudit({
+      tenantId: payment.tenantId,
+      userId: payment.createdBy,
+      action: "update",
+      entityType: "subscription_payment",
+      entityId: payment.$id,
+      changes: {
+        provider: "shopier",
+        status: "success",
+        plan: payment.plan,
+        installmentCount: payload.installment_count,
+      },
+    });
+  }
+
+  // Shopier expects a 200 OK response with no body (or just "OK")
+  return new NextResponse("OK", { status: 200 });
+}
@@ -11,6 +11,7 @@ import { DATABASE_ID, TABLES, type SubscriptionPayment, type TenantPlan } from "
 import { createAdminClient } from "./server";
 import { requireRole, requireTenant } from "./tenant-guard";
 import { PLAN_CATALOG } from "./subscription-types";
+import { isShopierEnabled } from "../payments/shopier";

 const PRO_VALIDITY_DAYS = 30;

@@ -218,3 +219,52 @@ export async function downgradeToFreeAction(): Promise<void> {
  revalidatePath("/settings/billing");
  redirect(`/settings/billing?downgraded=1`);
 }
+
+export async function startShopierCheckoutAction(formData: FormData): Promise<void> {
+  const plan = String(formData.get("plan") ?? "") as TenantPlan;
+  if (plan !== "pro") throw new Error("Geçersiz plan.");
+
+  const ctx = await requireTenant();
+  requireRole(ctx, ["owner"]);
+
+  const catalog = PLAN_CATALOG[plan];
+  const orderId = generateOrderId();
+
+  const { tablesDB } = createAdminClient();
+  await tablesDB.createRow(
+    DATABASE_ID,
+    TABLES.subscriptionPayments,
+    ID.unique(),
+    {
+      tenantId: ctx.tenantId,
+      createdBy: ctx.user.id,
+      orderId,
+      plan,
+      amount: catalog.price,
+      currency: catalog.currency,
+      status: "pending",
+      provider: "shopier",
+    },
+    teamRowPermissions(ctx.tenantId),
+  );
+
+  await logAudit({
+    tenantId: ctx.tenantId,
+    userId: ctx.user.id,
+    action: "create",
+    entityType: "subscription_payment",
+    entityId: orderId,
+    changes: { plan, amount: catalog.price, provider: "shopier" },
+  });
+
+  redirect(`/settings/billing/checkout/${orderId}/shopier`);
+}
+
+// Unified entry point — branches on PAYMENT_PROVIDER env variable.
+// Set PAYMENT_PROVIDER=shopier in production; leave unset (or "mock") for testing.
+export async function startCheckoutAction(formData: FormData): Promise<void> {
+  if (isShopierEnabled()) {
+    return startShopierCheckoutAction(formData);
+  }
+  return startMockCheckoutAction(formData);
+}
@@ -0,0 +1,127 @@
+import "server-only";
+
+import { createHmac, timingSafeEqual } from "crypto";
+
+export const SHOPIER_ENDPOINT = "https://www.shopier.com/ShowProduct/api_pay4.php";
+
+const API_KEY = process.env.SHOPIER_API_KEY ?? "";
+const API_SECRET = process.env.SHOPIER_API_SECRET ?? "";
+const WEBSITE_INDEX = process.env.SHOPIER_WEBSITE_INDEX ?? "1";
+
+// Callback base URL can be overridden with a tunnel URL for localhost testing.
+// e.g. SHOPIER_CALLBACK_BASE_URL=https://abc123.trycloudflare.com
+function callbackBaseUrl(): string {
+  return (
+    process.env.SHOPIER_CALLBACK_BASE_URL?.replace(/\/$/, "") ??
+    process.env.APP_URL?.replace(/\/$/, "") ??
+    "http://localhost:3000"
+  );
+}
+
+function appBaseUrl(): string {
+  return process.env.APP_URL?.replace(/\/$/, "") ?? "http://localhost:3000";
+}
+
+export type CurrencyCode = "TRY" | "USD" | "EUR";
+const CURRENCY_INDEX: Record<CurrencyCode, "0" | "1" | "2"> = {
+  TRY: "0",
+  USD: "1",
+  EUR: "2",
+};
+
+// Signature over: platform_order_id + total_order_value + currency + random_nr
+// Key: API_SECRET  |  Encoding: base64
+function signRequest(orderId: string, amount: string, currency: string, randomNr: string): string {
+  const message = orderId + amount + currency + randomNr;
+  return createHmac("sha256", API_SECRET).update(message).digest("base64");
+}
+
+export type ShopierCheckoutParams = {
+  orderId: string;
+  amount: number;
+  currency?: CurrencyCode;
+  productName: string;
+  buyerName: string;
+  buyerSurname: string;
+  buyerEmail: string;
+  buyerId: string;
+  buyerAccountAgeDays?: number;
+};
+
+export type ShopierFormFields = Record<string, string>;
+
+export function buildShopierFormFields(params: ShopierCheckoutParams): ShopierFormFields {
+  if (!API_KEY || !API_SECRET) {
+    throw new Error("SHOPIER_API_KEY ve SHOPIER_API_SECRET ortam değişkenleri eksik.");
+  }
+
+  const currency: CurrencyCode = params.currency ?? "TRY";
+  const currencyIndex = CURRENCY_INDEX[currency];
+  // Amount as string with exactly 2 decimal places ("299.00")
+  const amountStr = params.amount.toFixed(2);
+  // 8-digit random number
+  const randomNr = String(Math.floor(10000000 + Math.random() * 90000000));
+
+  const signature = signRequest(params.orderId, amountStr, currencyIndex, randomNr);
+
+  const base = callbackBaseUrl();
+  const appBase = appBaseUrl();
+
+  return {
+    API_key: API_KEY,
+    website_index: WEBSITE_INDEX,
+    platform_order_id: params.orderId,
+    product_name: params.productName,
+    product_type: "0", // 0 = digital/virtual
+    buyer_name: params.buyerName,
+    buyer_surname: params.buyerSurname,
+    buyer_email: params.buyerEmail,
+    buyer_account_age: String(params.buyerAccountAgeDays ?? 0),
+    buyer_id_nr: params.buyerId,
+    total_order_value: amountStr,
+    currency: currencyIndex,
+    current_language: "0", // 0 = TR
+    random_nr: randomNr,
+    signature,
+    // Server-to-server async callback — needs public URL (use cloudflared tunnel for localhost)
+    callbackUrl: `${base}/api/payments/shopier/callback`,
+    // User-facing redirect after 3DS
+    okUrl: `${appBase}/settings/billing/checkout/${params.orderId}/shopier/result?ok=1`,
+    failUrl: `${appBase}/settings/billing/checkout/${params.orderId}/shopier/result?ok=0`,
+  };
+}
+
+// ---------- Callback verification ----------
+
+export type ShopierCallbackPayload = {
+  platform_order_id: string;
+  status: string; // "success" | "fail"
+  installment_count: string;
+  random_nr: string;
+  API_key: string;
+  signature: string;
+};
+
+// Signature over: platform_order_id + status + installment_count + random_nr
+export function verifyCallbackSignature(payload: ShopierCallbackPayload): boolean {
+  if (!API_SECRET) return false;
+  const message =
+    payload.platform_order_id +
+    payload.status +
+    payload.installment_count +
+    payload.random_nr;
+  const expected = createHmac("sha256", API_SECRET).update(message).digest("base64");
+  try {
+    return timingSafeEqual(Buffer.from(expected), Buffer.from(payload.signature));
+  } catch {
+    return false;
+  }
+}
+
+export function isShopierEnabled(): boolean {
+  return (
+    process.env.PAYMENT_PROVIDER === "shopier" &&
+    Boolean(process.env.SHOPIER_API_KEY) &&
+    Boolean(process.env.SHOPIER_API_SECRET)
+  );
+}