[Bug] Fix amount change on checkout (#346)

| Q               | A
| --------------- | -----
| Branch?         | 1.6
| Bug fix?        | yes
| New feature?    | no
| Related tickets | n/a

Author: GSadee

UPGRADE.md

@@ -36,6 +36,36 @@
     )
     ```
 
+   `Sylius\PayPalPlugin\Controller\ProcessPayPalOrderAction`:
+    ```diff
+    public function __construct(
+        private readonly OrderRepositoryInterface $orderRepository,
+        private readonly CustomerRepositoryInterface $customerRepository,
+        private readonly FactoryInterface $customerFactory,
+        private readonly AddressFactoryInterface $addressFactory,
+        private readonly ObjectManager $orderManager,
+        private readonly StateMachineFactoryInterface|StateMachineInterface $stateMachineFactory,
+        private readonly PaymentStateManagerInterface $paymentStateManager,
+        private readonly CacheAuthorizeClientApiInterface $authorizeClientApi,
+        private readonly OrderDetailsApiInterface $orderDetailsApi,
+        private readonly OrderProviderInterface $orderProvider,
+    +   private readonly ?PaymentAmountVerifierInterface $paymentAmountVerifier = null,
+    )
+    ```
+
+   `Sylius\PayPalPlugin\Controller\CompletePayPalOrderFromPaymentPageAction`:
+    ```diff
+    public function __construct(
+        private readonly PaymentStateManagerInterface $paymentStateManager,
+        private readonly UrlGeneratorInterface $router,
+        private readonly OrderProviderInterface $orderProvider,
+        private readonly FactoryInterface|StateMachineInterface $stateMachine,
+        private readonly ObjectManager $orderManager,
+    +   private readonly ?PaymentAmountVerifierInterface $paymentAmountVerifier = null,
+    +   private readonly ?OrderProcessorInterface $orderProcessor = null,
+    )
+    ```
+
 ### UPGRADE FROM 1.5.1 to 1.6.0
 
 1. Support for Sylius 1.13 has been added, it is now the recommended Sylius version to use.

spec/Payum/Action/CaptureActionSpec.php

@@ -66,6 +66,7 @@ function it_authorizes_seller_send_create_order_request_and_sets_order_response_
             'status' => StatusAction::STATUS_CAPTURED,
             'paypal_order_id' => '123123',
             'reference_id' => 'UUID',
+            'payment_amount' => 1000,
         ])->shouldBeCalled();
 
         $this->execute($request);

src/Controller/CompletePayPalOrderFromPaymentPageAction.php

@@ -19,8 +19,11 @@
 use Sylius\Abstraction\StateMachine\WinzouStateMachineAdapter;
 use Sylius\Component\Core\Model\PaymentInterface;
 use Sylius\Component\Core\OrderCheckoutTransitions;
+use Sylius\Component\Order\Processor\OrderProcessorInterface;
+use Sylius\PayPalPlugin\Exception\PaymentAmountMismatchException;
 use Sylius\PayPalPlugin\Manager\PaymentStateManagerInterface;
 use Sylius\PayPalPlugin\Provider\OrderProviderInterface;
+use Sylius\PayPalPlugin\Verifier\PaymentAmountVerifierInterface;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -34,6 +37,8 @@ public function __construct(
         private readonly OrderProviderInterface $orderProvider,
         private readonly FactoryInterface|StateMachineInterface $stateMachine,
         private readonly ObjectManager $orderManager,
+        private readonly ?PaymentAmountVerifierInterface $paymentAmountVerifier = null,
+        private readonly ?OrderProcessorInterface $orderProcessor = null,
     ) {
         if ($this->stateMachine instanceof FactoryInterface) {
             trigger_deprecation(
@@ -46,6 +51,22 @@ public function __construct(
                 ),
             );
         }
+        if (null === $this->paymentAmountVerifier) {
+            trigger_deprecation(
+                'sylius/paypal-plugin',
+                '1.6',
+                'Not passing an instance of "%s" as the fifth argument is deprecated and will be prohibited in 3.0.',
+                PaymentAmountVerifierInterface::class,
+            );
+        }
+        if (null === $this->orderProcessor) {
+            trigger_deprecation(
+                'sylius/paypal-plugin',
+                '1.6',
+                'Not passing an instance of "%s" as the sixth argument is deprecated and will be prohibited in 3.0.',
+                OrderProcessorInterface::class,
+            );
+        }
     }
 
     public function __invoke(Request $request): Response
@@ -56,6 +77,26 @@ public function __invoke(Request $request): Response
         /** @var PaymentInterface $payment */
         $payment = $order->getLastPayment(PaymentInterface::STATE_PROCESSING);
 
+        try {
+            if ($this->paymentAmountVerifier !== null) {
+                $this->paymentAmountVerifier->verify($payment);
+            } else {
+                $this->verify($payment);
+            }
+        } catch (PaymentAmountMismatchException) {
+            $this->paymentStateManager->cancel($payment);
+            $order->removePayment($payment);
+
+            if (null === $this->orderProcessor) {
+                throw new \RuntimeException('Order processor is required to process the order.');
+            }
+            $this->orderProcessor->process($order);
+
+            return new JsonResponse([
+                'return_url' => $this->router->generate('sylius_shop_checkout_complete', [], UrlGeneratorInterface::ABSOLUTE_URL),
+            ]);
+        }
+
         $this->paymentStateManager->complete($payment);
 
         $this->getStateMachine()->apply($order, OrderCheckoutTransitions::GRAPH, OrderCheckoutTransitions::TRANSITION_SELECT_PAYMENT);
@@ -78,4 +119,20 @@ private function getStateMachine(): StateMachineInterface
 
         return $this->stateMachine;
     }
+
+    private function verify(PaymentInterface $payment): void
+    {
+        $totalAmount = $this->getTotalPaymentAmountFromPaypal($payment);
+
+        if ($payment->getOrder()->getTotal() !== $totalAmount) {
+            throw new PaymentAmountMismatchException();
+        }
+    }
+
+    private function getTotalPaymentAmountFromPaypal(PaymentInterface $payment): int
+    {
+        $details = $payment->getDetails();
+
+        return $details['payment_amount'] ?? 0;
+    }
 }

src/Controller/ProcessPayPalOrderAction.php

@@ -27,8 +27,10 @@
 use Sylius\Component\Resource\Factory\FactoryInterface;
 use Sylius\PayPalPlugin\Api\CacheAuthorizeClientApiInterface;
 use Sylius\PayPalPlugin\Api\OrderDetailsApiInterface;
+use Sylius\PayPalPlugin\Exception\PaymentAmountMismatchException;
 use Sylius\PayPalPlugin\Manager\PaymentStateManagerInterface;
 use Sylius\PayPalPlugin\Provider\OrderProviderInterface;
+use Sylius\PayPalPlugin\Verifier\PaymentAmountVerifierInterface;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -46,6 +48,7 @@ public function __construct(
         private readonly CacheAuthorizeClientApiInterface $authorizeClientApi,
         private readonly OrderDetailsApiInterface $orderDetailsApi,
         private readonly OrderProviderInterface $orderProvider,
+        private readonly ?PaymentAmountVerifierInterface $paymentAmountVerifier = null,
     ) {
         if ($this->stateMachineFactory instanceof StateMachineFactoryInterface) {
             trigger_deprecation(
@@ -58,6 +61,16 @@ public function __construct(
                 ),
             );
         }
+        if (null === $this->paymentAmountVerifier) {
+            trigger_deprecation(
+                'sylius/paypal-plugin',
+                '1.6',
+                message: sprintf(
+                    'Not passing $paymentAmountVerifier to "%s" constructor is deprecated and will be prohibited in 3.0',
+                    self::class,
+                ),
+            );
+        }
     }
 
     public function __invoke(Request $request): Response
@@ -112,6 +125,18 @@ public function __invoke(Request $request): Response
 
         $this->orderManager->flush();
 
+        try {
+            if ($this->paymentAmountVerifier !== null) {
+                $this->paymentAmountVerifier->verify($payment, $data);
+            } else {
+                $this->verify($payment, $data);
+            }
+        } catch (PaymentAmountMismatchException) {
+            $this->paymentStateManager->cancel($payment);
+
+            return new JsonResponse(['orderID' => $order->getId()]);
+        }
+
         $this->paymentStateManager->create($payment);
         $this->paymentStateManager->process($payment);
 
@@ -152,4 +177,30 @@ private function getStateMachine(): StateMachineInterface
 
         return $this->stateMachineFactory;
     }
+
+    private function verify(PaymentInterface $payment, array $paypalOrderDetails): void
+    {
+        $totalAmount = $this->getTotalPaymentAmountFromPaypal($paypalOrderDetails);
+
+        if ($payment->getAmount() !== $totalAmount) {
+            throw new PaymentAmountMismatchException();
+        }
+    }
+
+    private function getTotalPaymentAmountFromPaypal(array $paypalOrderDetails): int
+    {
+        if (!isset($paypalOrderDetails['purchase_units']) || !is_array($paypalOrderDetails['purchase_units'])) {
+            return 0;
+        }
+
+        $totalAmount = 0;
+
+        foreach ($paypalOrderDetails['purchase_units'] as $unit) {
+            $stringAmount = $unit['amount']['value'] ?? '0';
+
+            $totalAmount += (int) ($stringAmount * 100);
+        }
+
+        return $totalAmount;
+    }
 }

src/Exception/PaymentAmountMismatchException.php

@@ -0,0 +1,22 @@
+<?php
+
+/*
+ * This file is part of the Sylius package.
+ *
+ * (c) Sylius Sp. z o.o.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Sylius\PayPalPlugin\Exception;
+
+final class PaymentAmountMismatchException extends \Exception
+{
+    public function __construct()
+    {
+        parent::__construct('Order payment amount does not match the total amount from PayPal payment.');
+    }
+}

src/Payum/Action/CaptureAction.php

@@ -60,6 +60,7 @@ public function execute($request): void
                 'status' => StatusAction::STATUS_CAPTURED,
                 'paypal_order_id' => $content['id'],
                 'reference_id' => $referenceId,
+                'payment_amount' => $payment->getAmount(),
             ]);
         }
     }

src/Resources/config/services.xml

@@ -270,5 +270,8 @@
         <service id="Sylius\PayPalPlugin\Twig\OrderAddressExtension">
             <tag name="twig.extension" />
         </service>
+        
+        <service id="sylius_paypal.verifier.payment_amount" class="Sylius\PayPalPlugin\Verifier\PaymentAmountVerifier" />
+        <service id="Sylius\PayPalPlugin\Verifier\PaymentAmountVerifierInterface" alias="sylius_paypal.verifier.payment_amount" />
     </services>
 </container>

src/Resources/config/services/controller.xml

@@ -114,6 +114,7 @@
             <argument type="service" id="Sylius\PayPalPlugin\Api\CacheAuthorizeClientApiInterface" />
             <argument type="service" id="Sylius\PayPalPlugin\Api\OrderDetailsApiInterface" />
             <argument type="service" id="Sylius\PayPalPlugin\Provider\OrderProviderInterface" />
+            <argument type="service" id="sylius_paypal.verifier.payment_amount" />
         </service>
 
         <service id="Sylius\PayPalPlugin\Controller\UpdatePayPalOrderAction">
@@ -131,6 +132,8 @@
             <argument type="service" id="Sylius\PayPalPlugin\Provider\OrderProviderInterface" />
             <argument type="service" id="sylius_abstraction.state_machine" />
             <argument type="service" id="sylius.manager.order" />
+            <argument type="service" id="sylius_paypal.verifier.payment_amount" />
+            <argument type="service" id="sylius.order_processing.order_processor" />
         </service>
 
         <service id="Sylius\PayPalPlugin\Controller\PayPalPaymentOnErrorAction">

src/Verifier/PaymentAmountVerifier.php

@@ -0,0 +1,56 @@
+<?php
+
+/*
+ * This file is part of the Sylius package.
+ *
+ * (c) Sylius Sp. z o.o.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Sylius\PayPalPlugin\Verifier;
+
+use Sylius\Component\Core\Model\PaymentInterface;
+use Sylius\PayPalPlugin\Exception\PaymentAmountMismatchException;
+
+final class PaymentAmountVerifier implements PaymentAmountVerifierInterface
+{
+    public function verify(PaymentInterface $payment, array $paypalOrderDetails = []): void
+    {
+        $totalAmount = $this->getTotalPaymentAmountFromPaypal($payment, $paypalOrderDetails);
+
+        if ($payment->getOrder()->getTotal() !== $totalAmount) {
+            throw new PaymentAmountMismatchException();
+        }
+    }
+
+    private function getTotalPaymentAmountFromPaypal(PaymentInterface $payment, array $paypalOrderDetails = []): int
+    {
+        if (empty($paypalOrderDetails)) {
+            return $this->getPaymentAmountFromDetails($payment);
+        }
+
+        if (!isset($paypalOrderDetails['purchase_units']) || !is_array($paypalOrderDetails['purchase_units'])) {
+            return 0;
+        }
+
+        $totalAmount = 0;
+
+        foreach ($paypalOrderDetails['purchase_units'] as $unit) {
+            $stringAmount = $unit['amount']['value'] ?? '0';
+            $totalAmount += (int) ($stringAmount * 100);
+        }
+
+        return $totalAmount;
+    }
+
+    private function getPaymentAmountFromDetails(PaymentInterface $payment): int
+    {
+        $details = $payment->getDetails();
+
+        return $details['payment_amount'] ?? 0;
+    }
+}

src/Verifier/PaymentAmountVerifierInterface.php

@@ -0,0 +1,21 @@
+<?php
+
+/*
+ * This file is part of the Sylius package.
+ *
+ * (c) Sylius Sp. z o.o.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Sylius\PayPalPlugin\Verifier;
+
+use Sylius\Component\Core\Model\PaymentInterface;
+
+interface PaymentAmountVerifierInterface
+{
+    public function verify(PaymentInterface $payment, array $paypalOrderDetails = []): void;
+}