Panel/modules/billing/api/capture_order.php

<?php
require_once(__DIR__ . '/../includes/config.inc.php');
require_once(__DIR__ . '/../../../includes/database_mysqli.php');
$sandbox       = true; // flip to false for Live
$client_id     = 'AfvY_C2zA_hTHxHq7TIhtOeub4xBdySYrt_Hjj3d_WYQwjWI9NfOAVOTeResx2rgZ_nP5tOoxQSAHw8c';
$client_secret = 'EJ216np9cAj9n7KSddez3fLVxGe-zi4oKKKl1YGqPp88XIikr4Qzbxh0XW2as-V6LgdX-upjtQAg9dC0';

// Ensure all errors are logged, not output (to prevent JSON corruption)
ini_set('display_errors', '0');
error_reporting(E_ALL);

header('Content-Type: application/json');
$in = json_decode(file_get_contents('php://input'), true) ?: [];
$order_id = $in['order_id'] ?? null;
if (!$order_id) { http_response_code(400); echo json_encode(['error'=>'missing order_id']); exit; }

$api = $sandbox ? 'https://api-m.sandbox.paypal.com' : 'https://api-m.paypal.com';

$ch = curl_init("$api/v1/oauth2/token");
curl_setopt_array($ch, [
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_POST => true,
  CURLOPT_POSTFIELDS => 'grant_type=client_credentials',
  CURLOPT_HTTPHEADER => ['Accept: application/json'],
  CURLOPT_USERPWD => $client_id . ':' . $client_secret,
]);
$tok  = curl_exec($ch);
$http = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http !== 200) { http_response_code(500); echo json_encode(['error'=>'oauth_fail']); exit; }
$access = json_decode($tok, true)['access_token'] ?? null;

$ch = curl_init("$api/v2/checkout/orders/$order_id/capture");
curl_setopt_array($ch, [
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_POST => true,
  CURLOPT_HTTPHEADER => [ 'Content-Type: application/json', 'Authorization: Bearer ' . $access ],
]);
$res  = curl_exec($ch);
$http = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$curl_err = curl_error($ch);
curl_close($ch);

// Ensure logs folder exists and provide a helper to write debug info
$logDir = __DIR__ . '/../logs';
if (!is_dir($logDir)) @mkdir($logDir, 0755, true);
$logFile = $logDir . '/paypal_capture.log';
function capture_log($label, $data) {
    global $logFile;
    $entry = '[' . date('Y-m-d H:i:s') . '] ' . $label . "\n";
    if (is_array($data) || is_object($data)) $entry .= print_r($data, true);
    else $entry .= (string)$data;
    $entry .= "\n---\n";
    @file_put_contents($logFile, $entry, FILE_APPEND | LOCK_EX);
}

// Log the raw curl response for debugging
capture_log('paypal_curl_response_http_' . $http, $res === false ? "(curl failed) " . $curl_err : $res);

// Normalize response: ensure we always return valid JSON to the caller
if ($res === false || $res === '') {
    // Curl-level failure or empty body
    http_response_code(502);
    $out = ['error' => 'paypal_empty_response', 'http' => $http, 'curl_error' => $curl_err];
    capture_log('paypal_empty_response', $out);
    echo json_encode($out);
    exit;
}

// Attempt to decode PayPal response
$capture = json_decode($res, true);
if (json_last_error() !== JSON_ERROR_NONE) {
    // PayPal returned non-JSON / malformed response — return it as raw string inside JSON
    http_response_code(502);
    $out = ['error' => 'paypal_invalid_json', 'http' => $http, 'raw' => $res];
    capture_log('paypal_invalid_json', $out);
    echo json_encode($out);
    exit;
}

if ($http !== 201 && $http !== 200) {
    http_response_code($http);
    // Return structured JSON with PayPal's decoded response
    $out = ['error' => 'paypal_capture_failed', 'http' => $http, 'response' => $capture];
    capture_log('paypal_capture_failed', $out);
    echo json_encode($out);
    exit;
}

// Extract payment details
$txid = null;
capture_log('paypal_capture_success', $capture);
echo json_encode($capture);
if (isset($capture['purchase_units'][0]['payments']['captures'][0])) {
    $txid = $capture['purchase_units'][0]['payments']['captures'][0]['id'] ?? null;
}

// Get custom_id (should be invoice_id from cart.php)
$custom_id = $capture['purchase_units'][0]['custom_id'] ?? null;

if ($captureStatus === 'COMPLETED' && $custom_id) {
    // Connect to database
    $db = createDatabaseConnection($db_host, $db_user, $db_pass, $db_name, $db_port);
    if (!$db) {
        error_log('capture_order.php: DB connection failed');
        echo json_encode(['error' => 'db_connection_failed', 'status' => $captureStatus]);
        exit;
    }

    // Find all invoices with status='due' for this user (cart session)
    // For now, we'll mark ALL due invoices for the logged-in user as paid
    // TODO: Improve to match specific invoice_id from custom_id if cart sends it
    session_start();
    // Check both website_user_id and user_id for compatibility
    $user_id = isset($_SESSION['website_user_id']) ? intval($_SESSION['website_user_id']) : 
               (isset($_SESSION['user_id']) ? intval($_SESSION['user_id']) : 0);
    
    if ($user_id > 0) {
        // Mark all due invoices for this user as paid
        $now = date('Y-m-d H:i:s');
        $esc_txid = mysqli_real_escape_string($db, $txid);
        
        $updateInvoices = "UPDATE {$table_prefix}billing_invoices 
                          SET status='paid', paid_date='$now', payment_txid='$esc_txid', payment_method='paypal'
                          WHERE user_id=$user_id AND status='due'";
        mysqli_query($db, $updateInvoices);
        
        // Get all invoices we just marked paid
        $getInvoices = "SELECT * FROM {$table_prefix}billing_invoices WHERE user_id=$user_id AND payment_txid='$esc_txid'";
        $invoicesResult = mysqli_query($db, $getInvoices);
        
        // For each invoice, either create a new order or extend existing one (renewal)
        while ($inv = mysqli_fetch_assoc($invoicesResult)) {
            $invoice_id = intval($inv['invoice_id']);
            $existing_order_id = intval($inv['order_id'] ?? 0);
            $service_id = intval($inv['service_id']);
            $home_name = mysqli_real_escape_string($db, $inv['home_name']);
            $ip = intval($inv['ip']);
            $max_players = intval($inv['max_players']);
            $qty = intval($inv['qty']);
            $duration = mysqli_real_escape_string($db, $inv['invoice_duration']);
            $amount = floatval($inv['amount']);
            $rcon_pw = mysqli_real_escape_string($db, $inv['remote_control_password']);
            $ftp_pw = mysqli_real_escape_string($db, $inv['ftp_password']);
            
            // Check if this is a renewal (existing order_id > 0) or new order (order_id = 0)
            if ($existing_order_id > 0) {
                // RENEWAL: Extend the existing order's end_date
                // Calculate months to add based on qty and duration
                $months = 0;
                $q = intval($qty);
                $invdur = strtolower(trim($duration));
                if (strpos($invdur, 'year') !== false) {
                    $months = $q * 12;
                } else {
                    // default to months for anything else (month, monthly, etc.)
                    $months = $q;
                }
                
                // Get current end_date and extend it
                $getEndDate = "SELECT end_date FROM {$table_prefix}billing_orders WHERE order_id=$existing_order_id LIMIT 1";
                $endDateResult = mysqli_query($db, $getEndDate);
                if ($endDateResult && mysqli_num_rows($endDateResult) === 1) {
                    $endRow = mysqli_fetch_assoc($endDateResult);
                    $current_end = $endRow['end_date'] ?? date('Y-m-d H:i:s');
                    
                    // Extend from current end_date or now (whichever is later)
                    $extend_from = (strtotime($current_end) > time()) ? $current_end : date('Y-m-d H:i:s');
                    $dt = new DateTime($extend_from);
                    if ($months > 0) {
                        $dt->modify('+' . intval($months) . ' months');
                    }
                    $new_end_date = $dt->format('Y-m-d H:i:s');
                    
                    // Update order with new end_date and mark as paid/active
                    $updateOrder = "UPDATE {$table_prefix}billing_orders 
                                   SET end_date='$new_end_date', status='paid', payment_txid='$esc_txid', paid_ts='$now'
                                   WHERE order_id=$existing_order_id";
                    if (mysqli_query($db, $updateOrder)) {
                        error_log("capture_order.php: Extended order $existing_order_id end_date to $new_end_date for invoice $invoice_id");
                    } else {
                        error_log("capture_order.php: Failed to extend order $existing_order_id: " . mysqli_error($db));
                    }
                }
            } else {
                // NEW ORDER: Create a new order record
                // Calculate end_date based on qty * duration
                $end_date = date('Y-m-d H:i:s', strtotime("+$qty $duration"));
                
                // Insert order
                $insertOrder = "INSERT INTO {$table_prefix}billing_orders (
                    user_id, service_id, home_name, ip, max_players, qty, invoice_duration,
                    price, remote_control_password, ftp_password, status, order_date, end_date,
                    payment_txid, paid_ts
                ) VALUES (
                    $user_id, $service_id, '$home_name', $ip, $max_players, $qty, '$duration',
                    $amount, '$rcon_pw', '$ftp_pw', 'paid', '$now', '$end_date',
                    '$esc_txid', '$now'
                )";
                
                if (mysqli_query($db, $insertOrder)) {
                    $new_order_id = mysqli_insert_id($db);
                    
                    // Link invoice to order
                    $linkInvoice = "UPDATE {$table_prefix}billing_invoices SET order_id=$new_order_id WHERE invoice_id=$invoice_id";
                    mysqli_query($db, $linkInvoice);
                    
                    error_log("capture_order.php: Created order $new_order_id for invoice $invoice_id");
                } else {
                    error_log("capture_order.php: Failed to create order for invoice $invoice_id: " . mysqli_error($db));
                }
            }
        }
        
        mysqli_close($db);
    }
}

// Return the full PayPal response (normalized JSON) for proper processing
echo json_encode($capture);

?>