Change order: Resolve the shop order BEFORE calling the PayPal capture API.

Author: mariolorenz

CHANGELOG.md

@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - [0007916](https://bugs.oxid-esales.com/view.php?id=7916): Fix orphaned oscpaypal_order rows with OSCPAYPALSTATUS=COMPLETED and empty OXORDERID. When `sess_challenge` was cleared before `captureOrder()` completed (e.g. by a concurrent cancel request), the capture flow proceeded and created tracking records that could not be matched by webhook processing. Added defense-in-depth validation at four levels: `AjaxPaymentController::captureOrder()` now aborts if the shop order cannot be resolved, `PayPalOrderCompletedSubscriber` rejects events with empty shopOrderId, `Payment::trackPayPalOrder()` throws on empty shopOrderId, and `OrderRepository::paypalOrderByOrderIdAndPayPalId()` refuses to create new records with empty shopOrderId.
 - [0007916](https://bugs.oxid-esales.com/view.php?id=7916): Fix root cause of `sess_challenge` being cleared during active capture. `Payment::removeTemporaryOrder()` unconditionally deleted `sess_challenge` even when the cancel was blocked because PayPal had already approved/captured the payment. Now `sess_challenge` is only deleted when the cancel actually succeeds, keeping the session intact for the concurrent capture flow.
 - [0007916](https://bugs.oxid-esales.com/view.php?id=7916): Add database fallback for shop order resolution in `AjaxPaymentController::captureOrder()`. If `sess_challenge` is missing, the shop order is now resolved via the persisted `oscpaypal_order` relationship using the PayPal order ID. Additionally rejects cancelled (storno) orders to prevent tracking against invalidated shop orders.
+- [0007916](https://bugs.oxid-esales.com/view.php?id=7916): Fix PayPal capture executed before storno check in `AjaxPaymentController::captureOrder()`. The PayPal capture API call was made before validating whether the shop order had been cancelled, allowing funds to be captured for stornoed orders. Moved order resolution and storno check before the `capturePaymentForOrder()` call so that cancelled orders are rejected without contacting the PayPal API.
 - Fix duplicate order creation for stock-1 articles during PayPal checkout. After the AJAX `captureOrder()` flow completed, `PayPalOrderCompletedSubscriber` cleaned up the PayPal session (`PayPalSession::unsetPayPalSession()`). When the browser then redirected to the order confirmation page, `Order::finalizeOrder()` was called again. Because the PayPal session was already cleared, `isOrderExecutionInProgress()` returned false and the webhook-wait guard did not trigger — causing `parent::finalizeOrder()` to create a second shop order that failed stock validation. Added a guard in `Order::finalizeOrder()` that detects already-paid orders (via `isOrderPaid()` + `oxtransid`) and returns early without creating a duplicate.
 - [0007917](https://bugs.oxid-esales.com/view.php?id=7917): Fix tracking carrier country not restored on page reload. When a carrier from the "global" country group was saved, the country dropdown was reset to the order's shipping/billing country instead. Added `getCountryCodeByCarrierKey()` to `PayPalTrackingCarrierList` and `getEffectiveTrackingCountryCode()` to `OrderMain` to resolve the saved carrier's country and pre-select it in the dropdown.
 

metadata.php

@@ -69,7 +69,7 @@
         'en' => 'Use of the online payment service from PayPal. Documentation: <a href="https://docs.oxid-esales.com/modules/paypal-checkout/en/latest/" target="_blank">PayPal Checkout</a>'
     ],
     'thumbnail' => 'out/img/paypal.png',
-    'version' => '2.8.2-rc.3',
+    'version' => '2.8.2-rc.4',
     'author' => 'OXID eSales AG',
     'url' => 'https://www.oxid-esales.com',
     'email' => 'info@oxid-esales.com',

src/Controller/AjaxPaymentController.php

@@ -236,36 +236,9 @@ public function captureOrder(): void
             'paymentStatus' => 'error'
         ];
 
-        try {
-            //Verify 3D result if ACDC payment
-            if (!$scaValidator->verify3D($paymentId)) {
-                $this->outputJson([
-                    'status' => 'error',
-                    'message' => $language->translateString('OSC_PAYPAL_3DSECURITY_ERROR')
-                ]);
-            }
-
-            $capturePaymentForOrder = $orderService->capturePaymentForOrder(
-                '',
-                $payPalOrderId,
-                $request,
-                '',
-                Constants::PAYPAL_PARTNER_ATTRIBUTION_ID_PPCP
-            );
-            $capturePaymentForOrder->intent = OrderRequest::INTENT_CAPTURE;
-        } catch (ApiException $exception) {
-            $issue = $exception->getErrorIssue();
-            $translatedErrorMessage = $language->translateString(
-                'OSC_PAYPAL_' . $issue,
-                (int)$language->getBaseLanguage(),
-                false
-            );
-
-            $this->outputJson([
-                'status' => 'error',
-                'message' => $translatedErrorMessage
-            ]);
-        }
+        // Resolve the shop order BEFORE calling the PayPal capture API.
+        // This prevents capturing funds for an order that was cancelled
+        // between createOrder and onApprove (race condition).
         $shopOrderId = $this->orderRepository->fetchCurrentShopOrderId();
         $order = $this->orderRepository->fetchCurrentShopOrder();
 
@@ -286,10 +259,9 @@ public function captureOrder(): void
             }
         }
 
-        $basket = Registry::getSession()->getBasket();
-        $user = $basket->getUser();
-
         // Validate that a valid, non-cancelled shop order could be resolved.
+        // This check MUST happen before the PayPal capture API call to prevent
+        // capturing funds for a cancelled order.
         if (empty($shopOrderId) || !$order->isLoaded() || $order->getFieldData('oxstorno') == 1) {
             $this->logger->log(
                 'error',
@@ -303,6 +275,40 @@ public function captureOrder(): void
             return;
         }
 
+        try {
+            //Verify 3D result if ACDC payment
+            if (!$scaValidator->verify3D($paymentId)) {
+                $this->outputJson([
+                    'status' => 'error',
+                    'message' => $language->translateString('OSC_PAYPAL_3DSECURITY_ERROR')
+                ]);
+            }
+
+            $capturePaymentForOrder = $orderService->capturePaymentForOrder(
+                '',
+                $payPalOrderId,
+                $request,
+                '',
+                Constants::PAYPAL_PARTNER_ATTRIBUTION_ID_PPCP
+            );
+            $capturePaymentForOrder->intent = OrderRequest::INTENT_CAPTURE;
+        } catch (ApiException $exception) {
+            $issue = $exception->getErrorIssue();
+            $translatedErrorMessage = $language->translateString(
+                'OSC_PAYPAL_' . $issue,
+                (int)$language->getBaseLanguage(),
+                false
+            );
+
+            $this->outputJson([
+                'status' => 'error',
+                'message' => $translatedErrorMessage
+            ]);
+        }
+
+        $basket = Registry::getSession()->getBasket();
+        $user = $basket->getUser();
+
         $payPalCustomerId = null;
         if ($vaultPayment) {
             if (isset($capturePaymentForOrder->payment_source->paypal->attributes->vault->customer["id"])) {