use a fresh redirect URL so the JS does not rely on

the potentially stale shopThankYouPageUrl from the initial page render

Author: mariolorenz

CHANGELOG.md

@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - [0007916](https://bugs.oxid-esales.com/view.php?id=7916): Fix root cause of `sess_challenge` being cleared during active capture. `Payment::removeTemporaryOrder()` unconditionally deleted `sess_challenge` even when the cancel was blocked because PayPal had already approved/captured the payment. Now `sess_challenge` is only deleted when the cancel actually succeeds, keeping the session intact for the concurrent capture flow.
 - [0007916](https://bugs.oxid-esales.com/view.php?id=7916): Add database fallback for shop order resolution in `AjaxPaymentController::captureOrder()`. If `sess_challenge` is missing, the shop order is now resolved via the persisted `oscpaypal_order` relationship using the PayPal order ID. Additionally rejects cancelled (storno) orders to prevent tracking against invalidated shop orders.
 - [0007916](https://bugs.oxid-esales.com/view.php?id=7916): Fix PayPal capture executed before storno check in `AjaxPaymentController::captureOrder()`. The PayPal capture API call was made before validating whether the shop order had been cancelled, allowing funds to be captured for stornoed orders. Moved order resolution and storno check before the `capturePaymentForOrder()` call so that cancelled orders are rejected without contacting the PayPal API.
+- [0007916](https://bugs.oxid-esales.com/view.php?id=7916): Fix redirect to start page instead of thank-you page when the customer retries PayPal payment without reloading the checkout page. The `shopThankYouPageUrl` in the JS config was baked in at initial page render and became stale on retry. `captureOrder()` and `authorizePayment()` now return a fresh `redirectUrl` in the success response. `thankYouPageRedirect()` accepts an optional URL parameter and prefers the server-provided URL over the cached config value. Also consolidated all direct `window.location` assignments in the ACDC controller to use `thankYouPageRedirect()` so that `removeBeforeUnloadListener()` is called consistently before every redirect.
 - Fix duplicate order creation for stock-1 articles during PayPal checkout. After the AJAX `captureOrder()` flow completed, `PayPalOrderCompletedSubscriber` cleaned up the PayPal session (`PayPalSession::unsetPayPalSession()`). When the browser then redirected to the order confirmation page, `Order::finalizeOrder()` was called again. Because the PayPal session was already cleared, `isOrderExecutionInProgress()` returned false and the webhook-wait guard did not trigger — causing `parent::finalizeOrder()` to create a second shop order that failed stock validation. Added a guard in `Order::finalizeOrder()` that detects already-paid orders (via `isOrderPaid()` + `oxtransid`) and returns early without creating a duplicate.
 - [0007917](https://bugs.oxid-esales.com/view.php?id=7917): Fix tracking carrier country not restored on page reload. When a carrier from the "global" country group was saved, the country dropdown was reset to the order's shipping/billing country instead. Added `getCountryCodeByCarrierKey()` to `PayPalTrackingCarrierList` and `getEffectiveTrackingCountryCode()` to `OrderMain` to resolve the saved carrier's country and pre-select it in the dropdown.
 

assets/src/js/paypal-frontend.min.js

@@ -68,7 +68,7 @@
         'en' => 'Use of the online payment service from PayPal. Documentation: <a href="https://docs.oxid-esales.com/modules/paypal-checkout/en/latest/" target="_blank">PayPal Checkout</a>'
     ],
     'thumbnail' => 'img/paypal.png',
-    'version' => '3.7.2-rc.4',
+    'version' => '3.7.2-rc.5',
     'author' => 'OXID eSales AG',
     'url' => 'https://www.oxid-esales.com',
     'email' => 'info@oxid-esales.com',

metadata.php

@@ -54,7 +54,7 @@
                     return false;
                 }
 
-                window.location = PayPalPayment.getConfigValue('shopThankYouPageUrl');
+                PayPalPayment.thankYouPageRedirect();
             }
 
             if (result.payPalOrder.status === 'PAYER_ACTION_REQUIRED' || result.payPalOrder.status === 'APPROVED' ){
@@ -92,7 +92,7 @@
         };
 
         this.afterCaptureOrder = function (details) {
-            window.location = PayPalPayment.getConfigValue('shopThankYouPageUrl');
+            PayPalPayment.thankYouPageRedirect();
         };
 
         this.isCardFieldInvalid = function (name)

package-lock.json

@@ -139,9 +139,9 @@
             });
         };
 
-        this.thankYouPageRedirect = async function () {
+        this.thankYouPageRedirect = async function (redirectUrl) {
             PayPalPayment.removeBeforeUnloadListener();
-            window.location = PayPalPayment.getConfigValue('shopThankYouPageUrl');
+            window.location = redirectUrl || PayPalPayment.getConfigValue('shopThankYouPageUrl');
         };
 
         this.handlePaymentAuthorization = async function (details) {
@@ -160,7 +160,7 @@
             const result = await PayPalPayment.authorizeOrder(paypalOrderDetails);
 
             if (result.paymentStatus === 'success' ){
-                window.location = PayPalPayment.getConfigValue('shopThankYouPageUrl');
+                PayPalPayment.thankYouPageRedirect(result.redirectUrl);
                 return;
             }
 

resources/build/js/paypal-frontend-acdc-payment-controller.js

@@ -107,7 +107,7 @@
             });
 
             if (result.paymentStatus === 'success') {
-                PayPalPayment.thankYouPageRedirect();
+                PayPalPayment.thankYouPageRedirect(result.redirectUrl);
             }
         };
 

resources/build/js/paypal-frontend-payment-controller-base.js

@@ -348,6 +348,15 @@ public function captureOrder(): void
             if ($capturePaymentForOrder) {
                 $response['paymentStatus'] = $capturePaymentForOrder->getCapturePaymentStatus() ? 'success' : 'error';
             }
+
+            // Provide a fresh redirect URL so the JS does not rely on
+            // the potentially stale shopThankYouPageUrl from the initial
+            // page render (important when the user retries without F5).
+            $config = Registry::getConfig();
+            $session = Registry::getSession();
+            $stoken = $session->getSessionChallengeToken();
+            $response['redirectUrl'] = $config->getSslShopUrl()
+                . 'index.php?cl=thankyou&stoken=' . $stoken;
         }
 
         if ($response['paymentStatus'] === 'error') {
@@ -775,9 +784,14 @@ public function authorizePayment(): void
                 $completeOrderResult = $this->completeOrder(false);
 
                 if ($completeOrderResult["status"] === 'success') {
+                    $config = Registry::getConfig();
+                    $session = Registry::getSession();
+                    $stoken = $session->getSessionChallengeToken();
                     $this->outputJson([
                         'status' => 'success',
-                        'paymentStatus' => $authorizePaymentResult["paymentStatus"]
+                        'paymentStatus' => $authorizePaymentResult["paymentStatus"],
+                        'redirectUrl' => $config->getSslShopUrl()
+                            . 'index.php?cl=thankyou&stoken=' . $stoken,
                     ]);
                 }
             }