[0007916]: Two further adjustments to apply the bug scenario.

Author: mariolorenz

CHANGELOG.md

@@ -13,6 +13,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Fix NoArticleException on product detail page when an out-of-stock variant (configured as "offline when sold out") is still in the basket. The installment banner template called `Basket::getArtStockInBasket()` which internally uses `getArticle(true)` and throws for offline articles. Simplified the banner amount calculation to always add the current product price to the basket total, removing the unnecessary basket iteration. Removed now unused `hasProductVariantInBasket()` method.
 - Fix module activation error after upgrade from <= v2.6.1: the old `Service\Logger.php` remained in `source/modules/` because composer does not remove deleted files on copy-based installs. Symfony's resource scanner tried to register the orphaned class and failed. Added an `exclude` for `src/Service/Logger.php` in `services.yaml`.
 - [0007916](https://bugs.oxid-esales.com/view.php?id=7916): Fix orphaned oscpaypal_order rows with OSCPAYPALSTATUS=COMPLETED and empty OXORDERID. When `sess_challenge` was cleared before `captureOrder()` completed (e.g. by a concurrent cancel request), the capture flow proceeded and created tracking records that could not be matched by webhook processing. Added defense-in-depth validation at four levels: `AjaxPaymentController::captureOrder()` now aborts if the shop order cannot be resolved, `PayPalOrderCompletedSubscriber` rejects events with empty shopOrderId, `Payment::trackPayPalOrder()` throws on empty shopOrderId, and `OrderRepository::paypalOrderByOrderIdAndPayPalId()` refuses to create new records with empty shopOrderId.
+- [0007916](https://bugs.oxid-esales.com/view.php?id=7916): Fix root cause of `sess_challenge` being cleared during active capture. `Payment::removeTemporaryOrder()` unconditionally deleted `sess_challenge` even when the cancel was blocked because PayPal had already approved/captured the payment. Now `sess_challenge` is only deleted when the cancel actually succeeds, keeping the session intact for the concurrent capture flow.
+- [0007916](https://bugs.oxid-esales.com/view.php?id=7916): Add database fallback for shop order resolution in `AjaxPaymentController::captureOrder()`. If `sess_challenge` is missing, the shop order is now resolved via the persisted `oscpaypal_order` relationship using the PayPal order ID. Additionally rejects cancelled (storno) orders to prevent tracking against invalidated shop orders.
 - [0007917](https://bugs.oxid-esales.com/view.php?id=7917): Fix tracking carrier country not restored on page reload. When a carrier from the "global" country group was saved, the country dropdown was reset to the order's shipping/billing country instead. Added `getCountryCodeByCarrierKey()` to `PayPalTrackingCarrierList` and `getEffectiveTrackingCountryCode()` to `OrderMain` to resolve the saved carrier's country and pre-select it in the dropdown.
 
 ## [2.8.1] - 2026-03-19

src/Controller/AjaxPaymentController.php

@@ -38,6 +38,7 @@
 use OxidSolutionCatalysts\PayPalApi\Model\Orders\OrderCaptureRequest;
 use OxidSolutionCatalysts\PayPalApi\Model\Orders\OrderRequest;
 use Psr\Log\LoggerInterface;
+use OxidSolutionCatalysts\PayPal\Exception\NotFound;
 use OxidSolutionCatalysts\PayPal\Event\PayPalOrderCompletedEvent;
 
 class AjaxPaymentController extends BaseController
@@ -267,16 +268,32 @@ public function captureOrder(): void
         }
         $shopOrderId = $this->orderRepository->fetchCurrentShopOrderId();
         $order = $this->orderRepository->fetchCurrentShopOrder();
+
+        // If session-based resolution failed (e.g. sess_challenge was cleared
+        // by a concurrent cancel request), fall back to the persisted
+        // relationship in oscpaypal_order via the PayPal order ID.
+        if (empty($shopOrderId) || !$order->isLoaded()) {
+            try {
+                $order = $this->orderRepository->getShopOrderByPayPalOrderId($payPalOrderId);
+                $shopOrderId = (string)$order->getId();
+                $this->logger->log(
+                    'info',
+                    'PayPal captureOrder: resolved shop order from DB fallback (sess_challenge was missing)',
+                    ['payPalOrderId' => $payPalOrderId, 'shopOrderId' => $shopOrderId]
+                );
+            } catch (NotFound $e) {
+                // Neither session nor DB could resolve the shop order
+            }
+        }
+
         $basket = Registry::getSession()->getBasket();
         $user = $basket->getUser();
 
-        // Validate that a valid shop order could be resolved from the session.
-        // If sess_challenge was cleared (e.g. by a concurrent cancel request),
-        // we must not proceed with tracking an orphaned PayPal capture.
-        if (empty($shopOrderId) || !$order->isLoaded()) {
+        // Validate that a valid, non-cancelled shop order could be resolved.
+        if (empty($shopOrderId) || !$order->isLoaded() || $order->getFieldData('oxstorno') == 1) {
             $this->logger->log(
                 'error',
-                'PayPal captureOrder: cannot resolve shop order from session (sess_challenge missing or order not loaded)',
+                'PayPal captureOrder: cannot resolve valid shop order (sess_challenge missing, DB fallback failed, or order cancelled)',
                 ['payPalOrderId' => $payPalOrderId, 'shopOrderId' => $shopOrderId]
             );
             $this->outputJson([

src/Service/Payment.php

@@ -471,12 +471,12 @@ public function removeTemporaryOrder(?string $orderId = ''): bool
             // because PayPal already approved/captured the payment.
             $cancelBlocked = !$deleted && $orderModel->getFieldData('oxstorno') != 1;
         }
-        $this->eshopSession->deleteVariable('sess_challenge');
-
-        // When cancel was blocked (PayPal already approved/captured), clean up
-        // the PayPal session so the customer can start a fresh order without
-        // being stuck on the old PayPal order ID.
         if ($cancelBlocked) {
+            // Cancel was blocked because PayPal already approved/captured the
+            // payment. Keep sess_challenge intact so the capture flow can still
+            // resolve the shop order from the session.
+            // Clean up the PayPal session so the customer can start a fresh
+            // order without being stuck on the old PayPal order ID.
             PayPalSession::unsetPayPalSession(false);
             // Clear the basket's reference to the old order so that a subsequent
             // PayPal order creation (e.g. via ProxyController) does not map
@@ -485,6 +485,10 @@ public function removeTemporaryOrder(?string $orderId = ''): bool
             if ($basket) {
                 $basket->setOrderId(null);
             }
+        } else {
+            // Only delete sess_challenge when the cancel was not blocked,
+            // i.e. the order was actually cancelled or never existed.
+            $this->eshopSession->deleteVariable('sess_challenge');
         }
 
         return $cancelBlocked;