answear · lukasz-falda · May 27, 2026 · May 26, 2026
diff --git a/src/Action/CaptureAction.php b/src/Action/CaptureAction.php
@@ -38,12 +38,14 @@ class CaptureAction implements ActionInterface, GenericTokenFactoryAwareInterfac
 
     public function __construct(
         private OrderRequestService $orderRequestService,
-        private PayMethodsRequestService $payMethodsRequestService
+        private PayMethodsRequestService $payMethodsRequestService,
     ) {
     }
 
     /**
      * @param Capture $request
+     *
+     * @throws HttpRedirect|IframeHttpRedirect|PayUException
      */
     public function execute($request): void
     {
@@ -66,21 +68,21 @@ public function execute($request): void
 
         $orderCreatedResponse = $this->orderRequestService->create($orderRequest, $configKey);
         $model->setPayUResponse($orderCreatedResponse);
-        if (StatusCode::Success === $orderCreatedResponse->status->statusCode) {
-            $this->updatePayment($model, $orderCreatedResponse, $firstModel, $token);
-            $request->setModel($model);
 
-            throw new HttpRedirect($orderCreatedResponse->redirectUri ?? $token->getAfterUrl());
-        }
+        $statusCode = $orderCreatedResponse->status->statusCode;
+        $httpRedirect = match (true) {
+            StatusCode::Success === $statusCode => new HttpRedirect($orderCreatedResponse->redirectUri ?? $token->getAfterUrl()),
+            (StatusCode::WarningContinue3ds === $statusCode && $orderCreatedResponse->iframeAllowed) => new IframeHttpRedirect($orderCreatedResponse->redirectUri),
+            StatusCode::WarningContinue3ds === $statusCode,
+            StatusCode::WarningContinueCVV === $statusCode => new HttpRedirect($orderCreatedResponse->redirectUri),
+            default => null,
+        };
 
-        if (StatusCode::WarningContinue3ds === $orderCreatedResponse->status->statusCode) {
+        if (null !== $httpRedirect) {
             $this->updatePayment($model, $orderCreatedResponse, $firstModel, $token);
             $request->setModel($model);
 
-            throw match($orderCreatedResponse->iframeAllowed) {
-                true => new IframeHttpRedirect($orderCreatedResponse->redirectUri),
-                default => new HttpRedirect($orderCreatedResponse->redirectUri),
-            };
+            throw $httpRedirect;
         }
 
         throw PayUException::withResponse(
@@ -103,7 +105,7 @@ private function updatePayment(
         Model $model,
         OrderCreatedResponse $orderCreatedResponse,
         PaymentInterface $payment,
-        TokenInterface $token
+        TokenInterface $token,
     ): void {
         $model->setOrderId($orderCreatedResponse->orderId);
         if ($payment instanceof Payment) {

diff --git a/tests/Integration/Action/CaptureActionTest.php b/tests/Integration/Action/CaptureActionTest.php
@@ -5,6 +5,7 @@
 namespace Answear\Payum\PayU\Tests\Integration\Action;
 
 use Answear\Payum\PayU\Action\CaptureAction;
+use Answear\Payum\PayU\Core\Reply\IframeHttpRedirect;
 use Answear\Payum\PayU\Enum\ChallengeRequestedType;
 use Answear\Payum\PayU\Enum\ModelFields;
 use Answear\Payum\PayU\Enum\PayMethodType;
@@ -28,6 +29,7 @@
 use Payum\Core\Request\GetHumanStatus;
 use Payum\Core\Security\GenericTokenFactory;
 use Payum\Core\Security\TokenInterface;
+use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Test;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
@@ -201,6 +203,83 @@ public function captureWithFailResponseTest(): void
         self::assertTrue($withException);
     }
 
+    #[Test]
+    #[DataProvider('provideWarningContinue3dsData')]
+    public function captureWithWarningContinue3dsTest(bool $iframeAllowed, string $expectedRedirectClass): void
+    {
+        $redirectUri = 'http://redirect-3ds.url';
+
+        $captureAction = $this->getCaptureAction(
+            new OrderCreatedResponse(
+                new OrderCreatedStatus(
+                    StatusCode::WarningContinue3ds,
+                    'Wymagana autoryzacja 3DS.'
+                ),
+                $redirectUri,
+                'WZHF5FFDRJ140731GUEST000P01',
+                'vjis3d90tsozmuj0rjgs3i',
+                null,
+                $iframeAllowed
+            )
+        );
+
+        $captureToken = new Token();
+        $capture = new Capture($captureToken);
+        $capture->setModel(new \Answear\Payum\PayU\Tests\Payment());
+        $capture->setModel(FileTestUtil::decodeJsonFromFile(__DIR__ . '/data/details.json'));
+
+        $redirected = false;
+        try {
+            $captureAction->execute($capture);
+        } catch (HttpRedirect $httpRedirect) {
+            $redirected = true;
+            self::assertInstanceOf($expectedRedirectClass, $httpRedirect);
+            self::assertSame($redirectUri, $httpRedirect->getUrl());
+        }
+
+        self::assertTrue($redirected);
+    }
+
+    public static function provideWarningContinue3dsData(): iterable
+    {
+        yield 'iframe allowed' => [true, IframeHttpRedirect::class];
+        yield 'iframe not allowed' => [false, HttpRedirect::class];
+    }
+
+    #[Test]
+    public function captureWithWarningContinueCVVTest(): void
+    {
+        $redirectUri = 'http://redirect-cvv.url';
+
+        $captureAction = $this->getCaptureAction(
+            new OrderCreatedResponse(
+                new OrderCreatedStatus(
+                    StatusCode::WarningContinueCVV,
+                    'Wymagana weryfikacja CVV.'
+                ),
+                $redirectUri,
+                'WZHF5FFDRJ140731GUEST000P01',
+                'vjis3d90tsozmuj0rjgs3i'
+            )
+        );
+
+        $captureToken = new Token();
+        $capture = new Capture($captureToken);
+        $capture->setModel(new \Answear\Payum\PayU\Tests\Payment());
+        $capture->setModel(FileTestUtil::decodeJsonFromFile(__DIR__ . '/data/details.json'));
+
+        $redirected = false;
+        try {
+            $captureAction->execute($capture);
+        } catch (HttpRedirect $httpRedirect) {
+            $redirected = true;
+            self::assertNotInstanceOf(IframeHttpRedirect::class, $httpRedirect);
+            self::assertSame($redirectUri, $httpRedirect->getUrl());
+        }
+
+        self::assertTrue($redirected);
+    }
+
     #[Test]
     public function captureWithOrderIdFailsTest(): void
     {
@@ -276,7 +355,7 @@ static function ($request) use ($details) {
                                     ->willReturn($details ?? FileTestUtil::decodeJsonFromFile(__DIR__ . '/data/details.json'));
                             }
                             if ($payment instanceof PaymentInterface) {
-                                $payment->setDetails($details ?? FileTestUtil::decodeJsonFromFile(__DIR__ . '/data/details.json'));
+                                $payment->setDetails(new \ArrayObject($details ?? FileTestUtil::decodeJsonFromFile(__DIR__ . '/data/details.json')));
                             }
                         }