From dd931f8261ea94595ddec83e2f53cac354e1ba03 Mon Sep 17 00:00:00 2001 From: "gpt-engineer-app[bot]" <159125892+gpt-engineer-app[bot]@users.noreply.github.com> Date: Fri, 19 Dec 2025 08:54:48 +0000 Subject: [PATCH] Changes --- src/pages/Checkout.tsx | 8 +- supabase/functions/pakasir-webhook/index.ts | 217 ++++++++++++++++++++ 2 files changed, 223 insertions(+), 2 deletions(-) create mode 100644 supabase/functions/pakasir-webhook/index.ts diff --git a/src/pages/Checkout.tsx b/src/pages/Checkout.tsx index 41d850a..edffe0b 100644 --- a/src/pages/Checkout.tsx +++ b/src/pages/Checkout.tsx @@ -22,8 +22,12 @@ const getPakasirApiKey = (): string => { return import.meta.env.VITE_PAKASIR_API_KEY || SANDBOX_API_KEY; }; -// TODO: Replace with actual Supabase Edge Function URL after creation -const PAKASIR_CALLBACK_URL = "https://lovable.backoffice.biz.id/functions/v1/pakasir-webhook"; +// Edge function base URL - configurable via env with sensible default +const getEdgeFunctionBaseUrl = (): string => { + return import.meta.env.VITE_SUPABASE_EDGE_URL || "https://lovable.backoffice.biz.id/functions/v1"; +}; + +const PAKASIR_CALLBACK_URL = `${getEdgeFunctionBaseUrl()}/pakasir-webhook`; type PaymentMethod = "qris" | "paypal"; type CheckoutStep = "cart" | "payment" | "waiting"; diff --git a/supabase/functions/pakasir-webhook/index.ts b/supabase/functions/pakasir-webhook/index.ts new file mode 100644 index 0000000..eedc554 --- /dev/null +++ b/supabase/functions/pakasir-webhook/index.ts 
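Review bot: `getEdgeFunctionBaseUrl` reads a `VITE_` variable, which Vite inlines into the browser bundle at build time, so the new `PAKASIR_CALLBACK_URL` is a public value chosen on the client; the comment "configurable via env" should say so, e.g. `// Build-time, public value: baked into the bundle and sent to the provider by the browser; the webhook must authenticate callbacks itself`. A trailing slash in `VITE_SUPABASE_EDGE_URL` would produce `…/v1//pakasir-webhook`; normalising the value with `.replace(/\/+$/, "")` before the template concatenation avoids that. The fallback literal points at what looks like the production project, which is worth stating in the comment so local and staging builds know to override it.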
@@ -0,0 +1,217 @@
+import { serve } from "https://deno.land/std@0.190.0/http/server.ts";
+import { createClient } from "https://esm.sh/@supabase/supabase-js@2.49.1";
+
+const corsHeaders = {
+ "Access-Control-Allow-Origin": "*",
+ "Access-Control-Allow-Headers": "authorization, x-client-info, apikey, content-type, x-pakasir-signature, x-callback-token",
+};
+
+// TODO: Set these in your Supabase Edge Function secrets
+const PAKASIR_WEBHOOK_SECRET = Deno.env.get("PAKASIR_WEBHOOK_SECRET") || "";
+const SUPABASE_URL = Deno.env.get("SUPABASE_URL")!;
+const SUPABASE_SERVICE_ROLE_KEY = Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!;
+
+// Email template placeholder - will be replaced with real provider later
+const ORDER_PAID_EMAIL_TEMPLATE = Deno.env.get("ORDER_PAID_EMAIL_TEMPLATE") || JSON.stringify({
+ subject: "Pembayaran Berhasil - {{order_id}}",
+ body: "Terima kasih! Pembayaran untuk pesanan {{order_id}} sebesar Rp {{amount}} telah berhasil. Anda sekarang memiliki akses ke: {{products}}."
+});
+
+interface PakasirWebhookPayload {
+ amount: number;
+ order_id: string;
+ project: string;
+ status: string;
+ payment_method?: string;
+ completed_at?: string;
+}
+
+// Placeholder email function - logs for now, will be replaced with real provider
+async function sendOrderPaidEmail(
+ userEmail: string,
+ order: { id: string; total_amount: number },
+ products: string[]
+): Promise {
+ try {
+ const template = JSON.parse(ORDER_PAID_EMAIL_TEMPLATE);
+
+ const subject = template.subject
+ .replace("{{order_id}}", order.id.substring(0, 8))
+ .replace("{{amount}}", order.total_amount.toLocaleString("id-ID"));
+
+ const body = template.body
+ .replace("{{order_id}}", order.id.substring(0, 8))
+ .replace("{{amount}}", order.total_amount.toLocaleString("id-ID"))
+ .replace("{{products}}", products.join(", "));
+
+ console.log("[EMAIL] Would send to:", userEmail);
+ console.log("[EMAIL] Subject:", subject);
+ console.log("[EMAIL] Body:", body);
+
+ // TODO: Replace with actual email provider call (e.g., Resend, SendGrid)
+ // await emailProvider.send({ to: userEmail, subject, body });
+ } catch (error) {
+ console.error("[EMAIL] Error preparing email:", error);
+ }
+}
+
+serve(async (req) => {
+ // Handle CORS preflight
+ if (req.method === "OPTIONS") {
+ return new Response(null, { headers: corsHeaders });
+ }
+
+ try {
+ // Verify webhook signature if configured
+ const signature = req.headers.get("x-pakasir-signature") || req.headers.get("x-callback-token") || "";
+
+ if (PAKASIR_WEBHOOK_SECRET && signature !== PAKASIR_WEBHOOK_SECRET) {
+ console.error("[WEBHOOK] Invalid signature");
+ return new Response(JSON.stringify({ error: "Invalid signature" }), {
+ status: 401,
+ headers: { ...corsHeaders, "Content-Type": "application/json" },
+ });
+ }
+
+ const payload: PakasirWebhookPayload = await req.json();
+ console.log("[WEBHOOK] Received payload:", JSON.stringify(payload));
+
+ // Validate required fields
+ if (!payload.order_id || !payload.status) {
+ console.error("[WEBHOOK] Missing required fields");
+ return new Response(JSON.stringify({ error: "Missing required fields" }), {
+ status: 400,
+ headers: { ...corsHeaders, "Content-Type": "application/json" },
+ });
+ }
+
+ // Only process completed payments
+ if (payload.status !== "completed") {
+ console.log("[WEBHOOK] Ignoring non-completed status:", payload.status);
+ return new Response(JSON.stringify({ message: "Status not completed, ignored" }), {
+ status: 200,
+ headers: { ...corsHeaders, "Content-Type": "application/json" },
+ });
+ }
+
+ // Create Supabase client with service role for admin access
+ const supabase = createClient(SUPABASE_URL, SUPABASE_SERVICE_ROLE_KEY);
+
+ // Find the order by payment_reference or id
+ const { data: order, error: orderError } = await supabase
+ .from("orders")
+ .select("id, user_id, total_amount, payment_status")
+ .or(`payment_reference.eq.${payload.order_id},id.eq.${payload.order_id}`)
+ .single();
+
+ if (orderError || !order) {
+ console.error("[WEBHOOK] Order not found:", payload.order_id, orderError);
+ return new Response(JSON.stringify({ error: "Order not found" }), {
+ status: 404,
+ headers: { ...corsHeaders, "Content-Type": "application/json" },
+ });
+ }
+
+ // Skip if already paid
+ if (order.payment_status === "paid") {
+ console.log("[WEBHOOK] Order already paid:", order.id);
+ return new Response(JSON.stringify({ message: "Order already paid" }), {
+ status: 200,
+ headers: { ...corsHeaders, "Content-Type": "application/json" },
+ });
+ }
+
+ // Update order status
+ const { error: updateError } = await supabase
+ .from("orders")
+ .update({
+ payment_status: "paid",
+ status: "paid",
+ payment_provider: "pakasir",
+ payment_method: payload.payment_method || "unknown",
+ updated_at: new Date().toISOString(),
+ })
+ .eq("id", order.id);
+
+ if (updateError) {
+ console.error("[WEBHOOK] Failed to update order:", updateError);
+ return new Response(JSON.stringify({ error: "Failed to update order" }), {
+ status: 500,
+ headers: { ...corsHeaders, "Content-Type": "application/json" },
+ });
+ }
+
+ console.log("[WEBHOOK] Order updated to paid:", order.id);
+
+ // Get order items to grant access
+ const { data: orderItems, error: itemsError } = await supabase
+ .from("order_items")
+ .select("product_id, product:products(title)")
+ .eq("order_id", order.id);
+
+ if (itemsError) {
+ console.error("[WEBHOOK] Failed to fetch order items:", itemsError);
+ }
+
+ const productTitles: string[] = [];
+
+ // Grant user_access for each product
+ if (orderItems && orderItems.length > 0) {
+ for (const item of orderItems) {
+ const productId = item.product_id;
+ // Supabase joins can return array or single object depending on relationship
+ const productData = Array.isArray(item.product) ? item.product[0] : item.product;
+
+ // Check if access already exists
+ const { data: existingAccess } = await supabase
+ .from("user_access")
+ .select("id")
+ .eq("user_id", order.user_id)
+ .eq("product_id", productId)
+ .maybeSingle();
+
+ if (!existingAccess) {
+ const { error: accessError } = await supabase
+ .from("user_access")
+ .insert({
+ user_id: order.user_id,
+ product_id: productId,
+ });
+
+ if (accessError) {
+ console.error("[WEBHOOK] Failed to grant access for product:", productId, accessError);
+ } else {
+ console.log("[WEBHOOK] Granted access for product:", productId);
+ }
+ }
+
+ if (productData?.title) {
+ productTitles.push(productData.title);
+ }
+ }
+ }
+
+ // Get user email for notification
+ const { data: profile } = await supabase
+ .from("profiles")
+ .select("email")
+ .eq("id", order.user_id)
+ .single();
+
+ // Send email notification (placeholder)
+ if (profile?.email) {
+ await sendOrderPaidEmail(profile.email, order, productTitles);
+ }
+
+ return new Response(JSON.stringify({ success: true, order_id: order.id }), {
+ status: 200,
+ headers: { ...corsHeaders, "Content-Type": "application/json" },
+ });
+ } catch (error) {
+ console.error("[WEBHOOK] Unexpected error:", error);
+ return new Response(JSON.stringify({ error: "Internal server error" }), {
+ status: 500,
+ headers: { ...corsHeaders, "Content-Type": "application/json" },
+ });
+ }
+});
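Review bot: The authentication gate inside `serve` is skipped entirely when `PAKASIR_WEBHOOK_SECRET` is empty (`if (PAKASIR_WEBHOOK_SECRET && signature !== PAKASIR_WEBHOOK_SECRET)`), and the TODO above the env lookups says the secret is not configured yet, so in that state any request reaching this URL can move an order to `paid` and create `user_access` rows; the handler should fail closed with a 503 when the secret is missing, and compare the header with a constant-time routine rather than `!==`. Nothing compares `payload.amount` with `order.total_amount` (nor `payload.project` with the expected project), so a completed callback for a smaller amount still marks the whole order paid; rejecting mismatches with a 400 closes that gap. The lookup `.or(\`payment_reference.eq.${payload.order_id},id.eq.${payload.order_id}\`)` interpolates provider-supplied text into a PostgREST filter string in which `,` and `.` are grammar, so it should be replaced by two `.eq()` lookups that keep the value out of the filter syntax. The check-then-update on `payment_status` is not atomic, so a concurrent duplicate callback repeats the update; `.neq("payment_status", "paid")` on the update makes it idempotent. The rewritten parts are sketched below.
```typescript
// … unchanged: imports, corsHeaders, env lookups, email template, sendOrderPaidEmail …

/** Constant-time byte comparison so a mismatch does not leak how much of the secret matched. */
function constantTimeEqual(a: string, b: string): boolean {
  const enc = new TextEncoder();
  const ab = enc.encode(a);
  const bb = enc.encode(b);
  if (ab.length !== bb.length) return false;
  let diff = 0;
  for (let i = 0; i < ab.length; i++) diff |= ab[i] ^ bb[i];
  return diff === 0;
}

/** JSON response with the shared CORS headers. */
const jsonResponse = (body: unknown, status: number): Response =>
  new Response(JSON.stringify(body), {
    status,
    headers: { ...corsHeaders, "Content-Type": "application/json" },
  });

serve(async (req) => {
  // … unchanged: OPTIONS preflight …
  try {
    // Fail closed: without a configured secret no callback can be authenticated.
    if (!PAKASIR_WEBHOOK_SECRET) {
      console.error("[WEBHOOK] PAKASIR_WEBHOOK_SECRET is not configured");
      return jsonResponse({ error: "Webhook not configured" }, 503);
    }
    const signature = req.headers.get("x-pakasir-signature") || req.headers.get("x-callback-token") || "";
    if (!constantTimeEqual(signature, PAKASIR_WEBHOOK_SECRET)) {
      console.error("[WEBHOOK] Invalid signature");
      return jsonResponse({ error: "Invalid signature" }, 401);
    }

    // … unchanged: payload parsing, required-field and status checks, client creation …

    // Look the order up one column at a time so the provider-supplied id
    // is never spliced into a PostgREST filter string.
    const orderColumns = "id, user_id, total_amount, payment_status";
    let { data: order } = await supabase
      .from("orders")
      .select(orderColumns)
      .eq("payment_reference", payload.order_id)
      .maybeSingle();
    if (!order) {
      ({ data: order } = await supabase
        .from("orders")
        .select(orderColumns)
        .eq("id", payload.order_id)
        .maybeSingle());
    }
    if (!order) {
      console.error("[WEBHOOK] Order not found:", payload.order_id);
      return jsonResponse({ error: "Order not found" }, 404);
    }

    // Only a callback for the full order amount may settle the order.
    if (typeof payload.amount !== "number" || payload.amount !== Number(order.total_amount)) {
      console.error("[WEBHOOK] Amount mismatch:", payload.amount, order.total_amount);
      return jsonResponse({ error: "Amount mismatch" }, 400);
    }

    // … unchanged: already-paid short-circuit …

    // Conditional update: a concurrent duplicate callback finds no row to change.
    const { error: updateError } = await supabase
      .from("orders")
      .update({ /* … unchanged fields … */ })
      .eq("id", order.id)
      .neq("payment_status", "paid");

    // … unchanged: access grants, email notification, responses …
```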