race condition fixed, payment inside

2025-12-21 09:56:59 +01:00
parent 6741f5ed72
commit 67646c75a4
6 changed files with 714 additions and 30 deletions
--- a/app/api/payments/cancel-pending/route.ts
+++ b/app/api/payments/cancel-pending/route.ts
@@ -0,0 +1,81 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { cookies } from 'next/headers'
+import pool from '@/lib/db'
+
+// DELETE /api/payments/cancel-pending - Cancel a pending order (frees up inventory)
+export async function DELETE(request: NextRequest) {
+  try {
+    // Get buyer_id from session cookie
+    const cookieStore = await cookies()
+    const buyerIdCookie = cookieStore.get('buyer_id')?.value
+
+    if (!buyerIdCookie) {
+      return NextResponse.json(
+        { error: 'Authentication required' },
+        { status: 401 }
+      )
+    }
+
+    const buyer_id = parseInt(buyerIdCookie, 10)
+
+    const body = await request.json()
+    const { payment_id } = body
+
+    // Validate required fields
+    if (!payment_id) {
+      return NextResponse.json(
+        { error: 'Missing required field: payment_id' },
+        { status: 400 }
+      )
+    }
+
+    // Find the pending order
+    const [pendingRows] = await pool.execute(
+      'SELECT * FROM pending_orders WHERE payment_id = ? AND buyer_id = ?',
+      [payment_id, buyer_id]
+    )
+
+    const pendingOrders = pendingRows as any[]
+    if (pendingOrders.length === 0) {
+      return NextResponse.json(
+        { error: 'Pending order not found or already cancelled' },
+        { status: 404 }
+      )
+    }
+
+    const pendingOrder = pendingOrders[0]
+
+    // Check if payment has already been confirmed (sale exists)
+    const [salesRows] = await pool.execute(
+      'SELECT * FROM sales WHERE payment_id = ?',
+      [payment_id]
+    )
+    const sales = salesRows as any[]
+    if (sales.length > 0) {
+      // Payment already confirmed, don't delete pending order
+      // The IPN handler should have already deleted it, but if not, leave it
+      return NextResponse.json(
+        { error: 'Payment already confirmed. Cannot cancel.' },
+        { status: 400 }
+      )
+    }
+
+    // Delete the pending order (frees up inventory)
+    await pool.execute(
+      'DELETE FROM pending_orders WHERE payment_id = ? AND buyer_id = ?',
+      [payment_id, buyer_id]
+    )
+
+    return NextResponse.json({
+      message: 'Pending order cancelled successfully',
+      payment_id: payment_id,
+    })
+  } catch (error) {
+    console.error('Error cancelling pending order:', error)
+    return NextResponse.json(
+      { error: 'Failed to cancel pending order' },
+      { status: 500 }
+    )
+  }
+}
+