Separate document upload and payment processing

www/assets/js/paypal.js

@@ -8,6 +8,7 @@
   }
 
   const GAME_NAME = document.querySelector('input[id="game-name"]').value;
+  const GAME_ID = parseInt(document.querySelector('input[id="game-id"]').value);
   // const CSRF_TOKEN = document.querySelector('meta[name="csrf-token"]').getAttribute('content');
 
   window.paypal
@@ -70,7 +71,9 @@
             method: "POST",
             headers: {
               // 'X-CSRF-TOKEN': CSRF_TOKEN,
+              "Content-Type": "application/x-www-form-urlencoded"
             },
+            body: `game_id=${GAME_ID}`
           });
 
           const orderData = await response.json();
@@ -101,14 +104,15 @@
               `<b>Payment successful!</b> (Transaction ID: ${transaction.id})`
             );
 
-            document.querySelector("input[name='tx-id']").removeAttribute('disabled');
-            document.querySelector("input[name='tx-id']").value = transaction.id;
             buttonsContainer.style.display = "none";
             // console.log(
             //   "Capture result",
             //   orderData,
             //   JSON.stringify(orderData, null, 2)
             // );
+            setTimeout(() => {
+              window.location.href = `/games/${GAME_ID}`;
+            }, 1000);
           }
         } catch (error) {
           console.error(error);

www/games/game.php

@@ -104,10 +104,15 @@ include "partials/head.php";
             <div class="flow">
                 <h2>Your Submission</h2>
                 <?php
+                $IS_PAID = $submission->transaction_id !== NULL;
                 switch ($participant_state) {
                     case 'GAME_OPEN_WITH_SUBMISSION': ?>
                     <p><a href='/docs/<?= $submission->hash ?>'><?= $submission->title ?></a></p>
+                    <?php if (!$IS_PAID) { ?><p>You have not yet paid for your submission.</p><?php } ?>
                     <p><a href="/games/<?= $game->id ?>/update" class='call-to-action'>Update submission</a></p>
+                    <?php if (!$IS_PAID) { ?>
+                        <p><a href="/games/<?= $game->id ?>/submit" class='call-to-action'>Pay submission fee</a></p>
+                    <?php } ?>
                     <?php break;
                     case 'GAME_OPEN_WITHOUT_SUBMISSION': ?>
                     <p>You haven't submitted work to this contest.</p>

www/games/process-order.php

@@ -143,6 +143,7 @@ function createOrder($cart)
  */
 function captureOrder($order_id)
 {
+    $game_id = $_POST["game_id"];
     $url = PAYPAL_BASE_URL . "/v2/checkout/orders/{$order_id}/capture";
     // Http::fake(function ($request) {
     //     // Capture and log request headers
@@ -175,9 +176,15 @@ function captureOrder($order_id)
     curl_close($ch);
 
     // Further processing ...
-    if ($response_code === 200) {
+    if ($response_code === 200 || $response_code === 201) {
         header("Content-Type: application/json");
+        $order_data = json_decode($response);
         http_response_code($response_code);
+        $transaction_id =
+            $order_data->purchase_units[0]->payments->captures[0]->id ??
+            ($order_data->purchase_units[0]->payments->authorizations[0]->id ??
+                "_");
+        update_submission($game_id, $transaction_id);
         echo $response;
         die();
     } else {
@@ -188,6 +195,25 @@ function captureOrder($order_id)
     }
 }
 
+/**
+ * @param string game_id
+ * @param string transaction_id
+ */
+function update_submission($game_id, $transaction_id)
+{
+    global $db;
+
+    $sql = "UPDATE submissions SET transaction_id = :transaction_id
+    WHERE game_id = :game_id AND member_id = :member_id";
+
+    $stmt = $db["data"]->prepare($sql);
+    $stmt->execute([
+        "game_id" => $game_id,
+        "member_id" => $_SESSION["account"]->id,
+        "transaction_id" => $transaction_id,
+    ]);
+}
+
 if (
     $_SERVER["REQUEST_METHOD"] === "POST" &&
     $_SERVER["REQUEST_URI"] === "/api/orders"

www/games/submit.php

@@ -9,15 +9,23 @@ if (!LOGGED_IN) {
 if (LOGGED_IN && isset($_GET["game"])) {
     $sql = "SELECT id FROM submissions
     WHERE game_id = :game_id AND member_id = :member_id";
-
     $stmt = $db["data"]->prepare($sql);
     $stmt->execute([
         "game_id" => $_GET["game"],
         "member_id" => $_SESSION["account"]->id,
     ]);
-
     $HAS_SUBMISSION = $stmt->fetch(PDO::FETCH_COLUMN) !== false;
-    if ($HAS_SUBMISSION) {
+
+    $sql = "SELECT transaction_id FROM submissions
+    WHERE game_id = :game_id AND member_id = :member_id";
+    $stmt = $db["data"]->prepare($sql);
+    $stmt->execute([
+        "game_id" => $_GET["game"],
+        "member_id" => $_SESSION["account"]->id,
+    ]);
+    $IS_PAID = $stmt->fetch(PDO::FETCH_COLUMN) !== NULL;
+
+    if ($HAS_SUBMISSION && $IS_PAID) {
         http_response_code(303);
         header("Location: /games/" . $_GET["game"] . "/update");
         die();
@@ -25,7 +33,6 @@ if (LOGGED_IN && isset($_GET["game"])) {
 
     $sql = "SELECT id, name, status_id FROM games
     WHERE id = :id";
-
     $stmt = $db["data"]->prepare($sql);
     $stmt->execute([
         "id" => $_GET["game"],
@@ -92,10 +99,6 @@ if ($_SERVER["REQUEST_METHOD"] === "POST"):
         $errors["game"] = "The chosen game doesn't exist.";
     }
 
-    if (!isset($_POST["tx-id"])) {
-        $errors["payment"] = "No transaction ID was provided.";
-    }
-
     if (count($errors) > 0) {
         if (!isset($errors["filesize"]) && !isset($errors["mimetype"])) {
             $errors["upload"] =
@@ -137,14 +140,14 @@ if ($_SERVER["REQUEST_METHOD"] === "POST"):
                     "hash" => $lookup_hash,
                     "doc_is_public" => $show_doc,
                     "name_is_public" => $show_name,
-                    "transaction_id" => $_POST["tx-id"],
+                    "transaction_id" => NULL,
                     "status" => 1,
                     "is_freeroll" => 0,
                     "created_at" => date("Y-m-d\TH:i:s\Z"),
                 ]);
 
                 http_response_code(303);
-                header("Location: /games/" . $_GET["game"]);
+                header("Location: /games/" . $_GET["game"] . "/submit");
             }
         } catch (Exception $e) {
             http_response_code(500);
@@ -166,7 +169,7 @@ include "partials/head.php";
         </header>
             <?php if (!LOGGED_IN) {
                 include "partials/login-form.php";
-            } else {
+            } else if (!$HAS_SUBMISSION) {
                 if (
                     http_response_code() === 400 ||
                     http_response_code() === 500
@@ -180,7 +183,7 @@ include "partials/head.php";
                 <form action="<?= $_SERVER[
                     "REQUEST_URI"
                 ] ?>" method="post" enctype="multipart/form-data" class="flow">
-                    <input type="hidden" id="game-name" value="<?= $game->name ?>" />
+                    <p><b>After submitting you work, you will be redirected to a payment page. Payment is required for inclusion in the contest.</b></p>
                     <?php if (
                         isset($errors) &&
                         isset($errors["account"])
@@ -273,29 +276,24 @@ include "partials/head.php";
                             <span>Display my document in the public results</span>
                             </label>
                     </fieldset>
-                    <fieldset>
-                        <legend>Payment</legend>
-                    <div class="flow">
-                        <p><b>Payment is required before a submission will be processed.</b></p>
-                        <p><mark id='paypal-errors' aria-live='polite'><?php if (
-                            isset($_POST["tx-id"])
-                        ) { ?><b>Payment successful!</b> (Transaction ID: <?= $_POST[
-    "tx-id"
-] ?>)<?php } ?></mark></p>
-                        <?php if (!isset($_POST["tx-id"])) { ?>
-                            <input type="hidden" name="tx-id"/>
-                    <div id="paypal-button-container"></div>
-                    </div>
-                    <!-- Initialize the JS-SDK -->
-                    <script
-                        src="https://www.paypal.com/sdk/js?merchant-id=LF2R8M5TKKHRL&client-id=<?= PAYPAL_CLIENT_ID ?>&currency=USD&components=buttons&enable-funding=card,venmo&disable-funding=paylater"
-                        data-sdk-integration-source="developer-studio"></script>
-                    <script src="/assets/js/paypal.js"></script>
-                    <?php } ?>
-                    </fieldset>
                     <button type="submit">Submit work</button>
                 </form>
             <?php
-            } ?>
+            } else if (!$IS_PAID) { ?>
+                <form class="flow">
+                    <aside class="alert">
+                        <p>Your manuscript submission has been processed.</p>
+                    </aside>
+                    <p><b>Payment is required for participation.</b></p>
+                    <input type="hidden" id="game-name" value="<?= $game->name ?>" />
+                    <input type="hidden" id="game-id" value="<?= $game->id ?>" />
+                    <p><mark id='paypal-errors' aria-live='polite'></mark></p>
+                    <div id="paypal-button-container"></div>
+                    <script
+                        src="https://www.paypal.com/sdk/js?merchant-id=LF2R8M5TKKHRL&client-id=<?= PAYPAL_CLIENT_ID ?>&currency=USD&components=buttons&enable-funding=card,venmo&disable-funding=paylater"
+                        data-sdk-integration-source="developer-studio"></script>
+                    <script src="/assets/js/paypal.js?ver=<?= time() ?>"></script>
+                </form>
+            <?php } ?>
         </main>
     <?php include "partials/footer.php"; ?>