* Copyright (C) 2018 Frédéric France * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ if (!defined('NOLOGIN')) { define("NOLOGIN", 1); // This means this output page does not require to be logged. } if (!defined('NOCSRFCHECK')) { define("NOCSRFCHECK", 1); // We accept to go on this page from external web site. } if (!defined('NOIPCHECK')) { define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip } if (!defined('NOBROWSERNOTIF')) { define('NOBROWSERNOTIF', '1'); } $entity = (!empty($_GET['entity']) ? (int) $_GET['entity'] : (!empty($_POST['entity']) ? (int) $_POST['entity'] : 1)); if (is_numeric($entity)) { define("DOLENTITY", $entity); } // So log file will have a suffix if (!defined('USESUFFIXINLOG')) { define('USESUFFIXINLOG', '_stripeipn'); } // Load Dolibarr environment require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/ccountry.class.php'; require_once DOL_DOCUMENT_ROOT.'/commande/class/commande.class.php'; require_once DOL_DOCUMENT_ROOT.'/compta/paiement/class/paiement.class.php'; require_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php'; require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php'; require_once DOL_DOCUMENT_ROOT.'/compta/prelevement/class/bonprelevement.class.php'; require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/CMailFile.class.php'; require_once DOL_DOCUMENT_ROOT.'/includes/stripe/stripe-php/init.php'; require_once DOL_DOCUMENT_ROOT.'/stripe/class/stripe.class.php'; // You can find your endpoint's secret in your webhook settings if (isset($_GET['connect'])) { if (isset($_GET['test'])) { $endpoint_secret = $conf->global->STRIPE_TEST_WEBHOOK_CONNECT_KEY; $service = 'StripeTest'; $servicestatus = 0; } else { $endpoint_secret = $conf->global->STRIPE_LIVE_WEBHOOK_CONNECT_KEY; $service = 'StripeLive'; $servicestatus = 1; } } else { if (isset($_GET['test'])) { $endpoint_secret = $conf->global->STRIPE_TEST_WEBHOOK_KEY; $service = 'StripeTest'; $servicestatus = 0; } else { $endpoint_secret = $conf->global->STRIPE_LIVE_WEBHOOK_KEY; $service = 'StripeLive'; $servicestatus = 1; } } if (!isModEnabled('stripe')) { httponly_accessforbidden('Module Stripe not enabled'); } if (empty($endpoint_secret)) { httponly_accessforbidden('Error: Setup of module Stripe not complete for mode '.dol_escape_htmltag($service).'. The WEBHOOK_KEY is not defined.', 400, 1); } if (!empty($conf->global->STRIPE_USER_ACCOUNT_FOR_ACTIONS)) { // We set the user to use for all ipn actions in Dolibarr $user = new User($db); $user->fetch($conf->global->STRIPE_USER_ACCOUNT_FOR_ACTIONS); $user->getrights(); } else { httponly_accessforbidden('Error: Setup of module Stripe not complete for mode '.dol_escape_htmltag($service).'. The STRIPE_USER_ACCOUNT_FOR_ACTIONS is not defined.', 400, 1); } // TODO Add a check on a security key /* * Actions */ $payload = @file_get_contents("php://input"); $sig_header = empty($_SERVER["HTTP_STRIPE_SIGNATURE"]) ? '' : $_SERVER["HTTP_STRIPE_SIGNATURE"]; $event = null; if (getDolGlobalString('STRIPE_DEBUG')) { $fh = fopen(DOL_DATA_ROOT.'/dolibarr_stripeipn_payload.log', 'w+'); if ($fh) { fwrite($fh, dol_print_date(dol_now('gmt'), 'standard').' IPN Called. HTTP_STRIPE_SIGNATURE='.$sig_header."\n"); fwrite($fh, $payload); fclose($fh); dolChmod(DOL_DATA_ROOT.'/dolibarr_stripeipn_payload.log'); } } $error = 0; try { $event = \Stripe\Webhook::constructEvent($payload, $sig_header, $endpoint_secret); } catch (UnexpectedValueException $e) { // Invalid payload httponly_accessforbidden('Invalid payload', 400); } catch (\Stripe\Exception\SignatureVerificationException $e) { httponly_accessforbidden('Invalid signature', 400); } catch (Exception $e) { httponly_accessforbidden('Error '.$e->getMessage(), 400); } // Do something with $event $langs->load("main"); if (isModEnabled('multicompany') && !empty($conf->stripeconnect->enabled) && is_object($mc)) { $sql = "SELECT entity"; $sql .= " FROM ".MAIN_DB_PREFIX."oauth_token"; $sql .= " WHERE service = '".$db->escape($service)."' and tokenstring LIKE '%".$db->escape($db->escapeforlike($event->account))."%'"; dol_syslog(get_class($db)."::fetch", LOG_DEBUG); $result = $db->query($sql); if ($result) { if ($db->num_rows($result)) { $obj = $db->fetch_object($result); $key = $obj->entity; } else { $key = 1; } } else { $key = 1; } $ret = $mc->switchEntity($key); } // list of action $stripe = new Stripe($db); // Subject $societeName = $conf->global->MAIN_INFO_SOCIETE_NOM; if (!empty($conf->global->MAIN_APPLICATION_TITLE)) { $societeName = $conf->global->MAIN_APPLICATION_TITLE; } top_httphead(); dol_syslog("***** Stripe IPN was called with event->type = ".$event->type); if ($event->type == 'payout.created') { $error = 0; $result = dolibarr_set_const($db, $service."_NEXTPAYOUT", date('Y-m-d H:i:s', $event->data->object->arrival_date), 'chaine', 0, '', $conf->entity); if ($result > 0) { $subject = $societeName.' - [NOTIFICATION] Stripe payout scheduled'; if (!empty($user->email)) { $sendto = dolGetFirstLastname($user->firstname, $user->lastname)." <".$user->email.">"; } else { $sendto = $conf->global->MAIN_INFO_SOCIETE_MAIL.'" <'.$conf->global->MAIN_INFO_SOCIETE_MAIL.'>'; } $replyto = $sendto; $sendtocc = ''; if (!empty($conf->global->ONLINE_PAYMENT_SENDEMAIL)) { $sendtocc = $conf->global->ONLINE_PAYMENT_SENDEMAIL.'" <'.$conf->global->ONLINE_PAYMENT_SENDEMAIL.'>'; } $message = "A bank transfer of ".price2num($event->data->object->amount / 100)." ".$event->data->object->currency." should arrive in your account the ".dol_print_date($event->data->object->arrival_date, 'dayhour'); $mailfile = new CMailFile( $subject, $sendto, $replyto, $message, array(), array(), array(), $sendtocc, '', 0, -1 ); $ret = $mailfile->sendfile(); return 1; } else { $error++; http_response_code(500); return -1; } } elseif ($event->type == 'payout.paid') { $error = 0; $result = dolibarr_set_const($db, $service."_NEXTPAYOUT", null, 'chaine', 0, '', $conf->entity); if ($result) { $langs->load("errors"); $dateo = dol_now(); $label = $event->data->object->description; $amount = $event->data->object->amount / 100; $amount_to = $event->data->object->amount / 100; require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php'; $accountfrom = new Account($db); $accountfrom->fetch($conf->global->STRIPE_BANK_ACCOUNT_FOR_PAYMENTS); $accountto = new Account($db); $accountto->fetch($conf->global->STRIPE_BANK_ACCOUNT_FOR_BANKTRANSFERS); if (($accountto->id != $accountfrom->id) && empty($error)) { $bank_line_id_from = 0; $bank_line_id_to = 0; $result = 0; // By default, electronic transfert from bank to bank $typefrom = 'PRE'; $typeto = 'VIR'; if (!$error) { $bank_line_id_from = $accountfrom->addline($dateo, $typefrom, $label, -1 * price2num($amount), '', '', $user); } if (!($bank_line_id_from > 0)) { $error++; } if (!$error) { $bank_line_id_to = $accountto->addline($dateo, $typeto, $label, price2num($amount), '', '', $user); } if (!($bank_line_id_to > 0)) { $error++; } if (!$error) { $result = $accountfrom->add_url_line($bank_line_id_from, $bank_line_id_to, DOL_URL_ROOT.'/compta/bank/line.php?rowid=', '(banktransfert)', 'banktransfert'); } if (!($result > 0)) { $error++; } if (!$error) { $result = $accountto->add_url_line($bank_line_id_to, $bank_line_id_from, DOL_URL_ROOT.'/compta/bank/line.php?rowid=', '(banktransfert)', 'banktransfert'); } if (!($result > 0)) { $error++; } } $subject = $societeName.' - [NOTIFICATION] Stripe payout done'; if (!empty($user->email)) { $sendto = dolGetFirstLastname($user->firstname, $user->lastname)." <".$user->email.">"; } else { $sendto = $conf->global->MAIN_INFO_SOCIETE_MAIL.'" <'.$conf->global->MAIN_INFO_SOCIETE_MAIL.'>'; } $replyto = $sendto; $sendtocc = ''; if (!empty($conf->global->ONLINE_PAYMENT_SENDEMAIL)) { $sendtocc = $conf->global->ONLINE_PAYMENT_SENDEMAIL.'" <'.$conf->global->ONLINE_PAYMENT_SENDEMAIL.'>'; } $message = "A bank transfer of ".price2num($event->data->object->amount / 100)." ".$event->data->object->currency." has been done to your account the ".dol_print_date($event->data->object->arrival_date, 'dayhour'); $mailfile = new CMailFile( $subject, $sendto, $replyto, $message, array(), array(), array(), $sendtocc, '', 0, -1 ); $ret = $mailfile->sendfile(); return 1; } else { $error++; http_response_code(500); return -1; } } elseif ($event->type == 'customer.source.created') { //TODO: save customer's source } elseif ($event->type == 'customer.source.updated') { //TODO: update customer's source } elseif ($event->type == 'customer.source.delete') { //TODO: delete customer's source } elseif ($event->type == 'customer.deleted') { $db->begin(); $sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_account WHERE key_account = '".$db->escape($event->data->object->id)."' and site='stripe'"; $db->query($sql); $db->commit(); } elseif ($event->type == 'payment_intent.succeeded') { // Called when making payment with PaymentIntent method ($conf->global->STRIPE_USE_NEW_CHECKOUT is on). //dol_syslog("object = ".var_export($event->data, true)); include_once DOL_DOCUMENT_ROOT . '/compta/paiement/class/paiement.class.php'; global $stripearrayofkeysbyenv; $error = 0; $object = $event->data->object; $TRANSACTIONID = $object->id; $ipaddress = $object->metadata->ipaddress; $now = dol_now(); $currencyCodeType = strtoupper($object->currency); $paymentmethodstripeid = $object->payment_method; $customer_id = $object->customer; $invoice_id = ""; $paymentTypeId = ""; $payment_amount = 0; dol_syslog("Try to find the payment in database for the payment id = ".$TRANSACTIONID); $sql = "SELECT pi.fk_facture, pi.fk_prelevement_bons, pi.amount, pi.type"; $sql .= " FROM llx_prelevement_demande as pi"; $sql .= " WHERE pi.ext_payment_id = '".$db->escape($TRANSACTIONID)."'"; $sql .= " AND pi.traite = '1'"; $sql .= " AND pi.ext_payment_site = '".$db->escape($service)."'"; $result = $db->query($sql); if ($result) { $obj = $db->fetch_object($result); if ($obj) { $invoice_id = $obj->fk_facture; $prelevement_bons_id = $obj->fk_prelevement_bons; $payment_amount = $obj->amount; $paymentTypeId = $obj->type; } } else { http_response_code(500); print $db->lasterror(); return -1; } $stripeacc = $stripearrayofkeysbyenv[$servicestatus]['secret_key']; dol_syslog("Get the Stripe payment object for the payment method id = ".json_encode($paymentmethodstripeid)); $s = new \Stripe\StripeClient($stripeacc); $paymentmethodstripe = $s->paymentMethods->retrieve($paymentmethodstripeid); $paymentTypeId = $paymentmethodstripe->type; if ($paymentTypeId == "ban" || $paymentTypeId == "sepa_debit") { $paymentTypeId = "PRE"; } elseif ($paymentTypeId == "card") { $paymentTypeId = "CB"; } if ($paymentTypeId == "PRE") { $paiement = new Paiement($db); $paiement->datepaye = $now; $paiement->date = $now; if ($currencyCodeType == $conf->currency) { $paiement->amounts = [$invoice_id => $payment_amount]; // Array with all payments dispatching with invoice id } else { $paiement->multicurrency_amounts = [$invoice_id => $payment_amount]; // Array with all payments dispatching $postactionmessages[] = 'Payment was done in a different currency than currency expected of company'; $ispostactionok = -1; // Not yet supported, so error $error++; } $paiement->paiementid = $paymentTypeId; $paiement->num_payment = ''; $paiement->note_public = ''; $paiement->note_private = 'StripeSepa payment ' . dol_print_date($now, 'standard') . ' using ' . $servicestatus . ($ipaddress ? ' from ip ' . $ipaddress : '') . ' - Transaction ID = ' . $TRANSACTIONID; $paiement->ext_payment_id = $TRANSACTIONID.':'.$customer_id.'@'.$stripearrayofkeysbyenv[$servicestatus]['publishable_key']; // May be we should store py_... instead of pi_... but we started with pi_... so we continue. $paiement->ext_payment_site = $service; $ispaymentdone = 0; $sql = "SELECT p.id FROM llx_paiement as p"; $sql .= " WHERE p.ext_payment_id = '".$db->escape($paiement->ext_payment_id)."'"; $sql .= " AND p.ext_payment_site = '".$db->escape($paiement->ext_payment_site)."'"; $result = $db->query($sql); if ($result) { if ($db->num_rows($result)) { $ispaymentdone = 1; dol_syslog('* Payment for ext_payment_id '.$paiement->ext_payment_id.' already done. We do not recreate the payment'); } } $db->begin(); if (!$error && !$ispaymentdone) { dol_syslog('* Record payment for invoice id ' . $invoice_id . '. It includes closing of invoice and regenerating document'); // This include closing invoices to 'paid' (and trigger including unsuspending) and regenerating document $paiement_id = $paiement->create($user, 1); if ($paiement_id < 0) { $postactionmessages[] = $paiement->error . ($paiement->error ? ' ' : '') . join("
\n", $paiement->errors); $ispostactionok = -1; $error++; } else { $postactionmessages[] = 'Payment created'; } dol_syslog("The payment has been created for invoice id " . $invoice_id); } if (!$error && isModEnabled('banque')) { $ispaymentdone = 0; $sql = "SELECT p.id, p.fk_bank FROM llx_paiement as p"; $sql .= " WHERE p.ext_payment_id = '".$db->escape($paiement->ext_payment_id)."'"; $sql .= " AND p.ext_payment_site = '".$db->escape($paiement->ext_payment_site)."'"; $sql .= " AND p.fk_bank <> 0"; $result = $db->query($sql); if ($result) { if ($db->num_rows($result)) { $ispaymentdone = 1; $obj = $db->fetch_object($result); dol_syslog('* Payment already linked to bank record '.$obj->fk_bank.' . We do not recrate the link'); } } if (!$ispaymentdone) { dol_syslog('* Add payment to bank'); // The bank used is the one defined into Stripe setup $bankaccountid = getDolGlobalInt("STRIPE_BANK_ACCOUNT_FOR_PAYMENTS"); if ($bankaccountid > 0) { $label = '(CustomerInvoicePayment)'; $result = $paiement->addPaymentToBank($user, 'payment', $label, $bankaccountid, $customer_id, ''); if ($result < 0) { $postactionmessages[] = $paiement->error . ($paiement->error ? ' ' : '') . join("
\n", $paiement->errors); $ispostactionok = -1; $error++; } else { $postactionmessages[] = 'Bank transaction of payment created (by makeStripeSepaRequest)'; } } else { $postactionmessages[] = 'Setup of bank account to use in module ' . $paymentmethod . ' was not set. No way to record the payment.'; $ispostactionok = -1; $error++; } } } if (!$error && isModEnabled('prelevement')) { $bon = new BonPrelevement($db); $idbon = 0; $sql = "SELECT dp.fk_prelevement_bons as idbon"; $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_demande as dp"; $sql .= " JOIN ".MAIN_DB_PREFIX."prelevement_bons as pb"; // Here we join to prevent modification of a prelevement bon already credited $sql .= " ON pb.rowid = dp.fk_prelevement_bons"; $sql .= " WHERE dp.fk_facture = ".((int) $invoice_id); $sql .= " AND dp.sourcetype = 'facture'"; $sql .= " AND dp.ext_payment_id = '".$db->escape($TRANSACTIONID)."'"; $sql .= " AND dp.traite = 1"; $sql .= " AND statut = ".((int) $bon::STATUS_TRANSFERED); // To be sure that it's not already credited $result = $db->query($sql); if ($result) { if ($db->num_rows($result)) { $obj = $db->fetch_object($result); $idbon = $obj->idbon; dol_syslog('* Set prelevement to credite'); } else { dol_syslog('* Prelevement not found or already credited'); } } else { $postactionmessages[] = $db->lasterror(); $ispostactionok = -1; $error++; } if (!$error && !empty($idbon)) { $sql = "UPDATE ".MAIN_DB_PREFIX."prelevement_bons"; $sql .= " SET fk_user_credit = ".((int) $user->id); $sql .= ", statut = ".((int) $bon::STATUS_CREDITED); $sql .= ", date_credit = '".$db->idate($now)."'"; $sql .= ", credite = 1"; $sql .= " WHERE rowid = ".((int) $idbon); $sql .= " AND statut = ".((int) $bon::STATUS_TRANSFERED); $result = $db->query($sql); if (!$result) { $postactionmessages[] = $db->lasterror(); $ispostactionok = -1; $error++; } } if (!$error && !empty($idbon)) { $sql = "UPDATE ".MAIN_DB_PREFIX."prelevement_lignes"; $sql .= " SET statut = 2"; $sql .= " WHERE fk_prelevement_bons = ".((int) $idbon); $result = $db->query($sql); if (!$result) { $postactionmessages[] = $db->lasterror(); $ispostactionok = -1; $error++; } } } if (!$error) { $db->commit(); http_response_code(200); return 1; } else { $db->rollback(); http_response_code(500); return -1; } } else { dol_syslog("The payment mode of this payment is ".$paymentTypeId.". This payment mode is not managed by the IPN"); } } elseif ($event->type == 'payment_intent.payment_failed') { dol_syslog("A try to make a payment has failed"); } elseif ($event->type == 'checkout.session.completed') { // Called when making payment with new Checkout method ($conf->global->STRIPE_USE_NEW_CHECKOUT is on). // TODO: create fees } elseif ($event->type == 'payment_method.attached') { require_once DOL_DOCUMENT_ROOT.'/societe/class/companypaymentmode.class.php'; require_once DOL_DOCUMENT_ROOT.'/societe/class/societeaccount.class.php'; $societeaccount = new SocieteAccount($db); $companypaymentmode = new CompanyPaymentMode($db); $idthirdparty = $societeaccount->getThirdPartyID($db->escape($event->data->object->customer), 'stripe', $servicestatus); if ($idthirdparty > 0) { // If the payment mode attached is to a stripe account owned by an external customer in societe_account (so a thirdparty that has a Stripe account), // we can create the payment mode $companypaymentmode->stripe_card_ref = $db->escape($event->data->object->id); $companypaymentmode->fk_soc = $idthirdparty; $companypaymentmode->bank = null; $companypaymentmode->label = null; $companypaymentmode->number = $db->escape($event->data->object->id); $companypaymentmode->last_four = $db->escape($event->data->object->card->last4); $companypaymentmode->card_type = $db->escape($event->data->object->card->branding); $companypaymentmode->proprio = $db->escape($event->data->object->billing_details->name); $companypaymentmode->exp_date_month = $db->escape($event->data->object->card->exp_month); $companypaymentmode->exp_date_year = $db->escape($event->data->object->card->exp_year); $companypaymentmode->cvn = null; $companypaymentmode->datec = $db->escape($event->data->object->created); $companypaymentmode->default_rib = 0; $companypaymentmode->type = $db->escape($event->data->object->type); $companypaymentmode->country_code = $db->escape($event->data->object->card->country); $companypaymentmode->status = $servicestatus; // TODO Check that a payment mode $companypaymentmode->stripe_card_ref does not exists yet to avoid to create duplicates // so we can remove the test on STRIPE_NO_DUPLICATE_CHECK if (getDolGlobalString('STRIPE_NO_DUPLICATE_CHECK')) { $db->begin(); $result = $companypaymentmode->create($user); if ($result < 0) { $error++; } if (!$error) { $db->commit(); } else { $db->rollback(); } } } } elseif ($event->type == 'payment_method.updated') { require_once DOL_DOCUMENT_ROOT.'/societe/class/companypaymentmode.class.php'; $companypaymentmode = new CompanyPaymentMode($db); $companypaymentmode->fetch(0, '', 0, '', " AND stripe_card_ref = '".$db->escape($event->data->object->id)."'"); if ($companypaymentmode->id > 0) { // If we found a payment mode with the ID $companypaymentmode->bank = null; $companypaymentmode->label = null; $companypaymentmode->number = $db->escape($event->data->object->id); $companypaymentmode->last_four = $db->escape($event->data->object->card->last4); $companypaymentmode->proprio = $db->escape($event->data->object->billing_details->name); $companypaymentmode->exp_date_month = $db->escape($event->data->object->card->exp_month); $companypaymentmode->exp_date_year = $db->escape($event->data->object->card->exp_year); $companypaymentmode->cvn = null; $companypaymentmode->datec = $db->escape($event->data->object->created); $companypaymentmode->default_rib = 0; $companypaymentmode->type = $db->escape($event->data->object->type); $companypaymentmode->country_code = $db->escape($event->data->object->card->country); $companypaymentmode->status = $servicestatus; $db->begin(); if (!$error) { $result = $companypaymentmode->update($user); if ($result < 0) { $error++; } } if (!$error) { $db->commit(); } else { $db->rollback(); } } } elseif ($event->type == 'payment_method.detached') { $db->begin(); $sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_rib WHERE number = '".$db->escape($event->data->object->id)."' and status = ".((int) $servicestatus); $db->query($sql); $db->commit(); } elseif ($event->type == 'charge.succeeded') { // TODO: create fees // TODO: Redirect to paymentok.php } elseif ($event->type == 'charge.failed') { // TODO: Redirect to paymentko.php } elseif (($event->type == 'source.chargeable') && ($event->data->object->type == 'three_d_secure') && ($event->data->object->three_d_secure->authenticated == true)) { // This event is deprecated. } // End of page. Default return HTTP code will be 200