flatrender/services/identity/FlatRender.IdentitySvc/Controllers/PaymentsController.cs

using FlatRender.IdentitySvc.Application.Services;
using FlatRender.IdentitySvc.Application.Services.Interfaces;
using FlatRender.IdentitySvc.Models.Requests;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace FlatRender.IdentitySvc.Controllers;

[ApiController]
[Route("v1")]
public class PaymentsController(IPaymentService paymentService) : ControllerBase
{
    // ── Helpers ───────────────────────────────────────────────────────────────────

    private Guid GetUserId() => Guid.Parse(
        User.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value
        ?? User.FindFirst("sub")?.Value
        ?? throw new UnauthorizedAccessException());

    private bool IsAdmin => User.FindFirst("is_admin")?.Value == "true";

    // ── Listing ───────────────────────────────────────────────────────────────────

    /// <summary>GET /v1/payments — list the caller's payment history</summary>
    [Authorize]
    [HttpGet("payments")]
    public async Task<IActionResult> List(
        [FromQuery] int page = 1,
        [FromQuery] int page_size = 20)
        => Ok(await paymentService.GetUserPaymentsAsync(GetUserId(), page, page_size));

    /// <summary>GET /v1/payments/{id} — get a single payment</summary>
    [Authorize]
    [HttpGet("payments/{id:guid}")]
    public async Task<IActionResult> GetById(Guid id)
        => Ok(await paymentService.GetByIdAsync(id, GetUserId()));

    // ── ZarinPal flow ─────────────────────────────────────────────────────────────

    /// <summary>
    /// GET /v1/payments/gateway/zarinpal?payment_id={id}
    /// Initiates a ZarinPal payment and redirects the browser to zarinpal.com.
    /// Called from the frontend after PurchasePlan returns the redirect URL.
    /// </summary>
    [Authorize]
    [HttpGet("payments/gateway/zarinpal")]
    public async Task<IActionResult> InitiateZarinPal([FromQuery] Guid payment_id)
    {
        var redirectUrl = await paymentService.InitiateZarinPalAsync(payment_id, GetUserId());
        return Redirect(redirectUrl);
    }

    /// <summary>
    /// GET /v1/payments/callback/zarinpal?Authority={a}&amp;Status={s}
    /// ZarinPal calls this URL after the user completes (or cancels) payment.
    /// Verifies with ZarinPal, activates the plan, then redirects to the frontend.
    /// </summary>
    [AllowAnonymous]
    [HttpGet("payments/callback/zarinpal")]
    public async Task<IActionResult> ZarinPalCallback(
        [FromQuery] string Authority,
        [FromQuery] string Status)
    {
        var frontendUrl = await paymentService.HandleZarinPalCallbackAsync(Authority, Status);
        return Redirect(frontendUrl);
    }

    // ── FlatRender Pay broker flow ────────────────────────────────────────────────

    /// <summary>
    /// GET /v1/payments/callback/broker?payment_id={p}&amp;id={brokerTxn}&amp;status=&amp;sign=
    /// The broker redirects the user's browser here after payment. We confirm the
    /// transaction authoritatively via the broker inquiry API, activate the plan,
    /// then redirect to the frontend result page. Public (no JWT).
    /// </summary>
    [AllowAnonymous]
    [HttpGet("payments/callback/broker")]
    public async Task<IActionResult> BrokerCallback(
        [FromQuery] Guid payment_id,
        [FromQuery] string? id)
    {
        var frontendUrl = await paymentService.HandleBrokerCallbackAsync(payment_id, id ?? "");
        return Redirect(frontendUrl);
    }

    // ── SnapPay flow ──────────────────────────────────────────────────────────────

    /// <summary>
    /// GET /v1/payments/gateway/snappay?payment_id={id}
    /// Initiates a SnapPay payment and redirects the browser to snappay.ir.
    /// </summary>
    [Authorize]
    [HttpGet("payments/gateway/snappay")]
    public async Task<IActionResult> InitiateSnapPay([FromQuery] Guid payment_id)
    {
        var redirectUrl = await paymentService.InitiateSnapPayAsync(payment_id, GetUserId());
        return Redirect(redirectUrl);
    }

    /// <summary>
    /// GET /v1/payments/callback/snappay?paymentToken={t}&amp;shapSnapStatus={s}
    /// SnapPay calls this URL after the user completes (or cancels) payment.
    /// Verifies with SnapPay, activates the plan, then redirects to the frontend.
    /// </summary>
    [AllowAnonymous]
    [HttpGet("payments/callback/snappay")]
    public async Task<IActionResult> SnapPayCallback(
        [FromQuery] string paymentToken,
        [FromQuery] string shapSnapStatus)
    {
        var frontendUrl = await paymentService.HandleSnapPayCallbackAsync(paymentToken, shapSnapStatus);
        return Redirect(frontendUrl);
    }

    // ── Tara flow ─────────────────────────────────────────────────────────────────

    /// <summary>
    /// GET /v1/payments/gateway/tara?payment_id={id}
    /// Initiates a Tara payment and redirects the browser to tara.ir.
    /// </summary>
    [Authorize]
    [HttpGet("payments/gateway/tara")]
    public async Task<IActionResult> InitiateTara([FromQuery] Guid payment_id)
    {
        var redirectUrl = await paymentService.InitiateTaraAsync(payment_id, GetUserId());
        return Redirect(redirectUrl);
    }

    /// <summary>
    /// GET /v1/payments/callback/tara?token={t}&amp;status={s}
    /// Tara calls this URL after the user completes (or cancels) payment.
    /// Verifies with Tara, activates the plan, then redirects to the frontend.
    /// </summary>
    [AllowAnonymous]
    [HttpGet("payments/callback/tara")]
    public async Task<IActionResult> TaraCallback(
        [FromQuery] string token,
        [FromQuery] string status)
    {
        var frontendUrl = await paymentService.HandleTaraCallbackAsync(token, status);
        return Redirect(frontendUrl);
    }

    // ── Stripe webhook ────────────────────────────────────────────────────────────

    /// <summary>
    /// POST /v1/payments/webhook/stripe
    /// Receives Stripe webhook events.  Must be reachable from the public internet.
    /// Register this URL in your Stripe dashboard under Developers → Webhooks.
    /// </summary>
    [AllowAnonymous]
    [HttpPost("payments/webhook/stripe")]
    public async Task<IActionResult> StripeWebhook()
    {
        using var reader = new StreamReader(Request.Body);
        var payload   = await reader.ReadToEndAsync();
        var signature = Request.Headers["Stripe-Signature"].ToString();
        await paymentService.HandleStripeWebhookAsync(payload, signature);
        return Ok();
    }

    // ── Admin ─────────────────────────────────────────────────────────────────────

    /// <summary>
    /// POST /v1/admin/payments/{id}/refund
    /// Issues a refund for a payment. Admin-only.
    /// </summary>
    [Authorize]
    [HttpPost("admin/payments/{id:guid}/refund")]
    public async Task<IActionResult> Refund(Guid id, [FromBody] IssueRefundRequest request)
    {
        if (!IsAdmin) return Forbid();
        var result = await paymentService.IssueRefundAsync(
            id, request.AmountMinor, request.Reason, request.RefundTo);
        return Ok(result);
    }
}