Improve Mollie gateway: handle payment states, better error handling, session security

Copilot · nielsdrost7 · Copilot · commit 11cfdf8b59d7 · 2026-01-19T17:56:38.000Z
Co-authored-by: nielsdrost7 &lt;47660417+nielsdrost7@users.noreply.github.com&gt;
diff --git a/application/libraries/gateways/MollieLib.php b/application/libraries/gateways/MollieLib.php
@@ -4,8 +4,10 @@
     exit('No direct script access allowed');
 }
 
-use Omnipay\Omnipay;
+use Omnipay\Common\Exception\InvalidRequestException;
+use Omnipay\Common\Exception\InvalidResponseException;
 use Omnipay\Mollie\Gateway;
+use Omnipay\Omnipay;
 
 #[AllowDynamicProperties]
 class MollieLib
@@ -67,6 +69,20 @@ public function createPayment(array $payment_information): array
                     'message' => $response->getMessage(),
                 ];
             }
+        } catch (InvalidRequestException $e) {
+            log_message('error', 'Mollie library payment creation - invalid request: ' . $e->getMessage());
+
+            return [
+                'status'  => false,
+                'message' => 'Invalid payment request: ' . $e->getMessage(),
+            ];
+        } catch (InvalidResponseException $e) {
+            log_message('error', 'Mollie library payment creation - invalid response: ' . $e->getMessage());
+
+            return [
+                'status'  => false,
+                'message' => 'Invalid response from Mollie: ' . $e->getMessage(),
+            ];
         } catch (Exception $e) {
             log_message('error', 'Mollie library payment creation exception: ' . $e->getMessage());
 
@@ -96,6 +112,20 @@ public function getPayment(string $transaction_reference): array
                 'status'   => true,
                 'response' => $response,
             ];
+        } catch (InvalidRequestException $e) {
+            log_message('error', 'Mollie library get payment - invalid request: ' . $e->getMessage());
+
+            return [
+                'status'  => false,
+                'message' => 'Invalid payment fetch request: ' . $e->getMessage(),
+            ];
+        } catch (InvalidResponseException $e) {
+            log_message('error', 'Mollie library get payment - invalid response: ' . $e->getMessage());
+
+            return [
+                'status'  => false,
+                'message' => 'Invalid response from Mollie: ' . $e->getMessage(),
+            ];
         } catch (Exception $e) {
             log_message('error', 'Mollie library get payment failed: ' . $e->getMessage());
 
diff --git a/application/modules/guest/controllers/gateways/Mollie.php b/application/modules/guest/controllers/gateways/Mollie.php
@@ -54,10 +54,22 @@ public function mollie_create_payment($invoice_url_key)
 
         // Handle the payment creation
         if ($mollie_response['status']) {
-            // Save the transaction reference in session for callback
-            $this->session->set_userdata('mollie_transaction_ref', $mollie_response['reference']);
+            $transaction_ref = $mollie_response['reference'];
 
-            // Redirect to Mollie payment page
+            // Save the transaction reference in session for callback (backup)
+            $this->session->set_userdata('mollie_transaction_ref_' . $invoice_url_key, $transaction_ref);
+
+            // Record successful payment creation
+            $this->db->insert('ip_merchant_responses', [
+                'invoice_id'                   => $invoice->invoice_id,
+                'merchant_response_successful' => true,
+                'merchant_response_date'       => date('Y-m-d'),
+                'merchant_response_driver'     => 'mollie',
+                'merchant_response'            => 'Payment created, awaiting customer action',
+                'merchant_response_reference'  => 'transaction_ref: ' . $transaction_ref,
+            ]);
+
+            // Redirect to Mollie payment page with transaction ref in URL
             redirect($mollie_response['redirect_url']);
         } else {
             // Record the failed transaction
@@ -80,14 +92,28 @@ public function mollie_create_payment($invoice_url_key)
      * The callback endpoint called by Mollie after payment.
      *
      * @param string $invoice_url_key
+     * @param string $transaction_ref (optional, from URL parameter)
      *
      * @return void
      */
-    public function callback($invoice_url_key)
+    public function callback($invoice_url_key, $transaction_ref = null)
     {
+        $user_message = '';
+        $alert_type   = 'error';
+
         try {
-            // Get transaction reference from session
-            $transaction_ref = $this->session->userdata('mollie_transaction_ref');
+            // Retrieve the invoice first
+            $this->load->model('invoices/mdl_invoices');
+            $invoice = $this->mdl_invoices->where('ip_invoices.invoice_url_key', $invoice_url_key)->get()->row();
+
+            if ( ! $invoice) {
+                throw new Exception('Invoice not found');
+            }
+
+            // Get transaction reference from URL parameter or session (fallback)
+            if ( ! $transaction_ref) {
+                $transaction_ref = $this->session->userdata('mollie_transaction_ref_' . $invoice_url_key);
+            }
 
             if ( ! $transaction_ref) {
                 throw new Exception('No transaction reference found');
@@ -97,26 +123,23 @@ public function callback($invoice_url_key)
             $mollie_response = $this->lib_mollie->getPayment($transaction_ref);
 
             if ( ! $mollie_response['status']) {
-                throw new Exception('Failed to fetch payment details');
+                throw new Exception('Failed to fetch payment details: ' . ($mollie_response['message'] ?? 'Unknown error'));
             }
 
-            $payment = $mollie_response['response'];
+            $payment      = $mollie_response['response'];
+            $payment_data = $payment->getData();
+            $status       = $payment_data['status'] ?? 'unknown';
 
-            // Retrieve the invoice
-            $this->load->model('invoices/mdl_invoices');
-            $invoice = $this->mdl_invoices->where('ip_invoices.invoice_url_key', $invoice_url_key)->get()->row();
-
-            if (!$invoice) {
-                throw new Exception('Invoice not found');
+            // Verify the payment belongs to this invoice
+            $metadata = $payment_data['metadata'] ?? [];
+            if (isset($metadata['invoice_key']) && $metadata['invoice_key'] !== $invoice_url_key) {
+                throw new Exception('Payment does not belong to this invoice');
             }
 
-            // Check if payment was successful
-            $paid = $payment->isSuccessful();
-
-            if ($paid) {
-                // Save the payment
+            // Handle different payment states
+            if ($payment->isSuccessful()) {
+                // Payment successful - record it
                 $this->load->model('payments/mdl_payments');
-                $payment_data  = $payment->getData();
                 $payment_amount = isset($payment_data['amount']['value'])
                     ? (float) $payment_data['amount']['value']
                     : (float) $invoice->invoice_balance;
@@ -128,39 +151,53 @@ public function callback($invoice_url_key)
                     'payment_method_id' => get_setting('gateway_mollie_payment_method'),
                     'payment_note'      => trans('online_payment_intent_id') . ': ' . $transaction_ref,
                 ]);
+
+                $response_msg = 'Payment successful: ' . $status;
+                $user_message = sprintf(trans('online_payment_successful'), '#' . $invoice->invoice_number);
+                $alert_type   = 'success';
+                $success      = true;
+            } elseif ($payment->isPending()) {
+                // Payment is pending (e.g., bank transfer)
+                $response_msg = 'Payment pending: ' . $status;
+                $user_message = trans('online_payment_pending');
+                $alert_type   = 'info';
+                $success      = false;
+            } elseif ($payment->isCancelled()) {
+                // Payment was cancelled by user
+                $response_msg = 'Payment cancelled: ' . $status;
+                $user_message = trans('online_payment_cancelled');
+                $alert_type   = 'info';
+                $success      = false;
+            } else {
+                // Payment failed, expired, or other status
+                $response_msg = 'Payment ' . $status;
+                $user_message = trans('online_payment_failed');
+                $alert_type   = 'error';
+                $success      = false;
             }
 
             // Record merchant response
-            $response_msg = $paid ? 'Payment successful'
-                                  : 'Payment ' . ($payment->getData()['status'] ?? 'failed');
-
             $this->db->insert('ip_merchant_responses', [
                 'invoice_id'                   => $invoice->invoice_id,
-                'merchant_response_successful' => (int) $paid,
+                'merchant_response_successful' => (int) $success,
                 'merchant_response_date'       => date('Y-m-d'),
                 'merchant_response_driver'     => 'mollie',
                 'merchant_response'            => $response_msg,
                 'merchant_response_reference'  => 'transaction_ref: ' . $transaction_ref,
             ]);
 
-            // Notify user
-            if ($paid) {
-                $this->session->set_flashdata(
-                    'alert_success',
-                    sprintf(trans('online_payment_successful'), '#' . $invoice->invoice_number)
-                );
-            } else {
-                $this->session->set_flashdata(
-                    'alert_info',
-                    trans('online_payment_failed')
-                );
-            }
+            // Set user notification
+            $this->session->set_flashdata('alert_' . $alert_type, $user_message);
 
             // Clean up session
-            $this->session->unset_userdata('mollie_transaction_ref');
+            $this->session->unset_userdata('mollie_transaction_ref_' . $invoice_url_key);
         } catch (Error|Exception|ErrorException $e) {
-            // Log the error
-            log_message('error', 'Mollie callback exception: ' . $e->getMessage());
+            // Log the error with context
+            $error_context = 'Mollie callback exception for invoice ' . $invoice_url_key;
+            if (isset($transaction_ref)) {
+                $error_context .= ', transaction: ' . $transaction_ref;
+            }
+            log_message('error', $error_context . ' - ' . $e->getMessage());
 
             // Record error in merchant responses
             if (isset($invoice)) {
@@ -169,12 +206,17 @@ public function callback($invoice_url_key)
                     'merchant_response_successful' => false,
                     'merchant_response_date'       => date('Y-m-d'),
                     'merchant_response_driver'     => 'mollie',
-                    'merchant_response'            => 'Error: ' . $e->getMessage(),
-                    'merchant_response_reference'  => 'none',
+                    'merchant_response'            => 'Callback error: ' . $e->getMessage(),
+                    'merchant_response_reference'  => isset($transaction_ref) ? $transaction_ref : 'none',
                 ]);
             }
 
-            $this->session->set_flashdata('alert_error', trans('online_payment_error'));
+            // Provide more specific error message
+            $error_message = trans('online_payment_error');
+            if (str_contains($e->getMessage(), 'not found')) {
+                $error_message .= ' ' . trans('invoice_not_found');
+            }
+            $this->session->set_flashdata('alert_error', $error_message);
         } finally {
             // Redirect to invoice
             redirect('guest/view/invoice/' . $invoice_url_key);
