[IMP] payment, _*: add fpx for razorpay

_* = payment_razorpay

This commit introduces support for FPX as a payment method in the Razorpay.

Why this solution?
When using the Razorpay Orders API, specifying fpx as the payment method in the
payload results in an error: 'currency should be INR when method is fpx'.
This limitation prevents FPX from being used directly in the API call.

What is the solution?
To address this, FPX has been added to the FALLBACK_PAYMENT_METHOD_CODES. This
adjustment ensures that no specific payment method is included in the API
payload, allowing Razorpay to present the user with a payment form listing all
available methods. From there, the user can select FPX as their preferred
payment method.

task-4364895

closes odoo#192837

Signed-off-by: Shrey Mehta (shrm) <[email protected]>

Author: shrm-odoo

addons/payment/data/payment_provider_data.xml

@@ -330,12 +330,13 @@
         <field name="payment_method_ids"
                eval="[Command.set([
                          ref('payment.payment_method_card'),
+                         ref('payment.payment_method_emi_india'),
+                         ref('payment.payment_method_fpx'),
                          ref('payment.payment_method_netbanking'),
-                         ref('payment.payment_method_upi'),
-                         ref('payment.payment_method_wallets_india'),
                          ref('payment.payment_method_paylater_india'),
-                         ref('payment.payment_method_emi_india'),
                          ref('payment.payment_method_paynow'),
+                         ref('payment.payment_method_upi'),
+                         ref('payment.payment_method_wallets_india'),
                      ])]"
         />
     </record>

addons/payment_razorpay/const.py

@@ -115,9 +115,15 @@
 
 # The codes of payment methods that are not recognized by the orders API.
 FALLBACK_PAYMENT_METHOD_CODES = {
-    'wallets_india',
-    'paylater_india',
     'emi_india',
+    'fpx',
+    'paylater_india',
+    'wallets_india',
+}
+
+# The codes of payment methods that require redirection back to the website
+REDIRECT_PAYMENT_METHOD_CODES = {
+    'fpx',
 }
 
 # Mapping of payment method codes to Razorpay codes.

addons/payment_razorpay/controllers/main.py

@@ -17,8 +17,47 @@
 
 
 class RazorpayController(http.Controller):
+    _return_url = '/payment/razorpay/return'
     _webhook_url = '/payment/razorpay/webhook'
 
+    @http.route(
+        _return_url,
+        type='http',
+        auth='public',
+        methods=['POST'],
+        csrf=False,
+        save_session=False,
+    )
+    def razorpay_return_from_checkout(self, reference, **data):
+        """ Process the notification data sent by Razorpay after redirection from checkout.
+
+        The route is configured with save_session=False to prevent Odoo from creating a new session
+        when the user is redirected here via a POST request. Indeed, as the session cookie is
+        created without a `SameSite` attribute, some browsers that don't implement the recommended
+        default `SameSite=Lax` behavior will not include the cookie in the redirection request from
+        the payment provider to Odoo. However, the redirection to the /payment/status page will
+        satisfy any specification of the `SameSite` attribute, the session of the user will be
+        retrieved and with it the transaction which will be immediately post-processed.
+
+        :param str reference: The transaction reference embedded in the return URL.
+        :param dict data: The notification data.
+        """
+        _logger.info("Handling redirection from Razorpay with data:\n%s", pprint.pformat(data))
+        if all(f'razorpay_{key}' in data for key in ('order_id', 'payment_id', 'signature')):
+            # Check the integrity of the notification.
+            tx_sudo = request.env['payment.transaction'].sudo()._get_tx_from_notification_data(
+                'razorpay', {'description': reference}
+            )  # Use the same key as for webhook notifications' data.
+            self._verify_notification_signature(data, data.get('razorpay_signature'), tx_sudo)
+
+            # Handle the notification data.
+            tx_sudo._handle_notification_data('razorpay', data)
+        else:  # The customer cancelled the payment or the payment failed.
+            pass  # Don't try to process this case because the payment id was not provided.
+
+        # Redirect the user to the status page.
+        return request.redirect('/payment/status')
+
     @http.route(_webhook_url, type='http', methods=['POST'], auth='public', csrf=False)
     def razorpay_webhook(self):
         """ Process the notification data sent by Razorpay to the webhook.
@@ -42,7 +81,7 @@ def razorpay_webhook(self):
                     'razorpay', entity_data
                 )
                 self._verify_notification_signature(
-                    request.httprequest.data, received_signature, tx_sudo
+                    request.httprequest.data, received_signature, tx_sudo, is_redirect=False
                 )
 
                 # Handle the notification data.
@@ -52,13 +91,17 @@ def razorpay_webhook(self):
         return request.make_json_response('')
 
     @staticmethod
-    def _verify_notification_signature(notification_data, received_signature, tx_sudo):
+    def _verify_notification_signature(
+        notification_data, received_signature, tx_sudo, is_redirect=True
+    ):
         """ Check that the received signature matches the expected one.
 
         :param dict|bytes notification_data: The notification data.
         :param str received_signature: The signature to compare with the expected signature.
         :param recordset tx_sudo: The sudoed transaction referenced by the notification data, as a
                                   `payment.transaction` record
+        :param bool is_redirect: Whether the notification data should be treated as redirect data
+                                 or as coming from a webhook notification.
         :return: None
         :raise :class:`werkzeug.exceptions.Forbidden`: If the signatures don't match.
         """
@@ -68,7 +111,9 @@ def _verify_notification_signature(notification_data, received_signature, tx_sud
             raise Forbidden()
 
         # Compare the received signature with the expected signature.
-        expected_signature = tx_sudo.provider_id._razorpay_calculate_signature(notification_data)
+        expected_signature = tx_sudo.provider_id._razorpay_calculate_signature(
+            notification_data, is_redirect=is_redirect
+        )
         if (
             expected_signature is None
             or not hmac.compare_digest(received_signature, expected_signature)

addons/payment_razorpay/models/payment_provider.py

@@ -214,20 +214,29 @@ def _razorpay_make_request(self, endpoint, payload=None, method='POST', api_vers
             )
         return response.json()
 
-    def _razorpay_calculate_signature(self, data):
+    def _razorpay_calculate_signature(self, data, is_redirect=True):
         """ Compute the signature for the request's data according to the Razorpay documentation.
 
         See https://razorpay.com/docs/webhooks/validate-test#validate-webhooks.
 
         :param bytes data: The data to sign.
+        :param bool is_redirect: Whether the data should be treated as redirect data or as coming
+                                 from a webhook notification.
         :return: The calculated signature.
         :rtype: str
         """
-        secret = self.razorpay_webhook_secret
-        if not secret:
-            _logger.warning("Missing webhook secret; aborting signature calculation.")
-            return None
-        return hmac.new(secret.encode(), msg=data, digestmod=hashlib.sha256).hexdigest()
+        if is_redirect:
+            secret = self.razorpay_key_secret
+            signing_string = f'{data["razorpay_order_id"]}|{data["razorpay_payment_id"]}'
+            return hmac.new(
+                secret.encode(), msg=signing_string.encode(), digestmod=hashlib.sha256
+            ).hexdigest()
+        else:  # Notification data.
+            secret = self.razorpay_webhook_secret
+            if not secret:
+                _logger.warning("Missing webhook secret; aborting signature calculation.")
+                return None
+            return hmac.new(secret.encode(), msg=data, digestmod=hashlib.sha256).hexdigest()
 
     def _get_default_payment_method_codes(self):
         """ Override of `payment` to return the default payment method codes. """

addons/payment_razorpay/models/payment_transaction.py

@@ -6,12 +6,14 @@
 from datetime import datetime
 
 from dateutil.relativedelta import relativedelta
+from werkzeug.urls import url_encode, url_join
 
 from odoo import _, api, models
 from odoo.exceptions import UserError, ValidationError
 
 from odoo.addons.payment import utils as payment_utils
 from odoo.addons.payment_razorpay import const
+from odoo.addons.payment_razorpay.controllers.main import RazorpayController
 
 
 _logger = logging.getLogger(__name__)
@@ -45,6 +47,11 @@ def _get_specific_processing_values(self, processing_values):
             'razorpay_customer_id': customer_id,
             'is_tokenize_request': self.tokenize,
             'razorpay_order_id': order_id,
+            'callback_url': url_join(
+                self.provider_id.get_base_url(),
+                f'{RazorpayController._return_url}?{url_encode({"reference": self.reference})}'
+            ),
+            'redirect': self.payment_method_id.code in const.REDIRECT_PAYMENT_METHOD_CODES,
         }
 
     def _razorpay_create_customer(self):