import requests
from flask import Flask, request, render_template_string, jsonify
import json
import os
import hmac
import hashlib
import base64
import mysql.connector
from datetime import datetime
from dotenv import load_dotenv
from flask import redirect, session, url_for
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
# Initialize Flask Application
app = Flask(__name__)
print("--- INTERAC SERVER v2.0 (Multi-Store) ---")
# Load environment variables from .env file
load_dotenv(override=True)
# --- MAIL CONFIGURATION ---
MAIL_SERVER = os.getenv("MAIL_SERVER", "smtp.mandrillapp.com")
MAIL_PORT = int(os.getenv("MAIL_PORT", 587))
MAIL_USERNAME = os.getenv("MAIL_USERNAME")
MAIL_PASSWORD = os.getenv("MAIL_PASSWORD")
SMTP_FROM_EMAIL = os.getenv("SMTP_FROM_EMAIL", "no-reply@emtwerx.com")
# --- CONFIGURATION & CREDENTIALS ---
ZUM_USERNAME = os.getenv("ZUM_USERNAME")
ZUM_PASSWORD = os.getenv("ZUM_PASSWORD")
ZUM_ENV = os.getenv("ZUM_ENV")
ZUM_WEBHOOK_SECRET = os.getenv("ZUM_WEBHOOK_SECRET")
ZUM_WALLET_ID = os.getenv("ZUM_WALLET_ID")
ZUM_SECONDARY_WEBHOOK_URL = os.getenv("ZUM_SECONDARY_WEBHOOK_URL")
# --- DATABASE CONFIGURATION ---
DB_HOST = os.getenv("DB_HOST", "localhost")
DB_USER = os.getenv("DB_USER")
DB_PASSWORD = os.getenv("DB_PASSWORD")
DB_NAME = os.getenv("DB_NAME")
ADMIN_PASSWORD = os.getenv("ADMIN_PASSWORD", "admin123")
# Shopify App Credentials (from Partner Dashboard)
SHOPIFY_API_KEY = os.getenv("SHOPIFY_API_KEY")
SHOPIFY_API_SECRET = os.getenv("SHOPIFY_API_SECRET")
SHOPIFY_REDIRECT_URI = os.getenv("SHOPIFY_REDIRECT_URI", "https://conclude-party-paralyses.ngrok-free.dev/auth/callback")
SHOPIFY_SCOPES = "read_orders,write_orders,read_customers"
app.secret_key = os.getenv("FLASK_SECRET_KEY", "super-secret-key-123")
def verify_shopify_hmac(params, secret):
"""Verifies the HMAC signature from Shopify for security."""
hmac_val = params.get('hmac')
if not hmac_val:
return False
# Sort and join all parameters except hmac
sorted_params = sorted([(k, v) for k, v in params.items() if k != 'hmac'])
query_string = "&".join([f"{k}={v}" for k, v in sorted_params])
hash_val = hmac.new(
secret.encode('utf-8'),
query_string.encode('utf-8'),
hashlib.sha256
).hexdigest()
return hmac.compare_digest(hash_val, hmac_val)
def get_db_connection():
"""Establishes and returns a MySQL database connection."""
return mysql.connector.connect(
host=DB_HOST,
user=DB_USER,
password=DB_PASSWORD,
database=DB_NAME
)
def init_db():
"""Initializes the database tables if they don't exist."""
try:
conn = get_db_connection()
cursor = conn.cursor()
# Domains table (stores allowed shops and their per-store tokens)
cursor.execute("""
CREATE TABLE IF NOT EXISTS domains (
id INT AUTO_INCREMENT PRIMARY KEY,
domain VARCHAR(255) UNIQUE NOT NULL,
access_token VARCHAR(255),
status VARCHAR(50) DEFAULT 'active',
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
)
""")
# Migration: add access_token column if it doesn't exist yet
try:
cursor.execute("ALTER TABLE domains ADD COLUMN access_token VARCHAR(255)")
print("ā Migrated: Added 'access_token' column to domains table.")
except mysql.connector.Error as err:
if err.errno == 1060: # Column already exists ā safe to ignore
pass
else:
raise
conn.commit()
cursor.close()
conn.close()
print("ā Database Initialized (MySQL)")
except Exception as e:
print(f"ā Database Initialization Error: {e}")
init_db()
# --- API ENVIRONMENT SWITCHER ---
ZUM_API_URL = (
"https://api-sandbox.zumrails.com/api"
if ZUM_ENV == "test"
else "https://api-app.zumrails.com/api"
)
# --- SHOPIFY OAUTH ROUTES ---
@app.route('/auth')
def auth():
"""Starts the OAuth installation flow."""
shop = request.args.get('shop')
if not shop:
return "Missing shop parameter", 400
# Build the installation URL
install_url = (
f"https://{shop}/admin/oauth/authorize?"
f"client_id={SHOPIFY_API_KEY}&"
f"scope={SHOPIFY_SCOPES}&"
f"redirect_uri={SHOPIFY_REDIRECT_URI}"
)
print(f"š Redirecting to Shopify Auth: {install_url}")
return redirect(install_url)
@app.route('/auth/callback')
def auth_callback():
"""Handles the callback from Shopify and exchanges the code for a token."""
params = request.args.to_dict()
shop = params.get('shop')
code = params.get('code')
# 1. Verify Security (HMAC)
if not verify_shopify_hmac(params, SHOPIFY_API_SECRET):
print("ā SECURITY ALERT: Invalid HMAC in OAuth callback!")
return "Invalid signature", 401
# 2. Exchange code for permanent Access Token
token_url = f"https://{shop}/admin/oauth/access_token"
payload = {
"client_id": SHOPIFY_API_KEY,
"client_secret": SHOPIFY_API_SECRET,
"code": code
}
try:
resp = requests.post(token_url, json=payload)
data = resp.json()
access_token = data.get('access_token')
if access_token:
# 3. Save to database
conn = get_db_connection()
cursor = conn.cursor()
cursor.execute(
"INSERT INTO domains (domain, access_token, status) VALUES (%s, %s, 'active') "
"ON DUPLICATE KEY UPDATE access_token = VALUES(access_token), status = 'active'",
(shop, access_token)
)
conn.commit()
cursor.close()
conn.close()
print(f"ā App successfully installed on {shop}. Token saved.")
return f"
Installation Successful!
The app is now linked to {shop}. You can close this window.
"
else:
print(f"ā Failed to get access token: {data}")
return f"Error: {data.get('error_description', 'Unknown error')}", 400
except Exception as e:
print(f"ā OAuth Exchange Error: {e}")
return "Server Error during authentication", 500
def get_store_credentials(shop_domain):
"""
Returns (access_token, status) for a given shop domain from the DB.
Falls back to the global env-var token if no per-store token is stored.
"""
try:
conn = get_db_connection()
cursor = conn.cursor(dictionary=True)
cursor.execute(
"SELECT status, access_token FROM domains WHERE domain = %s",
(shop_domain,)
)
row = cursor.fetchone()
cursor.close()
conn.close()
if not row:
return None, None # Store not registered
token = row.get("access_token") or SHOPIFY_ACCESS_TOKEN # per-store token or fallback
return token, row["status"]
except Exception as e:
print(f"ā ļø get_store_credentials error: {e}")
return None, None
def get_order_details(order_id, shop_domain=None, access_token=None):
"""
Fetches verified order details from Shopify Admin API.
Returns (first_name, last_name, verified_amount).
Never trust URL params for amount ā always verify server-side.
"""
target_domain = shop_domain or SHOPIFY_DOMAIN
token = access_token or SHOPIFY_ACCESS_TOKEN
if not order_id or not token or not target_domain:
return "", "", None
try:
url = f"https://{target_domain}/admin/api/2024-01/orders/{order_id}.json"
headers = {"X-Shopify-Access-Token": token}
resp = requests.get(url, headers=headers, timeout=5)
print(f"š Shopify API [{resp.status_code}] for order {order_id} on {target_domain}")
if resp.status_code != 200:
print(f"ā ļø Shopify fetch failed: {resp.text[:200]}")
return "", "", None
order = resp.json().get("order", {})
# Always use presentment_money (the actual CAD amount the customer sees)
verified_amount = (
order.get("total_price_set", {})
.get("presentment_money", {})
.get("amount")
)
if not verified_amount or float(verified_amount) == 0:
verified_amount = order.get("total_price")
print(f"ā ļø Fell back to total_price: {verified_amount}")
# Name: billing ā shipping ā customer
for src in [
order.get("billing_address"),
order.get("shipping_address"),
order.get("customer")
]:
if src:
first = (src.get("first_name") or "").strip()
last = (src.get("last_name") or "").strip()
if first or last:
return first, last, verified_amount
return "", "", verified_amount
except Exception as e:
print(f"ā ļø get_order_details error: {e}")
return "", "", None
def verify_zum_signature(payload_bytes, signature):
"""Verifies that the webhook really came from Zum Rails."""
if not ZUM_WEBHOOK_SECRET:
return True # Skip if secret not configured (dev mode)
expected_signature = base64.b64encode(
hmac.new(
ZUM_WEBHOOK_SECRET.strip().encode("utf-8"),
payload_bytes,
hashlib.sha256
).digest()
).decode("utf-8")
return hmac.compare_digest(expected_signature, signature)
@app.route("/", methods=["GET", "POST"])
def test():
return "Working"
@app.route("/start-payment", methods=["GET", "POST"])
def start_payment():
# --- STEP 1: Extract data from URL ---
order_id = request.values.get("order_id")
amount = request.values.get("amount") # untrusted ā overwritten below
email = request.values.get("email")
shop_domain = request.values.get("shop")
first_name = request.values.get("first_name", "").strip()
last_name = request.values.get("last_name", "").strip()
# --- STEP 2: Domain validation + fetch per-store token ---
store_token, store_status = get_store_credentials(shop_domain)
if store_token is None:
return f"""
Store Not Registered
The store {shop_domain} is not authorized to use this payment gateway.
Please contact FintechWerx support for registration.
"""
if store_status != "active":
return """
Account Inactive
Your Interac payment service is currently inactive.
Please contact FintechWerx to reactivate your store.
"""
# --- STEP 3: Verify amount + fetch names from Shopify (server-side, correct token) ---
api_first, api_last, verified_amount = get_order_details(
order_id, shop_domain, store_token
)
if verified_amount:
amount = verified_amount
print(f"ā Amount verified from Shopify: ${amount}")
else:
print(f"š« Order {order_id} not found on {shop_domain}. Blocking request.")
return """
Invalid Payment Link
This payment link is invalid or has expired.
Please return to the store and use the original link from your order confirmation.
"""
if api_first and not first_name:
first_name = api_first
if api_last and not last_name:
last_name = api_last
# --- STEP 4: Seamless mode ---
# --- STEP 5: Fallback form (POST submission) ---
if request.method == "POST":
email = request.form.get("email")
first_name = request.form.get("first_name", "").strip()
last_name = request.form.get("last_name", "").strip()
return process_zum_transaction(
order_id, amount, email, shop_domain, first_name, last_name
)
# --- STEP 6: Render form ---
if first_name or last_name:
name_section = f"""
ā ļø Important: The name above must exactly match the name registered
with your bank for Interac e-Transfer. Mismatched names may result in payment delays or rejection.
"""
else:
name_section = """
"""
return f"""
Interac Payment
Order #{order_id} | Total: ${amount}
We couldn't detect your email automatically. Please enter it below to receive the Interac payment request.
"""
def send_interac_email(to_email, amount, comment, payment_url):
"""
Sends the Interac payment request email to the customer
using the HTML template via Mandrill SMTP.
"""
try:
# Load and fill the HTML template
html_body = open("email_template.html").read()
html_body = (
html_body
.replace("{{amount}}", str(amount))
.replace("{{Comment}}", str(comment))
.replace("{{payment_url}}", str(payment_url))
)
msg = MIMEMultipart("alternative")
msg["Subject"] = f"Your Interac Payment Request ā ${amount}"
msg["From"] = f"FintechWerx <{SMTP_FROM_EMAIL}>"
msg["To"] = to_email
msg.attach(MIMEText(html_body, "html"))
with smtplib.SMTP(MAIL_SERVER, MAIL_PORT) as server:
server.ehlo()
server.starttls()
server.login(MAIL_USERNAME, MAIL_PASSWORD)
server.sendmail(SMTP_FROM_EMAIL, to_email, msg.as_string())
print(f"Email sent to {to_email} with payment URL: {payment_url}")
return True
except Exception as e:
print(f"Email send failed: {e}")
return False
def process_zum_transaction(order_id, amount, email, shop_domain=None, first_name="", last_name=""):
"""Authenticates with Zum Rails and sends the Interac payment request."""
print(f"š Sending Request to: {email} for ${amount}")
short_memo = str(order_id)[-15:]
zum_first = first_name if first_name else email.split("@")[0]
zum_last = last_name if last_name else "Shopify"
try:
# A. Authentication
auth_response = requests.post(f"{ZUM_API_URL}/authorize", json={
"Username": ZUM_USERNAME,
"Password": ZUM_PASSWORD
})
if auth_response.status_code != 200:
return f"
Auth Error
{auth_response.text}
"
token = auth_response.json().get("result", {}).get("Token")
# B. Send Transaction
headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
payload = {
"ZumRailsType": "AccountsReceivable",
"TransactionMethod": "Interac",
"Amount": float(amount),
"Memo": short_memo,
# shop_domain stored in Comment so webhook can look up the right store token
"Comment": f"Shopify Order #{order_id} | Store: {shop_domain}",
"InteracNotificationChannel": "email",
"WalletId": ZUM_WALLET_ID,
"User": {
"FirstName": zum_first,
"LastName": zum_last,
"Email": email
}
}
response = requests.post(f"{ZUM_API_URL}/transaction", json=payload, headers=headers)
result = response.json()
print("DEBUG RESPONSE:", result)
if response.status_code == 200 and not result.get("IsError"):
interac_url = result.get("result", {}).get("InteracUrl")
if interac_url:
# Build the comment shown in the email body
email_comment = f"Shopify Order #{order_id} via {shop_domain}"
email_sent = send_interac_email(
to_email=email,
amount=amount,
comment=email_comment,
payment_url=interac_url
)
if email_sent:
return redirect(interac_url)
else:
# Email failed ā fall back to redirect so customer isn't stuck
print("ā ļø Email failed ā falling back to direct redirect")
return redirect(interac_url)
# No InteracUrl in response (shouldn't happen in production)
return f"""
ā Request Sent!
We sent a payment request for ${amount}.
"""
else:
error_msg = (
result.get("responseException", {}).get("exceptionMessage")
or str(result.get("errors") or result.get("Message"))
)
return f"
Transaction Failed: {error_msg}
"
except Exception as e:
return f"
Server Error: {str(e)}
"
# ---------------------------------------------------------------------------
# WEBHOOK
# ---------------------------------------------------------------------------
def _parse_shop_from_comment(comment):
"""Extracts shop domain from Comment field: 'Shopify Order #X | Store: domain'"""
if comment and "Store:" in comment:
return comment.split("Store:")[-1].strip()
return None
def _get_token_for_shop(shop_domain):
"""Returns the access token for a shop domain (DB first, fallback to env var)."""
if not shop_domain:
return SHOPIFY_ACCESS_TOKEN
token, _ = get_store_credentials(shop_domain)
return token or SHOPIFY_ACCESS_TOKEN
@app.route("/webhook", methods=["POST"])
def webhook():
# --- Security: Verify Signature ---
signature = request.headers.get("zumrails-signature")
if not signature or not verify_zum_signature(request.data, signature):
print("ā SECURITY ALERT: Invalid Signature Received!")
return jsonify({"message": "Invalid Signature"}), 401
data = request.json
print("\nš WEBHOOK RECEIVED!")
# --- Data Forwarding ---
destinations = [
{"name": "Legacy PHP", "url": "https://payments.fintechwerx.com/order/zumrails/postback.php"},
{"name": "New Sandbox", "url": ZUM_SECONDARY_WEBHOOK_URL}
]
for dest in destinations:
if not dest["url"]:
continue
try:
print(f"ā”ļø Forwarding to {dest['name']}: {dest['url']}...")
f_headers = {"zumrails-signature": signature, "Content-Type": "application/json"}
fwd = requests.post(dest["url"], json=data, headers=f_headers, timeout=5)
print(f"ā {dest['name']} Status: {fwd.status_code}")
except Exception as e:
print(f"ā ļø Failed to forward to {dest['name']}: {e}")
# --- Logging ---
try:
with open("webhook_logs.json", "a") as f:
json.dump(data, f, indent=4)
f.write("\n,\n")
print("š Saved to webhook_logs.json")
except Exception as e:
print(f"Error saving log: {e}")
# --- Parse Data ---
inner_data = data.get("Data", {})
event_type = data.get("Event")
status = inner_data.get("TransactionStatus")
comment = inner_data.get("Comment", "")
print(f"š Status: {status} | Event: {event_type}")
# Identify which store this transaction belongs to
shop_domain = _parse_shop_from_comment(comment)
store_token = _get_token_for_shop(shop_domain)
target_domain = shop_domain or SHOPIFY_DOMAIN
print(f"šŖ Shop: {target_domain}")
# --- Status Handling ---
if event_type == "Succeeded" or status == "Completed":
order_id = inner_data.get("Memo")
amount = inner_data.get("Amount")
transaction_id = inner_data.get("Id")
if order_id:
print(f"ā Payment Succeeded for Order #{order_id}. Updating Shopify...")
mark_shopify_order_paid(order_id, amount, transaction_id, target_domain, store_token)
else:
print("ā ļø Payment completed, but Order ID (Memo) was missing.")
elif event_type == "Failed" or status in ["Failed", "Rejected", "Error"]:
reason = inner_data.get("FailedTransactionEvent") or "Unknown Error"
order_id = inner_data.get("Memo")
amount = inner_data.get("Amount")
print(f"ā Payment FAILED for Order #{order_id} | Reason: {reason}")
if order_id:
mark_shopify_order_failed(order_id, amount, reason, target_domain, store_token)
else:
print(f"ā¹ļø Transaction is in state: {status} (Ignored)")
return jsonify({"message": "Received"}), 200
def mark_shopify_order_paid(order_id, amount, transaction_id, shop_domain=None, access_token=None):
"""Updates Shopify Order to 'Paid' using the correct per-store credentials."""
target_domain = shop_domain or SHOPIFY_DOMAIN
token = access_token or SHOPIFY_ACCESS_TOKEN
url = f"https://{target_domain}/admin/api/2024-01/orders/{order_id}/transactions.json"
headers = {"X-Shopify-Access-Token": token, "Content-Type": "application/json"}
payload = {
"transaction": {
"kind": "capture",
"status": "success",
"amount": amount,
"gateway": "interac-manual",
"authorization": transaction_id
}
}
try:
response = requests.post(url, json=payload, headers=headers)
if response.status_code == 201:
print(f"š SUCCESS! Order #{order_id} Paid on {target_domain}. Ref: {transaction_id}")
else:
print(f"ā Shopify Update Failed: {response.text}")
except Exception as e:
print(f"ā Connection Error: {e}")
def mark_shopify_order_failed(order_id, amount, reason, shop_domain=None, access_token=None):
"""Tags a failed order on the correct Shopify store."""
target_domain = shop_domain or SHOPIFY_DOMAIN
token = access_token or SHOPIFY_ACCESS_TOKEN
url = f"https://{target_domain}/admin/api/2024-01/orders/{order_id}.json"
headers = {"X-Shopify-Access-Token": token, "Content-Type": "application/json"}
try:
get_response = requests.get(url, headers=headers)
order_data = get_response.json().get("order", {})
current_tags = order_data.get("tags", "")
except Exception:
current_tags = ""
new_tags = f"{current_tags}, Payment Failed, Interac Failed"
payload = {
"order": {
"id": order_id,
"tags": new_tags,
"note": f"ā ļø PAYMENT FAILED \nReason: {reason} \nAmount: {amount}",
}
}
try:
response = requests.put(url, json=payload, headers=headers)
if response.status_code == 200:
print(f"ā Shopify Updated: Order #{order_id} tagged as FAILED on {target_domain}.")
void_transaction(order_id, target_domain, token)
else:
print(f"ā Shopify Update Failed: {response.text}")
except Exception as e:
print(f"ā Connection Error: {e}")
def void_transaction(order_id, shop_domain=None, access_token=None):
"""Voids a pending transaction on the correct Shopify store."""
target_domain = shop_domain or SHOPIFY_DOMAIN
token = access_token or SHOPIFY_ACCESS_TOKEN
url = f"https://{target_domain}/admin/api/2024-01/orders/{order_id}/transactions.json"
headers = {"X-Shopify-Access-Token": token, "Content-Type": "application/json"}
requests.post(url, json={"transaction": {"kind": "void"}}, headers=headers)
# ---------------------------------------------------------------------------
# DASHBOARD & ADMIN ROUTES
# ---------------------------------------------------------------------------
@app.route("/login", methods=["GET", "POST"])
def login():
if request.method == "POST":
password = request.form.get("password")
if password == ADMIN_PASSWORD:
session["logged_in"] = True
return redirect(url_for("dashboard"))
return "