From ed5d27b1b7837023bf60a514e1daee763caf2ac0 Mon Sep 17 00:00:00 2001
From: cay
Date: Sat, 11 Apr 2026 15:28:32 +0100
Subject: [PATCH] tzktz

---
 app.js | 8 ++++++++
 routes/shop.route.js | 22 ++++++++++++++++------
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/app.js b/app.js
index c51fafb..b30782c 100644
--- a/app.js
+++ b/app.js
@@ -105,6 +105,14 @@ app.use(
 app.set("view engine", "ejs");
 app.set("views", path.join(__dirname, "views"));

+const shopRoutes = require("./routes/shop.route");
+
+/* ========================
+ WICHTIG: Shop/Webhook VOR express.json()
+ registrieren – Stripe braucht raw body!
+======================== */
+app.use("/api", shopRoutes);
+
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
 app.use(express.static(path.join(__dirname, "public")));
diff --git a/routes/shop.route.js b/routes/shop.route.js
index 4062a8c..6bcf1c1 100644
--- a/routes/shop.route.js
+++ b/routes/shop.route.js
@@ -51,7 +51,7 @@ router.post("/shop/checkout", requireLogin, async (req, res) => {

 try {
 const session = await stripe.checkout.sessions.create({
- payment_method_types: ["card"],
+ payment_method_types: ["card", "paypal"],
 line_items: [{
 price_data: {
 currency: "eur",
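Review bot: In the app.js hunk, `app.use("/api", shopRoutes)` mounts the whole shop router ahead of `express.json()` and `express.urlencoded()`, so every route in it, not only the Stripe webhook, now runs without a parsed body; any handler there that reads `req.body` (the `/shop/checkout` route may, its body is not fully visible) will get `undefined` unless the router applies its own parser. The routes also run ahead of whatever middleware is registered further down the file, which is worth checking if CSRF or rate-limiting middleware lives there. A narrower change leaves the router where it was and gives only the webhook the raw body, for example `express.raw({ type: "application/json" })` on that one route, or `express.json({ verify: (req, _res, buf) => { req.rawBody = buf; } })` globally. If the router is still mounted later in the file, that second mount should be removed so handlers are not registered twice.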
@@ -108,19 +108,29 @@ router.post(
 }

 if (event.type === "checkout.session.completed") {
- const session = event.data.object;
- const userId = parseInt(session.metadata.userId);
- const gems = parseInt(session.metadata.gems);
+ const session = event.data.object;
+ const userId = parseInt(session.metadata.userId);
+ const gems = parseInt(session.metadata.gems);
 const packageId = session.metadata.packageId;

 try {
- /* Gems gutschreiben */
+ /* ── Idempotenz: bereits verarbeitet? ── */
+ const [[existing]] = await db.query(
+ "SELECT id FROM shop_purchases WHERE stripe_session_id = ?",
+ [session.id]
+ );
+ if (existing) {
+ console.log(`⚠️ Webhook bereits verarbeitet (ignoriert): ${session.id}`);
+ return res.json({ received: true });
+ }
+
+ /* ── Gems gutschreiben ── */
 await db.query(
 "UPDATE account_currency SET gems = gems + ? WHERE account_id = ?",
 [gems, userId]
 );

- /* Kauf protokollieren */
+ /* ── Kauf protokollieren ── */
 await db.query(
 `INSERT INTO shop_purchases
 (user_id, package_id, gems, stripe_session_id, created_at)
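Review bot: The new idempotency check is a check-then-act sequence: two deliveries of the same `checkout.session.completed` event that arrive close together can both pass the `SELECT` before either reaches the `INSERT`, and the gems are then credited twice. The guarantee has to come from the database, so `shop_purchases.stripe_session_id` needs a UNIQUE index, and the purchase row should be inserted first, in one transaction with the `UPDATE account_currency`, treating a duplicate-key error as "already processed". As written the `UPDATE` and the `INSERT` are separate statements, so a failure between them leaves gems credited with no purchase row, and a Stripe retry then credits again. Separately, `parseInt` is called without a radix or a `Number.isInteger` check on the result, and nothing visible tests `session.payment_status === "paid"` before crediting, which matters more now that the first hunk of this file enables a second payment method. The `INSERT` statement and the `catch` branch continue past the end of this hunk.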