tzktz

app.js

@@ -105,6 +105,14 @@ app.use(
 app.set("view engine", "ejs");
 app.set("views", path.join(__dirname, "views"));
 
+const shopRoutes    = require("./routes/shop.route");
+
+/* ========================
+   WICHTIG: Shop/Webhook VOR express.json()
+   registrieren – Stripe braucht raw body!
+======================== */
+app.use("/api", shopRoutes);
+
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
 app.use(express.static(path.join(__dirname, "public")));

routes/shop.route.js

@@ -51,7 +51,7 @@ router.post("/shop/checkout", requireLogin, async (req, res) => {
 
   try {
     const session = await stripe.checkout.sessions.create({
-      payment_method_types: ["card"],
+      payment_method_types: ["card", "paypal"],
       line_items: [{
         price_data: {
           currency: "eur",
@@ -114,13 +114,23 @@ router.post(
       const packageId = session.metadata.packageId;
 
       try {
-        /* Gems gutschreiben */
+        /* ── Idempotenz: bereits verarbeitet? ── */
+        const [[existing]] = await db.query(
+          "SELECT id FROM shop_purchases WHERE stripe_session_id = ?",
+          [session.id]
+        );
+        if (existing) {
+          console.log(`⚠️  Webhook bereits verarbeitet (ignoriert): ${session.id}`);
+          return res.json({ received: true });
+        }
+
+        /* ── Gems gutschreiben ── */
         await db.query(
           "UPDATE account_currency SET gems = gems + ? WHERE account_id = ?",
           [gems, userId]
         );
 
-        /* Kauf protokollieren */
+        /* ── Kauf protokollieren ── */
         await db.query(
           `INSERT INTO shop_purchases
              (user_id, package_id, gems, stripe_session_id, created_at)