API credentials validation logic too fragile

[keatonmurray]

Currently using a conditional statement that checks if a client_id exists in the database to determine whether to update or create a new PayPal configuration record. This approach is fragile because:

• client_id values are encrypted, making them difficult to match accurately
• It assumes global uniqueness without user or context scoping
• It lacks support for sandbox/live mode distinction or multi-user environments

🔧 Temporary workaround:
Store client_id in plaintext to enable lookup, and use updateOrCreate() based on it.

✅ Permanent solution (post-authentication):
Once the authentication functionality is in place:

• Add user_id to the paypal_config table
• Update logic to updateOrCreate based on a composite key of user_id and mode
• Encrypt only the sensitive fields like secret, not identifiers
• Enforce uniqueness via database constraints (unique: [user_id, mode])

This will allow each authenticated user to have their own set of PayPal credentials scoped by environment (sandbox or live), with secure and reliable logic.

📌 Related feature: user authentication and session management
📌 Related table: paypal_config