Skip to content

Payment tests, account status, smartRoutes#828

Merged
BilalG1 merged 61 commits intodevfrom
payments-pr4-accounts
Aug 9, 2025
Merged

Payment tests, account status, smartRoutes#828
BilalG1 merged 61 commits intodevfrom
payments-pr4-accounts

Conversation

@BilalG1
Copy link
Contributor

@BilalG1 BilalG1 commented Aug 5, 2025
edited by coderabbitai bot
Loading

Important

Introduce comprehensive payment and subscription management with Stripe integration, including new models, API endpoints, UI components, and extensive tests.

  • Features:
    • Add Stripe integration for payments and subscriptions in apps/backend/src/lib/stripe.tsx and apps/backend/src/app/api/latest/integrations/stripe/webhooks/route.tsx.
    • Implement payment offers and items management in apps/backend/src/app/api/latest/payments.
    • Add UI components for payment management in apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/payments.
  • Models:
    • Add Subscription model in prisma/schema.prisma and prisma/migrations/20250805195319_subscriptions/migration.sql.
  • Tests:
    • Add end-to-end tests for payment APIs in apps/e2e/tests/backend/endpoints/api/v1/payments.
  • Configuration:
    • Update environment variables in .env.development and docker.compose.yaml for Stripe.
  • Misc:
    • Add new known errors related to payments in known-errors.tsx.

This description was created by Ellipsis for 972c248. You can customize this summary. It will automatically update as commits are pushed.

Summary by CodeRabbit

  • New Features

    • Introduced comprehensive payments and subscriptions management with Stripe integration.
    • Added UI for managing payment offers, items, and purchase URLs in the dashboard.
    • Implemented Stripe onboarding, purchase sessions, and return flow handling.
    • Added Stripe Connect and Elements integration with theme-aware UI components.

  • Bug Fixes

    • Enhanced validation and error handling for payments APIs and customer/item type consistency.

  • Tests

    • Added extensive end-to-end and backend tests for payments and purchase-related endpoints.

  • Chores

    • Updated environment variables and dependencies for Stripe support.
    • Added Stripe mock service to development Docker Compose.

  • Documentation

    • Extended schemas and types for payment offers, prices, items, and customer types.

N2D4 and others added 30 commits July 22, 2025 01:51
@N2D4
New payments
1798e52
@N2D4
Merge branch 'dev' into payments-release
d37c619
@N2D4
fixes
83fdba5
@N2D4
More changes
020336e
@N2D4
Fixes
9e589d9
@N2D4
Merge dev into payments-release
fef654e
@N2D4
Merge dev into payments-release
cbe2a08
@N2D4
Merge dev into payments-release
de48a50
@N2D4
Fixes
3a021cc
@N2D4
Merge branch 'dev' into payments-release
0736fd9
@N2D4
Fixes
cad3b39
@N2D4
TypeScript mess
57177be
@N2D4
more
6c17ed7
@N2D4
more
b23aee5
@N2D4
fixes
5c005de
@N2D4
fix
a7fb8ae
@N2D4
more fixes
3d1046f
@N2D4
fixes
5332b03
@N2D4
more fixes
a70f59d
@N2D4
More fixes
805c396
@N2D4
Merge branch 'dev' into payments-release
3ef091c
@N2D4
more fixes
00116c9
@N2D4
Merge branch 'dev' into payments-release
e027292
@N2D4
more
701987a
@N2D4
Merge branch 'dev' into payments-release
7c0d78c
@N2D4
More parts
ebd6e86
@N2D4 @coderabbitai
Apply suggestion from @coderabbitai[bot]
5686372 
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@N2D4
Merge dev into payments-release
4d79129
@N2D4
Merge dev into payments-release
77a6358
@N2D4
Merge dev into payments-release
1ff14ff
@BilalG1 BilalG1 changed the base branch from payments-pr3-ui to dev August 8, 2025 21:36
@claude
Copy link
Contributor

claude bot commented Aug 8, 2025
edited
Loading

Claude encountered an error —— View job

I'll analyze this and get back to you.

@claude
Copy link
Contributor

claude bot commented Aug 8, 2025
edited
Loading

Claude finished @BilalG1's task —— View job

PR Review: Payment System Implementation

This is a comprehensive payment system implementation with significant changes across 52 files. Here's my detailed analysis focusing on code quality, security, performance, and test coverage:

🔴 Critical Issues

Database Schema & Migration Safety ⚠️

High Risk - Migration Will Fail: The migration 20250805195319_subscriptions/migration.sql has dangerous operations:

  • Creates Subscription table with NOT NULL columns without defaults
  • If existing subscription data exists, migration will fail
  • References CustomerType enum that may not exist yet
  • Recommendation: Add proper data migration steps and DEFAULT values

Security Vulnerabilities 🔐

Critical - Unsafe JSON.parse: In stripe.tsx:72,81, direct JSON.parse(subscription.metadata.offer) without error handling:

offer: JSON.parse(subscription.metadata.offer), // ❌ Will crash on invalid JSON

Fix: Use parseJson() from stack-shared/utils/json

Input Validation Issues:

  • validate-code/route.ts:31-32: Assumes offer.displayName/customerType exist but schema allows undefined
  • purchase-session/route.tsx:49: Uses Number(selectedPrice.USD) without validation - could result in NaN

Error Handling Problems 🚨

Webhook Reliability Issue: webhooks/route.tsx:80-82 catches all errors but always returns 200:

} catch (error) {
  captureError("stripe-webhook-receiver", error); // Silent failure
}
return { statusCode: 200, ... }; // Always success - Stripe may stop sending webhooks

🟡 Code Quality Issues

Performance Concerns ⚡

  • Sequential Processing: stripe.tsx:59 processes subscriptions sequentially instead of parallel
  • Hardcoded Currency: purchase-session/route.tsx:48 hardcodes "usd" instead of using dynamic currency
  • Product Creation Per Request: Creates new Stripe product for each subscription instead of reusing

API Design Issues 🏗️

  • Inconsistent Error Codes: Webhook returns 500 for missing account ID when 400 would be appropriate
  • Missing Rate Limiting: Payment endpoints lack rate limiting protection
  • No Idempotency: Subscription creation lacks idempotency keys

🟢 Positive Aspects

Test Coverage ✅

Comprehensive E2E Testing: 4 dedicated test files covering:

  • Purchase URL creation and validation
  • Item retrieval with proper error scenarios
  • Purchase session creation
  • Code validation with edge cases

Good Error Scenarios: Tests cover authentication failures, invalid IDs, customer type mismatches

Architecture 🏛️

Smart Route Handler Pattern: Consistent use of createSmartRouteHandler with proper request/response typing
Separation of Concerns: Clean separation between Stripe integration, payment logic, and API handlers
Environment Flexibility: Supports both real Stripe and mock Stripe for testing

🔧 Recommendations

Immediate Fixes Required:

  1. Fix migration: Add defaults and proper data migration steps
  2. Replace JSON.parse: Use safe parsing everywhere
  3. Add input validation: Validate all numeric inputs and required fields
  4. Fix webhook error handling: Return appropriate HTTP status codes

Performance Improvements:

  1. Parallelize subscription sync: Process multiple subscriptions concurrently
  2. Add caching: Cache frequently accessed configuration data
  3. Product reuse: Implement product caching/reuse strategy

Security Enhancements:

  1. Add rate limiting: Protect payment endpoints from abuse
  2. Implement idempotency: Prevent duplicate payments
  3. Audit logging: Log all payment operations for compliance

Overall Assessment

This is a well-structured payment system implementation with comprehensive testing, but contains several critical security and reliability issues that must be addressed before production deployment. The architecture is sound, but execution details need refinement.

Confidence Level: Medium - Good foundation with critical fixes needed

coderabbitai[bot]
coderabbitai bot reviewed Aug 8, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 28

♻️ Duplicate comments (10)
apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/payments/page.tsx (1)

13-15: params shouldn’t be a Promise

Next.js supplies params synchronously; typing it as Promise<Params> forces an unnecessary await and risks runtime misuse. Revert to { params: Params }.

apps/e2e/tests/backend/endpoints/api/v1/payments/items.test.ts (4)

5-12: Avoid direct JSON.stringify when overriding config
This was flagged in earlier reviews – use stringifyJson from stack-shared/utils/json for consistent escaping and error handling.

55-58: Construct URLs with new URL() instead of template literals

String interpolation can silently produce invalid URLs (double slashes, missing encoding).
Use the existing niceBackendFetch(new URL(...)) helper instead.

89-91: Same URL-construction issue as above.

125-127: Same URL-construction issue as above.

apps/e2e/tests/backend/endpoints/api/v1/payments/purchase-session.test.ts (1)

60-65: Empty client_secret weakens the test

Asserting that Stripe returns an empty string allows the happy-path tests to pass even when no session was created. Consider asserting expect.any(String) or a non-empty pattern so the test fails when stripe-mock (or prod) returns an unexpected value.

Also applies to: 82-85, 133-136

apps/e2e/tests/backend/backend-helpers.ts (1)

1110-1114: Use shared stringifyJson helper instead of JSON.stringify

Past reviews asked to standardise JSON serialisation for config overrides; please switch to stringifyJson(config) for consistency.

apps/e2e/tests/backend/endpoints/api/v1/payments/create-purchase-url.test.ts (1)

34-46: Use snake_case in JSON payloads for API-visible fields

serverOnlyserver_only, includedItemsincluded_items to stay consistent with REST naming conventions previously agreed on.

Also applies to: 84-96, 132-142

apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/payments/page-client.tsx (1)

334-336: Silent discard still present – surface feedback to user

The updatePriceId branch still exits silently on duplicates. Prior review already flagged this; please show a toast or error so users know why the edit failed.

apps/backend/src/lib/payments.tsx (1)

42-47: Don’t overwrite per-price serverOnly flag

Every mapped price forces serverOnly: true, discarding the original server_only value from the inline offer. Preserve the caller’s intent:

-        serverOnly: true,
+        serverOnly: value.server_only ?? inlineOffer.server_only,
🧹 Nitpick comments (26)
apps/dashboard/.env (1)

7-7: Follow dotenv best practices: move before STACK_SECRET_SERVER_KEY and quote value

Addressing the linter hints and avoiding inline-comments-as-values pitfalls:

  • Place NEXT_PUBLIC_STACK_STRIPE_PUBLISHABLE_KEY before STACK_SECRET_SERVER_KEY.
  • Quote the value and move the comment to a separate line.

Apply:

-STACK_SECRET_SERVER_KEY=# enter your Stack secret client key here. For local development, do the same as above
-NEXT_PUBLIC_STACK_EXTRA_REQUEST_HEADERS=# a list of extra request headers to add to all Stack Auth API requests, as a JSON record
-NEXT_PUBLIC_STACK_STRIPE_PUBLISHABLE_KEY=# enter your Stripe publishable key here
+# enter your Stripe publishable key here
+NEXT_PUBLIC_STACK_STRIPE_PUBLISHABLE_KEY=""
+STACK_SECRET_SERVER_KEY=# enter your Stack secret client key here. For local development, do the same as above
+NEXT_PUBLIC_STACK_EXTRA_REQUEST_HEADERS=# a list of extra request headers to add to all Stack Auth API requests, as a JSON record

Note: Inline comments after = can be parsed as part of the value by some dotenv parsers—use a separate comment line as shown.

apps/dashboard/src/components/smart-form.tsx (1)

116-118: Good addition for number support; consider coercing to number to avoid string values in RHF.

RHF often keeps inputs as strings; coercing prevents subtle schema/type issues.

Suggestion (in NumberField implementation, outside this file):

// apps/dashboard/src/components/form-fields.tsx
<Input
  {...field}
  value={field.value ?? ""}
  onChange={(e) => field.onChange(e.target.value === "" ? undefined : Number(e.target.value))}
  inputMode="numeric"
  type="number"
  min={props.min}
  max={props.max}
/>
docker/dependencies/docker.compose.yaml (1)

170-170: Trim trailing spaces.

Line 170 has trailing whitespace. Clean it to satisfy YAML linters.

apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/sidebar-layout.tsx (1)

367-369: Avoid re-parsing env JSON on every item render

devFeaturesEnabledForProject(projectId) parses the env var each call; here it’s called per item during render. Compute it once per render instead:

  • Compute const devEnabled = useMemo(() => devFeaturesEnabledForProject(projectId), [projectId]) before the map.
  • Use if (item.requiresDevFeatureFlag && !devEnabled) return null;.

This reduces repeated parsing and improves clarity.

apps/dashboard/src/components/payments/stripe-theme-variables.ts (1)

58-60: Narrow the theme type and validate Stripe appearance variables

  • In apps/dashboard/src/components/payments/stripe-theme-variables.ts (line 58), change the signature from 
    (theme: string | undefined)
    to 
    (theme?: 'light' | 'dark')
  • Cross-check every key in darkAppearanceVariables and lightAppearanceVariables (e.g. colorSecondaryText, buttonSecondaryColorBackground, actionSecondaryTextDecorationColor, etc.) against the Stripe Elements Appearance Variables API (https://stripe.com/docs/stripe-js/elements/options#appearance-variables). Remove or rename any properties Stripe doesn’t support so your custom theme is fully honored.
apps/dashboard/src/app/(main)/purchase/[code]/page-client.tsx (1)

31-36: Pluralisation helper may double-plural

If interval[1] is already plural (“months”), "${interval[0]} ${interval[1]}s" becomes “3 monthss”. Consider a small map or inflection util instead of blindly appending “s”.

apps/backend/src/app/api/latest/internal/payments/stripe-widgets/account-session/route.ts (1)

30-42: Hard-coded features may violate least-privilege

Enabling refund_management, dispute_management, and capture_payments for every widget session might exceed what the UI needs. Consider passing requested components from the caller or scoping to the minimum required to reduce risk.

apps/dashboard/src/lib/utils.tsx (1)

20-29: Cache the parsed project-ID allow-list

parseJson(...) runs on every call, but the env var is static per process. Parse once at module top and reuse to avoid repeated JSON parsing and object allocations.

apps/dashboard/src/components/data-table/payment-offer-table.tsx (1)

31-35: Render “Free Trial” more clearly

freeTrial?.join(" ") collapses the tuple without context (e.g., “30 days”). Consider formatting as “30 days” / “1 month” for readability.

apps/dashboard/src/components/payments/stripe-elements-provider.tsx (1)

25-30: Memo deps could include the public key

loadStripe will be re-invoked when stripeAccountId changes but not when stripePublicKey changes (e.g. in tests with a different .env).
Consider adding stripePublicKey to the dependency array to keep the memo rule-of-thumb “list everything you read”.

apps/dashboard/src/app/(main)/purchase/return/page.tsx (1)

14-21: Unnecessary await

After fixing the prop type you can simplify:

-export default async function Page({ searchParams }: Props) {
-  const params = await searchParams;
+export default function Page({ searchParams: params }: Props) {
packages/template/src/lib/stack-app/customers/index.ts (2)

32-33: nonNegativeQuantity should be derived, not stored

Storing both quantity and nonNegativeQuantity risks them drifting out of sync.
Prefer a getter so the value is always consistent:

get nonNegativeQuantity(): number {
  return Math.max(0, this.quantity);
}

34-47: Return a value from mutator methods

increaseQuantity, decreaseQuantity, and tryDecreaseQuantity mutate state but return void.
Returning the new quantity (or a boolean for success) improves ergonomics and makes chaining easier.

-  increaseQuantity(amount: number): void,
+  increaseQuantity(amount: number): number,

-  decreaseQuantity(amount: number): void,
+  decreaseQuantity(amount: number): number,
apps/e2e/tests/backend/endpoints/api/v1/payments/items.test.ts (1)

5-12: Factor out updateConfig helper

updateConfig is re-declared in multiple test files. Extract it once in backend-helpers.ts to cut duplication and keep tests DRY.

Also applies to: 39-147

apps/backend/src/app/api/latest/internal/payments/setup/route.ts (1)

30-44: Make Stripe account creation idempotent

Concurrent calls when stripeAccountId is unset can create multiple connected accounts.
Use an idempotency key (e.g. tenancy ID) or lock at the DB layer to make this operation safe in the face of retries.

apps/backend/src/app/api/latest/payments/purchases/validate-code/route.ts (1)

33-37: Strip unsupported keys from offer.prices

value may contain properties other than currency codes (e.g. legacy fields).
After filterUndefined consider pickBy(value, (_, k) => SUPPORTED_CURRENCIES.some(c => c.code === k)) to ensure no extraneous data leaks to the client.

apps/dashboard/src/components/data-table/payment-item-table.tsx (1)

37-42: Render repeat interval more readably

join(" ") produces “1 month” as “1 month” but “3,month” would become “3 month”.
Consider formatting as ${count} ${unit} or using join(" ") only when the value is [count, unit]; otherwise show "Never".

packages/template/src/lib/stack-app/apps/implementations/admin-app-impl.ts (2)

168-171: Cache refresh looks correct but consider refreshing dependent caches too

Refreshing _configOverridesCache after updateConfig will give consumers the new values, but getProject()/useProject() still serve the old config snapshot cached in _adminProjectCache.
If callers depend on project.config.* immediately after an override, consider refreshing _adminProjectCache as well (or invalidating both in one helper) to avoid subtle stale-data bugs.

501-514: Expose raw Stripe objects carefully

The three new payment helpers correctly delegate to the interface, but:

  1. createStripeWidgetAccountSession() returns the raw Stripe‐secret field in snake_case. For consumer ergonomics keep external API camelCase (clientSecret) and keep the raw response internal.
  2. createPurchaseUrl() returns a string yet does no basic URL validation; if the backend ever changes shape this will silently return undefined. A trivial try { new URL(url) } guard (or z.string().url() zod check) would fail fast.

Both are small polish items but will save debugging time.

apps/backend/src/app/api/latest/payments/purchases/create-purchase-url/route.ts (1)

40-44: Race-condition & uniqueness on Stripe customer search

customers.search can return multiple hits if duplicate metadata slipped in.
Currently the code silently takes data[0]. To guarantee idempotency you may:

if (stripeCustomerSearch.data.length > 1) {
  throw new StackAssertionError("Multiple Stripe customers share the same customerId metadata");
}

(or enforce uniqueness with metadata[‘customerId’]: ‘${id}’ AND email:\'...').

apps/dashboard/src/components/payments/checkout.tsx (2)

31-39: Missing loading / double-click guard

handleSubmit is async but the button stays enabled; double-clicking will fire two parallel submissions and may create duplicate Stripe PaymentIntents.
Add a processing state to disable the button until confirmPayment resolves.

45-51: Unnecessary type-cast masks real Stripe error objects

Casting the result of confirmPayment to { error?: StripeError } discards other fields; TypeScript already exposes PaymentIntentResult.
Prefer:

const { error } = await stripe.confirmPayment({});

and rely on the provided type.

packages/stack-shared/src/interface/admin-interface.ts (1)

471-516: Consistency & validation improvements for new payment endpoints

The three new helpers look good; a couple of minor suggestions:

  1. Return camelCase (clientSecret) in createStripeWidgetAccountSession() for consistency with the rest of the interface.
  2. createPurchaseUrl() swallows non-200 responses – a 4xx from the backend will produce result.url === undefined and callers will get "undefined". Consider checking response.ok and throwing a typed error early.

These tweaks align the interface with existing patterns elsewhere in the file.

apps/backend/prisma/schema.prisma (1)

712-726: Unify enum value casing

Existing enums use ALL_CAPS (ONE_TIME_PASSWORD). Newly added CustomerType/SubscriptionStatus introduce USER/active etc. Mixed casing hampers readability and code-search. Consider either:

a) ACTIVE | TRIALING | CANCELED …
b) keep lower-camel everywhere.

Pick one style and apply consistently.

apps/backend/src/lib/stripe.tsx (1)

17-28: Avoid re-creating Stripe clients on every call

getStackStripe and getStripeForAccount instantiate a new Stripe object each time. This is thread-safe but wasteful; cache per-process singletons instead.

-export const getStackStripe = () => new Stripe(stripeSecretKey, stripeConfig);
+let stackStripe: Stripe | undefined;
+export const getStackStripe = () => stackStripe ??= new Stripe(stripeSecretKey, stripeConfig);

Apply a similar memoisation for account-scoped clients keyed by accountId.

Also applies to: 30-32

packages/stack-shared/src/config/schema.ts (1)

116-121: Validate Stripe account prerequisites

stripeAccountSetupComplete can be true even when stripeAccountId is missing.
Add a .when("stripeAccountSetupComplete", …) rule so an ID becomes mandatory once the flag is set.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2a5e166 and f728b71.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (51)
  • apps/backend/.env (1 hunks)
  • apps/backend/.env.development (1 hunks)
  • apps/backend/package.json (1 hunks)
  • apps/backend/prisma/migrations/20250805195319_subscriptions/migration.sql (1 hunks)
  • apps/backend/prisma/schema.prisma (2 hunks)
  • apps/backend/src/app/api/latest/integrations/stripe/webhooks/route.tsx (1 hunks)
  • apps/backend/src/app/api/latest/internal/payments/setup/route.ts (1 hunks)
  • apps/backend/src/app/api/latest/internal/payments/stripe-widgets/account-session/route.ts (1 hunks)
  • apps/backend/src/app/api/latest/payments/items/[customer_id]/[item_id]/route.ts (1 hunks)
  • apps/backend/src/app/api/latest/payments/purchases/create-purchase-url/route.ts (1 hunks)
  • apps/backend/src/app/api/latest/payments/purchases/purchase-session/route.tsx (1 hunks)
  • apps/backend/src/app/api/latest/payments/purchases/validate-code/route.ts (1 hunks)
  • apps/backend/src/app/api/latest/payments/purchases/verification-code-handler.tsx (1 hunks)
  • apps/backend/src/lib/payments.tsx (1 hunks)
  • apps/backend/src/lib/stripe.tsx (1 hunks)
  • apps/backend/src/route-handlers/smart-request.tsx (2 hunks)
  • apps/backend/src/route-handlers/verification-code-handler.tsx (3 hunks)
  • apps/dashboard/.env (1 hunks)
  • apps/dashboard/package.json (1 hunks)
  • apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/payments/page-client.tsx (1 hunks)
  • apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/payments/page.tsx (1 hunks)
  • apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/sidebar-layout.tsx (2 hunks)
  • apps/dashboard/src/app/(main)/purchase/[code]/page-client.tsx (1 hunks)
  • apps/dashboard/src/app/(main)/purchase/[code]/page.tsx (1 hunks)
  • apps/dashboard/src/app/(main)/purchase/return/page-client.tsx (1 hunks)
  • apps/dashboard/src/app/(main)/purchase/return/page.tsx (1 hunks)
  • apps/dashboard/src/components/data-table/payment-item-table.tsx (1 hunks)
  • apps/dashboard/src/components/data-table/payment-offer-table.tsx (1 hunks)
  • apps/dashboard/src/components/form-fields.tsx (2 hunks)
  • apps/dashboard/src/components/payments/checkout.tsx (1 hunks)
  • apps/dashboard/src/components/payments/stripe-connect-provider.tsx (1 hunks)
  • apps/dashboard/src/components/payments/stripe-elements-provider.tsx (1 hunks)
  • apps/dashboard/src/components/payments/stripe-theme-variables.ts (1 hunks)
  • apps/dashboard/src/components/smart-form.tsx (2 hunks)
  • apps/dashboard/src/lib/env.tsx (2 hunks)
  • apps/dashboard/src/lib/utils.tsx (2 hunks)
  • apps/e2e/tests/backend/backend-helpers.ts (5 hunks)
  • apps/e2e/tests/backend/endpoints/api/v1/payments/create-purchase-url.test.ts (1 hunks)
  • apps/e2e/tests/backend/endpoints/api/v1/payments/items.test.ts (1 hunks)
  • apps/e2e/tests/backend/endpoints/api/v1/payments/purchase-session.test.ts (1 hunks)
  • apps/e2e/tests/backend/endpoints/api/v1/payments/validate-code.test.ts (1 hunks)
  • docker/dependencies/docker.compose.yaml (1 hunks)
  • packages/stack-shared/src/config/schema.ts (7 hunks)
  • packages/stack-shared/src/interface/admin-interface.ts (1 hunks)
  • packages/stack-shared/src/interface/crud/projects.ts (1 hunks)
  • packages/stack-shared/src/known-errors.tsx (2 hunks)
  • packages/stack-shared/src/schema-fields.ts (4 hunks)
  • packages/template/src/lib/stack-app/apps/implementations/admin-app-impl.ts (2 hunks)
  • packages/template/src/lib/stack-app/apps/interfaces/admin-app.ts (1 hunks)
  • packages/template/src/lib/stack-app/customers/index.ts (1 hunks)
  • packages/template/src/lib/stack-app/project-configs/index.ts (0 hunks)
💤 Files with no reviewable changes (1)
  • packages/template/src/lib/stack-app/project-configs/index.ts
🧰 Additional context used
📓 Path-based instructions (3)
**/.env.development

📄 CodeRabbit Inference Engine (CLAUDE.md)

Environment variables are pre-configured in .env.development files

Files:

  • apps/backend/.env.development
apps/backend/src/app/api/latest/**/*

📄 CodeRabbit Inference Engine (CLAUDE.md)

apps/backend/src/app/api/latest/**/*: Main API routes are located in /apps/backend/src/app/api/latest
The project uses a custom route handler system in the backend for consistent API responses

Files:

  • apps/backend/src/app/api/latest/payments/purchases/verification-code-handler.tsx
  • apps/backend/src/app/api/latest/internal/payments/stripe-widgets/account-session/route.ts
  • apps/backend/src/app/api/latest/integrations/stripe/webhooks/route.tsx
  • apps/backend/src/app/api/latest/payments/items/[customer_id]/[item_id]/route.ts
  • apps/backend/src/app/api/latest/internal/payments/setup/route.ts
  • apps/backend/src/app/api/latest/payments/purchases/validate-code/route.ts
  • apps/backend/src/app/api/latest/payments/purchases/purchase-session/route.tsx
  • apps/backend/src/app/api/latest/payments/purchases/create-purchase-url/route.ts
apps/backend/prisma/schema.prisma

📄 CodeRabbit Inference Engine (CLAUDE.md)

Database models use Prisma

Files:

  • apps/backend/prisma/schema.prisma
🧠 Learnings (4)
📚 Learning: 2025-08-04T22:25:51.260Z 
Learnt from: CR
PR: stack-auth/stack-auth#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T22:25:51.260Z
Learning: Applies to apps/backend/prisma/schema.prisma : Database models use Prisma

Applied to files:

  • packages/stack-shared/src/interface/crud/projects.ts
  • apps/backend/src/app/api/latest/payments/purchases/validate-code/route.ts
  • apps/backend/prisma/migrations/20250805195319_subscriptions/migration.sql
  • apps/backend/prisma/schema.prisma
  • packages/stack-shared/src/schema-fields.ts
📚 Learning: 2025-08-04T22:25:51.260Z 
Learnt from: CR
PR: stack-auth/stack-auth#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T22:25:51.260Z
Learning: Applies to **/.env.development : Environment variables are pre-configured in `.env.development` files

Applied to files:

  • apps/dashboard/src/lib/env.tsx
  • apps/backend/.env.development
  • apps/backend/.env
  • apps/dashboard/.env
📚 Learning: 2025-08-04T22:25:51.260Z 
Learnt from: CR
PR: stack-auth/stack-auth#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T22:25:51.260Z
Learning: Applies to apps/backend/src/app/api/latest/**/* : The project uses a custom route handler system in the backend for consistent API responses

Applied to files:

  • apps/backend/src/app/api/latest/internal/payments/stripe-widgets/account-session/route.ts
  • apps/backend/src/app/api/latest/integrations/stripe/webhooks/route.tsx
  • apps/backend/src/app/api/latest/payments/items/[customer_id]/[item_id]/route.ts
  • apps/backend/src/app/api/latest/internal/payments/setup/route.ts
  • apps/backend/src/app/api/latest/payments/purchases/validate-code/route.ts
  • apps/backend/src/app/api/latest/payments/purchases/purchase-session/route.tsx
  • apps/backend/src/app/api/latest/payments/purchases/create-purchase-url/route.ts
  • apps/backend/src/route-handlers/verification-code-handler.tsx
📚 Learning: 2025-08-04T22:25:51.260Z 
Learnt from: CR
PR: stack-auth/stack-auth#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-04T22:25:51.260Z
Learning: Applies to apps/backend/src/app/api/latest/**/* : Main API routes are located in /apps/backend/src/app/api/latest

Applied to files:

  • apps/backend/src/app/api/latest/integrations/stripe/webhooks/route.tsx
  • apps/backend/src/app/api/latest/payments/items/[customer_id]/[item_id]/route.ts
🧬 Code Graph Analysis (7)
apps/dashboard/src/components/form-fields.tsx (2)
packages/stack-ui/src/components/ui/form.tsx (4)
  • FormField (171-171)
  • FormItem (171-171)
  • FormControl (170-170)
  • FormMessage (172-172)
packages/stack-ui/src/components/ui/input.tsx (1)
  • Input (10-41)
apps/dashboard/src/components/smart-form.tsx (1)
apps/dashboard/src/components/form-fields.tsx (1)
  • NumberField (305-342)
apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/sidebar-layout.tsx (1)
apps/dashboard/src/lib/utils.tsx (1)
  • devFeaturesEnabledForProject (20-29)
apps/e2e/tests/backend/endpoints/api/v1/payments/items.test.ts (2)
apps/e2e/tests/backend/backend-helpers.ts (2)
  • updateConfig (1109-1117)
  • niceBackendFetch (107-165)
apps/e2e/tests/helpers.ts (1)
  • it (10-10)
apps/dashboard/src/lib/utils.tsx (2)
packages/stack-shared/src/utils/json.tsx (1)
  • parseJson (72-74)
apps/dashboard/src/lib/env.tsx (1)
  • getPublicEnvVar (49-59)
packages/stack-shared/src/config/schema.ts (3)
packages/stack-shared/src/schema-fields.ts (7)
  • yupObject (245-249)
  • yupString (185-188)
  • yupBoolean (193-196)
  • yupRecord (281-320)
  • userSpecifiedIdSchema (373-373)
  • offerSchema (506-524)
  • yupNumber (189-192)
packages/stack-shared/src/utils/objects.tsx (1)
  • typedFromEntries (281-283)
packages/stack-shared/src/utils/currencies.tsx (1)
  • SUPPORTED_CURRENCIES (11-47)
packages/stack-shared/src/schema-fields.ts (2)
packages/stack-shared/src/utils/currencies.tsx (1)
  • SUPPORTED_CURRENCIES (11-47)
packages/stack-shared/src/utils/objects.tsx (1)
  • typedFromEntries (281-283)
🪛 Gitleaks (8.27.2)
apps/backend/.env.development

51-51: Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.

(jwt)

docker/dependencies/docker.compose.yaml

176-176: Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.

(stripe-access-token)

🪛 dotenv-linter (3.3.0)
apps/backend/.env

[warning] 69-69: [ValueWithoutQuotes] This value needs to be surrounded in quotes

[warning] 70-70: [ValueWithoutQuotes] This value needs to be surrounded in quotes

apps/dashboard/.env

[warning] 7-7: [UnorderedKey] The NEXT_PUBLIC_STACK_STRIPE_PUBLISHABLE_KEY key should go before the STACK_SECRET_SERVER_KEY key

[warning] 7-7: [ValueWithoutQuotes] This value needs to be surrounded in quotes

🪛 YAMLlint (1.37.1)
docker/dependencies/docker.compose.yaml

[error] 170-170: trailing spaces

(trailing-spaces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)
  • GitHub Check: claude-review
  • GitHub Check: build (22.x)
  • GitHub Check: all-good
  • GitHub Check: docker
  • GitHub Check: docker
  • GitHub Check: restart-dev-and-test
  • GitHub Check: build (22.x)
  • GitHub Check: lint_and_build (latest)
  • GitHub Check: setup-tests
  • GitHub Check: Security Check
🔇 Additional comments (13)
apps/backend/src/route-handlers/smart-request.tsx (2)

42-42: Raw body attachment looks good

The addition of bodyBuffer to SmartRequest is appropriate for webhook signature verification and other raw-body use cases.

317-317: No outdated createSmartRequest calls detected; Stripe webhook body handled correctly

  • All createSmartRequest call sites now pass three arguments, so there are no two-arg invocations remaining.
  • The Stripe webhook handler in apps/backend/src/app/api/latest/integrations/stripe/webhooks/route.tsx decodes fullReq.bodyBuffer to a string (textBody) before calling stripe.webhooks.constructEvent, satisfying the requirement for a string or Buffer.
  • There is no logging of the raw bodyBuffer.

– Everything looks good here.

apps/dashboard/src/lib/env.tsx (1)

21-21: Env var wiring for Stripe publishable key is correct

Added to both _inlineEnvVars and _postBuildEnvVars with shape parity via satisfies. Confirmed downstream handling of missing values:

  • apps/dashboard/src/components/payments/stripe-elements-provider.tsx
    • Throws via throwErr("NEXT_PUBLIC_STACK_STRIPE_PUBLISHABLE_KEY is missing!")
  • apps/dashboard/src/components/payments/stripe-connect-provider.tsx
    • Throws via throwErr("No Stripe publishable key found")
  • apps/dashboard/src/app/(main)/purchase/return/page-client.tsx
    • Falls back to an empty string ("")

All usages guard against undefined at runtime. LGTM.

apps/dashboard/package.json (1)

34-37: Stripe peer dependencies verified as compatible with React 19 / Next.js 15

All peer dependencies were checked and align with React 19 support:

  • @stripe/connect-js@3.3.27: no peerDependencies
  • @stripe/react-connect-js@3.3.24:
    • react >=16.8.0
    • react-dom >=16.8.0
    • @stripe/connect-js >=3.3.24
  • @stripe/react-stripe-js@3.8.1:
    • react >=16.8.0 <20.0.0
    • react-dom >=16.8.0 <20.0.0
    • @stripe/stripe-js >=1.44.1 <8.0.0
  • @stripe/stripe-js@7.7.0: no peerDependencies

React 19 falls within all declared ranges, and Next.js versions aren’t constrained by these packages. No runtime warnings or SSR issues are expected.

apps/dashboard/src/components/smart-form.tsx (1)

10-10: LGTM: NumberField import added.

Import is correct and matches the new number field rendering below.

apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/sidebar-layout.tsx (1)

9-9: Centralized dev-feature flag check — good change

Importing and using devFeaturesEnabledForProject improves consistency across the app.

apps/dashboard/src/components/payments/stripe-theme-variables.ts (1)

1-61: Stripe appearance theme variables look coherent

Dark/light palettes are consistent with the UI palette and return a stable object per theme. Good separation of concerns.

apps/dashboard/src/components/form-fields.tsx (1)

248-249: Minor JSX cleanup — ok
Self-closing SelectValue formatting looks fine.

apps/dashboard/src/app/(main)/purchase/[code]/page-client.tsx (1)

15-17: baseUrl construction can drop path segments

new URL("/api/v1", apiUrl) discards any existing path on apiUrl; if the env var already ends with /api, the result is wrong. Prefer new URL("payments/", apiUrl) or explicit string concat.

apps/dashboard/src/components/payments/stripe-elements-provider.tsx (1)

41-44: Guard against undefined theme

resolvedTheme can be undefined on first render; ensure appearanceVariablesForTheme copes with that or fall back to a default to avoid a run-time throw on initial paint.

apps/e2e/tests/backend/endpoints/api/v1/payments/validate-code.test.ts (1)

29-36: Good coverage for happy-path and error-path

Both invalid-code and valid-code scenarios are exercised, ensuring regression safety for the purchase flow.

apps/backend/src/app/api/latest/internal/payments/setup/route.ts (1)

28-28: Ensure dashboard base URL env var is set

NEXT_PUBLIC_STACK_DASHBOARD_URL must exist and be an absolute https URL.
If getEnvVariable throws, callers get a 500. Consider validating once at boot and failing fast.

packages/stack-shared/src/known-errors.tsx (1)

1417-1486: Good addition – covers the new payment validation cases

@claude
Copy link
Contributor

claude bot commented Aug 8, 2025
edited
Loading

Claude finished @BilalG1's task —— View job

I'll review this comprehensive payment system PR and provide detailed feedback on code quality, security, performance, and testing.

Review Tasks

  • Analyze database schema changes and migrations
  • Review core payment logic and Stripe integration
  • Examine API endpoints for security vulnerabilities
  • Assess error handling and edge cases
  • Review frontend components and user flows
  • Evaluate test coverage and quality
  • Check performance considerations
  • Compile comprehensive feedback

🔍 Comprehensive PR Review: Payment System Implementation

This PR introduces a sophisticated payment system with Stripe integration across 53 files. Here's my detailed analysis:

🔴 Critical Security & Reliability Issues

1. Database Migration Safety ⚠️ CRITICAL

File: apps/backend/prisma/migrations/20250805195319_subscriptions/migration.sql:11-26

The migration creates a Subscription table with several concerning issues:

  • NOT NULL columns without defaults - Will fail if any existing data exists
  • Missing foreign key constraints on customerId and tenancyId - Risk of orphaned records
  • No default for cancelAtPeriodEnd - Should default to false

Recommendation: Add proper migration steps, FK constraints, and sensible defaults.

2. JSON Parsing Vulnerabilities 🔐 CRITICAL

Files:

  • apps/backend/src/lib/stripe.tsx:72, 81
  • apps/backend/src/app/api/latest/payments/purchases/purchase-session/route.tsx:59
// ❌ Unsafe - Will crash on malformed JSON
offer: JSON.parse(subscription.metadata.offer)

// ✅ Safe approach
offer: parseJson(subscription.metadata.offer) // Use stack-shared/utils/json

Impact: Runtime crashes, potential DoS attacks through malformed JSON payloads.

3. Webhook Error Handling 🚨 HIGH

File: apps/backend/src/app/api/latest/integrations/stripe/webhooks/route.tsx:80-87

} catch (error) {
  captureError("stripe-webhook-receiver", error); // Silent failure
}
return { statusCode: 200, ... }; // Always returns 200!

Issue: Always returns 200 even on signature verification failure. Stripe will mark as "delivered" and never retry, masking configuration issues.

Fix: Return 400 for signature/verification errors, 500 for processing errors.

4. Input Validation Gaps ⚠️

Files:

  • apps/backend/src/app/api/latest/payments/purchases/validate-code/route.ts:31-32
  • apps/backend/src/app/api/latest/payments/purchases/purchase-session/route.tsx:49

Issues:

  • Schema allows undefined for required fields but handler assumes they exist
  • Number(selectedPrice.USD) without validation - could result in NaN
  • Currency conversion loses precision: Number("10.99") * 100 = 1098.999999...

5. Stripe API Integration Problems 🔧

File: apps/backend/src/app/api/latest/payments/purchases/purchase-session/route.tsx:45, 62

expand: ['latest_invoice.confirmation_secret'], // ❌ Invalid path
const clientSecret = subscription.latest_invoice.confirmation_secret?.client_secret; // undefined

Issue: confirmation_secret doesn't exist on invoices. Should be:

expand: ['latest_invoice.payment_intent']
clientSecret = subscription.latest_invoice.payment_intent?.client_secret

🟡 Code Quality & Design Issues

6. Performance Concerns

  • Sequential Processing: stripe.tsx:59 processes subscriptions sequentially instead of parallel
  • Product Creation Per Request: Creates new Stripe product for each subscription instead of reusing
  • No Rate Limiting: Payment endpoints lack protection against abuse

7. Error Handling Inconsistencies

  • Missing null checks for subscription.offer in items route
  • Case sensitivity issues with CustomerType enum validation
  • Race conditions in Stripe account creation (concurrent requests)

8. Frontend Issues 💻

  • Missing loading states in checkout form (double-click protection)
  • Type casting masking real Stripe error objects
  • Incorrect URL construction with new URL("/api/v1", apiUrl) drops existing paths

🟢 Positive Aspects

Excellent Test Coverage

  • 4 comprehensive E2E test files covering all payment endpoints
  • Good error scenarios: Authentication failures, invalid IDs, edge cases
  • Integration testing: End-to-end purchase flows validated

Solid Architecture

  • Smart Route Handler Pattern: Consistent request/response typing
  • Separation of Concerns: Clean separation between Stripe, payments, and API layers
  • Environment Flexibility: Supports both real Stripe and mock for testing
  • Proper Schema Validation: Using Yup schemas throughout

Security Best Practices (where implemented)

  • Webhook signature verification
  • Proper tenancy isolation
  • Environment-based configuration

📊 Performance Analysis

  • Database: Proper indexing on subscription lookups
  • Caching: Could benefit from config caching for frequent lookups
  • Webhooks: Async processing pattern for subscription updates

🧪 Test Quality Assessment

Coverage: Excellent

  • All major API endpoints covered
  • Error cases well tested
  • Integration scenarios validated

Areas for improvement:

  • Could use more edge case testing for JSON parsing
  • Frontend component testing could be expanded

📋 Recommendations

Immediate (Pre-merge):

  1. Fix database migration with defaults and FK constraints
  2. Replace all JSON.parse with safe parsing utilities
  3. Correct Stripe API integration (payment intent expansion)
  4. Fix webhook error handling to return proper HTTP codes

Short-term:

  1. Add rate limiting to payment endpoints
  2. Implement proper error boundaries in frontend
  3. Add loading states and prevent double-submissions
  4. Parallelize subscription processing

Long-term:

  1. Implement product caching/reuse strategy
  2. Add comprehensive monitoring and alerting
  3. Consider implementing idempotency keys
  4. Add audit logging for compliance

🎯 Overall Assessment

Strengths: Well-architected system with excellent test coverage and clean separation of concerns.

Risks: Several critical security and reliability issues that must be addressed before production deployment.

Recommendation: Requires significant fixes before merge, but has solid foundation for a production payment system.

Priority: Fix critical security issues first, then address performance and UX improvements.

@claude
Copy link
Contributor

claude bot commented Aug 8, 2025
edited
Loading

Claude finished @BilalG1's task —— View job

I'll review this comprehensive payment system PR and provide detailed feedback on code quality, security, performance, and testing.

Review Tasks

  • Analyze database schema changes and migrations
  • Review core payment logic and Stripe integration
  • Examine API endpoints for security vulnerabilities
  • Assess error handling and edge cases
  • Review frontend components and user flows
  • Evaluate test coverage and quality
  • Check performance considerations
  • Compile comprehensive feedback

🔴 Critical Issues

Database Schema & Migration Safety ⚠️

High Risk - Migration Will Fail: The migration 20250805195319_subscriptions/migration.sql has dangerous operations:

  • Creates Subscription table with NOT NULL columns without defaults
  • If existing subscription data exists, migration will fail
  • References CustomerType enum that may not exist yet
  • Recommendation: Add proper data migration steps and DEFAULT values

Security Vulnerabilities 🔐

Critical - Unsafe JSON.parse: In stripe.tsx:72,81, direct JSON.parse(subscription.metadata.offer) without error handling:

offer: JSON.parse(subscription.metadata.offer), // ❌ Will crash on invalid JSON

Fix: Use parseJson() from stack-shared/utils/json

Input Validation Issues:

  • validate-code/route.ts:31-32: Assumes offer.displayName/customerType exist but schema allows undefined
  • purchase-session/route.tsx:49: Uses Number(selectedPrice.USD) without validation - could result in NaN

Error Handling Problems 🚨

Webhook Reliability Issue: webhooks/route.tsx:80-82 catches all errors but always returns 200:

} catch (error) {
  captureError("stripe-webhook-receiver", error); // Silent failure
}
return { statusCode: 200, ... }; // Always success - Stripe may stop sending webhooks

🟡 Code Quality Issues

Performance Concerns ⚡

  • Sequential Processing: stripe.tsx:59 processes subscriptions sequentially instead of parallel
  • Hardcoded Currency: purchase-session/route.tsx:48 hardcodes "usd" instead of using dynamic currency
  • Product Creation Per Request: Creates new Stripe product for each subscription instead of reusing

API Design Issues 🏗️

  • Inconsistent Error Codes: Webhook returns 500 for missing account ID when 400 would be appropriate
  • Missing Rate Limiting: Payment endpoints lack rate limiting protection
  • No Idempotency: Subscription creation lacks idempotency keys

🟢 Positive Aspects

Test Coverage ✅

Comprehensive E2E Testing: 4 dedicated test files covering:

  • Purchase URL creation and validation
  • Item retrieval with proper error scenarios
  • Purchase session creation
  • Code validation with edge cases

Good Error Scenarios: Tests cover authentication failures, invalid IDs, customer type mismatches

Architecture 🏛️

Smart Route Handler Pattern: Consistent use of createSmartRouteHandler with proper request/response typing
Separation of Concerns: Clean separation between Stripe integration, payment logic, and API handlers
Environment Flexibility: Supports both real Stripe and mock Stripe for testing

🔧 Recommendations

Immediate Fixes Required:

  1. Fix migration: Add defaults and proper data migration steps
  2. Replace JSON.parse: Use safe parsing everywhere
  3. Add input validation: Validate all numeric inputs and required fields
  4. Fix webhook error handling: Return appropriate HTTP status codes

Performance Improvements:

  1. Parallelize subscription sync: Process multiple subscriptions concurrently
  2. Add caching: Cache frequently accessed configuration data
  3. Product reuse: Implement product caching/reuse strategy

Security Enhancements:

  1. Add rate limiting: Protect payment endpoints from abuse
  2. Implement idempotency: Prevent duplicate payments
  3. Audit logging: Log all payment operations for compliance

Overall Assessment

This is a well-structured payment system implementation with comprehensive testing, but contains several critical security and reliability issues that must be addressed before production deployment. The architecture is sound, but execution details need refinement.

Confidence Level: Medium - Good foundation with critical fixes needed

coderabbitai[bot]
coderabbitai bot reviewed Aug 8, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
apps/e2e/tests/backend/endpoints/api/v1/auth/password/send-reset-code.test.ts (1)

23-40: Harden assertions: guard find() results and reduce brittleness of exact count

  • Use the existing mailbox variable for consistency.
  • Add explicit existence checks before snapshotting to avoid confusing failures if a subject is missing.
  • Consider asserting per-subject counts instead of messages.length === 2 to avoid brittleness if additional emails are sent in this flow.

Minimal improvement (keep length=2, add existence checks and reuse mailbox):

-  const messages = await backendContext.value.mailbox.fetchMessages({ noBody: true });
-  expect(messages.length).toBe(2);
-  expect(messages.find(m => m.subject.includes("Verify your email at Stack Dashboard"))).toMatchInlineSnapshot(`
+  const messages = await mailbox.fetchMessages({ noBody: true });
+  expect(messages.length).toBe(2);
+  const verifyMsg = messages.find(m => m.subject.includes("Verify your email at Stack Dashboard"));
+  const resetMsg = messages.find(m => m.subject.includes("Reset your password at Stack Dashboard"));
+  expect(verifyMsg).toBeDefined();
+  expect(resetMsg).toBeDefined();
+  expect(verifyMsg!).toMatchInlineSnapshot(`
     MailboxMessage {
       "from": "Stack Dashboard <noreply@example.com>",
       "subject": "Verify your email at Stack Dashboard",
       "to": ["<default-mailbox--<stripped UUID>@stack-generated.example.com>"],
       <some fields may have been hidden>,
     }
   `);
-  expect(messages.find(m => m.subject.includes("Reset your password at Stack Dashboard"))).toMatchInlineSnapshot(`
+  expect(resetMsg!).toMatchInlineSnapshot(`
     MailboxMessage {
       "from": "Stack Dashboard <noreply@example.com>",
       "subject": "Reset your password at Stack Dashboard",
       "to": ["<default-mailbox--<stripped UUID>@stack-generated.example.com>"],
       <some fields may have been hidden>,
     }
   `);

More robust alternative (avoid exact count; assert exactly one per subject):

-  const messages = await backendContext.value.mailbox.fetchMessages({ noBody: true });
-  expect(messages.length).toBe(2);
-  expect(messages.find(m => m.subject.includes("Verify your email at Stack Dashboard"))).toMatchInlineSnapshot(`
+  const messages = await mailbox.fetchMessages({ noBody: true });
+  const verifyMessages = messages.filter(m => m.subject.includes("Verify your email at Stack Dashboard"));
+  const resetMessages = messages.filter(m => m.subject.includes("Reset your password at Stack Dashboard"));
+  expect(verifyMessages).toHaveLength(1);
+  expect(resetMessages).toHaveLength(1);
+  expect(verifyMessages[0]).toMatchInlineSnapshot(`
     MailboxMessage {
       "from": "Stack Dashboard <noreply@example.com>",
       "subject": "Verify your email at Stack Dashboard",
       "to": ["<default-mailbox--<stripped UUID>@stack-generated.example.com>"],
       <some fields may have been hidden>,
     }
   `);
-  expect(messages.find(m => m.subject.includes("Reset your password at Stack Dashboard"))).toMatchInlineSnapshot(`
+  expect(resetMessages[0]).toMatchInlineSnapshot(`
     MailboxMessage {
       "from": "Stack Dashboard <noreply@example.com>",
       "subject": "Reset your password at Stack Dashboard",
       "to": ["<default-mailbox--<stripped UUID>@stack-generated.example.com>"],
       <some fields may have been hidden>,
     }
   `);

Optional: if the mailbox backend is eventually consistent, consider polling until both messages arrive (or a helper like waitForMessages) to avoid flakes.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f728b71 and 972c248.

📒 Files selected for processing (1)
  • apps/e2e/tests/backend/endpoints/api/v1/auth/password/send-reset-code.test.ts (1 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
apps/e2e/tests/backend/endpoints/api/v1/auth/password/send-reset-code.test.ts (1)
apps/e2e/tests/backend/backend-helpers.ts (1)
  • backendContext (34-56)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: build (22.x)
  • GitHub Check: build (22.x)
  • GitHub Check: restart-dev-and-test
  • GitHub Check: lint_and_build (latest)
  • GitHub Check: docker
  • GitHub Check: docker
  • GitHub Check: all-good
  • GitHub Check: setup-tests
  • GitHub Check: Security Check
🔇 Additional comments (1)
apps/e2e/tests/backend/endpoints/api/v1/auth/password/send-reset-code.test.ts (1)

23-40: Good move to per-message assertions over array snapshots

Asserting subjects individually is a solid improvement over snapshotting the whole array. This reduces flakiness from non-deterministic ordering and hidden fields.

@claude
Copy link
Contributor

claude bot commented Aug 8, 2025
edited
Loading

Claude finished @BilalG1's task —— View job

I'll review this comprehensive payment system PR and provide detailed feedback on code quality, security, performance, and testing.

Review Tasks

  • Analyze database schema changes and migrations
  • Review core payment logic and Stripe integration
  • Examine API endpoints for security vulnerabilities
  • Assess error handling and edge cases
  • Review frontend components and user flows
  • Evaluate test coverage and quality
  • Check performance considerations
  • Compile comprehensive feedback

🔍 Comprehensive PR Review: Payment System Implementation

This PR introduces a sophisticated payment system with Stripe integration across 53 files. Here's my detailed analysis:

🔴 Critical Security & Reliability Issues

1. Database Migration Safety ⚠️ CRITICAL

File: apps/backend/prisma/migrations/20250805195319_subscriptions/migration.sql:11-26

The migration creates a Subscription table with several concerning issues:

  • NOT NULL columns without defaults - Will fail if any existing data exists
  • Missing foreign key constraints on customerId and tenancyId - Risk of orphaned records
  • No default for cancelAtPeriodEnd - Should default to false

Recommendation: Add proper migration steps, FK constraints, and sensible defaults.

2. JSON Parsing Vulnerabilities 🔐 CRITICAL

Files:

  • apps/backend/src/lib/stripe.tsx:72, 81
  • apps/backend/src/app/api/latest/payments/purchases/purchase-session/route.tsx:59
// ❌ Unsafe - Will crash on malformed JSON
offer: JSON.parse(subscription.metadata.offer)

// ✅ Safe approach
offer: parseJson(subscription.metadata.offer) // Use stack-shared/utils/json

Impact: Runtime crashes, potential DoS attacks through malformed JSON payloads.

3. Webhook Error Handling 🚨 HIGH

File: apps/backend/src/app/api/latest/integrations/stripe/webhooks/route.tsx:80-87

} catch (error) {
  captureError("stripe-webhook-receiver", error); // Silent failure
}
return { statusCode: 200, ... }; // Always returns 200!

Issue: Always returns 200 even on signature verification failure. Stripe will mark as "delivered" and never retry, masking configuration issues.

Fix: Return 400 for signature/verification errors, 500 for processing errors.

4. Input Validation Gaps ⚠️

Files:

  • apps/backend/src/app/api/latest/payments/purchases/validate-code/route.ts:31-32
  • apps/backend/src/app/api/latest/payments/purchases/purchase-session/route.tsx:49

Issues:

  • Schema allows undefined for required fields but handler assumes they exist
  • Number(selectedPrice.USD) without validation - could result in NaN
  • Currency conversion loses precision: Number("10.99") * 100 = 1098.999999...

5. Stripe API Integration Problems 🔧

File: apps/backend/src/app/api/latest/payments/purchases/purchase-session/route.tsx:45, 62

expand: ['latest_invoice.confirmation_secret'], // ❌ Invalid path
const clientSecret = subscription.latest_invoice.confirmation_secret?.client_secret; // undefined

Issue: confirmation_secret doesn't exist on invoices. Should be:

expand: ['latest_invoice.payment_intent']
clientSecret = subscription.latest_invoice.payment_intent?.client_secret

🟡 Code Quality & Design Issues

6. Performance Concerns

  • Sequential Processing: stripe.tsx:59 processes subscriptions sequentially instead of parallel
  • Product Creation Per Request: Creates new Stripe product for each subscription instead of reusing
  • No Rate Limiting: Payment endpoints lack protection against abuse

7. Error Handling Inconsistencies

  • Missing null checks for subscription.offer in items route
  • Case sensitivity issues with CustomerType enum validation
  • Race conditions in Stripe account creation (concurrent requests)

8. Frontend Issues 💻

  • Missing loading states in checkout form (double-click protection)
  • Type casting masking real Stripe error objects
  • Incorrect URL construction with new URL("/api/v1", apiUrl) drops existing paths

🟢 Positive Aspects

Excellent Test Coverage

  • 4 comprehensive E2E test files covering all payment endpoints
  • Good error scenarios: Authentication failures, invalid IDs, edge cases
  • Integration testing: End-to-end purchase flows validated

Solid Architecture

  • Smart Route Handler Pattern: Consistent request/response typing
  • Separation of Concerns: Clean separation between Stripe, payments, and API layers
  • Environment Flexibility: Supports both real Stripe and mock for testing
  • Proper Schema Validation: Using Yup schemas throughout

Security Best Practices (where implemented)

  • Webhook signature verification
  • Proper tenancy isolation
  • Environment-based configuration

📊 Performance Analysis

  • Database: Proper indexing on subscription lookups
  • Caching: Could benefit from config caching for frequent lookups
  • Webhooks: Async processing pattern for subscription updates

🧪 Test Quality Assessment

Coverage: Excellent

  • All major API endpoints covered
  • Error cases well tested
  • Integration scenarios validated

Areas for improvement:

  • Could use more edge case testing for JSON parsing
  • Frontend component testing could be expanded

📋 Recommendations

Immediate (Pre-merge):

  1. Fix database migration with defaults and FK constraints
  2. Replace all JSON.parse with safe parsing utilities
  3. Correct Stripe API integration (payment intent expansion)
  4. Fix webhook error handling to return proper HTTP codes

Short-term:

  1. Add rate limiting to payment endpoints
  2. Implement proper error boundaries in frontend
  3. Add loading states and prevent double-submissions
  4. Parallelize subscription processing

Long-term:

  1. Implement product caching/reuse strategy
  2. Add comprehensive monitoring and alerting
  3. Consider implementing idempotency keys
  4. Add audit logging for compliance

🎯 Overall Assessment

Strengths: Well-architected system with excellent test coverage and clean separation of concerns.

Risks: Several critical security and reliability issues that must be addressed before production deployment.

Recommendation: Requires significant fixes before merge, but has solid foundation for a production payment system.

Priority: Fix critical security issues first, then address performance and UX improvements.

@BilalG1 BilalG1 enabled auto-merge (squash) August 9, 2025 01:11
@BilalG1 BilalG1 merged commit 2b54151 into dev Aug 9, 2025
19 of 21 checks passed
@BilalG1 BilalG1 deleted the payments-pr4-accounts branch August 9, 2025 01:13
This was referenced Aug 19, 2025
Merged
Merged
Merged
Merged
Merged
@coderabbitai coderabbitai bot mentioned this pull request Aug 27, 2025
Merged
This was referenced Sep 20, 2025
Merged
Merged
This was referenced Sep 30, 2025
Merged
Merged
Merged
@coderabbitai coderabbitai bot mentioned this pull request Oct 10, 2025
Merged
@coderabbitai coderabbitai bot mentioned this pull request Nov 18, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@N2D4 N2D4 N2D4 approved these changes

@ellipsis-dev ellipsis-dev[bot] ellipsis-dev[bot] left review comments

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

+2 more reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

@recurseml recurseml[bot] recurseml[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@BilalG1 BilalG1

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BilalG1 @N2D4