apps/backend/prisma/schema.prisma (1)

798-810: Add idempotency and integrity constraints to OneTimePurchase (webhook retries, race safety).

Current model lacks Stripe intent linkage and uniqueness guards; concurrent webhook retries can duplicate entitlements.

Apply:

 model OneTimePurchase {
   id String @default(uuid()) @db.Uuid
   tenancyId String @db.Uuid
   customerId String
   customerType CustomerType
   offerId String?
   offer Json
-  quantity Int
-  createdAt DateTime @default(now())
+  quantity Int @default(1)
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+  // Stripe linkage for idempotency/reconciliation
+  stripePaymentIntentId String?
   creationSource PurchaseCreationSource

   @@id([tenancyId, id])
+  // Prevent duplicate recording of the same Stripe intent per tenancy
+  @@unique([tenancyId, stripePaymentIntentId])
+  // Enforce one OTP per customer per offer (NULL offerId allowed for inline offers)
+  @@unique([tenancyId, customerType, customerId, offerId])
+  // Query patterns used by validations
+  @@index([tenancyId, customerId, createdAt])
+  @@index([tenancyId, offerId])
 }

Optional (for scalable group rules): persist groupId alongside offer to avoid JSON scans and enable future uniqueness by group.

apps/backend/src/lib/payments.tsx (1)

164-182: Guard against malformed stored offer JSON when reading OTPs.

Casting p.offer without validation can break if legacy or corrupted rows exist. Add a light runtime guard to skip bad rows.

Apply:

-  for (const p of oneTimePurchases) {
-    const offer = p.offer as yup.InferType<typeof offerSchema>;
-    const inc = getOrUndefined(offer.includedItems, options.itemId);
+  for (const p of oneTimePurchases) {
+    if (!p.offer || typeof p.offer !== 'object' || !('includedItems' in (p.offer as any))) continue;
+    const inc = getOrUndefined((p.offer as any).includedItems ?? {}, options.itemId);

Optional: import and use offerSchema.validateSync for stricter safety (requires changing the type-only import to a value import).

apps/backend/src/app/api/latest/integrations/stripe/webhooks/route.tsx (3)

57-57: Guard JSON.parse for malformed metadata.offer.

Untrusted metadata can break the handler.

-      const offer = JSON.parse(metadata.offer || "{}");
+      let offer: unknown = {};
+      try {
+        offer = JSON.parse(metadata.offer ?? "{}");
+      } catch {
+        offer = {};
+      }

---

67-77: Make one-time purchase processing idempotent using PaymentIntent ID + transaction.

Without persisting payment_intent ID, retried webhooks will create duplicates. Store it and guard via unique index; perform writes in a single transaction.

-      await prisma.oneTimePurchase.create({
-        data: {
-          tenancyId: tenancy.id,
-          customerId: customerIdMeta,
-          customerType: typedToUppercase(customerTypeMeta),
-          offerId: metadata.offerId || null,
-          offer,
-          quantity: qty,
-          creationSource: "PURCHASE_PAGE",
-        },
-      });
+      await prisma.$transaction(async (tx) => {
+        const existing = await tx.oneTimePurchase.findFirst({
+          where: { tenancyId: tenancy.id, stripePaymentIntentId: object.id },
+          select: { id: true },
+        });
+        if (existing) return;
+        await tx.oneTimePurchase.create({
+          data: {
+            tenancyId: tenancy.id,
+            customerId: customerIdMeta,
+            customerType: typedToUppercase(customerTypeMeta),
+            offerId: metadata.offerId || null,
+            offer,
+            quantity: qty,
+            creationSource: "PURCHASE_PAGE",
+            stripePaymentIntentId: object.id,
+          },
+        });
+      });

Note: Requires the migration to add stripePaymentIntentId + unique index.

---

60-60: Sanitize quantity; current Math.max with Number can produce NaN and crash DB writes.

Math.max(1, NaN) => NaN; Prisma insert on integer column will fail.

-      const qty = Math.max(1, Number(metadata.purchaseQuantity || 1));
+      const rawQty = Number(metadata.purchaseQuantity);
+      const qty = Number.isFinite(rawQty) && rawQty >= 1 ? Math.floor(rawQty) : 1;

apps/backend/src/lib/payments.test.tsx (1)

782-883: Add tests for add-on guard and non-stackable quantity.

You’re missing assertions for:

• Blocking add-on when base offer absent.
• Rejecting quantity > 1 for non-stackable offers.

Example additions:

it('blocks add-on when base offer is missing', async () => {
  const tenancy = createMockTenancy({ items: {}, offers: {}, groups: { g1: { displayName: 'G1' } } });
  const prisma = createMockPrisma({ oneTimePurchase: { findMany: async () => [] }, subscription: { findMany: async () => [] } } as any);
  await expect(validatePurchaseSession({
    prisma, tenancy,
    codeData: {
      tenancyId: tenancy.id, customerId: 'cust-1', offerId: 'addon',
      offer: {
        displayName: 'Addon', groupId: 'g1', customerType: 'custom',
        freeTrial: undefined, serverOnly: false, stackable: false,
        prices: 'include-by-default', includedItems: {}, isAddOnTo: { base1: true },
      },
    },
    priceId: 'price-any', quantity: 1,
  })).rejects.toThrowError('This offer is an add-on to an offer that the customer does not have');
});

it('rejects quantity > 1 for non-stackable offers', async () => {
  const tenancy = createMockTenancy({ items: {}, offers: {}, groups: {} });
  const prisma = createMockPrisma({ oneTimePurchase: { findMany: async () => [] }, subscription: { findMany: async () => [] } } as any);
  await expect(validatePurchaseSession({
    prisma, tenancy,
    codeData: {
      tenancyId: tenancy.id, customerId: 'cust-1', offerId: 'off',
      offer: { displayName: 'O', groupId: undefined, customerType: 'custom',
        freeTrial: undefined, serverOnly: false, stackable: false,
        prices: 'include-by-default', includedItems: {}, isAddOnTo: false },
    },
    priceId: 'price-any', quantity: 2,
  })).rejects.toThrowError('This offer is not stackable; quantity must be 1');
});

apps/backend/src/lib/payments.tsx (1)

433-442: Group-level OTP guard relies on JSON; consider persisting groupId.

Reading groupId from JSON for every row is fine short-term. For scale, denormalize groupId into OneTimePurchase to avoid JSON reads and enable future uniqueness-by-group if needed.

apps/backend/src/app/api/latest/integrations/stripe/webhooks/route.tsx (1)

12-31: Separate subscription vs payment_intent events for clarity.

subscriptionChangedEvents currently includes payment_intent.*; consider splitting arrays or renaming to avoid confusion.

-const subscriptionChangedEvents = [
+const subscriptionChangedEvents = [
   "checkout.session.completed",
   "customer.subscription.created",
   ...
-  "payment_intent.succeeded",
-  "payment_intent.payment_failed",
-  "payment_intent.canceled",
 ] as const;
+
+const paymentIntentEvents = [
+  "payment_intent.succeeded",
+  "payment_intent.payment_failed",
+  "payment_intent.canceled",
+] as const;

Also applies to: 82-94

apps/backend/src/app/api/latest/internal/payments/test-mode-purchase-session/route.tsx (2)

51-63: Optional: wrap DB write in a short transaction to avoid partial writes under concurrent requests.

Low risk in TEST_MODE, but a transaction reduces flakiness if multiple admins hit the endpoint simultaneously.

-      await prisma.oneTimePurchase.create({
-        data: {
-          tenancyId: auth.tenancy.id,
-          customerId: data.customerId,
-          customerType: typedToUppercase(data.offer.customerType),
-          offerId: data.offerId,
-          offer: data.offer,
-          quantity,
-          creationSource: "TEST_MODE",
-        },
-      });
+      await prisma.$transaction((tx) =>
+        tx.oneTimePurchase.create({
+          data: {
+            tenancyId: auth.tenancy.id,
+            customerId: data.customerId,
+            customerType: typedToUppercase(data.offer.customerType),
+            offerId: data.offerId,
+            offer: data.offer,
+            quantity,
+            creationSource: "TEST_MODE",
+          },
+        })
+      );

---

65-79: Cancellation + creation ordering is fine; consider transactional DB update for the create path only.

External Stripe calls can’t be wrapped in Prisma transactions, but using a transaction for the subsequent Prisma create keeps DB state consistent if multiple conflicting requests happen.

Also applies to: 83-97

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

apps/e2e/tests/backend/endpoints/api/v1/stripe-webhooks.test.ts (1)

57-67: Revisit 200 on invalid signature.

Returning 2xx for invalid signatures can mask signature failures. If intentional, ensure no side-effects are applied on bad sigs and document rationale.

Would you like a follow-up test that asserts no ItemQuantityChange/OneTimePurchase is written when signature is invalid?

apps/e2e/tests/backend/backend-helpers.ts (1)

98-98: Narrow the “metadata” skip to Stripe payloads only.

Skipping every metadata object can hide snake_case regressions in our own APIs. Limit the skip to Stripe’s req/res paths.

Apply:

-      if (["client_metadata", "server_metadata", "options_json", "credential", "authentication_response", "metadata"].includes(key)) continue;
+      // Allow external payload blobs where camelCase is expected (e.g., Stripe .data.object.metadata)
+      if (["client_metadata", "server_metadata", "options_json", "credential", "authentication_response"].includes(key)) continue;
+      if (key === "metadata" && (path === "req.body.data.object" || path === "res.body.data.object")) continue;

apps/backend/prisma/schema.prisma (1)

798-812: Add updatedAt and useful indexes; consider enforcing quantity > 0.

Operationally handy for reconciliation and queries; minor integrity guard.

Apply:

 model OneTimePurchase {
   id String @default(uuid()) @db.Uuid
   tenancyId String @db.Uuid
   customerId String
   customerType CustomerType
   offerId String?
   offer Json
   quantity Int
   stripePaymentIntentId String?
   createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
   creationSource PurchaseCreationSource

   @@id([tenancyId, id])
   @@unique([tenancyId, stripePaymentIntentId])
+  @@index([tenancyId, customerId, createdAt])
+  @@index([tenancyId, offerId])
 }

Optionally add a DB check in the migration: CHECK (quantity > 0).

apps/backend/prisma/migrations/20250911230246_one_time_purchase/migration.sql (1)

5-22: Add updatedAt, query indexes, and a quantity check.

Keeps parity with other models and speeds common lookups.

Apply:

 CREATE TABLE "OneTimePurchase" (
     "id" UUID NOT NULL,
     "tenancyId" UUID NOT NULL,
     "customerId" TEXT NOT NULL,
     "customerType" "CustomerType" NOT NULL,
     "offerId" TEXT,
     "offer" JSONB NOT NULL,
     "quantity" INTEGER NOT NULL,
     "stripePaymentIntentId" TEXT,
     "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
     "creationSource" "PurchaseCreationSource" NOT NULL,

     CONSTRAINT "OneTimePurchase_pkey" PRIMARY KEY ("tenancyId","id")
 );
 
 -- CreateIndex
 CREATE UNIQUE INDEX "OneTimePurchase_tenancyId_stripePaymentIntentId_key" ON "OneTimePurchase"("tenancyId", "stripePaymentIntentId");
+CREATE INDEX "OneTimePurchase_customerId_createdAt_idx" ON "OneTimePurchase"("tenancyId","customerId","createdAt");
+CREATE INDEX "OneTimePurchase_offerId_idx" ON "OneTimePurchase"("tenancyId","offerId");
+ALTER TABLE "OneTimePurchase" ADD CONSTRAINT "OneTimePurchase_quantity_positive" CHECK ("quantity" > 0);

Note: Prisma @updatedat will keep updatedAt fresh on writes via Prisma.

apps/e2e/tests/backend/endpoints/api/v1/stripe-webhooks.test.ts (3)

12-25: Prefer Map for headers per guidelines.

Switch to Map and Object.fromEntries at the call site.

-  const headers: Record<string, string> = { "content-type": "application/json" };
+  const headers = new Map<string, string>([["content-type", "application/json"]]);
   if (!options?.omitSignature) {
     let header: string;
     if (options?.invalidSignature) {
       header = `t=${timestamp},v1=dead`;
     } else {
       const hmac = createHmac("sha256", options?.secret ?? stripeWebhookSecret);
       hmac.update(`${timestamp}.${JSON.stringify(payload)}`);
       const signature = hmac.digest("hex");
       header = `t=${timestamp},v1=${signature}`;
     }
-    headers["stripe-signature"] = header;
+    headers.set("stripe-signature", header);
   }
   return await niceBackendFetch("/api/latest/integrations/stripe/webhooks", {
     method: "POST",
-    headers,
+    headers: Object.fromEntries(headers),
     body: payload,
   });

---

41-43: Use inline snapshots for bodies in tests.

Aligns with our test guideline.

-  expect(res.body).toEqual({ received: true });
+  expect(res.body).toMatchInlineSnapshot(`
+    {
+      "received": true,
+    }
+  `);

Apply similarly to the other occurrences shown in this comment.

Also applies to: 53-55, 65-67, 86-88, 154-156, 158-160

---

161-167: Good dedup assertion.

Validates idempotency via quantity observation. Consider also asserting that a single OneTimePurchase exists if you expose an admin read endpoint.

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

apps/backend/src/lib/stripe-proxy.tsx (1)

35-37: Null handling in object check — guard against null to avoid Proxy TypeError

typeof value === "object" matches null, causing createStripeProxy(null, …) → runtime error. Add a null guard.

-      // Recurse into sub-objects
-      if (typeof value === "object") {
+      // Recurse into sub-objects (null-safe)
+      if (value && typeof value === "object") {
         return createStripeProxy(value as object, overrides, [...path, String(prop)]);
       }

apps/backend/src/app/api/latest/integrations/stripe/webhooks/route.tsx (1)

57-59: Harden parsing: safe JSON.parse and sanitize quantity

Malformed JSON in metadata.offer or non-numeric purchaseQuantity can throw/produce NaN and break the webhook.

-    const offer = JSON.parse(metadata.offer || "{}");
-    const qty = Math.max(1, Number(metadata.purchaseQuantity || 1));
+    let offer: any;
+    try {
+      offer = JSON.parse(metadata.offer ?? "{}");
+    } catch {
+      offer = {};
+    }
+    const rawQty = Number(metadata.purchaseQuantity);
+    const qty = Number.isFinite(rawQty) && rawQty >= 1 ? Math.floor(rawQty) : 1;

apps/backend/src/lib/stripe-proxy.tsx (2)

3-3: Consider Map over Record for overrides (guideline)

Per repo guideline, prefer ES6 Map for key–value collections. Optional refactor: type StripeOverridesMap = Map<string, Record<string, unknown>> and replace getOrUndefined with direct overrides.get(key).

---

1-1: Filename extension nit: .ts instead of .tsx

The file has no JSX. Rename to .ts for clarity.

apps/backend/src/app/api/latest/integrations/stripe/webhooks/route.tsx (2)

45-47: Remove stray console.log

Avoid noisy logs in hot webhook paths.

-    console.log("Processing1", mockData);

---

91-103: Prevent unnecessary subscription sync for one‑time PaymentIntents

payment_intent.* is in subscriptionChangedEvents, so you’ll also call syncStripeSubscriptions for one‑time purchases. Bail out for ONE_TIME intents to avoid extra Stripe calls.

   if (isSubscriptionChangedEvent(event)) {
+    // Skip subscription sync for one-time purchases
+    if (
+      event.type.startsWith("payment_intent.") &&
+      (event.data.object as any)?.metadata?.purchaseKind === "ONE_TIME"
+    ) {
+      return;
+    }
     const accountId = event.account;
     const customerId = event.data.object.customer;

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro