stack-auth · BilalG1 · Sep 13, 2025 · Aug 20, 2025 · Aug 20, 2025 · Aug 20, 2025
diff --git a/apps/backend/prisma/migrations/20250911230246_one_time_purchase/migration.sql b/apps/backend/prisma/migrations/20250911230246_one_time_purchase/migration.sql
@@ -0,0 +1,21 @@
+-- CreateEnum
+ALTER TYPE "SubscriptionCreationSource" RENAME TO "PurchaseCreationSource";
+
+-- CreateTable
+CREATE TABLE "OneTimePurchase" (
+    "id" UUID NOT NULL,
+    "tenancyId" UUID NOT NULL,
+    "customerId" TEXT NOT NULL,
+    "customerType" "CustomerType" NOT NULL,
+    "offerId" TEXT,
+    "offer" JSONB NOT NULL,
+    "quantity" INTEGER NOT NULL,
+    "stripePaymentIntentId" TEXT,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "creationSource" "PurchaseCreationSource" NOT NULL,
+
+    CONSTRAINT "OneTimePurchase_pkey" PRIMARY KEY ("tenancyId","id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "OneTimePurchase_tenancyId_stripePaymentIntentId_key" ON "OneTimePurchase"("tenancyId", "stripePaymentIntentId");
diff --git a/apps/backend/prisma/schema.prisma b/apps/backend/prisma/schema.prisma
@@ -753,7 +753,7 @@ enum SubscriptionStatus {
   unpaid
 }
 
-enum SubscriptionCreationSource {
+enum PurchaseCreationSource {
   PURCHASE_PAGE
   TEST_MODE
 }
@@ -773,7 +773,7 @@ model Subscription {
   currentPeriodStart   DateTime
   cancelAtPeriodEnd    Boolean
 
-  creationSource SubscriptionCreationSource
+  creationSource PurchaseCreationSource
   createdAt      DateTime                   @default(now())
   updatedAt      DateTime                   @updatedAt
 
@@ -795,6 +795,22 @@ model ItemQuantityChange {
   @@index([tenancyId, customerId, expiresAt])
 }
 
+model OneTimePurchase {
+  id String @default(uuid()) @db.Uuid
+  tenancyId String @db.Uuid
+  customerId String
+  customerType CustomerType
+  offerId String?
+  offer Json
+  quantity Int
+  stripePaymentIntentId String?
+  createdAt DateTime @default(now())
+  creationSource PurchaseCreationSource
+
+  @@id([tenancyId, id])
+  @@unique([tenancyId, stripePaymentIntentId])
+}
+
 model DataVaultEntry {
   id        String   @default(uuid()) @db.Uuid
   tenancyId String   @db.Uuid

diff --git a/apps/backend/src/app/api/latest/integrations/stripe/webhooks/route.tsx b/apps/backend/src/app/api/latest/integrations/stripe/webhooks/route.tsx
@@ -1,8 +1,12 @@
-import { getStackStripe, syncStripeSubscriptions } from "@/lib/stripe";
+import { getStackStripe, getStripeForAccount, syncStripeSubscriptions } from "@/lib/stripe";
+import { getTenancy } from "@/lib/tenancies";
+import { getPrismaClientForTenancy } from "@/prisma-client";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { yupMixed, yupNumber, yupObject, yupString, yupTuple } from "@stackframe/stack-shared/dist/schema-fields";
+import { typedIncludes } from '@stackframe/stack-shared/dist/utils/arrays';
 import { getEnvVariable } from "@stackframe/stack-shared/dist/utils/env";
-import { StackAssertionError, captureError } from "@stackframe/stack-shared/dist/utils/errors";
+import { StackAssertionError, StatusError, captureError } from "@stackframe/stack-shared/dist/utils/errors";
+import { typedToUppercase } from "@stackframe/stack-shared/dist/utils/strings";
 import Stripe from "stripe";
 
 const subscriptionChangedEvents = [
@@ -30,6 +34,74 @@ const isSubscriptionChangedEvent = (event: Stripe.Event): event is Stripe.Event
   return subscriptionChangedEvents.includes(event.type as any);
 };
 
+async function processStripeWebhookEvent(event: Stripe.Event): Promise<void> {
+  const mockData = (event.data.object as any).stack_stripe_mock_data;
+  if (event.type === "payment_intent.succeeded" && event.data.object.metadata.purchaseKind === "ONE_TIME") {
+    const metadata = event.data.object.metadata;
+    const accountId = event.account;
+    if (!accountId) {
+      throw new StackAssertionError("Stripe webhook account id missing", { event });
+    }
+    console.log("Processing1", mockData);
+    const stripe = getStackStripe(mockData);
+    const account = await stripe.accounts.retrieve(accountId);
+    const tenancyId = account.metadata?.tenancyId;
+    if (!tenancyId) {
+      throw new StackAssertionError("Stripe account metadata missing tenancyId", { event });
+    }
+    const tenancy = await getTenancy(tenancyId);
+    if (!tenancy) {
+      throw new StackAssertionError("Tenancy not found", { event });
+    }
+    const prisma = await getPrismaClientForTenancy(tenancy);
+    const offer = JSON.parse(metadata.offer || "{}");
+    const qty = Math.max(1, Number(metadata.purchaseQuantity || 1));
+    const stripePaymentIntentId = event.data.object.id;
+    if (!metadata.customerId || !metadata.customerType) {
+      throw new StackAssertionError("Missing customer metadata for one-time purchase", { event });
+    }
+    if (!typedIncludes(["user", "team", "custom"] as const, metadata.customerType)) {
+      throw new StackAssertionError("Invalid customer type for one-time purchase", { event });
+    }
+    await prisma.oneTimePurchase.upsert({
+      where: {
+        tenancyId_stripePaymentIntentId: {
+          tenancyId: tenancy.id,
+          stripePaymentIntentId,
+        },
+      },
+      create: {
+        tenancyId: tenancy.id,
+        customerId: metadata.customerId,
+        customerType: typedToUppercase(metadata.customerType),
+        offerId: metadata.offerId || null,
+        stripePaymentIntentId,
+        offer,
+        quantity: qty,
+        creationSource: "PURCHASE_PAGE",
+      },
+      update: {
+        offerId: metadata.offerId || null,
+        offer,
+        quantity: qty,
+      }
+    });
+  }
+
+  if (isSubscriptionChangedEvent(event)) {
+    const accountId = event.account;
+    const customerId = event.data.object.customer;
+    if (!accountId) {
+      throw new StackAssertionError("Stripe webhook account id missing", { event });
+    }
+    if (typeof customerId !== 'string') {
+      throw new StackAssertionError("Stripe webhook bad customer id", { event });
+    }
+    const stripe = await getStripeForAccount({ accountId }, mockData);
+    await syncStripeSubscriptions(stripe, accountId, customerId);
+  }
+}
+
 export const POST = createSmartRouteHandler({
   metadata: {
     hidden: true,
@@ -47,38 +119,27 @@ export const POST = createSmartRouteHandler({
     body: yupMixed().defined(),
   }),
   handler: async (req, fullReq) => {
+    const stripe = getStackStripe();
+    let event: Stripe.Event;
     try {
-      const stripe = getStackStripe();
       const signature = req.headers["stripe-signature"][0];
-      if (!signature) {
-        throw new StackAssertionError("Missing stripe-signature header");
-      }
-
       const textBody = new TextDecoder().decode(fullReq.bodyBuffer);
-      const event = stripe.webhooks.constructEvent(
+      event = stripe.webhooks.constructEvent(
         textBody,
         signature,
         getEnvVariable("STACK_STRIPE_WEBHOOK_SECRET"),
       );
+    } catch {
+      throw new StatusError(400, "Invalid stripe-signature header");
+    }
 
-      if (event.type === "account.updated") {
-        if (!event.account) {
-          throw new StackAssertionError("Stripe webhook account id missing", { event });
-        }
-      } else if (isSubscriptionChangedEvent(event)) {
-        const accountId = event.account;
-        const customerId = (event.data.object as any).customer;
-        if (!accountId) {
-          throw new StackAssertionError("Stripe webhook account id missing", { event });
-        }
-        if (typeof customerId !== 'string') {
-          throw new StackAssertionError("Stripe webhook bad customer id", { event });
-        }
-        await syncStripeSubscriptions(accountId, customerId);
-      }
+    try {
+      await processStripeWebhookEvent(event);
     } catch (error) {
       captureError("stripe-webhook-receiver", error);
+      throw error;
     }
+
     return {
       statusCode: 200,
       bodyType: "json",

diff --git a/apps/backend/src/app/api/latest/internal/payments/test-mode-purchase-session/route.tsx b/apps/backend/src/app/api/latest/internal/payments/test-mode-purchase-session/route.tsx
@@ -1,13 +1,12 @@
 import { purchaseUrlVerificationCodeHandler } from "@/app/api/latest/payments/purchases/verification-code-handler";
-import { isActiveSubscription, validatePurchaseSession } from "@/lib/payments";
+import { validatePurchaseSession } from "@/lib/payments";
 import { getStripeForAccount } from "@/lib/stripe";
-import { getPrismaClientForTenancy, retryTransaction } from "@/prisma-client";
+import { getPrismaClientForTenancy } from "@/prisma-client";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
-import { SubscriptionCreationSource, SubscriptionStatus } from "@prisma/client";
+import { SubscriptionStatus } from "@prisma/client";
 import { adaptSchema, adminAuthTypeSchema, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
 import { addInterval } from "@stackframe/stack-shared/dist/utils/dates";
-import { StatusError } from "@stackframe/stack-shared/dist/utils/errors";
-import { typedKeys } from "@stackframe/stack-shared/dist/utils/objects";
+import { StackAssertionError, StatusError } from "@stackframe/stack-shared/dist/utils/errors";
 import { typedToUppercase } from "@stackframe/stack-shared/dist/utils/strings";
 
 export const POST = createSmartRouteHandler({
@@ -37,65 +36,50 @@ export const POST = createSmartRouteHandler({
       throw new StatusError(400, "Tenancy id does not match value from code data");
     }
     const prisma = await getPrismaClientForTenancy(auth.tenancy);
-    const { selectedPrice, groupId, subscriptions } = await validatePurchaseSession({
+
+    const { selectedPrice, conflictingGroupSubscriptions } = await validatePurchaseSession({
       prisma,
       tenancy: auth.tenancy,
       codeData: data,
       priceId: price_id,
       quantity,
     });
-    if (groupId) {
-      for (const subscription of subscriptions) {
-        if (
-          subscription.id &&
-          subscription.offerId &&
-          subscription.offer.groupId === groupId &&
-          isActiveSubscription(subscription) &&
-          subscription.offer.prices !== "include-by-default" &&
-          (!data.offer.isAddOnTo || !typedKeys(data.offer.isAddOnTo).includes(subscription.offerId))
-        ) {
-          if (!selectedPrice?.interval) {
-            continue;
-          }
-          if (subscription.stripeSubscriptionId) {
-            const stripe = await getStripeForAccount({ tenancy: auth.tenancy });
-            await stripe.subscriptions.cancel(subscription.stripeSubscriptionId);
-          }
-          await retryTransaction(prisma, async (tx) => {
-            if (!subscription.stripeSubscriptionId && subscription.id) {
-              await tx.subscription.update({
-                where: {
-                  tenancyId_id: {
-                    tenancyId: auth.tenancy.id,
-                    id: subscription.id,
-                  },
-                },
-                data: {
-                  status: SubscriptionStatus.canceled,
-                },
-              });
-            }
-            await tx.subscription.create({
-              data: {
+    if (!selectedPrice) {
+      throw new StackAssertionError("Price not resolved for test mode purchase session");
+    }
+
+    if (!selectedPrice.interval) {
+      await prisma.oneTimePurchase.create({
+        data: {
+          tenancyId: auth.tenancy.id,
+          customerId: data.customerId,
+          customerType: typedToUppercase(data.offer.customerType),
+          offerId: data.offerId,
+          offer: data.offer,
+          quantity,
+          creationSource: "TEST_MODE",
+        },
+      });
+    } else {
+      // Cancel conflicting subscriptions for TEST_MODE as well, then create new TEST_MODE subscription
+      if (conflictingGroupSubscriptions.length > 0) {
+        const conflicting = conflictingGroupSubscriptions[0];
+        if (conflicting.stripeSubscriptionId) {
+          const stripe = await getStripeForAccount({ tenancy: auth.tenancy });
+          await stripe.subscriptions.cancel(conflicting.stripeSubscriptionId);
+        } else if (conflicting.id) {
+          await prisma.subscription.update({
+            where: {
+              tenancyId_id: {
                 tenancyId: auth.tenancy.id,
-                customerId: data.customerId,
-                customerType: typedToUppercase(data.offer.customerType),
-                status: SubscriptionStatus.active,
-                offerId: data.offerId,
-                offer: data.offer,
-                quantity,
-                currentPeriodStart: new Date(),
-                currentPeriodEnd: addInterval(new Date(), selectedPrice.interval!),
-                cancelAtPeriodEnd: false,
-                creationSource: SubscriptionCreationSource.TEST_MODE,
+                id: conflicting.id,
               },
-            });
+            },
+            data: { status: SubscriptionStatus.canceled },
           });
         }
       }
-    }
 
-    if (selectedPrice?.interval) {
       await prisma.subscription.create({
         data: {
           tenancyId: auth.tenancy.id,
@@ -106,9 +90,9 @@ export const POST = createSmartRouteHandler({
           offer: data.offer,
           quantity,
           currentPeriodStart: new Date(),
-          currentPeriodEnd: addInterval(new Date(), selectedPrice.interval),
+          currentPeriodEnd: addInterval(new Date(), selectedPrice.interval!),
           cancelAtPeriodEnd: false,
-          creationSource: SubscriptionCreationSource.TEST_MODE,
+          creationSource: "TEST_MODE",
         },
       });
     }