lib/billing/paypal.ts

import type { PlanKey } from "./plans";

const SANDBOX_BASE = "https://api-m.sandbox.paypal.com";
const base = () => process.env.PAYPAL_API_BASE ?? SANDBOX_BASE;
const appUrl = () => process.env.NEXT_PUBLIC_APP_URL || "http://localhost:3000";

// Loudly warn (but don't throw — never break deploys) if PayPal is pointed at the
// sandbox while running in production. The sandbox default is fine for dev.
if (process.env.NODE_ENV === "production" && base().includes("sandbox.paypal.com")) {
  console.warn(
    "[paypal] WARNING: running against the PayPal SANDBOX in production. " +
      "Set PAYPAL_API_BASE=https://api-m.paypal.com for live billing."
  );
}

function creds(): { id: string; secret: string } {
  const id = process.env.PAYPAL_CLIENT_ID;
  const secret = process.env.PAYPAL_CLIENT_SECRET;
  if (!id || !secret) throw new Error("PayPal credentials are not set");
  return { id, secret };
}

export function isPaypalConfigured(): boolean {
  return !!(process.env.PAYPAL_CLIENT_ID && process.env.PAYPAL_CLIENT_SECRET);
}

async function accessToken(): Promise<string> {
  const { id, secret } = creds();
  const res = await fetch(`${base()}/v1/oauth2/token`, {
    method: "POST",
    headers: {
      Authorization: `Basic ${Buffer.from(`${id}:${secret}`).toString("base64")}`,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: "grant_type=client_credentials",
  });
  if (!res.ok) throw new Error(`PayPal token error ${res.status}`);
  const data = (await res.json()) as { access_token: string };
  return data.access_token;
}

export interface PaypalCustom {
  subjectId: string;
  subjectType: "user" | "organization";
  plan: PlanKey;
}

/** Create a PayPal subscription; returns the subscription id + approval URL. */
export async function createPaypalSubscription(args: {
  planId: string;
  custom: PaypalCustom;
}): Promise<{ id: string; approveUrl: string }> {
  const token = await accessToken();
  const res = await fetch(`${base()}/v1/billing/subscriptions`, {
    method: "POST",
    headers: {
      Authorization: `Bearer ${token}`,
      "Content-Type": "application/json",
      Prefer: "return=representation",
    },
    body: JSON.stringify({
      plan_id: args.planId,
      custom_id: JSON.stringify(args.custom),
      application_context: {
        brand_name: "Podcast Distribution AI",
        user_action: "SUBSCRIBE_NOW",
        shipping_preference: "NO_SHIPPING",
        return_url: `${appUrl()}/billing?status=success&provider=paypal`,
        cancel_url: `${appUrl()}/billing?status=cancel`,
      },
    }),
  });
  if (!res.ok) {
    // Log the full upstream detail server-side, but never surface it to clients.
    console.error(`[paypal] create subscription ${res.status}: ${await res.text()}`);
    throw new Error("PayPal request failed");
  }
  const data = (await res.json()) as { id: string; links: { rel: string; href: string }[] };
  const approveUrl = data.links.find((l) => l.rel === "approve")?.href;
  if (!approveUrl) throw new Error("PayPal did not return an approval URL");
  return { id: data.id, approveUrl };
}

export async function getPaypalSubscription(id: string): Promise<Record<string, unknown>> {
  const token = await accessToken();
  const res = await fetch(`${base()}/v1/billing/subscriptions/${id}`, {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (!res.ok) throw new Error(`PayPal get subscription ${res.status}`);
  return res.json();
}

export async function cancelPaypalSubscription(id: string, reason = "Customer requested"): Promise<void> {
  const token = await accessToken();
  const res = await fetch(`${base()}/v1/billing/subscriptions/${id}/cancel`, {
    method: "POST",
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify({ reason }),
  });
  if (!res.ok && res.status !== 204) {
    // Log the full upstream detail server-side, but never surface it to clients.
    console.error(`[paypal] cancel subscription ${res.status}: ${await res.text()}`);
    throw new Error("PayPal request failed");
  }
}

/** Verify a PayPal webhook signature against PAYPAL_WEBHOOK_ID. */
export async function verifyPaypalWebhook(
  headers: Record<string, string | undefined>,
  rawBody: string
): Promise<boolean> {
  const webhookId = process.env.PAYPAL_WEBHOOK_ID;
  if (!webhookId) return false;
  const token = await accessToken();
  const res = await fetch(`${base()}/v1/notifications/verify-webhook-signature`, {
    method: "POST",
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify({
      auth_algo: headers["paypal-auth-algo"],
      cert_url: headers["paypal-cert-url"],
      transmission_id: headers["paypal-transmission-id"],
      transmission_sig: headers["paypal-transmission-sig"],
      transmission_time: headers["paypal-transmission-time"],
      webhook_id: webhookId,
      webhook_event: JSON.parse(rawBody),
    }),
  });
  if (!res.ok) return false;
  const data = (await res.json()) as { verification_status: string };
  return data.verification_status === "SUCCESS";
}
Initial commit: PodcastYes — AI podcast platform 2026-06-07 03:58:32 -04:00			`import type { PlanKey } from "./plans";`

Comprehensive admin + user dashboards (production-ready) 2026-06-07 17:54:30 -04:00			`const SANDBOX_BASE = "https://api-m.sandbox.paypal.com";`
			`const base = () => process.env.PAYPAL_API_BASE ?? SANDBOX_BASE;`
fix: tolerate empty NEXT_PUBLIC_APP_URL during production build 2026-06-08 04:46:58 -04:00			`const appUrl = () => process.env.NEXT_PUBLIC_APP_URL \|\| "http://localhost:3000";`
Initial commit: PodcastYes — AI podcast platform 2026-06-07 03:58:32 -04:00
Comprehensive admin + user dashboards (production-ready) 2026-06-07 17:54:30 -04:00			`// Loudly warn (but don't throw — never break deploys) if PayPal is pointed at the`
			`// sandbox while running in production. The sandbox default is fine for dev.`
			`if (process.env.NODE_ENV === "production" && base().includes("sandbox.paypal.com")) {`
			`console.warn(`
			`"[paypal] WARNING: running against the PayPal SANDBOX in production. " +`
			`"Set PAYPAL_API_BASE=https://api-m.paypal.com for live billing."`
			`);`
			`}`

Initial commit: PodcastYes — AI podcast platform 2026-06-07 03:58:32 -04:00			`function creds(): { id: string; secret: string } {`
			`const id = process.env.PAYPAL_CLIENT_ID;`
			`const secret = process.env.PAYPAL_CLIENT_SECRET;`
			`if (!id \|\| !secret) throw new Error("PayPal credentials are not set");`
			`return { id, secret };`
			`}`

			`export function isPaypalConfigured(): boolean {`
			`return !!(process.env.PAYPAL_CLIENT_ID && process.env.PAYPAL_CLIENT_SECRET);`
			`}`

			`async function accessToken(): Promise<string> {`
			`const { id, secret } = creds();`
			const res = await fetch(`${base()}/v1/oauth2/token`, {
			`method: "POST",`
			`headers: {`
			Authorization: `Basic ${Buffer.from(`${id}:${secret}`).toString("base64")}`,
			`"Content-Type": "application/x-www-form-urlencoded",`
			`},`
			`body: "grant_type=client_credentials",`
			`});`
			if (!res.ok) throw new Error(`PayPal token error ${res.status}`);
			`const data = (await res.json()) as { access_token: string };`
			`return data.access_token;`
			`}`

			`export interface PaypalCustom {`
			`subjectId: string;`
			`subjectType: "user" \| "organization";`
			`plan: PlanKey;`
			`}`

			`/** Create a PayPal subscription; returns the subscription id + approval URL. */`
			`export async function createPaypalSubscription(args: {`
			`planId: string;`
			`custom: PaypalCustom;`
			`}): Promise<{ id: string; approveUrl: string }> {`
			`const token = await accessToken();`
			const res = await fetch(`${base()}/v1/billing/subscriptions`, {
			`method: "POST",`
			`headers: {`
			Authorization: `Bearer ${token}`,
			`"Content-Type": "application/json",`
			`Prefer: "return=representation",`
			`},`
			`body: JSON.stringify({`
			`plan_id: args.planId,`
			`custom_id: JSON.stringify(args.custom),`
			`application_context: {`
Rebrand PodcastYes -> Podcast Distribution AI (podcastdistributionai.com) 2026-06-20 20:12:43 -04:00			`brand_name: "Podcast Distribution AI",`
Initial commit: PodcastYes — AI podcast platform 2026-06-07 03:58:32 -04:00			`user_action: "SUBSCRIBE_NOW",`
			`shipping_preference: "NO_SHIPPING",`
			return_url: `${appUrl()}/billing?status=success&provider=paypal`,
			cancel_url: `${appUrl()}/billing?status=cancel`,
			`},`
			`}),`
			`});`
Security & robustness hardening pass 2026-06-20 20:59:03 -04:00			`if (!res.ok) {`
			`// Log the full upstream detail server-side, but never surface it to clients.`
			console.error(`[paypal] create subscription ${res.status}: ${await res.text()}`);
			`throw new Error("PayPal request failed");`
			`}`
Initial commit: PodcastYes — AI podcast platform 2026-06-07 03:58:32 -04:00			`const data = (await res.json()) as { id: string; links: { rel: string; href: string }[] };`
			`const approveUrl = data.links.find((l) => l.rel === "approve")?.href;`
			`if (!approveUrl) throw new Error("PayPal did not return an approval URL");`
			`return { id: data.id, approveUrl };`
			`}`

			`export async function getPaypalSubscription(id: string): Promise<Record<string, unknown>> {`
			`const token = await accessToken();`
			const res = await fetch(`${base()}/v1/billing/subscriptions/${id}`, {
			headers: { Authorization: `Bearer ${token}` },
			`});`
			if (!res.ok) throw new Error(`PayPal get subscription ${res.status}`);
			`return res.json();`
			`}`

			`export async function cancelPaypalSubscription(id: string, reason = "Customer requested"): Promise<void> {`
			`const token = await accessToken();`
			const res = await fetch(`${base()}/v1/billing/subscriptions/${id}/cancel`, {
			`method: "POST",`
			headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
			`body: JSON.stringify({ reason }),`
			`});`
			`if (!res.ok && res.status !== 204) {`
Security & robustness hardening pass 2026-06-20 20:59:03 -04:00			`// Log the full upstream detail server-side, but never surface it to clients.`
			console.error(`[paypal] cancel subscription ${res.status}: ${await res.text()}`);
			`throw new Error("PayPal request failed");`
Initial commit: PodcastYes — AI podcast platform 2026-06-07 03:58:32 -04:00			`}`
			`}`

			`/** Verify a PayPal webhook signature against PAYPAL_WEBHOOK_ID. */`
			`export async function verifyPaypalWebhook(`
			`headers: Record<string, string \| undefined>,`
			`rawBody: string`
			`): Promise<boolean> {`
			`const webhookId = process.env.PAYPAL_WEBHOOK_ID;`
			`if (!webhookId) return false;`
			`const token = await accessToken();`
			const res = await fetch(`${base()}/v1/notifications/verify-webhook-signature`, {
			`method: "POST",`
			headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
			`body: JSON.stringify({`
			`auth_algo: headers["paypal-auth-algo"],`
			`cert_url: headers["paypal-cert-url"],`
			`transmission_id: headers["paypal-transmission-id"],`
			`transmission_sig: headers["paypal-transmission-sig"],`
			`transmission_time: headers["paypal-transmission-time"],`
			`webhook_id: webhookId,`
			`webhook_event: JSON.parse(rawBody),`
			`}),`
			`});`
			`if (!res.ok) return false;`
			`const data = (await res.json()) as { verification_status: string };`
			`return data.verification_status === "SUCCESS";`
			`}`