2026-06-07 17:54:30 -04:00
|
|
|
import { z } from "zod";
|
2026-06-07 03:58:32 -04:00
|
|
|
import { upsertSubscription } from "../subscription";
|
|
|
|
|
import { planFromPaypalPlan } from "../catalog";
|
2026-06-07 17:54:30 -04:00
|
|
|
import { PLAN_ORDER, type PlanKey } from "../plans";
|
2026-06-07 03:58:32 -04:00
|
|
|
|
|
|
|
|
interface PaypalResource {
|
|
|
|
|
id?: string;
|
|
|
|
|
plan_id?: string;
|
|
|
|
|
custom_id?: string;
|
|
|
|
|
billing_info?: { next_billing_time?: string };
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
interface PaypalEvent {
|
|
|
|
|
event_type: string;
|
|
|
|
|
resource: PaypalResource;
|
|
|
|
|
}
|
|
|
|
|
|
2026-06-07 17:54:30 -04:00
|
|
|
// custom_id is attacker-influenceable JSON; validate it strictly and never trust
|
|
|
|
|
// it to default to a paid plan.
|
|
|
|
|
const customSchema = z.object({
|
|
|
|
|
subjectId: z.string().min(1),
|
|
|
|
|
subjectType: z.enum(["user", "organization"]),
|
|
|
|
|
plan: z.enum(PLAN_ORDER as [PlanKey, ...PlanKey[]]),
|
|
|
|
|
});
|
|
|
|
|
|
2026-06-07 03:58:32 -04:00
|
|
|
function parseCustom(
|
|
|
|
|
custom?: string
|
|
|
|
|
): { subjectId: string; subjectType: "user" | "organization"; plan: PlanKey } | null {
|
|
|
|
|
if (!custom) return null;
|
2026-06-07 17:54:30 -04:00
|
|
|
let raw: unknown;
|
2026-06-07 03:58:32 -04:00
|
|
|
try {
|
2026-06-07 17:54:30 -04:00
|
|
|
raw = JSON.parse(custom);
|
2026-06-07 03:58:32 -04:00
|
|
|
} catch {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
2026-06-07 17:54:30 -04:00
|
|
|
const parsed = customSchema.safeParse(raw);
|
|
|
|
|
if (!parsed.success) {
|
|
|
|
|
console.warn("[paypal] invalid custom_id payload, skipping");
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
return parsed.data;
|
2026-06-07 03:58:32 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
async function sync(resource: PaypalResource, status: string) {
|
|
|
|
|
const subId = resource.id;
|
|
|
|
|
if (!subId) return;
|
|
|
|
|
const custom = parseCustom(resource.custom_id);
|
|
|
|
|
const planFromId = resource.plan_id ? planFromPaypalPlan(resource.plan_id) : null;
|
|
|
|
|
const plan = (custom?.plan || planFromId || "free") as PlanKey;
|
|
|
|
|
const referenceId = custom?.subjectId;
|
|
|
|
|
if (!referenceId) {
|
|
|
|
|
console.warn("[paypal] subscription without custom subjectId, skipping", subId);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
await upsertSubscription({
|
|
|
|
|
provider: "paypal",
|
|
|
|
|
referenceId,
|
|
|
|
|
plan,
|
|
|
|
|
status,
|
|
|
|
|
paypalSubscriptionId: subId,
|
|
|
|
|
paypalPlanId: resource.plan_id ?? null,
|
|
|
|
|
periodEnd: resource.billing_info?.next_billing_time
|
|
|
|
|
? new Date(resource.billing_info.next_billing_time)
|
|
|
|
|
: null,
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export async function handlePaypalEvent(event: PaypalEvent): Promise<void> {
|
|
|
|
|
switch (event.event_type) {
|
|
|
|
|
case "BILLING.SUBSCRIPTION.ACTIVATED":
|
|
|
|
|
case "BILLING.SUBSCRIPTION.UPDATED":
|
|
|
|
|
case "BILLING.SUBSCRIPTION.RE-ACTIVATED":
|
|
|
|
|
await sync(event.resource, "active");
|
|
|
|
|
break;
|
|
|
|
|
case "BILLING.SUBSCRIPTION.SUSPENDED":
|
|
|
|
|
await sync(event.resource, "paused");
|
|
|
|
|
break;
|
|
|
|
|
case "BILLING.SUBSCRIPTION.CANCELLED":
|
|
|
|
|
case "BILLING.SUBSCRIPTION.EXPIRED":
|
|
|
|
|
await sync(event.resource, "canceled");
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
