Comprehensive admin + user dashboards (production-ready)

2026-06-07 17:54:30 -04:00
parent 155507f21a
commit f033f00379
122 changed files with 7878 additions and 805 deletions
@@ -1,6 +1,7 @@
+import { z } from "zod";
 import { upsertSubscription } from "../subscription";
 import { planFromPaypalPlan } from "../catalog";
-import type { PlanKey } from "../plans";
+import { PLAN_ORDER, type PlanKey } from "../plans";

 interface PaypalResource {
  id?: string;
@@ -14,15 +15,30 @@ interface PaypalEvent {
  resource: PaypalResource;
 }

+// custom_id is attacker-influenceable JSON; validate it strictly and never trust
+// it to default to a paid plan.
+const customSchema = z.object({
+  subjectId: z.string().min(1),
+  subjectType: z.enum(["user", "organization"]),
+  plan: z.enum(PLAN_ORDER as [PlanKey, ...PlanKey[]]),
+});
+
 function parseCustom(
  custom?: string
 ): { subjectId: string; subjectType: "user" | "organization"; plan: PlanKey } | null {
  if (!custom) return null;
+  let raw: unknown;
  try {
-    return JSON.parse(custom);
+    raw = JSON.parse(custom);
  } catch {
    return null;
  }
+  const parsed = customSchema.safeParse(raw);
+  if (!parsed.success) {
+    console.warn("[paypal] invalid custom_id payload, skipping");
+    return null;
+  }
+  return parsed.data;
 }

 async function sync(resource: PaypalResource, status: string) {