WIP: Stripe integration

2023-01-14 06:43:44 -05:00 · 2023-01-14 06:43:44 -05:00 · 01fd4754f9
commit 01fd4754f9
parent 7007c0a0bd
20 changed files with 557 additions and 43 deletions
--- a/server/config.go
+++ b/server/config.go
@ -110,6 +110,8 @@ type Config struct {
 	VisitorAccountCreateLimitReplenish   time.Duration
 	VisitorStatsResetTime                time.Time // Time of the day at which to reset visitor stats
 	BehindProxy                          bool
+	StripeKey                            string
+	StripeWebhookKey                     string
 	EnableWeb                            bool
 	EnableSignup                         bool // Enable creation of accounts via API and UI
 	EnableLogin                          bool
--- a/server/errors.go
+++ b/server/errors.go
@ -58,6 +58,8 @@ var (
 	errHTTPBadRequestJSONInvalid                     = &errHTTP{40024, http.StatusBadRequest, "invalid request: request body must be valid JSON", ""}
 	errHTTPBadRequestPermissionInvalid               = &errHTTP{40025, http.StatusBadRequest, "invalid request: incorrect permission string", ""}
 	errHTTPBadRequestMakesNoSenseForAdmin            = &errHTTP{40026, http.StatusBadRequest, "invalid request: this makes no sense for admins", ""}
+	errHTTPBadRequestNotAPaidUser                    = &errHTTP{40027, http.StatusBadRequest, "invalid request: not a paid user", ""}
+	errHTTPBadRequestInvalidStripeRequest            = &errHTTP{40028, http.StatusBadRequest, "invalid request: not a valid Stripe request", ""}
 	errHTTPNotFound                                  = &errHTTP{40401, http.StatusNotFound, "page not found", ""}
 	errHTTPUnauthorized                              = &errHTTP{40101, http.StatusUnauthorized, "unauthorized", "https://ntfy.sh/docs/publish/#authentication"}
 	errHTTPForbidden                                 = &errHTTP{40301, http.StatusForbidden, "forbidden", "https://ntfy.sh/docs/publish/#authentication"}
--- a/server/server.go
+++ b/server/server.go
@ -36,6 +36,10 @@ import (

 /*
 	TODO
+		payments:
+		- handle overdue payment (-> downgrade after 7 days)
+		- delete stripe subscription when acocunt is deleted
+
 		Limits & rate limiting:
 			users without tier: should the stats be persisted? are they meaningful?
 				-> test that the visitor is based on the IP address!
@ -43,6 +47,7 @@ import (
 		update last_seen when API is accessed
 		Make sure account endpoints make sense for admins

+		triggerChange after publishing a message
 		UI:
 		- flicker of upgrade banner
 		- JS constants
@ -100,6 +105,11 @@ var (
 	accountSettingsPath            = "/v1/account/settings"
 	accountSubscriptionPath        = "/v1/account/subscription"
 	accountReservationPath         = "/v1/account/reservation"
+	accountBillingPortalPath       = "/v1/account/billing/portal"
+	accountBillingWebhookPath      = "/v1/account/billing/webhook"
+	accountCheckoutPath            = "/v1/account/checkout"
+	accountCheckoutSuccessTemplate = "/v1/account/checkout/success/{CHECKOUT_SESSION_ID}"
+	accountCheckoutSuccessRegex    = regexp.MustCompile(`/v1/account/checkout/success/(.+)$`)
 	accountReservationSingleRegex  = regexp.MustCompile(`/v1/account/reservation/([-_A-Za-z0-9]{1,64})$`)
 	accountSubscriptionSingleRegex = regexp.MustCompile(`^/v1/account/subscription/([-_A-Za-z0-9]{16})$`)
 	matrixPushPath                 = "/_matrix/push/v1/notify"
@ -362,6 +372,14 @@ func (s *Server) handleInternal(w http.ResponseWriter, r *http.Request, v *visit
 		return s.ensureUser(s.handleAccountReservationAdd)(w, r, v)
 	} else if r.Method == http.MethodDelete && accountReservationSingleRegex.MatchString(r.URL.Path) {
 		return s.ensureUser(s.handleAccountReservationDelete)(w, r, v)
+	} else if r.Method == http.MethodPost && r.URL.Path == accountCheckoutPath {
+		return s.ensureUser(s.handleAccountCheckoutSessionCreate)(w, r, v)
+	} else if r.Method == http.MethodGet && accountCheckoutSuccessRegex.MatchString(r.URL.Path) {
+		return s.ensureUserManager(s.handleAccountCheckoutSessionSuccessGet)(w, r, v) // No user context!
+	} else if r.Method == http.MethodPost && r.URL.Path == accountBillingPortalPath {
+		return s.ensureUser(s.handleAccountBillingPortalSessionCreate)(w, r, v)
+	} else if r.Method == http.MethodPost && r.URL.Path == accountBillingWebhookPath {
+		return s.ensureUserManager(s.handleAccountBillingWebhookTrigger)(w, r, v)
 	} else if r.Method == http.MethodGet && r.URL.Path == matrixPushPath {
 		return s.handleMatrixDiscovery(w)
 	} else if r.Method == http.MethodGet && staticRegex.MatchString(r.URL.Path) {
--- a/server/server_account.go
+++ b/server/server_account.go
@ -2,6 +2,14 @@ package server

 import (
 	"encoding/json"
+	"errors"
+	"github.com/stripe/stripe-go/v74"
+	portalsession "github.com/stripe/stripe-go/v74/billingportal/session"
+	"github.com/stripe/stripe-go/v74/checkout/session"
+	"github.com/stripe/stripe-go/v74/subscription"
+	"github.com/stripe/stripe-go/v74/webhook"
+	"github.com/tidwall/gjson"
+	"heckel.io/ntfy/log"
 	"heckel.io/ntfy/user"
 	"heckel.io/ntfy/util"
 	"net/http"
@ -9,6 +17,7 @@ import (

 const (
 	jsonBodyBytesLimit   = 4096
+	stripeBodyBytesLimit = 16384
 	subscriptionIDLength = 16
 	createdByAPI         = "api"
 )
@ -386,3 +395,226 @@ func (s *Server) handleAccountReservationDelete(w http.ResponseWriter, r *http.R
 	w.Header().Set("Access-Control-Allow-Origin", "*") // FIXME remove this
 	return nil
 }
+
+func (s *Server) handleAccountCheckoutSessionCreate(w http.ResponseWriter, r *http.Request, v *visitor) error {
+	req, err := readJSONWithLimit[apiAccountTierChangeRequest](r.Body, jsonBodyBytesLimit)
+	if err != nil {
+		return err
+	}
+	tier, err := s.userManager.Tier(req.Tier)
+	if err != nil {
+		return err
+	}
+	if tier.StripePriceID == "" {
+		log.Info("Checkout: Downgrading to no tier")
+		return errors.New("not a paid tier")
+	} else if v.user.Billing != nil && v.user.Billing.StripeSubscriptionID != "" {
+		log.Info("Checkout: Changing tier and subscription to %s", tier.Code)
+
+		// Upgrade/downgrade tier
+		sub, err := subscription.Get(v.user.Billing.StripeSubscriptionID, nil)
+		if err != nil {
+			return err
+		}
+		params := &stripe.SubscriptionParams{
+			CancelAtPeriodEnd: stripe.Bool(false),
+			ProrationBehavior: stripe.String(string(stripe.SubscriptionSchedulePhaseProrationBehaviorCreateProrations)),
+			Items: []*stripe.SubscriptionItemsParams{
+				{
+					ID:    stripe.String(sub.Items.Data[0].ID),
+					Price: stripe.String(tier.StripePriceID),
+				},
+			},
+		}
+		_, err = subscription.Update(sub.ID, params)
+		if err != nil {
+			return err
+		}
+		response := &apiAccountCheckoutResponse{}
+		w.Header().Set("Content-Type", "application/json")
+		w.Header().Set("Access-Control-Allow-Origin", "*") // FIXME remove this
+		if err := json.NewEncoder(w).Encode(response); err != nil {
+			return err
+		}
+		return nil
+	} else {
+		// Checkout flow
+		log.Info("Checkout: No existing subscription, creating checkout flow")
+	}
+
+	successURL := s.config.BaseURL + accountCheckoutSuccessTemplate
+	var stripeCustomerID *string
+	if v.user.Billing != nil {
+		stripeCustomerID = &v.user.Billing.StripeCustomerID
+	}
+	params := &stripe.CheckoutSessionParams{
+		ClientReferenceID: &v.user.Name, // FIXME Should be user ID
+		Customer:          stripeCustomerID,
+		SuccessURL:        &successURL,
+		Mode:              stripe.String(string(stripe.CheckoutSessionModeSubscription)),
+		LineItems: []*stripe.CheckoutSessionLineItemParams{
+			{
+				Price:    stripe.String(tier.StripePriceID),
+				Quantity: stripe.Int64(1),
+			},
+		},
+	}
+	sess, err := session.New(params)
+	if err != nil {
+		return err
+	}
+	response := &apiAccountCheckoutResponse{
+		RedirectURL: sess.URL,
+	}
+	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Access-Control-Allow-Origin", "*") // FIXME remove this
+	if err := json.NewEncoder(w).Encode(response); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (s *Server) handleAccountCheckoutSessionSuccessGet(w http.ResponseWriter, r *http.Request, v *visitor) error {
+	// We don't have a v.user in this endpoint, only a userManager!
+	matches := accountCheckoutSuccessRegex.FindStringSubmatch(r.URL.Path)
+	if len(matches) != 2 {
+		return errHTTPInternalErrorInvalidPath
+	}
+	sessionID := matches[1]
+	// FIXME how do I rate limit this?
+	sess, err := session.Get(sessionID, nil)
+	if err != nil {
+		log.Warn("Stripe: %s", err)
+		return errHTTPBadRequestInvalidStripeRequest
+	} else if sess.Customer == nil || sess.Subscription == nil || sess.ClientReferenceID == "" {
+		log.Warn("Stripe: Unexpected session, customer or subscription not found")
+		return errHTTPBadRequestInvalidStripeRequest
+	}
+	sub, err := subscription.Get(sess.Subscription.ID, nil)
+	if err != nil {
+		return err
+	} else if sub.Items == nil || len(sub.Items.Data) != 1 || sub.Items.Data[0].Price == nil {
+		log.Error("Stripe: Unexpected subscription, expected exactly one line item")
+		return errHTTPBadRequestInvalidStripeRequest
+	}
+	priceID := sub.Items.Data[0].Price.ID
+	tier, err := s.userManager.TierByStripePrice(priceID)
+	if err != nil {
+		return err
+	}
+	u, err := s.userManager.User(sess.ClientReferenceID)
+	if err != nil {
+		return err
+	}
+	if u.Billing == nil {
+		u.Billing = &user.Billing{}
+	}
+	u.Billing.StripeCustomerID = sess.Customer.ID
+	u.Billing.StripeSubscriptionID = sess.Subscription.ID
+	if err := s.userManager.ChangeBilling(u); err != nil {
+		return err
+	}
+	if err := s.userManager.ChangeTier(u.Name, tier.Code); err != nil {
+		return err
+	}
+	accountURL := s.config.BaseURL + "/account" // FIXME
+	http.Redirect(w, r, accountURL, http.StatusSeeOther)
+	return nil
+}
+
+func (s *Server) handleAccountBillingPortalSessionCreate(w http.ResponseWriter, r *http.Request, v *visitor) error {
+	if v.user.Billing == nil {
+		return errHTTPBadRequestNotAPaidUser
+	}
+	params := &stripe.BillingPortalSessionParams{
+		Customer:  stripe.String(v.user.Billing.StripeCustomerID),
+		ReturnURL: stripe.String(s.config.BaseURL),
+	}
+	ps, err := portalsession.New(params)
+	if err != nil {
+		return err
+	}
+	response := &apiAccountBillingPortalRedirectResponse{
+		RedirectURL: ps.URL,
+	}
+	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Access-Control-Allow-Origin", "*") // FIXME remove this
+	if err := json.NewEncoder(w).Encode(response); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (s *Server) handleAccountBillingWebhookTrigger(w http.ResponseWriter, r *http.Request, v *visitor) error {
+	// We don't have a v.user in this endpoint, only a userManager!
+	stripeSignature := r.Header.Get("Stripe-Signature")
+	if stripeSignature == "" {
+		return errHTTPBadRequestInvalidStripeRequest
+	}
+	body, err := util.Peek(r.Body, stripeBodyBytesLimit)
+	if err != nil {
+		return err
+	} else if body.LimitReached {
+		return errHTTPEntityTooLargeJSONBody
+	}
+	event, err := webhook.ConstructEvent(body.PeekedBytes, stripeSignature, s.config.StripeWebhookKey)
+	if err != nil {
+		log.Warn("Stripe: invalid request: %s", err.Error())
+		return errHTTPBadRequestInvalidStripeRequest
+	} else if event.Data == nil || event.Data.Raw == nil {
+		log.Warn("Stripe: invalid request, data is nil")
+		return errHTTPBadRequestInvalidStripeRequest
+	}
+	log.Info("Stripe: webhook event %s received", event.Type)
+	stripeCustomerID := gjson.GetBytes(event.Data.Raw, "customer")
+	if !stripeCustomerID.Exists() {
+		return errHTTPBadRequestInvalidStripeRequest
+	}
+	switch event.Type {
+	case "checkout.session.completed":
+		// Payment is successful and the subscription is created.
+		// Provision the subscription, save the customer ID.
+		return s.handleAccountBillingWebhookCheckoutCompleted(stripeCustomerID.String(), event.Data.Raw)
+	case "customer.subscription.updated":
+		return s.handleAccountBillingWebhookSubscriptionUpdated(stripeCustomerID.String(), event.Data.Raw)
+	case "invoice.paid":
+		// Continue to provision the subscription as payments continue to be made.
+		// Store the status in your database and check when a user accesses your service.
+		// This approach helps you avoid hitting rate limits.
+		return nil // FIXME
+	case "invoice.payment_failed":
+		// The payment failed or the customer does not have a valid payment method.
+		// The subscription becomes past_due. Notify your customer and send them to the
+		// customer portal to update their payment information.
+		return nil // FIXME
+	default:
+		log.Warn("Stripe: unhandled webhook %s", event.Type)
+		return nil
+	}
+}
+
+func (s *Server) handleAccountBillingWebhookCheckoutCompleted(stripeCustomerID string, event json.RawMessage) error {
+	log.Info("Stripe: checkout completed for customer %s", stripeCustomerID)
+	return nil
+}
+
+func (s *Server) handleAccountBillingWebhookSubscriptionUpdated(stripeCustomerID string, event json.RawMessage) error {
+	status := gjson.GetBytes(event, "status")
+	priceID := gjson.GetBytes(event, "items.data.0.price.id")
+	if !status.Exists() || !priceID.Exists() {
+		return errHTTPBadRequestInvalidStripeRequest
+	}
+	log.Info("Stripe: customer %s: subscription updated to %s, with price %s", stripeCustomerID, status, priceID)
+	u, err := s.userManager.UserByStripeCustomer(stripeCustomerID)
+	if err != nil {
+		return err
+	}
+	tier, err := s.userManager.TierByStripePrice(priceID.String())
+	if err != nil {
+		return err
+	}
+	if err := s.userManager.ChangeTier(u.Name, tier.Code); err != nil {
+		return err
+	}
+	return nil
+}
--- a/server/types.go
+++ b/server/types.go
@ -295,3 +295,15 @@ type apiConfigResponse struct {
 	EnableReservations bool     `json:"enable_reservations"`
 	DisallowedTopics   []string `json:"disallowed_topics"`
 }
+
+type apiAccountTierChangeRequest struct {
+	Tier string `json:"tier"`
+}
+
+type apiAccountCheckoutResponse struct {
+	RedirectURL string `json:"redirect_url"`
+}
+
+type apiAccountBillingPortalRedirectResponse struct {
+	RedirectURL string `json:"redirect_url"`
+}