publishSyncEvent, Stripe endpoint changes

2023-01-16 16:35:37 -05:00 · 2023-01-16 16:35:37 -05:00 · 83de879894
commit 83de879894
parent 7faed3ee1e
14 changed files with 424 additions and 262 deletions
--- a/server/config.go
+++ b/server/config.go
@ -110,7 +110,7 @@ type Config struct {
 	VisitorAccountCreateLimitReplenish   time.Duration
 	VisitorStatsResetTime                time.Time // Time of the day at which to reset visitor stats
 	BehindProxy                          bool
-	StripeKey                            string
+	StripeSecretKey                      string
 	StripeWebhookKey                     string
 	EnableWeb                            bool
 	EnableSignup                         bool // Enable creation of accounts via API and UI
--- a/server/server.go
+++ b/server/server.go
@ -40,12 +40,10 @@ import (
 		- send dunning emails when overdue
 		- payment methods
 		- unmarshal to stripe.Subscription instead of gjson
-		- Make ResetTier reset the stripe fields
 		- delete subscription when account deleted
-		- remove tier.paid
 		- add tier.visible
 		- fix tier selection boxes
-		- account sync after switching tiers
+		- delete messages + reserved topics on ResetTier

 		Limits & rate limiting:
 			users without tier: should the stats be persisted? are they meaningful?
@ -360,7 +358,7 @@ func (s *Server) handleInternal(w http.ResponseWriter, r *http.Request, v *visit
 	} else if r.Method == http.MethodGet && r.URL.Path == accountPath {
 		return s.handleAccountGet(w, r, v) // Allowed by anonymous
 	} else if r.Method == http.MethodDelete && r.URL.Path == accountPath {
-		return s.ensureUser(s.handleAccountDelete)(w, r, v)
+		return s.ensureUser(s.withAccountSync(s.handleAccountDelete))(w, r, v)
 	} else if r.Method == http.MethodPost && r.URL.Path == accountPasswordPath {
 		return s.ensureUser(s.handleAccountPasswordChange)(w, r, v)
 	} else if r.Method == http.MethodPatch && r.URL.Path == accountTokenPath {
@ -368,27 +366,29 @@ func (s *Server) handleInternal(w http.ResponseWriter, r *http.Request, v *visit
 	} else if r.Method == http.MethodDelete && r.URL.Path == accountTokenPath {
 		return s.ensureUser(s.handleAccountTokenDelete)(w, r, v)
 	} else if r.Method == http.MethodPatch && r.URL.Path == accountSettingsPath {
-		return s.ensureUser(s.handleAccountSettingsChange)(w, r, v)
+		return s.ensureUser(s.withAccountSync(s.handleAccountSettingsChange))(w, r, v)
 	} else if r.Method == http.MethodPost && r.URL.Path == accountSubscriptionPath {
-		return s.ensureUser(s.handleAccountSubscriptionAdd)(w, r, v)
+		return s.ensureUser(s.withAccountSync(s.handleAccountSubscriptionAdd))(w, r, v)
 	} else if r.Method == http.MethodPatch && accountSubscriptionSingleRegex.MatchString(r.URL.Path) {
-		return s.ensureUser(s.handleAccountSubscriptionChange)(w, r, v)
+		return s.ensureUser(s.withAccountSync(s.handleAccountSubscriptionChange))(w, r, v)
 	} else if r.Method == http.MethodDelete && accountSubscriptionSingleRegex.MatchString(r.URL.Path) {
-		return s.ensureUser(s.handleAccountSubscriptionDelete)(w, r, v)
+		return s.ensureUser(s.withAccountSync(s.handleAccountSubscriptionDelete))(w, r, v)
 	} else if r.Method == http.MethodPost && r.URL.Path == accountReservationPath {
-		return s.ensureUser(s.handleAccountReservationAdd)(w, r, v)
+		return s.ensureUser(s.withAccountSync(s.handleAccountReservationAdd))(w, r, v)
 	} else if r.Method == http.MethodDelete && accountReservationSingleRegex.MatchString(r.URL.Path) {
-		return s.ensureUser(s.handleAccountReservationDelete)(w, r, v)
+		return s.ensureUser(s.withAccountSync(s.handleAccountReservationDelete))(w, r, v)
 	} else if r.Method == http.MethodPost && r.URL.Path == accountBillingSubscriptionPath {
-		return s.ensureUser(s.handleAccountBillingSubscriptionChange)(w, r, v)
-	} else if r.Method == http.MethodDelete && r.URL.Path == accountBillingSubscriptionPath {
-		return s.ensureStripeCustomer(s.handleAccountBillingSubscriptionDelete)(w, r, v)
+		return s.ensurePaymentsEnabled(s.ensureUser(s.handleAccountBillingSubscriptionCreate))(w, r, v) // Account sync via incoming Stripe webhook
 	} else if r.Method == http.MethodGet && accountBillingSubscriptionCheckoutSuccessRegex.MatchString(r.URL.Path) {
-		return s.ensureUserManager(s.handleAccountCheckoutSessionSuccessGet)(w, r, v) // No user context!
+		return s.ensurePaymentsEnabled(s.ensureUserManager(s.handleAccountBillingSubscriptionCreateSuccess))(w, r, v) // No user context!
+	} else if r.Method == http.MethodPut && r.URL.Path == accountBillingSubscriptionPath {
+		return s.ensurePaymentsEnabled(s.ensureUser(s.handleAccountBillingSubscriptionUpdate))(w, r, v) // Account sync via incoming Stripe webhook
+	} else if r.Method == http.MethodDelete && r.URL.Path == accountBillingSubscriptionPath {
+		return s.ensurePaymentsEnabled(s.ensureStripeCustomer(s.handleAccountBillingSubscriptionDelete))(w, r, v) // Account sync via incoming Stripe webhook
 	} else if r.Method == http.MethodPost && r.URL.Path == accountBillingPortalPath {
-		return s.ensureStripeCustomer(s.handleAccountBillingPortalSessionCreate)(w, r, v)
+		return s.ensurePaymentsEnabled(s.ensureStripeCustomer(s.handleAccountBillingPortalSessionCreate))(w, r, v)
 	} else if r.Method == http.MethodPost && r.URL.Path == accountBillingWebhookPath {
-		return s.ensureUserManager(s.handleAccountBillingWebhook)(w, r, v)
+		return s.ensurePaymentsEnabled(s.ensureUserManager(s.handleAccountBillingWebhook))(w, r, v)
 	} else if r.Method == http.MethodGet && r.URL.Path == matrixPushPath {
 		return s.handleMatrixDiscovery(w)
 	} else if r.Method == http.MethodGet && staticRegex.MatchString(r.URL.Path) {
@ -1423,12 +1423,12 @@ func (s *Server) sendDelayedMessages() error {
 	for _, m := range messages {
 		var v *visitor
 		if s.userManager != nil && m.User != "" {
-			user, err := s.userManager.User(m.User)
+			u, err := s.userManager.User(m.User)
 			if err != nil {
 				log.Warn("%s Error sending delayed message: %s", logMessagePrefix(v, m), err.Error())
 				continue
 			}
-			v = s.visitorFromUser(user, m.Sender)
+			v = s.visitorFromUser(u, m.Sender)
 		} else {
 			v = s.visitorFromIP(m.Sender)
 		}
@ -1475,42 +1475,6 @@ func (s *Server) limitRequests(next handleFunc) handleFunc {
 	}
 }

-func (s *Server) ensureWebEnabled(next handleFunc) handleFunc {
-	return func(w http.ResponseWriter, r *http.Request, v *visitor) error {
-		if !s.config.EnableWeb {
-			return errHTTPNotFound
-		}
-		return next(w, r, v)
-	}
-}
-
-func (s *Server) ensureUserManager(next handleFunc) handleFunc {
-	return func(w http.ResponseWriter, r *http.Request, v *visitor) error {
-		if s.userManager == nil {
-			return errHTTPNotFound
-		}
-		return next(w, r, v)
-	}
-}
-
-func (s *Server) ensureUser(next handleFunc) handleFunc {
-	return s.ensureUserManager(func(w http.ResponseWriter, r *http.Request, v *visitor) error {
-		if v.user == nil {
-			return errHTTPUnauthorized
-		}
-		return next(w, r, v)
-	})
-}
-
-func (s *Server) ensureStripeCustomer(next handleFunc) handleFunc {
-	return s.ensureUser(func(w http.ResponseWriter, r *http.Request, v *visitor) error {
-		if v.user.Billing.StripeCustomerID == "" {
-			return errHTTPBadRequestNotAPaidUser
-		}
-		return next(w, r, v)
-	})
-}
-
 // transformBodyJSON peeks the request body, reads the JSON, and converts it to headers
 // before passing it on to the next handler. This is meant to be used in combination with handlePublish.
 func (s *Server) transformBodyJSON(next handleFunc) handleFunc {
--- a/server/server.yml
+++ b/server/server.yml
@ -164,12 +164,10 @@
 # - enable-signup allows users to sign up via the web app, or API
 # - enable-login allows users to log in via the web app, or API
 # - enable-reservations allows users to reserve topics (if their tier allows it)
-# - enable-payments enables payments integration [preliminary option, may change]
 #
 # enable-signup: false
 # enable-login: false
 # enable-reservations: false
-# enable-payments: false

 # Server URL of a Firebase/APNS-connected ntfy server (likely "https://ntfy.sh").
 #
@ -216,6 +214,16 @@
 # visitor-attachment-total-size-limit: "100M"
 # visitor-attachment-daily-bandwidth-limit: "500M"

+# Payments integration via Stripe
+#
+# - stripe-secret-key is the key used for the Stripe API communication. Setting this values
+#   enables payments in the ntfy web app (e.g. Upgrade dialog). See https://dashboard.stripe.com/apikeys.
+# - stripe-webhook-key is the key required to validate the authenticity of incoming webhooks from Stripe.
+#   Webhooks are essential up keep the local database in sync with the payment provider. See https://dashboard.stripe.com/webhooks.
+#
+# stripe-secret-key:
+# stripe-webhook-key:
+
 # Log level, can be TRACE, DEBUG, INFO, WARN or ERROR
 # This option can be hot-reloaded by calling "kill -HUP $pid" or "systemctl reload ntfy".
 #
--- a/server/server_account.go
+++ b/server/server_account.go
@ -2,15 +2,18 @@ package server

 import (
 	"encoding/json"
+	"errors"
+	"heckel.io/ntfy/log"
 	"heckel.io/ntfy/user"
 	"heckel.io/ntfy/util"
 	"net/http"
 )

 const (
-	jsonBodyBytesLimit   = 4096
-	subscriptionIDLength = 16
-	createdByAPI         = "api"
+	jsonBodyBytesLimit        = 4096
+	subscriptionIDLength      = 16
+	createdByAPI              = "api"
+	syncTopicAccountSyncEvent = "sync"
 )

 func (s *Server) handleAccountCreate(w http.ResponseWriter, r *http.Request, v *visitor) error {
@ -395,3 +398,37 @@ func (s *Server) handleAccountReservationDelete(w http.ResponseWriter, r *http.R
 	w.Header().Set("Access-Control-Allow-Origin", "*") // FIXME remove this
 	return nil
 }
+
+func (s *Server) publishSyncEvent(v *visitor) error {
+	if v.user == nil || v.user.SyncTopic == "" {
+		return nil
+	}
+	log.Trace("Publishing sync event to user %s's sync topic %s", v.user.Name, v.user.SyncTopic)
+	topics, err := s.topicsFromIDs(v.user.SyncTopic)
+	if err != nil {
+		return err
+	} else if len(topics) == 0 {
+		return errors.New("cannot retrieve sync topic")
+	}
+	syncTopic := topics[0]
+	messageBytes, err := json.Marshal(&apiAccountSyncTopicResponse{Event: syncTopicAccountSyncEvent})
+	if err != nil {
+		return err
+	}
+	m := newDefaultMessage(syncTopic.ID, string(messageBytes))
+	if err := syncTopic.Publish(v, m); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (s *Server) publishSyncEventAsync(v *visitor) {
+	go func() {
+		if v.user == nil || v.user.SyncTopic == "" {
+			return
+		}
+		if err := s.publishSyncEvent(v); err != nil {
+			log.Trace("Error publishing to user %s's sync topic %s: %s", v.user.Name, v.user.SyncTopic, err.Error())
+		}
+	}()
+}
--- a/server/server_middleware.go
+++ b/server/server_middleware.go
@ -0,0 +1,63 @@
+package server
+
+import (
+	"net/http"
+)
+
+func (s *Server) ensureWebEnabled(next handleFunc) handleFunc {
+	return func(w http.ResponseWriter, r *http.Request, v *visitor) error {
+		if !s.config.EnableWeb {
+			return errHTTPNotFound
+		}
+		return next(w, r, v)
+	}
+}
+
+func (s *Server) ensureUserManager(next handleFunc) handleFunc {
+	return func(w http.ResponseWriter, r *http.Request, v *visitor) error {
+		if s.userManager == nil {
+			return errHTTPNotFound
+		}
+		return next(w, r, v)
+	}
+}
+
+func (s *Server) ensureUser(next handleFunc) handleFunc {
+	return s.ensureUserManager(func(w http.ResponseWriter, r *http.Request, v *visitor) error {
+		if v.user == nil {
+			return errHTTPUnauthorized
+		}
+		return next(w, r, v)
+	})
+}
+
+func (s *Server) ensurePaymentsEnabled(next handleFunc) handleFunc {
+	return func(w http.ResponseWriter, r *http.Request, v *visitor) error {
+		if !s.config.EnablePayments {
+			return errHTTPNotFound
+		}
+		return next(w, r, v)
+	}
+}
+
+func (s *Server) ensureStripeCustomer(next handleFunc) handleFunc {
+	return s.ensureUser(func(w http.ResponseWriter, r *http.Request, v *visitor) error {
+		if v.user.Billing.StripeCustomerID == "" {
+			return errHTTPBadRequestNotAPaidUser
+		}
+		return next(w, r, v)
+	})
+}
+
+func (s *Server) withAccountSync(next handleFunc) handleFunc {
+	return func(w http.ResponseWriter, r *http.Request, v *visitor) error {
+		if v.user == nil {
+			return next(w, r, v)
+		}
+		err := next(w, r, v)
+		if err == nil {
+			s.publishSyncEventAsync(v)
+		}
+		return err
+	}
+}
--- a/server/server_payments.go
+++ b/server/server_payments.go
@ -6,13 +6,14 @@ import (
 	"github.com/stripe/stripe-go/v74"
 	portalsession "github.com/stripe/stripe-go/v74/billingportal/session"
 	"github.com/stripe/stripe-go/v74/checkout/session"
+	"github.com/stripe/stripe-go/v74/customer"
 	"github.com/stripe/stripe-go/v74/subscription"
 	"github.com/stripe/stripe-go/v74/webhook"
 	"github.com/tidwall/gjson"
 	"heckel.io/ntfy/log"
-	"heckel.io/ntfy/user"
 	"heckel.io/ntfy/util"
 	"net/http"
+	"net/netip"
 	"time"
 )

@ -20,15 +21,13 @@ const (
 	stripeBodyBytesLimit = 16384
 )

-// handleAccountBillingSubscriptionChange facilitates all subscription/tier changes, including payment flows.
-//
-// FIXME this should be two functions!
-//
-// It handles two cases:
-// - Create subscription: Transition from a user without Stripe subscription to a paid subscription (Checkout flow)
-// - Change subscription: Switching between Stripe prices (& tiers) by changing the Stripe subscription
-func (s *Server) handleAccountBillingSubscriptionChange(w http.ResponseWriter, r *http.Request, v *visitor) error {
-	req, err := readJSONWithLimit[apiAccountTierChangeRequest](r.Body, jsonBodyBytesLimit)
+// handleAccountBillingSubscriptionCreate creates a Stripe checkout flow to create a user subscription. The tier
+// will be updated by a subsequent webhook from Stripe, once the subscription becomes active.
+func (s *Server) handleAccountBillingSubscriptionCreate(w http.ResponseWriter, r *http.Request, v *visitor) error {
+	if v.user.Billing.StripeSubscriptionID != "" {
+		return errors.New("subscription already exists") //FIXME
+	}
+	req, err := readJSONWithLimit[apiAccountBillingSubscriptionChangeRequest](r.Body, jsonBodyBytesLimit)
 	if err != nil {
 		return err
 	}
@ -36,46 +35,21 @@ func (s *Server) handleAccountBillingSubscriptionChange(w http.ResponseWriter, r
 	if err != nil {
 		return err
 	}
-	if v.user.Billing.StripeSubscriptionID == "" && tier.StripePriceID != "" {
-		return s.handleAccountBillingSubscriptionAdd(w, v, tier)
-	} else if v.user.Billing.StripeSubscriptionID != "" {
-		return s.handleAccountBillingSubscriptionUpdate(w, v, tier)
+	if tier.StripePriceID == "" {
+		return errors.New("invalid tier") //FIXME
 	}
-	return errors.New("invalid state")
-}
-
-// handleAccountBillingSubscriptionDelete facilitates downgrading a paid user to a tier-less user,
-// and cancelling the Stripe subscription entirely
-func (s *Server) handleAccountBillingSubscriptionDelete(w http.ResponseWriter, r *http.Request, v *visitor) error {
-	if v.user.Billing.StripeCustomerID == "" {
-		return errHTTPBadRequestNotAPaidUser
-	}
-	if v.user.Billing.StripeSubscriptionID != "" {
-		_, err := subscription.Cancel(v.user.Billing.StripeSubscriptionID, nil)
-		if err != nil {
-			return err
-		}
-	}
-	if err := s.userManager.ResetTier(v.user.Name); err != nil {
-		return err
-	}
-	v.user.Billing.StripeSubscriptionID = ""
-	v.user.Billing.StripeSubscriptionStatus = ""
-	v.user.Billing.StripeSubscriptionPaidUntil = time.Unix(0, 0)
-	v.user.Billing.StripeSubscriptionCancelAt = time.Unix(0, 0)
-	if err := s.userManager.ChangeBilling(v.user); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (s *Server) handleAccountBillingSubscriptionAdd(w http.ResponseWriter, v *visitor, tier *user.Tier) error {
 	log.Info("Stripe: No existing subscription, creating checkout flow")
 	var stripeCustomerID *string
 	if v.user.Billing.StripeCustomerID != "" {
 		stripeCustomerID = &v.user.Billing.StripeCustomerID
+		stripeCustomer, err := customer.Get(v.user.Billing.StripeCustomerID, nil)
+		if err != nil {
+			return err
+		} else if stripeCustomer.Subscriptions != nil && len(stripeCustomer.Subscriptions.Data) > 0 {
+			return errors.New("customer cannot have more than one subscription") //FIXME
+		}
 	}
-	successURL := s.config.BaseURL + accountBillingSubscriptionCheckoutSuccessTemplate
+	successURL := s.config.BaseURL + "/account" //+ accountBillingSubscriptionCheckoutSuccessTemplate
 	params := &stripe.CheckoutSessionParams{
 		Customer:          stripeCustomerID, // A user may have previously deleted their subscription
 		ClientReferenceID: &v.user.Name,     // FIXME Should be user ID
@ -106,36 +80,7 @@ func (s *Server) handleAccountBillingSubscriptionAdd(w http.ResponseWriter, v *v
 	return nil
 }

-func (s *Server) handleAccountBillingSubscriptionUpdate(w http.ResponseWriter, v *visitor, tier *user.Tier) error {
-	log.Info("Stripe: Changing tier and subscription to %s", tier.Code)
-	sub, err := subscription.Get(v.user.Billing.StripeSubscriptionID, nil)
-	if err != nil {
-		return err
-	}
-	params := &stripe.SubscriptionParams{
-		CancelAtPeriodEnd: stripe.Bool(false),
-		ProrationBehavior: stripe.String(string(stripe.SubscriptionSchedulePhaseProrationBehaviorCreateProrations)),
-		Items: []*stripe.SubscriptionItemsParams{
-			{
-				ID:    stripe.String(sub.Items.Data[0].ID),
-				Price: stripe.String(tier.StripePriceID),
-			},
-		},
-	}
-	_, err = subscription.Update(sub.ID, params)
-	if err != nil {
-		return err
-	}
-	response := &apiAccountCheckoutResponse{}
-	w.Header().Set("Content-Type", "application/json")
-	w.Header().Set("Access-Control-Allow-Origin", "*") // FIXME remove this
-	if err := json.NewEncoder(w).Encode(response); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (s *Server) handleAccountCheckoutSessionSuccessGet(w http.ResponseWriter, r *http.Request, v *visitor) error {
+func (s *Server) handleAccountBillingSubscriptionCreateSuccess(w http.ResponseWriter, r *http.Request, _ *visitor) error {
 	// We don't have a v.user in this endpoint, only a userManager!
 	matches := accountBillingSubscriptionCheckoutSuccessRegex.FindStringSubmatch(r.URL.Path)
 	if len(matches) != 2 {
@ -183,6 +128,66 @@ func (s *Server) handleAccountCheckoutSessionSuccessGet(w http.ResponseWriter, r
 	return nil
 }

+// handleAccountBillingSubscriptionUpdate updates an existing Stripe subscription to a new price, and updates
+// a user's tier accordingly. This endpoint only works if there is an existing subscription.
+func (s *Server) handleAccountBillingSubscriptionUpdate(w http.ResponseWriter, r *http.Request, v *visitor) error {
+	if v.user.Billing.StripeSubscriptionID != "" {
+		return errors.New("no existing subscription for user")
+	}
+	req, err := readJSONWithLimit[apiAccountBillingSubscriptionChangeRequest](r.Body, jsonBodyBytesLimit)
+	if err != nil {
+		return err
+	}
+	tier, err := s.userManager.Tier(req.Tier)
+	if err != nil {
+		return err
+	}
+	log.Info("Stripe: Changing tier and subscription to %s", tier.Code)
+	sub, err := subscription.Get(v.user.Billing.StripeSubscriptionID, nil)
+	if err != nil {
+		return err
+	}
+	params := &stripe.SubscriptionParams{
+		CancelAtPeriodEnd: stripe.Bool(false),
+		ProrationBehavior: stripe.String(string(stripe.SubscriptionSchedulePhaseProrationBehaviorCreateProrations)),
+		Items: []*stripe.SubscriptionItemsParams{
+			{
+				ID:    stripe.String(sub.Items.Data[0].ID),
+				Price: stripe.String(tier.StripePriceID),
+			},
+		},
+	}
+	_, err = subscription.Update(sub.ID, params)
+	if err != nil {
+		return err
+	}
+	response := &apiAccountCheckoutResponse{} // FIXME
+	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set("Access-Control-Allow-Origin", "*") // FIXME remove this
+	if err := json.NewEncoder(w).Encode(response); err != nil {
+		return err
+	}
+	return nil
+}
+
+// handleAccountBillingSubscriptionDelete facilitates downgrading a paid user to a tier-less user,
+// and cancelling the Stripe subscription entirely
+func (s *Server) handleAccountBillingSubscriptionDelete(w http.ResponseWriter, r *http.Request, v *visitor) error {
+	if v.user.Billing.StripeCustomerID == "" {
+		return errHTTPBadRequestNotAPaidUser
+	}
+	if v.user.Billing.StripeSubscriptionID != "" {
+		params := &stripe.SubscriptionParams{
+			CancelAtPeriodEnd: stripe.Bool(true),
+		}
+		_, err := subscription.Update(v.user.Billing.StripeSubscriptionID, params)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func (s *Server) handleAccountBillingPortalSessionCreate(w http.ResponseWriter, r *http.Request, v *visitor) error {
 	if v.user.Billing.StripeCustomerID == "" {
 		return errHTTPBadRequestNotAPaidUser
@ -206,8 +211,8 @@ func (s *Server) handleAccountBillingPortalSessionCreate(w http.ResponseWriter,
 	return nil
 }

-func (s *Server) handleAccountBillingWebhook(w http.ResponseWriter, r *http.Request, v *visitor) error {
-	// We don't have a v.user in this endpoint, only a userManager!
+func (s *Server) handleAccountBillingWebhook(w http.ResponseWriter, r *http.Request, _ *visitor) error {
+	// Note that the visitor (v) in this endpoint is the Stripe API, so we don't have v.user available
 	stripeSignature := r.Header.Get("Stripe-Signature")
 	if stripeSignature == "" {
 		return errHTTPBadRequestInvalidStripeRequest
@ -225,30 +230,27 @@ func (s *Server) handleAccountBillingWebhook(w http.ResponseWriter, r *http.Requ
 		return errHTTPBadRequestInvalidStripeRequest
 	}
 	log.Info("Stripe: webhook event %s received", event.Type)
-	stripeCustomerID := gjson.GetBytes(event.Data.Raw, "customer")
-	if !stripeCustomerID.Exists() {
-		return errHTTPBadRequestInvalidStripeRequest
-	}
 	switch event.Type {
 	case "customer.subscription.updated":
-		return s.handleAccountBillingWebhookSubscriptionUpdated(stripeCustomerID.String(), event.Data.Raw)
+		return s.handleAccountBillingWebhookSubscriptionUpdated(event.Data.Raw)
 	case "customer.subscription.deleted":
-		return s.handleAccountBillingWebhookSubscriptionDeleted(stripeCustomerID.String(), event.Data.Raw)
+		return s.handleAccountBillingWebhookSubscriptionDeleted(event.Data.Raw)
 	default:
 		return nil
 	}
 }

-func (s *Server) handleAccountBillingWebhookSubscriptionUpdated(stripeCustomerID string, event json.RawMessage) error {
+func (s *Server) handleAccountBillingWebhookSubscriptionUpdated(event json.RawMessage) error {
+	subscriptionID := gjson.GetBytes(event, "id")
+	customerID := gjson.GetBytes(event, "customer")
 	status := gjson.GetBytes(event, "status")
 	currentPeriodEnd := gjson.GetBytes(event, "current_period_end")
 	cancelAt := gjson.GetBytes(event, "cancel_at")
 	priceID := gjson.GetBytes(event, "items.data.0.price.id")
-	if !status.Exists() || !currentPeriodEnd.Exists() || !cancelAt.Exists() || !priceID.Exists() {
+	if !subscriptionID.Exists() || !status.Exists() || !currentPeriodEnd.Exists() || !cancelAt.Exists() || !priceID.Exists() {
 		return errHTTPBadRequestInvalidStripeRequest
 	}
-	log.Info("Stripe: customer %s: subscription updated to %s, with price %s", stripeCustomerID, status, priceID)
-	u, err := s.userManager.UserByStripeCustomer(stripeCustomerID)
+	u, err := s.userManager.UserByStripeCustomer(customerID.String())
 	if err != nil {
 		return err
 	}
@ -259,22 +261,25 @@ func (s *Server) handleAccountBillingWebhookSubscriptionUpdated(stripeCustomerID
 	if err := s.userManager.ChangeTier(u.Name, tier.Code); err != nil {
 		return err
 	}
+	u.Billing.StripeSubscriptionID = subscriptionID.String()
 	u.Billing.StripeSubscriptionStatus = stripe.SubscriptionStatus(status.String())
 	u.Billing.StripeSubscriptionPaidUntil = time.Unix(currentPeriodEnd.Int(), 0)
 	u.Billing.StripeSubscriptionCancelAt = time.Unix(cancelAt.Int(), 0)
 	if err := s.userManager.ChangeBilling(u); err != nil {
 		return err
 	}
+	log.Info("Stripe: customer %s: subscription updated to %s, with price %s", customerID.String(), status, priceID)
+	s.publishSyncEventAsync(s.visitorFromUser(u, netip.IPv4Unspecified()))
 	return nil
 }

-func (s *Server) handleAccountBillingWebhookSubscriptionDeleted(stripeCustomerID string, event json.RawMessage) error {
-	status := gjson.GetBytes(event, "status")
-	if !status.Exists() {
+func (s *Server) handleAccountBillingWebhookSubscriptionDeleted(event json.RawMessage) error {
+	stripeCustomerID := gjson.GetBytes(event, "customer")
+	if !stripeCustomerID.Exists() {
 		return errHTTPBadRequestInvalidStripeRequest
 	}
-	log.Info("Stripe: customer %s: subscription deleted, downgrading to unpaid tier", stripeCustomerID)
-	u, err := s.userManager.UserByStripeCustomer(stripeCustomerID)
+	log.Info("Stripe: customer %s: subscription deleted, downgrading to unpaid tier", stripeCustomerID.String())
+	u, err := s.userManager.UserByStripeCustomer(stripeCustomerID.String())
 	if err != nil {
 		return err
 	}
@ -288,5 +293,6 @@ func (s *Server) handleAccountBillingWebhookSubscriptionDeleted(stripeCustomerID
 	if err := s.userManager.ChangeBilling(u); err != nil {
 		return err
 	}
+	s.publishSyncEventAsync(s.visitorFromUser(u, netip.IPv4Unspecified()))
 	return nil
 }
--- a/server/types.go
+++ b/server/types.go
@ -305,7 +305,7 @@ type apiConfigResponse struct {
 	DisallowedTopics   []string `json:"disallowed_topics"`
 }

-type apiAccountTierChangeRequest struct {
+type apiAccountBillingSubscriptionChangeRequest struct {
 	Tier string `json:"tier"`
 }

@ -316,3 +316,7 @@ type apiAccountCheckoutResponse struct {
 type apiAccountBillingPortalRedirectResponse struct {
 	RedirectURL string `json:"redirect_url"`
 }
+
+type apiAccountSyncTopicResponse struct {
+	Event string `json:"event"`
+}