eliott/worldmonitor
1
0
Fork 0
mirror of https://github.com/koala73/worldmonitor.git synced 2026-04-25 17:14:57 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
3d7e60ca7d4e58edbdfa59b9c06b6e07d58c108e
worldmonitor/api/create-checkout.ts
Elie Habib 62c043e8fd feat(checkout): in-page checkout on /pro + dashboard migration to edge endpoint (#2668) 
* feat(checkout): add /relay/create-checkout + internalCreateCheckout

Shared _createCheckoutSession helper used by both public createCheckout
(Convex auth) and internalCreateCheckout (trusted relay with userId).
Relay route in http.ts follows notification-channels pattern.

* feat(checkout): add /api/create-checkout edge gateway

Thin auth proxy: validates Clerk JWT, relays to Convex
/relay/create-checkout. CORS, POST only, no-store, 15s timeout.
Same CONVEX_SITE_URL fallback as notification-channels.

* feat(pro): add checkout service with Clerk + Dodo overlay

Lazy Clerk init, token retry, auto-resume after sign-in, in-flight
lock, doCheckout returns boolean for intent preservation.
Added @clerk/clerk-js + dodopayments-checkout deps.

* feat(pro): in-page checkout via Clerk sign-in + Dodo overlay

PricingSection CTA buttons call startCheckout() directly instead of
redirecting to dashboard. Dodo overlay initialized at App startup
with success banner + redirect to dashboard after payment.

* feat(checkout): migrate dashboard to /api/create-checkout edge endpoint

Replace ConvexClient.action(createCheckout) with fetch to edge endpoint.
Removes getConvexClient/getConvexApi/waitForConvexAuth dependency from
checkout. Returns Promise<boolean>. resumePendingCheckout only clears
intent on success. Token retry, in-flight lock, Sentry capture.

* fix(checkout): restore customer prefill + use origin returnUrl

P2-1: Extract email/name from Clerk JWT in validateBearerToken. Edge
gateway forwards them to Convex relay. Dodo checkout prefilled again.

P2-2: Dashboard returnUrl uses window.location.origin instead of
hardcoded canonical URL. Respects variant hosts (app.worldmonitor.app).

* fix(pro): guard ensureClerk concurrency, catch initOverlay import error

- ensureClerk: promise guard prevents duplicate Clerk instances on
  concurrent calls
- initOverlay: .catch() logs Dodo SDK import failures instead of
  unhandled rejection

* test(auth): add JWT customer prefill extraction tests

Verifies email/name are extracted from Clerk JWT payload for checkout
prefill. Tests both present and absent cases.
2026-04-04 12:35:23 +04:00

115 lines
3.4 KiB
TypeScript
Raw Blame History

/**
* Checkout session creation edge gateway.
*
* Thin auth proxy: validates Clerk bearer token, then relays to the
* Convex /relay/create-checkout HTTP action which runs the actual
* Dodo checkout session creation with all validation (returnUrl
* allowlist, HMAC signing, customer prefill).
*
* Used by both the /pro marketing page and the main dashboard.
*/
export const config = { runtime: 'edge' };
// @ts-expect-error — JS module, no declaration file
import { getCorsHeaders } from './_cors.js';
import { validateBearerToken } from '../server/auth-session';
const CONVEX_SITE_URL =
process.env.CONVEX_SITE_URL ??
(process.env.CONVEX_URL ?? '').replace('.convex.cloud', '.convex.site');
const RELAY_SHARED_SECRET = process.env.RELAY_SHARED_SECRET ?? '';
function json(body: unknown, status: number, cors: Record<string, string>): Response {
return new Response(JSON.stringify(body), {
status,
headers: {
'Content-Type': 'application/json',
'Cache-Control': 'no-store',
...cors,
},
});
}
export default async function handler(req: Request): Promise<Response> {
const cors = getCorsHeaders(req) as Record<string, string>;
if (req.method === 'OPTIONS') {
return new Response(null, {
status: 204,
headers: {
...cors,
'Access-Control-Allow-Methods': 'POST, OPTIONS',
'Access-Control-Allow-Headers': 'Content-Type, Authorization',
},
});
}
if (req.method !== 'POST') {
return json({ error: 'Method not allowed' }, 405, cors);
}
// Validate Clerk bearer token
const authHeader = req.headers.get('Authorization') ?? '';
const token = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : '';
if (!token) return json({ error: 'Unauthorized' }, 401, cors);
const session = await validateBearerToken(token);
if (!session.valid || !session.userId) {
return json({ error: 'Unauthorized' }, 401, cors);
}
// Parse request body
let body: {
productId?: string;
returnUrl?: string;
discountCode?: string;
referralCode?: string;
};
try {
body = await req.json() as typeof body;
} catch {
return json({ error: 'Invalid JSON' }, 400, cors);
}
if (!body.productId || typeof body.productId !== 'string') {
return json({ error: 'productId is required' }, 400, cors);
}
if (!CONVEX_SITE_URL || !RELAY_SHARED_SECRET) {
return json({ error: 'Service unavailable' }, 503, cors);
}
// Relay to Convex
try {
const resp = await fetch(`${CONVEX_SITE_URL}/relay/create-checkout`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
Authorization: `Bearer ${RELAY_SHARED_SECRET}`,
},
body: JSON.stringify({
userId: session.userId,
email: session.email,
name: session.name,
productId: body.productId,
returnUrl: body.returnUrl,
discountCode: body.discountCode,
referralCode: body.referralCode,
}),
signal: AbortSignal.timeout(15_000),
});
const data = await resp.json();
if (!resp.ok) {
console.error('[create-checkout] Relay error:', resp.status, data);
return json({ error: data?.error || 'Checkout creation failed' }, 502, cors);
}
return json(data, 200, cors);
} catch (err) {
console.error('[create-checkout] Relay failed:', (err as Error).message);
return json({ error: 'Checkout service unavailable' }, 502, cors);
}
}
Reference in New Issue View Git Blame Copy Permalink