Task/improve Stripe checkout session verification (#6872)

* Improve verification of stripeCheckoutSessionId * Update changelog
2 days ago · 8e3778cc66
5 changed files with 51 additions and 22 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -19,6 +19,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Randomized the placeholder in the assistant
 - Filtered out sectors with zero weight for ETF and mutual fund assets in the _Yahoo Finance_ data enhancer
 - Enabled the _Bull Dashboard_ in the admin control panel without requiring an environment variable (experimental)
+- Improved the verification of the _Stripe_ checkout session when creating a subscription
 - Relaxed the URL validation in the asset profile DTOs to accept both `HTTP` and `HTTPS` protocols
 - Relaxed the URL validation in the platform DTOs to accept both `HTTP` and `HTTPS` protocols
 - Extracted the page tabs to a reusable component
--- a/apps/api/src/app/subscription/subscription.controller.ts
+++ b/apps/api/src/app/subscription/subscription.controller.ts
@ -100,10 +100,12 @@ export class SubscriptionController {
      request.query.checkoutSessionId as string
    );

+    if (userId) {
      Logger.log(
        `Subscription for user '${userId}' has been created via Stripe`,
        'SubscriptionController'
      );
+    }

    response.redirect(
      `${this.configurationService.get(
--- a/apps/api/src/app/subscription/subscription.service.ts
+++ b/apps/api/src/app/subscription/subscription.service.ts
@ -17,7 +17,7 @@ import {
 } from '@ghostfolio/common/types';

 import { Injectable, Logger } from '@nestjs/common';
-import { Subscription } from '@prisma/client';
+import { Prisma, Subscription } from '@prisma/client';
 import { addMilliseconds, isBefore } from 'date-fns';
 import ms, { StringValue } from 'ms';
 import Stripe from 'stripe';
@ -108,11 +108,13 @@ export class SubscriptionService {
    duration = '1 year',
    durationExtension,
    price,
+    stripeCheckoutSessionId,
    userId
  }: {
    duration?: StringValue;
    durationExtension?: StringValue;
    price: number;
+    stripeCheckoutSessionId?: string;
    userId: string;
  }) {
    let expiresAt = addMilliseconds(new Date(), ms(duration));
@ -125,6 +127,7 @@ export class SubscriptionService {
      data: {
        expiresAt,
        price,
+        stripeCheckoutSessionId,
        user: {
          connect: {
            id: userId
@ -136,24 +139,41 @@ export class SubscriptionService {

  public async createSubscriptionViaStripe(aCheckoutSessionId: string) {
    try {
-      let durationExtension: StringValue;
-
      const session =
        await this.stripe.checkout.sessions.retrieve(aCheckoutSessionId);

+      if (session.payment_status !== 'paid' || session.status !== 'complete') {
+        throw new Error(
+          `Stripe Checkout Session '${aCheckoutSessionId}' has not been paid (status=${session.status}, payment_status=${session.payment_status})`
+        );
+      }
+
      const subscriptionOffer: SubscriptionOffer = JSON.parse(
        session.metadata.subscriptionOffer ?? '{}'
      );

-      if (subscriptionOffer) {
-        durationExtension = subscriptionOffer.durationExtension;
-      }
+      const durationExtension = subscriptionOffer?.durationExtension;

+      try {
        await this.createSubscription({
          durationExtension,
          price: session.amount_total / 100,
+          stripeCheckoutSessionId: session.id,
          userId: session.client_reference_id
        });
+      } catch (error) {
+        if (
+          error instanceof Prisma.PrismaClientKnownRequestError &&
+          error.code === 'P2002'
+        ) {
+          Logger.log(
+            `Stripe Checkout Session '${session.id}' has already been redeemed`,
+            'SubscriptionService'
+          );
+        } else {
+          throw error;
+        }
+      }

      return session.client_reference_id;
    } catch (error) {
--- a/prisma/migrations/20260516074856_added_stripe_checkout_session_to_subscription/migration.sql
+++ b/prisma/migrations/20260516074856_added_stripe_checkout_session_to_subscription/migration.sql
@ -0,0 +1,5 @@
+-- AlterTable
+ALTER TABLE "Subscription" ADD COLUMN "stripeCheckoutSessionId" TEXT;
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Subscription_stripeCheckoutSessionId_key" ON "Subscription"("stripeCheckoutSessionId");
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@ -240,6 +240,7 @@ model Subscription {
  expiresAt               DateTime
  id                      String   @id @default(uuid())
  price                   Float?
+  stripeCheckoutSessionId String?  @unique
  updatedAt               DateTime @updatedAt
  user                    User     @relation(fields: [userId], onDelete: Cascade, references: [id])
  userId                  String