tenseleyflow/shithub / 54c4e32

+// PRO04 note: this file is now subject-agnostic — it routes Stripe

+// webhook events to either org or user billing state based on the

+// resolved Principal. The file still lives under `handlers/orgs/`

+// for wiring continuity; a follow-up sprint moves it to

+// `handlers/billing/` once the SP-only callers are gone.

+

+	principal, err := h.resolvePrincipalFromCheckout(ctx, &session, customerID)

+	if err != nil {

+		return err

+	}

+	_, err = orgbilling.SetStripeCustomerForPrincipal(ctx, orgbilling.Deps{Pool: h.d.Pool}, principal, customerID)

+// resolvePrincipalFromCheckout walks the resolution chain for a

+// checkout.session.completed event. Order matches the spec:

+//  1. metadata.shithub_subject_kind + shithub_subject_id (PRO04 path)

+//  2. metadata.shithub_org_id (legacy SP03 path)

+//  3. client_reference_id parsed as int (legacy SP03 path)

+//  4. customer-id lookup against both tables

+//

+// Any path that yields a Principal returns immediately; the

+// fall-through error covers events that can't be matched at all.

+func (h *Handlers) resolvePrincipalFromCheckout(ctx context.Context, session *stripeapi.CheckoutSession, customerID string) (orgbilling.Principal, error) {

+	if p, ok := stripePrincipalFromMetadata(session.Metadata); ok {

+		return p, nil

+	}

+	if orgID := stripeOrgIDFromMetadata(session.Metadata); orgID != 0 {

+		return orgbilling.PrincipalForOrg(orgID), nil

+	}

+	if id, err := strconv.ParseInt(strings.TrimSpace(session.ClientReferenceID), 10, 64); err == nil && id > 0 {

+		// Legacy client_reference_id is org-only by convention.

+		return orgbilling.PrincipalForOrg(id), nil

+	}

+	if customerID != "" {

+		state, err := orgbilling.ResolvePrincipalByStripeCustomer(ctx, orgbilling.Deps{Pool: h.d.Pool}, customerID)

+		if err == nil {

+			return state.Principal, nil

+		}

+		if !errors.Is(err, orgbilling.ErrPrincipalNotFound) {

+			return orgbilling.Principal{}, err

+		}

+	}

+	return orgbilling.Principal{}, errors.New("stripe checkout.session.completed missing shithub subject metadata")

+}

+

+	principal, err := h.resolvePrincipalFromSubscription(ctx, &sub)

+	// Cross-kind price-id check: if the subscription's first item

+	// price doesn't match the expected price for the resolved kind,

+	// refuse to apply. A Pro price on an org subject (or Team on

+	// user) means metadata was misconfigured in the Stripe Dashboard;

+	// silently applying would corrupt the wrong table.

+	if err := h.guardPriceKindMatch(principal.Kind, &sub); err != nil {

+		return err

+	}

+		if _, err := orgbilling.SetStripeCustomerForPrincipal(ctx, orgbilling.Deps{Pool: h.d.Pool}, principal, customerID); err != nil {

+		_, err := orgbilling.MarkCanceledForPrincipal(ctx, orgbilling.Deps{Pool: h.d.Pool}, principal, event.ID)

+	_, err = orgbilling.ApplySubscriptionSnapshotForPrincipal(ctx, orgbilling.Deps{Pool: h.d.Pool}, orgbilling.PrincipalSubscriptionSnapshot{

+		Principal:                principal,

+// resolvePrincipalFromSubscription walks the same chain as the

+// checkout resolver but starts from a subscription object.

+func (h *Handlers) resolvePrincipalFromSubscription(ctx context.Context, sub *stripeapi.Subscription) (orgbilling.Principal, error) {

+	if p, ok := stripePrincipalFromMetadata(sub.Metadata); ok {

+		return p, nil

+	}

+	if orgID := stripeOrgIDFromMetadata(sub.Metadata); orgID != 0 {

+		return orgbilling.PrincipalForOrg(orgID), nil

+	}

+	if customerID := stripeCustomerID(sub.Customer); customerID != "" {

+		state, err := orgbilling.ResolvePrincipalByStripeCustomer(ctx, orgbilling.Deps{Pool: h.d.Pool}, customerID)

+		if err == nil {

+			return state.Principal, nil

+		}

+		if !errors.Is(err, orgbilling.ErrPrincipalNotFound) {

+			return orgbilling.Principal{}, err

+		}

+	}

+	if subID := strings.TrimSpace(sub.ID); subID != "" {

+		state, err := orgbilling.ResolvePrincipalByStripeSubscription(ctx, orgbilling.Deps{Pool: h.d.Pool}, subID)

+		if err == nil {

+			return state.Principal, nil

+		}

+		if !errors.Is(err, orgbilling.ErrPrincipalNotFound) {

+			return orgbilling.Principal{}, err

+		}

+	}

+	return orgbilling.Principal{}, errors.New("stripe subscription does not map to a shithub subject")

+}

+

+// guardPriceKindMatch refuses to apply a subscription when the

+// price-id on its first line item doesn't match the expected price

+// for the resolved subject kind. Catches dashboard-side

+// misconfiguration before it writes the wrong table.

+//

+// The check requires the handler to know which price-id is Pro and

+// which is Team — that wiring lands via BillingPriceIDs(); a

+// non-configured client (Pro disabled) skips the check rather than

+// rejecting org events. PRO-disabled instances never see Pro

+// events, so the org path is unaffected.

+func (h *Handlers) guardPriceKindMatch(kind orgbilling.SubjectKind, sub *stripeapi.Subscription) error {

+	if sub == nil || sub.Items == nil || len(sub.Items.Data) == 0 || sub.Items.Data[0] == nil || sub.Items.Data[0].Price == nil {

+		// No price on the event — nothing to validate. Subsequent

+		// apply logic surfaces the missing-data error if needed.

+		return nil

+	}

+	priceID := strings.TrimSpace(sub.Items.Data[0].Price.ID)

+	teamPrice, proPrice := h.d.BillingPriceIDs()

+	switch kind {

+	case orgbilling.SubjectKindOrg:

+		if teamPrice != "" && priceID != "" && priceID != teamPrice {

+			if priceID == proPrice {

+				return fmt.Errorf("stripe subscription: Pro price %q applied to org subject — metadata likely misconfigured", priceID)

+			}

+			return fmt.Errorf("stripe subscription: price %q does not match expected team price %q for org subject", priceID, teamPrice)

+		}

+	case orgbilling.SubjectKindUser:

+		if proPrice != "" && priceID != "" && priceID != proPrice {

+			if priceID == teamPrice {

+				return fmt.Errorf("stripe subscription: Team price %q applied to user subject — metadata likely misconfigured", priceID)

+			}

+			return fmt.Errorf("stripe subscription: price %q does not match expected pro price %q for user subject", priceID, proPrice)

+		}

+	}

+	return nil

+}

+

+	principalState, err := h.resolvePrincipalStateFromInvoice(ctx, &inv)

+	if _, err := orgbilling.UpsertInvoiceForPrincipal(ctx, orgbilling.Deps{Pool: h.d.Pool}, principalState.Principal, orgbilling.InvoiceSnapshot{

+		_, err := orgbilling.MarkPastDueForPrincipal(ctx, orgbilling.Deps{Pool: h.d.Pool}, principalState.Principal, graceUntil, event.ID)

+		if principalState.SubscriptionStatus != orgbilling.SubscriptionStatusCanceled {

+			_, err := orgbilling.MarkPaymentSucceededForPrincipal(ctx, orgbilling.Deps{Pool: h.d.Pool}, principalState.Principal, event.ID)

+// resolvePrincipalStateFromInvoice resolves Principal AND fetches

+// the current billing state in one shot — the apply branch needs

+// the SubscriptionStatus to decide whether to flip payment-

+// succeeded transitions. Mirrors the legacy

+// resolveOrgStateFromInvoice but returns a kind-tagged Principal.

+func (h *Handlers) resolvePrincipalStateFromInvoice(ctx context.Context, inv *stripeapi.Invoice) (orgbilling.PrincipalState, error) {

+		state, err := orgbilling.ResolvePrincipalByStripeCustomer(ctx, orgbilling.Deps{Pool: h.d.Pool}, customerID)

+			return state, nil

+		if !errors.Is(err, orgbilling.ErrPrincipalNotFound) {

+			return orgbilling.PrincipalState{}, err

+		state, err := orgbilling.ResolvePrincipalByStripeSubscription(ctx, orgbilling.Deps{Pool: h.d.Pool}, subID)

+			return state, nil

+		if !errors.Is(err, orgbilling.ErrPrincipalNotFound) {

+			return orgbilling.PrincipalState{}, err

+	return orgbilling.PrincipalState{}, errors.New("stripe invoice does not map to a shithub subject")

+}

+

+// stripePrincipalFromMetadata reads the PRO04 subject metadata

+// keys. Returns ok=false when either key is missing or malformed —

+// the caller falls through to the legacy resolution chain.

+func stripePrincipalFromMetadata(metadata map[string]string) (orgbilling.Principal, bool) {

+	if len(metadata) == 0 {

+		return orgbilling.Principal{}, false

+	}

+	kind := orgbilling.SubjectKind(strings.TrimSpace(metadata[stripebilling.MetadataSubjectKind]))

+	if !kind.Valid() {

+		return orgbilling.Principal{}, false

+	}

+	rawID := strings.TrimSpace(metadata[stripebilling.MetadataSubjectID])

+	id, err := strconv.ParseInt(rawID, 10, 64)

+	if err != nil || id <= 0 {

+		return orgbilling.Principal{}, false

+	}

+	return orgbilling.Principal{Kind: kind, ID: id}, true

+// stripeOrgIDFromMetadata reads the legacy SP03 metadata key.

+// PRO04 keeps it for backward compatibility — existing org

+// subscriptions stamped before PRO04 deployed carry only this

+// key. Resolvers try the PRO04 keys first, fall back to this.

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package orgs

+

+import (

+	"testing"

+

+	orgbilling "github.com/tenseleyFlow/shithub/internal/billing"

+	"github.com/tenseleyFlow/shithub/internal/billing/stripebilling"

+)

+

+func TestStripePrincipalFromMetadataPRO04Keys(t *testing.T) {

+	t.Parallel()

+	m := map[string]string{

+		stripebilling.MetadataSubjectKind: "user",

+		stripebilling.MetadataSubjectID:   "42",

+	}

+	p, ok := stripePrincipalFromMetadata(m)

+	if !ok {

+		t.Fatal("expected ok=true for valid PRO04 metadata")

+	}

+	if !p.IsUser() || p.ID != 42 {

+		t.Errorf("user principal mismatch: %+v", p)

+	}

+}

+

+func TestStripePrincipalFromMetadataOrgKind(t *testing.T) {

+	t.Parallel()

+	m := map[string]string{

+		stripebilling.MetadataSubjectKind: "org",

+		stripebilling.MetadataSubjectID:   "7",

+	}

+	p, ok := stripePrincipalFromMetadata(m)

+	if !ok {

+		t.Fatal("expected ok=true for org PRO04 metadata")

+	}

+	if !p.IsOrg() || p.ID != 7 {

+		t.Errorf("org principal mismatch: %+v", p)

+	}

+}

+

+func TestStripePrincipalFromMetadataRejectsMissingKeys(t *testing.T) {

+	t.Parallel()

+	cases := []map[string]string{

+		nil,

+		{},

+		// Missing id.

+		{stripebilling.MetadataSubjectKind: "user"},

+		// Missing kind.

+		{stripebilling.MetadataSubjectID: "1"},

+		// Bogus kind.

+		{

+			stripebilling.MetadataSubjectKind: "alien",

+			stripebilling.MetadataSubjectID:   "1",

+		},

+		// Non-integer id.

+		{

+			stripebilling.MetadataSubjectKind: "user",

+			stripebilling.MetadataSubjectID:   "abc",

+		},

+		// Zero/negative id.

+		{

+			stripebilling.MetadataSubjectKind: "user",

+			stripebilling.MetadataSubjectID:   "0",

+		},

+		{

+			stripebilling.MetadataSubjectKind: "user",

+			stripebilling.MetadataSubjectID:   "-1",

+		},

+	}

+	for i, m := range cases {

+		if _, ok := stripePrincipalFromMetadata(m); ok {

+			t.Errorf("case %d: expected ok=false for %+v", i, m)

+		}

+	}

+}

+

+func TestStripeOrgIDFromMetadataLegacyKey(t *testing.T) {

+	t.Parallel()

+	m := map[string]string{stripebilling.MetadataOrgID: "99"}

+	if got := stripeOrgIDFromMetadata(m); got != 99 {

+		t.Errorf("legacy org id: got %d, want 99", got)

+	}

+	// Missing / bad ones return 0.

+	for _, m := range []map[string]string{

+		nil,

+		{},

+		{stripebilling.MetadataOrgID: ""},

+		{stripebilling.MetadataOrgID: "abc"},

+		{stripebilling.MetadataOrgID: "0"},

+		{stripebilling.MetadataOrgID: "-1"},

+	} {

+		if got := stripeOrgIDFromMetadata(m); got != 0 {

+			t.Errorf("expected 0 for %+v, got %d", m, got)

+		}

+	}

+}

+

+// Make sure the resolver chain prefers PRO04 keys over legacy when

+// both are present — defends against an old org's metadata being

+// re-stamped during Pro adoption.

+func TestStripePrincipalPRO04KeysPreferredOverLegacy(t *testing.T) {

+	t.Parallel()

+	m := map[string]string{

+		stripebilling.MetadataSubjectKind: "user",

+		stripebilling.MetadataSubjectID:   "42",

+		stripebilling.MetadataOrgID:       "7", // would route to org if used

+	}

+	p, ok := stripePrincipalFromMetadata(m)

+	if !ok || !p.IsUser() || p.ID != 42 {

+		t.Errorf("PRO04 user keys not preferred: got %+v ok=%v", p, ok)

+	}

+}

+

+// Mismatch guard: when the orchestrator constructs a Principal,

+// the kind and id must survive String() formatting (used in logs).

+func TestPrincipalStringRoundTrip(t *testing.T) {

+	t.Parallel()

+	if got := orgbilling.PrincipalForUser(99).String(); got != "user:99" {

+		t.Errorf("user string: %q", got)

+	}

+	if got := orgbilling.PrincipalForOrg(99).String(); got != "org:99" {

+		t.Errorf("org string: %q", got)

+	}

+}