feat:switch back to lemonsqueezy
This commit is contained in:
@@ -19,7 +19,7 @@ import { Route as IndexRouteImport } from './routes/index'
|
||||
import { Route as AdminIndexRouteImport } from './routes/admin/index'
|
||||
import { Route as ManageTokenRouteImport } from './routes/manage.$token'
|
||||
import { Route as AdminDrinkkaartRouteImport } from './routes/admin/drinkkaart'
|
||||
import { Route as ApiWebhookMollieRouteImport } from './routes/api/webhook/mollie'
|
||||
import { Route as ApiWebhookLemonsqueezyRouteImport } from './routes/api/webhook/lemonsqueezy'
|
||||
import { Route as ApiRpcSplatRouteImport } from './routes/api/rpc/$'
|
||||
import { Route as ApiAuthSplatRouteImport } from './routes/api/auth/$'
|
||||
|
||||
@@ -73,9 +73,9 @@ const AdminDrinkkaartRoute = AdminDrinkkaartRouteImport.update({
|
||||
path: '/admin/drinkkaart',
|
||||
getParentRoute: () => rootRouteImport,
|
||||
} as any)
|
||||
const ApiWebhookMollieRoute = ApiWebhookMollieRouteImport.update({
|
||||
id: '/api/webhook/mollie',
|
||||
path: '/api/webhook/mollie',
|
||||
const ApiWebhookLemonsqueezyRoute = ApiWebhookLemonsqueezyRouteImport.update({
|
||||
id: '/api/webhook/lemonsqueezy',
|
||||
path: '/api/webhook/lemonsqueezy',
|
||||
getParentRoute: () => rootRouteImport,
|
||||
} as any)
|
||||
const ApiRpcSplatRoute = ApiRpcSplatRouteImport.update({
|
||||
@@ -102,7 +102,7 @@ export interface FileRoutesByFullPath {
|
||||
'/admin/': typeof AdminIndexRoute
|
||||
'/api/auth/$': typeof ApiAuthSplatRoute
|
||||
'/api/rpc/$': typeof ApiRpcSplatRoute
|
||||
'/api/webhook/mollie': typeof ApiWebhookMollieRoute
|
||||
'/api/webhook/lemonsqueezy': typeof ApiWebhookLemonsqueezyRoute
|
||||
}
|
||||
export interface FileRoutesByTo {
|
||||
'/': typeof IndexRoute
|
||||
@@ -117,7 +117,7 @@ export interface FileRoutesByTo {
|
||||
'/admin': typeof AdminIndexRoute
|
||||
'/api/auth/$': typeof ApiAuthSplatRoute
|
||||
'/api/rpc/$': typeof ApiRpcSplatRoute
|
||||
'/api/webhook/mollie': typeof ApiWebhookMollieRoute
|
||||
'/api/webhook/lemonsqueezy': typeof ApiWebhookLemonsqueezyRoute
|
||||
}
|
||||
export interface FileRoutesById {
|
||||
__root__: typeof rootRouteImport
|
||||
@@ -133,7 +133,7 @@ export interface FileRoutesById {
|
||||
'/admin/': typeof AdminIndexRoute
|
||||
'/api/auth/$': typeof ApiAuthSplatRoute
|
||||
'/api/rpc/$': typeof ApiRpcSplatRoute
|
||||
'/api/webhook/mollie': typeof ApiWebhookMollieRoute
|
||||
'/api/webhook/lemonsqueezy': typeof ApiWebhookLemonsqueezyRoute
|
||||
}
|
||||
export interface FileRouteTypes {
|
||||
fileRoutesByFullPath: FileRoutesByFullPath
|
||||
@@ -150,7 +150,7 @@ export interface FileRouteTypes {
|
||||
| '/admin/'
|
||||
| '/api/auth/$'
|
||||
| '/api/rpc/$'
|
||||
| '/api/webhook/mollie'
|
||||
| '/api/webhook/lemonsqueezy'
|
||||
fileRoutesByTo: FileRoutesByTo
|
||||
to:
|
||||
| '/'
|
||||
@@ -165,7 +165,7 @@ export interface FileRouteTypes {
|
||||
| '/admin'
|
||||
| '/api/auth/$'
|
||||
| '/api/rpc/$'
|
||||
| '/api/webhook/mollie'
|
||||
| '/api/webhook/lemonsqueezy'
|
||||
id:
|
||||
| '__root__'
|
||||
| '/'
|
||||
@@ -180,7 +180,7 @@ export interface FileRouteTypes {
|
||||
| '/admin/'
|
||||
| '/api/auth/$'
|
||||
| '/api/rpc/$'
|
||||
| '/api/webhook/mollie'
|
||||
| '/api/webhook/lemonsqueezy'
|
||||
fileRoutesById: FileRoutesById
|
||||
}
|
||||
export interface RootRouteChildren {
|
||||
@@ -196,7 +196,7 @@ export interface RootRouteChildren {
|
||||
AdminIndexRoute: typeof AdminIndexRoute
|
||||
ApiAuthSplatRoute: typeof ApiAuthSplatRoute
|
||||
ApiRpcSplatRoute: typeof ApiRpcSplatRoute
|
||||
ApiWebhookMollieRoute: typeof ApiWebhookMollieRoute
|
||||
ApiWebhookLemonsqueezyRoute: typeof ApiWebhookLemonsqueezyRoute
|
||||
}
|
||||
|
||||
declare module '@tanstack/react-router' {
|
||||
@@ -271,11 +271,11 @@ declare module '@tanstack/react-router' {
|
||||
preLoaderRoute: typeof AdminDrinkkaartRouteImport
|
||||
parentRoute: typeof rootRouteImport
|
||||
}
|
||||
'/api/webhook/mollie': {
|
||||
id: '/api/webhook/mollie'
|
||||
path: '/api/webhook/mollie'
|
||||
fullPath: '/api/webhook/mollie'
|
||||
preLoaderRoute: typeof ApiWebhookMollieRouteImport
|
||||
'/api/webhook/lemonsqueezy': {
|
||||
id: '/api/webhook/lemonsqueezy'
|
||||
path: '/api/webhook/lemonsqueezy'
|
||||
fullPath: '/api/webhook/lemonsqueezy'
|
||||
preLoaderRoute: typeof ApiWebhookLemonsqueezyRouteImport
|
||||
parentRoute: typeof rootRouteImport
|
||||
}
|
||||
'/api/rpc/$': {
|
||||
@@ -308,7 +308,7 @@ const rootRouteChildren: RootRouteChildren = {
|
||||
AdminIndexRoute: AdminIndexRoute,
|
||||
ApiAuthSplatRoute: ApiAuthSplatRoute,
|
||||
ApiRpcSplatRoute: ApiRpcSplatRoute,
|
||||
ApiWebhookMollieRoute: ApiWebhookMollieRoute,
|
||||
ApiWebhookLemonsqueezyRoute: ApiWebhookLemonsqueezyRoute,
|
||||
}
|
||||
export const routeTree = rootRouteImport
|
||||
._addFileChildren(rootRouteChildren)
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
import { randomUUID } from "node:crypto";
|
||||
import { createHmac, randomUUID } from "node:crypto";
|
||||
import { creditRegistrationToAccount } from "@kk/api/routers/index";
|
||||
import { db } from "@kk/db";
|
||||
import { drinkkaart, drinkkaartTopup, registration } from "@kk/db/schema";
|
||||
@@ -7,106 +7,101 @@ import { env } from "@kk/env/server";
|
||||
import { createFileRoute } from "@tanstack/react-router";
|
||||
import { and, eq } from "drizzle-orm";
|
||||
|
||||
// Mollie payment object (relevant fields only)
|
||||
interface MolliePayment {
|
||||
id: string;
|
||||
status: string;
|
||||
amount: { value: string; currency: string };
|
||||
customerId?: string;
|
||||
metadata?: {
|
||||
registration_token?: string;
|
||||
type?: string;
|
||||
drinkkaartId?: string;
|
||||
userId?: string;
|
||||
// LemonSqueezy webhook payload types (order_created event)
|
||||
interface LemonSqueezyOrderCreatedPayload {
|
||||
meta: {
|
||||
event_name: string;
|
||||
custom_data?: {
|
||||
type?: string;
|
||||
registration_token?: string;
|
||||
drinkkaartId?: string;
|
||||
userId?: string;
|
||||
};
|
||||
};
|
||||
data: {
|
||||
id: string;
|
||||
attributes: {
|
||||
status: string;
|
||||
customer_id: number;
|
||||
total: number; // amount in cents
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
async function fetchMolliePayment(paymentId: string): Promise<MolliePayment> {
|
||||
const response = await fetch(
|
||||
`https://api.mollie.com/v2/payments/${paymentId}`,
|
||||
{
|
||||
headers: {
|
||||
Authorization: `Bearer ${env.MOLLIE_API_KEY}`,
|
||||
},
|
||||
},
|
||||
);
|
||||
|
||||
if (!response.ok) {
|
||||
throw new Error(
|
||||
`Failed to fetch Mollie payment ${paymentId}: ${response.status}`,
|
||||
);
|
||||
}
|
||||
|
||||
return response.json() as Promise<MolliePayment>;
|
||||
function verifyWebhookSignature(
|
||||
payload: string,
|
||||
signature: string,
|
||||
secret: string,
|
||||
): boolean {
|
||||
const hmac = createHmac("sha256", secret);
|
||||
hmac.update(payload);
|
||||
const digest = hmac.digest("hex");
|
||||
return signature === digest;
|
||||
}
|
||||
|
||||
async function handleWebhook({ request }: { request: Request }) {
|
||||
if (!env.MOLLIE_API_KEY) {
|
||||
console.error("MOLLIE_API_KEY not configured");
|
||||
if (!env.LEMON_SQUEEZY_WEBHOOK_SECRET) {
|
||||
console.error("LEMON_SQUEEZY_WEBHOOK_SECRET not configured");
|
||||
return new Response("Payment provider not configured", { status: 500 });
|
||||
}
|
||||
|
||||
// Mollie sends application/x-www-form-urlencoded with a single "id" field
|
||||
let paymentId: string | null = null;
|
||||
const payload = await request.text();
|
||||
const signature = request.headers.get("X-Signature");
|
||||
|
||||
if (!signature) {
|
||||
return new Response("Missing signature", { status: 401 });
|
||||
}
|
||||
|
||||
if (
|
||||
!verifyWebhookSignature(
|
||||
payload,
|
||||
signature,
|
||||
env.LEMON_SQUEEZY_WEBHOOK_SECRET,
|
||||
)
|
||||
) {
|
||||
return new Response("Invalid signature", { status: 401 });
|
||||
}
|
||||
|
||||
let event: LemonSqueezyOrderCreatedPayload;
|
||||
try {
|
||||
const body = await request.text();
|
||||
const params = new URLSearchParams(body);
|
||||
paymentId = params.get("id");
|
||||
event = JSON.parse(payload) as LemonSqueezyOrderCreatedPayload;
|
||||
} catch {
|
||||
return new Response("Invalid request body", { status: 400 });
|
||||
return new Response("Invalid JSON", { status: 400 });
|
||||
}
|
||||
|
||||
if (!paymentId) {
|
||||
return new Response("Missing payment id", { status: 400 });
|
||||
// Only handle order_created events
|
||||
if (event.meta.event_name !== "order_created") {
|
||||
return new Response("Event ignored", { status: 200 });
|
||||
}
|
||||
|
||||
// Fetch-to-verify: retrieve the actual payment from Mollie to confirm its
|
||||
// status. A malicious webhook cannot fake a paid status this way.
|
||||
let payment: MolliePayment;
|
||||
try {
|
||||
payment = await fetchMolliePayment(paymentId);
|
||||
} catch (err) {
|
||||
console.error("Failed to fetch Mollie payment:", err);
|
||||
return new Response("Failed to fetch payment", { status: 500 });
|
||||
}
|
||||
|
||||
// Only process paid payments
|
||||
if (payment.status !== "paid") {
|
||||
return new Response("Payment status ignored", { status: 200 });
|
||||
}
|
||||
|
||||
const metadata = payment.metadata;
|
||||
const orderId = event.data.id;
|
||||
const customerId = String(event.data.attributes.customer_id);
|
||||
const amountCents = event.data.attributes.total;
|
||||
const customData = event.meta.custom_data;
|
||||
|
||||
try {
|
||||
// -------------------------------------------------------------------------
|
||||
// Branch: Drinkkaart top-up
|
||||
// -------------------------------------------------------------------------
|
||||
if (metadata?.type === "drinkkaart_topup") {
|
||||
const { drinkkaartId, userId } = metadata;
|
||||
if (customData?.type === "drinkkaart_topup") {
|
||||
const { drinkkaartId, userId } = customData;
|
||||
if (!drinkkaartId || !userId) {
|
||||
console.error(
|
||||
"Missing drinkkaartId or userId in drinkkaart_topup payment metadata",
|
||||
"Missing drinkkaartId or userId in drinkkaart_topup custom_data",
|
||||
);
|
||||
return new Response("Missing drinkkaart data", { status: 400 });
|
||||
}
|
||||
|
||||
// Amount in cents — Mollie returns e.g. "10.00"; parse to integer cents
|
||||
const amountCents = Math.round(
|
||||
Number.parseFloat(payment.amount.value) * 100,
|
||||
);
|
||||
|
||||
// Idempotency: skip if already processed
|
||||
const existing = await db
|
||||
.select({ id: drinkkaartTopup.id })
|
||||
.from(drinkkaartTopup)
|
||||
.where(eq(drinkkaartTopup.molliePaymentId, payment.id))
|
||||
.where(eq(drinkkaartTopup.lemonsqueezyOrderId, orderId))
|
||||
.limit(1)
|
||||
.then((r) => r[0]);
|
||||
|
||||
if (existing) {
|
||||
console.log(
|
||||
`Drinkkaart topup already processed for payment ${payment.id}`,
|
||||
);
|
||||
console.log(`Drinkkaart topup already processed for order ${orderId}`);
|
||||
return new Response("OK", { status: 200 });
|
||||
}
|
||||
|
||||
@@ -141,7 +136,7 @@ async function handleWebhook({ request }: { request: Request }) {
|
||||
);
|
||||
|
||||
if (result.rowsAffected === 0) {
|
||||
// Return 500 so Mollie retries; idempotency check prevents double-credit
|
||||
// Return 500 so LemonSqueezy retries; idempotency check prevents double-credit
|
||||
console.error(
|
||||
`Drinkkaart optimistic lock conflict for ${drinkkaartId}`,
|
||||
);
|
||||
@@ -156,14 +151,14 @@ async function handleWebhook({ request }: { request: Request }) {
|
||||
balanceBefore,
|
||||
balanceAfter,
|
||||
type: "payment",
|
||||
molliePaymentId: payment.id,
|
||||
lemonsqueezyOrderId: orderId,
|
||||
adminId: null,
|
||||
reason: null,
|
||||
paidAt: new Date(),
|
||||
});
|
||||
|
||||
console.log(
|
||||
`Drinkkaart topup successful: drinkkaart=${drinkkaartId}, amount=${amountCents}c, payment=${payment.id}`,
|
||||
`Drinkkaart topup successful: drinkkaart=${drinkkaartId}, amount=${amountCents}c, order=${orderId}`,
|
||||
);
|
||||
|
||||
return new Response("OK", { status: 200 });
|
||||
@@ -172,9 +167,9 @@ async function handleWebhook({ request }: { request: Request }) {
|
||||
// -------------------------------------------------------------------------
|
||||
// Branch: Registration payment
|
||||
// -------------------------------------------------------------------------
|
||||
const registrationToken = metadata?.registration_token;
|
||||
const registrationToken = customData?.registration_token;
|
||||
if (!registrationToken) {
|
||||
console.error("No registration token in payment metadata");
|
||||
console.error("No registration token in order custom_data");
|
||||
return new Response("Missing registration token", { status: 400 });
|
||||
}
|
||||
|
||||
@@ -197,13 +192,14 @@ async function handleWebhook({ request }: { request: Request }) {
|
||||
.set({
|
||||
paymentStatus: "paid",
|
||||
paymentAmount: 0,
|
||||
molliePaymentId: payment.id,
|
||||
lemonsqueezyOrderId: orderId,
|
||||
lemonsqueezyCustomerId: customerId,
|
||||
paidAt: new Date(),
|
||||
})
|
||||
.where(eq(registration.managementToken, registrationToken));
|
||||
|
||||
console.log(
|
||||
`Payment successful for registration ${registrationToken}, payment ${payment.id}`,
|
||||
`Payment successful for registration ${registrationToken}, order ${orderId}`,
|
||||
);
|
||||
|
||||
// If this is a watcher with a drink card value, try to credit their
|
||||
@@ -254,7 +250,7 @@ async function handleWebhook({ request }: { request: Request }) {
|
||||
}
|
||||
}
|
||||
|
||||
export const Route = createFileRoute("/api/webhook/mollie")({
|
||||
export const Route = createFileRoute("/api/webhook/lemonsqueezy")({
|
||||
server: {
|
||||
handlers: {
|
||||
POST: handleWebhook,
|
||||
Reference in New Issue
Block a user