feat: complete payment flow, verify signature

Author: apsinghdev

apps/api/prisma/schema.prisma

@@ -13,12 +13,12 @@ model QueryCount {
 }
 
 model User {
-  id            String   @id @default(cuid())
-  email         String   @unique
+  id            String         @id @default(cuid())
+  email         String         @unique
   firstName     String
   authMethod    String
-  createdAt     DateTime @default(now())
-  lastLogin     DateTime @updatedAt
+  createdAt     DateTime       @default(now())
+  lastLogin     DateTime       @updatedAt
   accounts      Account[]
   payments      Payment[]
   subscriptions Subscription[]
@@ -53,8 +53,8 @@ model Payment {
   status            String
   createdAt         DateTime      @default(now())
   updatedAt         DateTime      @updatedAt
-  user              User          @relation(fields: [userId], references: [id], onDelete: Cascade)
   subscription      Subscription? @relation(fields: [subscriptionId], references: [id])
+  user              User          @relation(fields: [userId], references: [id], onDelete: Cascade)
 }
 
 model Subscription {
@@ -65,21 +65,20 @@ model Subscription {
   startDate DateTime  @default(now())
   endDate   DateTime
   autoRenew Boolean   @default(true)
-  user      User      @relation(fields: [userId], references: [id], onDelete: Cascade)
-  plan      Plan      @relation(fields: [planId], references: [id], onDelete: Cascade)
   payments  Payment[]
+  plan      Plan      @relation(fields: [planId], references: [id], onDelete: Cascade)
+  user      User      @relation(fields: [userId], references: [id], onDelete: Cascade)
 
   @@index([userId])
 }
 
 model Plan {
-  id          String   @id @default(cuid())
-  name        String   // e.g. "pro-monthly", "pro-yearly", "free"
-  interval    String   // "monthly" | "yearly"
-  price       Int      // amount in paise
-  currency    String   @default("INR")
-  createdAt   DateTime @default(now())
-  updatedAt   DateTime @updatedAt
-
+  id            String         @id @default(cuid())
+  name          String
+  interval      String
+  price         Int
+  currency      String         @default("INR")
+  createdAt     DateTime       @default(now())
+  updatedAt     DateTime       @updatedAt
   subscriptions Subscription[]
 }

apps/api/src/index.ts

@@ -11,6 +11,8 @@ import rateLimit from "express-rate-limit";
 import helmet from "helmet";
 import ipBlocker from "./middleware/ipBlock.js";
 import Razorpay from "razorpay";
+import crypto from "crypto";
+import { paymentService } from "./services/payment.service.js";
 
 dotenv.config();
 
@@ -58,7 +60,8 @@ const apiLimiter = rateLimit({
   legacyHeaders: false,
 });
 
-// Request size limits
+// Request size limits (except for webhook - needs raw body)
+app.use("/webhook/razorpay", express.raw({ type: "application/json" }));
 app.use(express.json({ limit: "10kb" }));
 app.use(express.urlencoded({ limit: "10kb", extended: true }));
 
@@ -95,6 +98,105 @@ app.get("/test", apiLimiter, (req: Request, res: Response) => {
   res.status(200).json({ status: "ok", message: "Test endpoint is working" });
 });
 
+// Razorpay Webhook Handler (Backup Flow)
+app.post("/webhook/razorpay", async (req: Request, res: Response) => {
+  try {
+    const webhookSecret = process.env.RAZORPAY_WEBHOOK_SECRET;
+    if (!webhookSecret) {
+      console.error("RAZORPAY_WEBHOOK_SECRET not configured");
+      return res.status(500).json({ error: "Webhook not configured" });
+    }
+
+    // Get signature from headers
+    const signature = req.headers["x-razorpay-signature"] as string;
+    if (!signature) {
+      return res.status(400).json({ error: "Missing signature" });
+    }
+
+    // Verify webhook signature
+    const body = req.body.toString();
+    const expectedSignature = crypto
+      .createHmac("sha256", webhookSecret)
+      .update(body)
+      .digest("hex");
+
+    const isValidSignature = crypto.timingSafeEqual(
+      Buffer.from(signature),
+      Buffer.from(expectedSignature)
+    );
+
+    if (!isValidSignature) {
+      console.error("Invalid webhook signature");
+      return res.status(400).json({ error: "Invalid signature" });
+    }
+
+    // Parse the event
+    const event = JSON.parse(body);
+    const eventType = event.event;
+
+    // Handle payment.captured event
+    if (eventType === "payment.captured") {
+      const payment = event.payload.payment.entity;
+
+      // Extract payment details
+      const razorpayPaymentId = payment.id;
+      const razorpayOrderId = payment.order_id;
+      const amount = payment.amount;
+      const currency = payment.currency;
+
+      // Get user ID from order notes (should be stored when creating order)
+      const notes = payment.notes || {};
+      const userId = notes.user_id;
+
+      if (!userId) {
+        console.error("User ID not found in payment notes");
+        return res.status(400).json({ error: "User ID not found" });
+      }
+
+      // Get plan ID from notes
+      const planId = notes.plan_id;
+      if (!planId) {
+        console.error("Plan ID not found in payment notes");
+        return res.status(400).json({ error: "Plan ID not found" });
+      }
+
+      try {
+        // Create payment record (with idempotency check)
+        const paymentRecord = await paymentService.createPaymentRecord(userId, {
+          razorpayPaymentId,
+          razorpayOrderId,
+          amount,
+          currency,
+        });
+
+        // Create subscription (with idempotency check)
+        await paymentService.createSubscription(
+          userId,
+          planId,
+          paymentRecord.id
+        );
+
+        console.log(
+          `✅ Webhook: Payment ${razorpayPaymentId} processed successfully`
+        );
+        return res.status(200).json({ status: "ok" });
+      } catch (error: any) {
+        console.error("Webhook payment processing error:", error);
+        // Return 200 to prevent Razorpay retries for application errors
+        return res
+          .status(200)
+          .json({ status: "ok", note: "Already processed" });
+      }
+    }
+
+    // Acknowledge other events
+    return res.status(200).json({ status: "ok" });
+  } catch (error: any) {
+    console.error("Webhook error:", error);
+    return res.status(500).json({ error: "Internal server error" });
+  }
+});
+
 // Connect to database
 prismaModule.connectDB();
 

apps/api/src/routers/payment.ts

@@ -4,26 +4,69 @@ import { TRPCError } from "@trpc/server";
 import { paymentService } from "../services/payment.service.js";
 
 const createOrderSchema = z.object({
-  amount: z.number().positive("Amount must be positive"),
-  currency: z
-    .string()
-    .min(3, "Currency must be at least 3 characters")
-    .max(3, "Currency must be 3 characters"),
+  planId: z.string().min(1, "Plan ID is required"),
   receipt: z.string().min(1, "Receipt is required"),
   notes: z.record(z.string(), z.string()).optional(),
 });
 
+const verifyPaymentSchema = z.object({
+  razorpay_payment_id: z.string().min(1, "Payment ID is required"),
+  razorpay_order_id: z.string().min(1, "Order ID is required"),
+  razorpay_signature: z.string().min(1, "Signature is required"),
+  planId: z.string().min(1, "Plan ID is required"),
+});
+
 export const paymentRouter = router({
   createOrder: protectedProcedure
     .input(createOrderSchema)
     .mutation(
-      async ({ input }: { input: z.infer<typeof createOrderSchema> }) => {
+      async ({
+        input,
+        ctx,
+      }: {
+        input: z.infer<typeof createOrderSchema>;
+        ctx: any;
+      }) => {
         try {
+          const userId = ctx.user?.id;
+          if (!userId) {
+            throw new TRPCError({
+              code: "UNAUTHORIZED",
+              message: "User not authenticated",
+            });
+          }
+
+          // Fetch plan from database to get the price
+          const plan = await paymentService.getPlan(input.planId);
+
+          if (!plan) {
+            throw new TRPCError({
+              code: "NOT_FOUND",
+              message: "Plan not found",
+            });
+          }
+
+          // Validate plan has required fields
+          if (!plan.price || !plan.currency) {
+            console.error("Plan missing required fields:", plan);
+            throw new TRPCError({
+              code: "BAD_REQUEST",
+              message: "Plan is missing price or currency information",
+            });
+          }
+
+          // Add user_id and plan_id to notes for webhook processing
+          const notesWithUserId = {
+            ...(input.notes || {}),
+            user_id: userId,
+            plan_id: input.planId,
+          };
+
           const result = await paymentService.createOrder({
-            amount: input.amount,
-            currency: input.currency,
+            amount: plan.price, // Use price from database
+            currency: plan.currency,
             receipt: input.receipt,
-            ...(input.notes && { notes: input.notes }),
+            notes: notesWithUserId,
           });
 
           // Check if it's an error response
@@ -52,4 +95,104 @@ export const paymentRouter = router({
         }
       }
     ),
+
+  verifyPayment: protectedProcedure
+    .input(verifyPaymentSchema)
+    .mutation(
+      async ({
+        input,
+        ctx,
+      }: {
+        input: z.infer<typeof verifyPaymentSchema>;
+        ctx: any;
+      }) => {
+        try {
+          const userId = ctx.user?.id;
+          if (!userId) {
+            throw new TRPCError({
+              code: "UNAUTHORIZED",
+              message: "User not authenticated",
+            });
+          }
+
+          // Fetch plan from database to get amount and currency
+          const plan = await paymentService.getPlan(input.planId);
+
+          if (!plan) {
+            throw new TRPCError({
+              code: "NOT_FOUND",
+              message: "Plan not found",
+            });
+          }
+
+          // Validate plan has required fields
+          if (!plan.price || !plan.currency) {
+            console.error("Plan missing required fields:", plan);
+            throw new TRPCError({
+              code: "BAD_REQUEST",
+              message: "Plan is missing price or currency information",
+            });
+          }
+
+          // Step 1: Verify signature first (fail fast if invalid)
+          const isValidSignature = paymentService.verifyPaymentSignature(
+            input.razorpay_order_id,
+            input.razorpay_payment_id,
+            input.razorpay_signature
+          );
+          if (!isValidSignature) {
+            throw new TRPCError({
+              code: "BAD_REQUEST",
+              message: "Invalid payment signature",
+            });
+          }
+
+          // Step 2: Create payment record (with idempotency check)
+          const payment = await paymentService.createPaymentRecord(userId, {
+            razorpayPaymentId: input.razorpay_payment_id,
+            razorpayOrderId: input.razorpay_order_id,
+            amount: plan.price, // Use price from database
+            currency: plan.currency,
+          });
+
+          // Step 3: Create/activate subscription
+          const subscription = await paymentService.createSubscription(
+            userId,
+            input.planId,
+            payment.id
+          );
+
+          return {
+            success: true,
+            message: "Payment verified and subscription activated",
+            payment: {
+              id: payment.id,
+              razorpayPaymentId: payment.razorpayPaymentId,
+              amount: payment.amount,
+              currency: payment.currency,
+              status: payment.status,
+            },
+            subscription: {
+              id: subscription.id,
+              status: subscription.status,
+              startDate: subscription.startDate,
+              endDate: subscription.endDate,
+            },
+          };
+        } catch (error: any) {
+          if (error instanceof TRPCError) {
+            throw error;
+          }
+
+          if (process.env.NODE_ENV !== "production") {
+            console.error("Payment verification error:", error);
+          }
+
+          throw new TRPCError({
+            code: "INTERNAL_SERVER_ERROR",
+            message: "Failed to verify payment",
+          });
+        }
+      }
+    ),
 });