fix: apply review suggestions

Author: apsinghdev

apps/api/package.json

@@ -35,6 +35,7 @@
     "helmet": "^7.2.0",
     "jsonwebtoken": "^9.0.2",
     "razorpay": "^2.9.6",
+    "superjson": "^2.2.5",
     "zeptomail": "^6.2.1",
     "zod": "^4.1.9"
   }

apps/api/src/constants/subscription.ts

@@ -0,0 +1,38 @@
+/**
+ * Subscription status constants matching Prisma SubscriptionStatus enum
+ * These are readonly string literals for type safety
+ */
+export const SUBSCRIPTION_STATUS = {
+  CREATED: "created",
+  AUTHENTICATED: "authenticated",
+  ACTIVE: "active",
+  PENDING: "pending",
+  HALTED: "halted",
+  CANCELLED: "cancelled",
+  COMPLETED: "completed",
+  EXPIRED: "expired",
+} as const;
+
+/**
+ * Payment status constants matching Prisma PaymentStatus enum
+ * These are readonly string literals for type safety
+ */
+export const PAYMENT_STATUS = {
+  CREATED: "created",
+  AUTHORIZED: "authorized",
+  CAPTURED: "captured",
+  REFUNDED: "refunded",
+  FAILED: "failed",
+} as const;
+
+/**
+ * Type for subscription status values
+ */
+export type SubscriptionStatusValue =
+  (typeof SUBSCRIPTION_STATUS)[keyof typeof SUBSCRIPTION_STATUS];
+
+/**
+ * Type for payment status values
+ */
+export type PaymentStatusValue =
+  (typeof PAYMENT_STATUS)[keyof typeof PAYMENT_STATUS];

apps/api/src/index.ts

@@ -13,6 +13,7 @@ import ipBlocker from "./middleware/ipBlock.js";
 import crypto from "crypto";
 import { paymentService } from "./services/payment.service.js";
 import { verifyToken } from "./utils/auth.js";
+import { SUBSCRIPTION_STATUS } from "./constants/subscription.js";
 
 dotenv.config();
 
@@ -118,7 +119,7 @@ app.get("/join-community", apiLimiter, async (req: Request, res: Response) => {
     const subscription = await prismaModule.prisma.subscription.findFirst({
       where: {
         userId: user.id,
-        status: "active",
+        status: SUBSCRIPTION_STATUS.ACTIVE,
         endDate: {
           gte: new Date(),
         },

apps/api/src/routers/payment.ts

@@ -7,6 +7,9 @@ import prismaModule from "../prisma.js";
 
 const { prisma } = prismaModule;
 
+const ALLOWED_NOTE_KEYS = ["plan", "user_email"] as const;
+const MAX_NOTE_VALUE_LENGTH = 255;
+
 const createOrderSchema = z.object({
   planId: z.string().min(1, "Plan ID is required"),
   receipt: z.string().min(1, "Receipt is required"),
@@ -59,18 +62,28 @@ export const paymentRouter = router({
             });
           }
 
-          // Add user_id and plan_id to notes for webhook processing
-          const notesWithUserId = {
-            ...(input.notes || {}),
-            user_id: userId,
-            plan_id: input.planId,
-          };
+          const sanitizedNotes: Record<string, string> = {};
+
+          if (input.notes) {
+            for (const key of ALLOWED_NOTE_KEYS) {
+              if (input.notes[key]) {
+                const value = String(input.notes[key]).slice(
+                  0,
+                  MAX_NOTE_VALUE_LENGTH
+                );
+                sanitizedNotes[key] = value;
+              }
+            }
+          }
+
+          sanitizedNotes.user_id = userId;
+          sanitizedNotes.plan_id = input.planId;
 
           const result = await paymentService.createOrder({
             amount: plan.price, // Use price from database
             currency: plan.currency,
             receipt: input.receipt,
-            notes: notesWithUserId,
+            notes: sanitizedNotes,
           });
 
           // Check if it's an error response

apps/api/src/services/auth.service.ts

@@ -39,6 +39,14 @@ export const authService = {
         authMethod: authMethod || "google",
         lastLogin: new Date(),
       },
+      select: {
+        id: true,
+        email: true,
+        firstName: true,
+        authMethod: true,
+        createdAt: true,
+        lastLogin: true,
+      },
     });
 
     const token = generateToken(email);

apps/api/src/services/email.service.ts

@@ -12,6 +12,14 @@ interface SendEmailInput {
   textBody?: string;
 }
 
+const escapeHtml = (s: string): string =>
+  s
+    .replace(/&/g, "&")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#39;");
+
 // Initialize ZeptoMail client
 const initializeEmailClient = () => {
   const url =
@@ -77,10 +85,11 @@ export const emailService = {
     email: string,
     firstName: string
   ): Promise<boolean> {
+    const safeFirstName = escapeHtml(firstName);
     const htmlBody = `
       <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto; padding: 20px;">
         <p style="color: #333; line-height: 1.8; font-size: 16px;">
-          Hi ${firstName},
+          Hi ${safeFirstName},
         </p>
         
         <p style="color: #333; line-height: 1.8; font-size: 16px;">
@@ -127,7 +136,7 @@ export const emailService = {
       </div>
     `;
 
-    const textBody = `Hi ${firstName},
+    const textBody = `Hi ${safeFirstName},
 
 I am Ajeet, founder of Opensox AI.
 
@@ -147,7 +156,7 @@ Best,
 Ajeet from Opensox.ai`;
 
     return this.sendEmail({
-      to: [{ address: email, name: firstName }],
+      to: [{ address: email, name: safeFirstName }],
       subject: "Congratulations! You are in.",
       htmlBody,
       textBody,

apps/api/src/services/payment.service.ts

@@ -1,6 +1,10 @@
 import { rz_instance } from "../clients/razorpay.js";
 import crypto from "crypto";
 import prismaModule from "../prisma.js";
+import {
+  SUBSCRIPTION_STATUS,
+  PAYMENT_STATUS,
+} from "../constants/subscription.js";
 
 const { prisma } = prismaModule;
 
@@ -115,16 +119,18 @@ export const paymentService = {
       }
 
       // Create the expected signature
-      const generatedSignature = crypto
+      const generatedSignatureHex = crypto
         .createHmac("sha256", keySecret)
         .update(`${orderId}|${paymentId}`)
         .digest("hex");
 
+      const a = Buffer.from(signature, "hex");
+      const b = Buffer.from(generatedSignatureHex, "hex");
+
+      if (a.length !== b.length) return false;
+
       // Compare signatures securely
-      return crypto.timingSafeEqual(
-        Buffer.from(signature),
-        Buffer.from(generatedSignature)
-      );
+      return crypto.timingSafeEqual(a, b);
     } catch (error) {
       console.error("Signature verification error:", error);
       return false;
@@ -156,7 +162,7 @@ export const paymentService = {
           razorpayOrderId: paymentData.razorpayOrderId,
           amount: paymentData.amount, // Amount in paise (smallest currency unit)
           currency: paymentData.currency,
-          status: "captured",
+          status: PAYMENT_STATUS.CAPTURED,
         },
       });
 
@@ -229,7 +235,7 @@ export const paymentService = {
         data: {
           userId,
           planId,
-          status: "active",
+          status: SUBSCRIPTION_STATUS.ACTIVE,
           startDate,
           endDate,
           autoRenew: true,

apps/api/src/services/query.service.ts

@@ -1,10 +1,13 @@
-import { PrismaClient } from "@prisma/client";
+import type { PrismaClient } from "@prisma/client";
+import type prismaModule from "../prisma.js";
+
+type ExtendedPrismaClient = typeof prismaModule.prisma;
 
 export const queryService = {
   /**
    * Get total count of queries
    */
-  async getQueryCount(prisma: PrismaClient) {
+  async getQueryCount(prisma: ExtendedPrismaClient | PrismaClient) {
     const queryCount = await prisma.queryCount.findUnique({
       where: { id: 1 },
     });
@@ -17,7 +20,9 @@ export const queryService = {
   /**
    * Increment the query count by 1
    */
-  async incrementQueryCount(prisma: PrismaClient): Promise<void> {
+  async incrementQueryCount(
+    prisma: ExtendedPrismaClient | PrismaClient
+  ): Promise<void> {
     try {
       const updatedCount = await prisma.queryCount.update({
         where: { id: 1 },

apps/api/src/services/user.service.ts

@@ -1,10 +1,14 @@
-import { PrismaClient } from "@prisma/client";
+import type { PrismaClient } from "@prisma/client";
+import type prismaModule from "../prisma.js";
+import { SUBSCRIPTION_STATUS } from "../constants/subscription.js";
+
+type ExtendedPrismaClient = typeof prismaModule.prisma;
 
 export const userService = {
   /**
    * Get total count of users
    */
-  async getUserCount(prisma: PrismaClient) {
+  async getUserCount(prisma: ExtendedPrismaClient | PrismaClient) {
     const userCount = await prisma.user.count();
 
     return {
@@ -15,11 +19,14 @@ export const userService = {
   /**
    * Check if user has an active subscription
    */
-  async checkSubscriptionStatus(prisma: PrismaClient, userId: string) {
+  async checkSubscriptionStatus(
+    prisma: ExtendedPrismaClient | PrismaClient,
+    userId: string
+  ) {
     const subscription = await prisma.subscription.findFirst({
       where: {
         userId,
-        status: "active",
+        status: SUBSCRIPTION_STATUS.ACTIVE,
         endDate: {
           gte: new Date(),
         },

apps/api/src/trpc.ts

@@ -1,8 +1,11 @@
 import { initTRPC, TRPCError } from "@trpc/server";
+import superjson from "superjson";
 import type { Context } from "./context.js";
 import { verifyToken } from "./utils/auth.js";
 
-const t = initTRPC.context<Context>().create();
+const t = initTRPC.context<Context>().create({
+  transformer: superjson,
+});
 
 const isAuthed = t.middleware(async ({ ctx, next }) => {
   const authHeader = ctx.req.headers.authorization;