@better-auth/stripe 1.4.7-beta.2 → 1.4.7-beta.4

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @better-auth/stripe@1.4.7-beta.2 build /home/runner/work/better-auth/better-auth/packages/stripe
+> @better-auth/stripe@1.4.7-beta.4 build /home/runner/work/better-auth/better-auth/packages/stripe
 > tsdown
 
 ℹ tsdown v0.17.2 powered by rolldown v1.0.0-beta.53
@@ -7,10 +7,10 @@
 ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs             40.34 kB │ gzip: 7.53 kB
+ℹ dist/index.mjs             40.71 kB │ gzip: 7.59 kB
 ℹ dist/client.mjs             0.26 kB │ gzip: 0.20 kB
-ℹ dist/client.d.mts           0.62 kB │ gzip: 0.35 kB
+ℹ dist/client.d.mts           0.62 kB │ gzip: 0.34 kB
 ℹ dist/index.d.mts            0.21 kB │ gzip: 0.14 kB
-ℹ dist/index-B_7z2Xag.d.mts  25.09 kB │ gzip: 4.83 kB
-ℹ 5 files, total: 66.53 kB
-✔ Build complete in 12150ms
+ℹ dist/index-Dbyi2yVo.d.mts  24.87 kB │ gzip: 4.82 kB
+ℹ 5 files, total: 66.68 kB
+✔ Build complete in 12247ms

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as stripe } from "./index-B_7z2Xag.mjs";
+import { n as stripe } from "./index-Dbyi2yVo.mjs";
 
 //#region src/client.d.ts
 declare const stripeClient: <O extends {

package/dist/{index-B_7z2Xag.d.mts → index-Dbyi2yVo.d.mts}

@@ -366,15 +366,13 @@ declare const stripe: <O extends StripeOptions>(options: O) => {
     stripeWebhook: better_call0.StrictEndpoint<"/stripe/webhook", {
       method: "POST";
       metadata: {
-        isAction: false;
         openapi: {
           operationId: string;
         };
+        scope: "server";
       };
       cloneRequest: true;
       disableBody: true;
-    } & {
-      use: any[];
     }, {
       success: boolean;
     }>;
@@ -423,8 +421,6 @@ declare const stripe: <O extends StripeOptions>(options: O) => {
           };
         };
       }>))[];
-    } & {
-      use: any[];
     }, {
       url: string;
       redirect: boolean;
@@ -515,8 +511,6 @@ declare const stripe: <O extends StripeOptions>(options: O) => {
         };
       };
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
-    } & {
-      use: any[];
     }, never>;
     cancelSubscription: better_call0.StrictEndpoint<"/subscription/cancel", {
       method: "POST";
@@ -553,8 +547,6 @@ declare const stripe: <O extends StripeOptions>(options: O) => {
           };
         };
       }>))[];
-    } & {
-      use: any[];
     }, {
       url: string;
       redirect: boolean;
@@ -593,8 +585,6 @@ declare const stripe: <O extends StripeOptions>(options: O) => {
           };
         };
       }>))[];
-    } & {
-      use: any[];
     }, Stripe.Response<Stripe.Subscription>>;
     listActiveSubscriptions: better_call0.StrictEndpoint<"/subscription/list", {
       method: "GET";
@@ -629,8 +619,6 @@ declare const stripe: <O extends StripeOptions>(options: O) => {
           };
         };
       }>))[];
-    } & {
-      use: any[];
     }, {
       limits: Record<string, unknown> | undefined;
       priceId: string | undefined;
@@ -657,8 +645,6 @@ declare const stripe: <O extends StripeOptions>(options: O) => {
         };
       };
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
-    } & {
-      use: any[];
     }, {
       status: ("OK" | "CREATED" | "ACCEPTED" | "NO_CONTENT" | "MULTIPLE_CHOICES" | "MOVED_PERMANENTLY" | "FOUND" | "SEE_OTHER" | "NOT_MODIFIED" | "TEMPORARY_REDIRECT" | "BAD_REQUEST" | "UNAUTHORIZED" | "PAYMENT_REQUIRED" | "FORBIDDEN" | "NOT_FOUND" | "METHOD_NOT_ALLOWED" | "NOT_ACCEPTABLE" | "PROXY_AUTHENTICATION_REQUIRED" | "REQUEST_TIMEOUT" | "CONFLICT" | "GONE" | "LENGTH_REQUIRED" | "PRECONDITION_FAILED" | "PAYLOAD_TOO_LARGE" | "URI_TOO_LONG" | "UNSUPPORTED_MEDIA_TYPE" | "RANGE_NOT_SATISFIABLE" | "EXPECTATION_FAILED" | "I'M_A_TEAPOT" | "MISDIRECTED_REQUEST" | "UNPROCESSABLE_ENTITY" | "LOCKED" | "FAILED_DEPENDENCY" | "TOO_EARLY" | "UPGRADE_REQUIRED" | "PRECONDITION_REQUIRED" | "TOO_MANY_REQUESTS" | "REQUEST_HEADER_FIELDS_TOO_LARGE" | "UNAVAILABLE_FOR_LEGAL_REASONS" | "INTERNAL_SERVER_ERROR" | "NOT_IMPLEMENTED" | "BAD_GATEWAY" | "SERVICE_UNAVAILABLE" | "GATEWAY_TIMEOUT" | "HTTP_VERSION_NOT_SUPPORTED" | "VARIANT_ALSO_NEGOTIATES" | "INSUFFICIENT_STORAGE" | "LOOP_DETECTED" | "NOT_EXTENDED" | "NETWORK_AUTHENTICATION_REQUIRED") | better_call0.Status;
       body: ({
@@ -708,8 +694,6 @@ declare const stripe: <O extends StripeOptions>(options: O) => {
           };
         };
       }>))[];
-    } & {
-      use: any[];
     }, {
       url: string;
       redirect: boolean;

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { a as SubscriptionOptions, i as Subscription, n as stripe, r as StripePlan, t as StripePlugin } from "./index-B_7z2Xag.mjs";
+import { a as SubscriptionOptions, i as Subscription, n as stripe, r as StripePlan, t as StripePlugin } from "./index-Dbyi2yVo.mjs";
 export { StripePlan, StripePlugin, Subscription, SubscriptionOptions, stripe };

package/dist/index.mjs

@@ -1,9 +1,9 @@
 import { defineErrorCodes } from "@better-auth/core/utils";
 import { defu } from "defu";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
+import { HIDE_METADATA, logger } from "better-auth";
 import { APIError, getSessionFromCtx, originCheck, sessionMiddleware } from "better-auth/api";
 import * as z from "zod/v4";
-import { logger } from "better-auth";
 import { mergeSchema } from "better-auth/db";
 
 //#region src/utils.ts
@@ -265,7 +265,7 @@ const upgradeSubscription = (options) => {
 		const referenceId = ctx.body.referenceId || user$1.id;
 		const plan = await getPlanByName(options, ctx.body.plan);
 		if (!plan) throw new APIError("BAD_REQUEST", { message: STRIPE_ERROR_CODES$1.SUBSCRIPTION_PLAN_NOT_FOUND });
-		const subscriptionToUpdate = ctx.body.subscriptionId ? await ctx.context.adapter.findOne({
+		let subscriptionToUpdate = ctx.body.subscriptionId ? await ctx.context.adapter.findOne({
 			model: "subscription",
 			where: [{
 				field: "id",
@@ -283,6 +283,7 @@ const upgradeSubscription = (options) => {
 				value: referenceId
 			}]
 		}) : null;
+		if (ctx.body.subscriptionId && subscriptionToUpdate && subscriptionToUpdate.referenceId !== referenceId) subscriptionToUpdate = null;
 		if (ctx.body.subscriptionId && !subscriptionToUpdate) throw new APIError("BAD_REQUEST", { message: STRIPE_ERROR_CODES$1.SUBSCRIPTION_NOT_FOUND });
 		let customerId = subscriptionToUpdate?.stripeCustomerId || user$1.stripeCustomerId;
 		if (!customerId) try {
@@ -553,7 +554,7 @@ const cancelSubscription = (options) => {
 		]
 	}, async (ctx) => {
 		const referenceId = ctx.body?.referenceId || ctx.context.session.user.id;
-		const subscription = ctx.body.subscriptionId ? await ctx.context.adapter.findOne({
+		let subscription = ctx.body.subscriptionId ? await ctx.context.adapter.findOne({
 			model: "subscription",
 			where: [{
 				field: "id",
@@ -566,6 +567,7 @@ const cancelSubscription = (options) => {
 				value: referenceId
 			}]
 		}).then((subs) => subs.find((sub) => sub.status === "active" || sub.status === "trialing"));
+		if (ctx.body.subscriptionId && subscription && subscription.referenceId !== referenceId) subscription = void 0;
 		if (!subscription || !subscription.stripeCustomerId) throw ctx.error("BAD_REQUEST", { message: STRIPE_ERROR_CODES$1.SUBSCRIPTION_NOT_FOUND });
 		const activeSubscriptions = await client.subscriptions.list({ customer: subscription.stripeCustomerId }).then((res) => res.data.filter((sub) => sub.status === "active" || sub.status === "trialing"));
 		if (!activeSubscriptions.length) {
@@ -631,7 +633,7 @@ const restoreSubscription = (options) => {
 		use: [sessionMiddleware, referenceMiddleware(subscriptionOptions, "restore-subscription")]
 	}, async (ctx) => {
 		const referenceId = ctx.body?.referenceId || ctx.context.session.user.id;
-		const subscription = ctx.body.subscriptionId ? await ctx.context.adapter.findOne({
+		let subscription = ctx.body.subscriptionId ? await ctx.context.adapter.findOne({
 			model: "subscription",
 			where: [{
 				field: "id",
@@ -644,6 +646,7 @@ const restoreSubscription = (options) => {
 				value: referenceId
 			}]
 		}).then((subs) => subs.find((sub) => sub.status === "active" || sub.status === "trialing"));
+		if (ctx.body.subscriptionId && subscription && subscription.referenceId !== referenceId) subscription = void 0;
 		if (!subscription || !subscription.stripeCustomerId) throw ctx.error("BAD_REQUEST", { message: STRIPE_ERROR_CODES$1.SUBSCRIPTION_NOT_FOUND });
 		if (subscription.status != "active" && subscription.status != "trialing") throw ctx.error("BAD_REQUEST", { message: STRIPE_ERROR_CODES$1.SUBSCRIPTION_NOT_ACTIVE });
 		if (!subscription.cancelAtPeriodEnd) throw ctx.error("BAD_REQUEST", { message: STRIPE_ERROR_CODES$1.SUBSCRIPTION_NOT_SCHEDULED_FOR_CANCELLATION });
@@ -824,7 +827,7 @@ const stripeWebhook = (options) => {
 	return createAuthEndpoint("/stripe/webhook", {
 		method: "POST",
 		metadata: {
-			isAction: false,
+			...HIDE_METADATA,
 			openapi: { operationId: "handleStripeWebhook" }
 		},
 		cloneRequest: true,

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/stripe",
   "author": "Bereket Engida",
-  "version": "1.4.7-beta.2",
+  "version": "1.4.7-beta.4",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -50,15 +50,15 @@
   },
   "peerDependencies": {
     "stripe": "^18 || ^19 || ^20",
-    "@better-auth/core": "1.4.7-beta.2",
-    "better-auth": "1.4.7-beta.2"
+    "@better-auth/core": "1.4.7-beta.4",
+    "better-auth": "1.4.7-beta.4"
   },
   "devDependencies": {
     "better-call": "1.1.5",
     "stripe": "^20.0.0",
     "tsdown": "^0.17.2",
-    "@better-auth/core": "1.4.7-beta.2",
-    "better-auth": "1.4.7-beta.2"
+    "@better-auth/core": "1.4.7-beta.4",
+    "better-auth": "1.4.7-beta.4"
   },
   "scripts": {
     "test": "vitest",

package/src/routes.ts

@@ -1,6 +1,7 @@
 import { createAuthEndpoint } from "@better-auth/core/api";
 import { defineErrorCodes } from "@better-auth/core/utils";
 import type { GenericEndpointContext } from "better-auth";
+import { HIDE_METADATA } from "better-auth";
 import {
 	APIError,
 	getSessionFromCtx,
@@ -181,7 +182,7 @@ export const upgradeSubscription = (options: StripeOptions) => {
 					message: STRIPE_ERROR_CODES.SUBSCRIPTION_PLAN_NOT_FOUND,
 				});
 			}
-			const subscriptionToUpdate = ctx.body.subscriptionId
+			let subscriptionToUpdate = ctx.body.subscriptionId
 				? await ctx.context.adapter.findOne<Subscription>({
 						model: "subscription",
 						where: [
@@ -204,6 +205,14 @@ export const upgradeSubscription = (options: StripeOptions) => {
 						})
 					: null;
 
+			if (
+				ctx.body.subscriptionId &&
+				subscriptionToUpdate &&
+				subscriptionToUpdate.referenceId !== referenceId
+			) {
+				subscriptionToUpdate = null;
+			}
+
 			if (ctx.body.subscriptionId && !subscriptionToUpdate) {
 				throw new APIError("BAD_REQUEST", {
 					message: STRIPE_ERROR_CODES.SUBSCRIPTION_NOT_FOUND,
@@ -697,7 +706,7 @@ export const cancelSubscription = (options: StripeOptions) => {
 		},
 		async (ctx) => {
 			const referenceId = ctx.body?.referenceId || ctx.context.session.user.id;
-			const subscription = ctx.body.subscriptionId
+			let subscription = ctx.body.subscriptionId
 				? await ctx.context.adapter.findOne<Subscription>({
 						model: "subscription",
 						where: [
@@ -718,6 +727,15 @@ export const cancelSubscription = (options: StripeOptions) => {
 							),
 						);
 
+			// Ensure the specified subscription belongs to the (validated) referenceId.
+			if (
+				ctx.body.subscriptionId &&
+				subscription &&
+				subscription.referenceId !== referenceId
+			) {
+				subscription = undefined;
+			}
+
 			if (!subscription || !subscription.stripeCustomerId) {
 				throw ctx.error("BAD_REQUEST", {
 					message: STRIPE_ERROR_CODES.SUBSCRIPTION_NOT_FOUND,
@@ -846,7 +864,7 @@ export const restoreSubscription = (options: StripeOptions) => {
 		async (ctx) => {
 			const referenceId = ctx.body?.referenceId || ctx.context.session.user.id;
 
-			const subscription = ctx.body.subscriptionId
+			let subscription = ctx.body.subscriptionId
 				? await ctx.context.adapter.findOne<Subscription>({
 						model: "subscription",
 						where: [
@@ -871,6 +889,15 @@ export const restoreSubscription = (options: StripeOptions) => {
 								(sub) => sub.status === "active" || sub.status === "trialing",
 							),
 						);
+
+			// Ensure the specified subscription belongs to the (validated) referenceId.
+			if (
+				ctx.body.subscriptionId &&
+				subscription &&
+				subscription.referenceId !== referenceId
+			) {
+				subscription = undefined;
+			}
 			if (!subscription || !subscription.stripeCustomerId) {
 				throw ctx.error("BAD_REQUEST", {
 					message: STRIPE_ERROR_CODES.SUBSCRIPTION_NOT_FOUND,
@@ -1221,7 +1248,7 @@ export const stripeWebhook = (options: StripeOptions) => {
 		{
 			method: "POST",
 			metadata: {
-				isAction: false,
+				...HIDE_METADATA,
 				openapi: {
 					operationId: "handleStripeWebhook",
 				},

package/src/stripe.test.ts

@@ -227,6 +227,92 @@ describe("stripe", async () => {
 		});
 	});
 
+	it("should not allow cross-user subscriptionId operations (upgrade/cancel/restore)", async () => {
+		const userA = {
+			email: "user-a@email.com",
+			password: "password",
+			name: "User A",
+		};
+		const userARes = await authClient.signUp.email(userA, { throw: true });
+
+		const userAHeaders = new Headers();
+		await authClient.signIn.email(userA, {
+			throw: true,
+			onSuccess: setCookieToHeader(userAHeaders),
+		});
+		await authClient.subscription.upgrade({
+			plan: "starter",
+			fetchOptions: { headers: userAHeaders },
+		});
+
+		const userASub = await ctx.adapter.findOne<Subscription>({
+			model: "subscription",
+			where: [{ field: "referenceId", value: userARes.user.id }],
+		});
+		expect(userASub).toBeTruthy();
+
+		const userB = {
+			email: "user-b@email.com",
+			password: "password",
+			name: "User B",
+		};
+		await authClient.signUp.email(userB, { throw: true });
+		const userBHeaders = new Headers();
+		await authClient.signIn.email(userB, {
+			throw: true,
+			onSuccess: setCookieToHeader(userBHeaders),
+		});
+
+		mockStripe.checkout.sessions.create.mockClear();
+		mockStripe.billingPortal.sessions.create.mockClear();
+		mockStripe.subscriptions.list.mockClear();
+		mockStripe.subscriptions.update.mockClear();
+
+		const upgradeRes = await authClient.subscription.upgrade({
+			plan: "premium",
+			subscriptionId: userASub!.id,
+			fetchOptions: { headers: userBHeaders },
+		});
+		expect(upgradeRes.error?.message).toContain("Subscription not found");
+		expect(mockStripe.checkout.sessions.create).not.toHaveBeenCalled();
+		expect(mockStripe.billingPortal.sessions.create).not.toHaveBeenCalled();
+
+		const cancelHeaders = new Headers(userBHeaders);
+		cancelHeaders.set("content-type", "application/json");
+		const cancelResponse = await auth.handler(
+			new Request("http://localhost:3000/api/auth/subscription/cancel", {
+				method: "POST",
+				headers: cancelHeaders,
+				body: JSON.stringify({
+					subscriptionId: userASub!.id,
+					returnUrl: "/account",
+				}),
+			}),
+		);
+		expect(cancelResponse.status).toBe(400);
+		expect((await cancelResponse.json()).message).toContain(
+			"Subscription not found",
+		);
+		expect(mockStripe.billingPortal.sessions.create).not.toHaveBeenCalled();
+
+		const restoreHeaders = new Headers(userBHeaders);
+		restoreHeaders.set("content-type", "application/json");
+		const restoreResponse = await auth.handler(
+			new Request("http://localhost:3000/api/auth/subscription/restore", {
+				method: "POST",
+				headers: restoreHeaders,
+				body: JSON.stringify({
+					subscriptionId: userASub!.id,
+				}),
+			}),
+		);
+		expect(restoreResponse.status).toBe(400);
+		expect((await restoreResponse.json()).message).toContain(
+			"Subscription not found",
+		);
+		expect(mockStripe.subscriptions.update).not.toHaveBeenCalled();
+	});
+
 	it("should list active subscriptions", async () => {
 		const userRes = await authClient.signUp.email(
 			{