@better-auth/stripe 1.7.0-beta.5 → 1.7.0-beta.6

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { n as STRIPE_ERROR_CODES, t as PACKAGE_VERSION } from "./version-BkrVCPsb.mjs";
+import { n as STRIPE_ERROR_CODES, t as PACKAGE_VERSION } from "./version-DN_gseFy.mjs";
 //#region src/client.ts
 const stripeClient = (options) => {
 	return {

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { n as STRIPE_ERROR_CODES, t as PACKAGE_VERSION } from "./version-BkrVCPsb.mjs";
+import { n as STRIPE_ERROR_CODES, t as PACKAGE_VERSION } from "./version-DN_gseFy.mjs";
 import { APIError, HIDE_METADATA } from "better-auth";
 import { defu } from "defu";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
@@ -534,6 +534,23 @@ function getReferenceId(ctxSession, customerType, options) {
 	}
 	return user.id;
 }
+/**
+* Retrieve the subscription a row points to, or `null` if it no longer exists
+* (`resource_missing`) so callers can treat the row as stale.
+* @internal
+*/
+async function retrieveStripeSubscription(client, ctx, stripeSubscriptionId) {
+	return await client.subscriptions.retrieve(stripeSubscriptionId).catch((e) => {
+		/**
+		* @see https://docs.stripe.com/error-codes
+		*/
+		if (e?.code === "resource_missing") return null;
+		throw ctx.error("BAD_REQUEST", {
+			code: e.code,
+			message: e.message
+		});
+	});
+}
 const upgradeSubscriptionBodySchema = z.object({
 	plan: z.string().meta({ description: "The name of the plan to upgrade to. Eg: \"pro\"" }),
 	annual: z.boolean().meta({ description: "Whether to upgrade to an annual plan. Eg: true" }).optional(),
@@ -577,7 +594,11 @@ const upgradeSubscription = (options) => {
 			stripeSessionMiddleware,
 			referenceMiddleware(subscriptionOptions, "upgrade-subscription"),
 			originCheck((c) => {
-				return [c.body.successUrl, c.body.cancelUrl];
+				return [
+					c.body.successUrl,
+					c.body.cancelUrl,
+					c.body.returnUrl
+				];
 			})
 		]
 	}, async (ctx) => {
@@ -675,6 +696,10 @@ const upgradeSubscription = (options) => {
 						break;
 					}
 				}
+				if (stripeCustomer) {
+					const ownerId = customerMetadata.get(stripeCustomer.metadata).userId;
+					if (!!ownerId && ownerId !== user.id || !user.emailVerified) stripeCustomer = void 0;
+				}
 				if (!stripeCustomer) stripeCustomer = await client.customers.create({
 					email: user.email,
 					name: user.name,
@@ -1100,23 +1125,18 @@ const cancelSubscription = (options) => {
 		}).then((subs) => subs.find((sub) => isActiveOrTrialing(sub)));
 		if (ctx.body.subscriptionId && subscription && subscription.referenceId !== referenceId) subscription = void 0;
 		if (!subscription || !subscription.stripeCustomerId) throw APIError$1.from("BAD_REQUEST", STRIPE_ERROR_CODES.SUBSCRIPTION_NOT_FOUND);
-		const activeSubscriptions = await client.subscriptions.list({ customer: subscription.stripeCustomerId }).then((res) => res.data.filter((sub) => isActiveOrTrialing(sub)));
-		if (!activeSubscriptions.length) {
-			/**
-			* If the subscription is not found, we need to delete the subscription
-			* from the database. This is a rare case and should not happen.
-			*/
-			await ctx.context.adapter.deleteMany({
+		if (!subscription.stripeSubscriptionId) throw APIError$1.from("BAD_REQUEST", STRIPE_ERROR_CODES.SUBSCRIPTION_NOT_FOUND);
+		const activeSubscription = await retrieveStripeSubscription(client, ctx, subscription.stripeSubscriptionId);
+		if (!activeSubscription || !isActiveOrTrialing(activeSubscription)) {
+			await ctx.context.adapter.delete({
 				model: "subscription",
 				where: [{
-					field: "referenceId",
-					value: referenceId
+					field: "id",
+					value: subscription.id
 				}]
 			});
 			throw APIError$1.from("BAD_REQUEST", STRIPE_ERROR_CODES.SUBSCRIPTION_NOT_FOUND);
 		}
-		const activeSubscription = activeSubscriptions.find((sub) => sub.id === subscription.stripeSubscriptionId);
-		if (!activeSubscription) throw APIError$1.from("BAD_REQUEST", STRIPE_ERROR_CODES.SUBSCRIPTION_NOT_FOUND);
 		const { url } = await client.billingPortal.sessions.create({
 			customer: subscription.stripeCustomerId,
 			return_url: getUrl(ctx, ctx.body?.returnUrl || "/"),
@@ -1219,8 +1239,9 @@ const restoreSubscription = (options) => {
 			const releasedSub = await client.subscriptions.retrieve(subscription.stripeSubscriptionId);
 			return ctx.json(releasedSub);
 		}
-		const activeSubscription = await client.subscriptions.list({ customer: subscription.stripeCustomerId }).then((res) => res.data.filter((sub) => isActiveOrTrialing(sub))[0]);
-		if (!activeSubscription) throw APIError$1.from("BAD_REQUEST", STRIPE_ERROR_CODES.SUBSCRIPTION_NOT_FOUND);
+		if (!subscription.stripeSubscriptionId) throw APIError$1.from("BAD_REQUEST", STRIPE_ERROR_CODES.SUBSCRIPTION_NOT_FOUND);
+		const activeSubscription = await retrieveStripeSubscription(client, ctx, subscription.stripeSubscriptionId);
+		if (!activeSubscription || !isActiveOrTrialing(activeSubscription)) throw APIError$1.from("BAD_REQUEST", STRIPE_ERROR_CODES.SUBSCRIPTION_NOT_FOUND);
 		const updateParams = {};
 		if (activeSubscription.cancel_at) updateParams.cancel_at = "";
 		else if (activeSubscription.cancel_at_period_end) updateParams.cancel_at_period_end = false;
@@ -1307,8 +1328,7 @@ const subscriptionSuccess = (options) => {
 		use: [originCheck((ctx) => ctx.query.callbackURL)]
 	}, async (ctx) => {
 		let callbackURL = ctx.query?.callbackURL || "/";
-		const session = await getSessionFromCtx(ctx);
-		if (!session) throw ctx.redirect(getUrl(ctx, callbackURL));
+		if (!await getSessionFromCtx(ctx)) throw ctx.redirect(getUrl(ctx, callbackURL));
 		if (!ctx.query?.checkoutSessionId) throw ctx.redirect(getUrl(ctx, callbackURL));
 		/**
 		* Replace the Stripe {CHECKOUT_SESSION_ID} template variable in callbackURL.
@@ -1337,12 +1357,9 @@ const subscriptionSuccess = (options) => {
 			throw ctx.redirect(getUrl(ctx, callbackURL));
 		}
 		if (isActiveOrTrialing(subscription)) throw ctx.redirect(getUrl(ctx, callbackURL));
-		const customerId = subscription.stripeCustomerId || session.user.stripeCustomerId;
-		if (!customerId) throw ctx.redirect(getUrl(ctx, callbackURL));
-		const stripeSubscription = await client.subscriptions.list({
-			customer: customerId,
-			status: "active"
-		}).then((res) => res.data[0]).catch((error) => {
+		const stripeSubscriptionId = typeof checkoutSession.subscription === "string" ? checkoutSession.subscription : checkoutSession.subscription?.id;
+		if (!stripeSubscriptionId || checkoutSession.payment_status === "unpaid") throw ctx.redirect(getUrl(ctx, callbackURL));
+		const stripeSubscription = await client.subscriptions.retrieve(stripeSubscriptionId).catch((error) => {
 			ctx.context.logger.error("Error fetching subscription from Stripe", error);
 			throw ctx.redirect(getUrl(ctx, callbackURL));
 		});
@@ -1665,12 +1682,11 @@ const stripe = (options) => {
 					const { organization } = data;
 					if (!organization.stripeCustomerId) return;
 					try {
-						const subscriptions = await client.subscriptions.list({
+						for await (const sub of client.subscriptions.list({
 							customer: organization.stripeCustomerId,
 							status: "all",
 							limit: 100
-						});
-						for (const sub of subscriptions.data) if (sub.status !== "canceled" && sub.status !== "incomplete" && sub.status !== "incomplete_expired") throw APIError.from("BAD_REQUEST", STRIPE_ERROR_CODES.ORGANIZATION_HAS_ACTIVE_SUBSCRIPTION);
+						})) if (sub.status !== "canceled" && sub.status !== "incomplete" && sub.status !== "incomplete_expired") throw APIError.from("BAD_REQUEST", STRIPE_ERROR_CODES.ORGANIZATION_HAS_ACTIVE_SUBSCRIPTION);
 					} catch (error) {
 						if (error instanceof APIError) throw error;
 						ctx.logger.error(`Failed to check organization subscriptions: ${error.message}`);
@@ -1775,6 +1791,10 @@ const stripe = (options) => {
 								break;
 							}
 						}
+						if (stripeCustomer) {
+							const ownerId = customerMetadata.get(stripeCustomer.metadata).userId;
+							if (!!ownerId && ownerId !== user.id || !user.emailVerified) stripeCustomer = void 0;
+						}
 						if (stripeCustomer) {
 							await ctx.context.internalAdapter.updateUser(user.id, { stripeCustomerId: stripeCustomer.id });
 							await options.onCustomerCreate?.({

package/dist/{version-BkrVCPsb.mjs → version-DN_gseFy.mjs}

@@ -27,6 +27,6 @@ const STRIPE_ERROR_CODES = defineErrorCodes({
 });
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.7.0-beta.5";
+const PACKAGE_VERSION = "1.7.0-beta.6";
 //#endregion
 export { STRIPE_ERROR_CODES as n, PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/stripe",
-  "version": "1.7.0-beta.5",
+  "version": "1.7.0-beta.6",
   "description": "Stripe plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -58,14 +58,14 @@
     "better-call": "1.3.6",
     "stripe": "^22.0.1",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.7.0-beta.5",
-    "better-auth": "1.7.0-beta.5"
+    "@better-auth/core": "1.7.0-beta.6",
+    "better-auth": "1.7.0-beta.6"
   },
   "peerDependencies": {
     "better-call": "1.3.6",
     "stripe": "^18 || ^19 || ^20 || ^21 || ^22",
-    "@better-auth/core": "^1.7.0-beta.5",
-    "better-auth": "^1.7.0-beta.5"
+    "@better-auth/core": "^1.7.0-beta.6",
+    "better-auth": "^1.7.0-beta.6"
   },
   "scripts": {
     "build": "tsdown",