@cogito.ai/cli 0.4.3 → 0.4.5

package/dist/templates/web-nextjs/apps/web/src/features/subscription/wechat/server.ts

@@ -0,0 +1,147 @@
+import { wxpayRequest } from '@/lib/wechat-pay/client'
+import type { WechatPayConfig } from '@/lib/wechat-pay/types'
+import { decryptResource, verifySignature } from '@/lib/wechat-pay/crypto'
+
+export function getWechatPayConfig(): WechatPayConfig {
+  const appId = process.env.WECHAT_PAY_APP_ID
+  const mchId = process.env.WECHAT_PAY_MCH_ID
+  const privateKey = process.env.WECHAT_PAY_PRIVATE_KEY
+  const serialNo = process.env.WECHAT_PAY_SERIAL_NO
+  const apiV3Key = process.env.WECHAT_PAY_API_V3_KEY
+  const platformPublicKey = process.env.WECHAT_PAY_PLATFORM_PUBLIC_KEY
+  const baseUrl = process.env.WECHAT_PAY_BASE_URL || 'https://api.mch.weixin.qq.com'
+  const notifyUrl = process.env.WECHAT_PAY_NOTIFY_URL
+
+  if (
+    !appId ||
+    !mchId ||
+    !privateKey ||
+    !serialNo ||
+    !apiV3Key ||
+    !platformPublicKey ||
+    !notifyUrl
+  ) {
+    throw new Error(
+      'Missing WeChat Pay credentials. Ensure all WECHAT_PAY_* environment variables are set.',
+    )
+  }
+
+  return {
+    appId,
+    mchId,
+    privateKey,
+    serialNo,
+    apiV3Key,
+    platformPublicKey,
+    baseUrl,
+    notifyUrl,
+  }
+}
+
+interface CreateWechatPayParams {
+  description: string
+  outTradeNo: string
+  notifyUrl: string
+  amount: { total: number; currency?: string }
+  sceneInfo?: object
+}
+
+export async function createWechatNativePay(params: CreateWechatPayParams) {
+  const config = getWechatPayConfig()
+  const body = {
+    appid: config.appId,
+    mchid: config.mchId,
+    description: params.description,
+    out_trade_no: params.outTradeNo,
+    notify_url: params.notifyUrl,
+    amount: params.amount,
+  }
+
+  return wxpayRequest<{ code_url: string }>({
+    config,
+    method: 'post',
+    url: '/v3/pay/transactions/native',
+    body,
+  })
+}
+
+export async function createWechatH5Pay(params: CreateWechatPayParams) {
+  const config = getWechatPayConfig()
+  const body = {
+    appid: config.appId,
+    mchid: config.mchId,
+    description: params.description,
+    out_trade_no: params.outTradeNo,
+    notify_url: params.notifyUrl,
+    amount: params.amount,
+    scene_info: params.sceneInfo,
+  }
+
+  return wxpayRequest<{ h5_url: string }>({
+    config,
+    method: 'post',
+    url: '/v3/pay/transactions/h5',
+    body,
+  })
+}
+
+export async function queryWechatOrder(outTradeNo: string) {
+  const config = getWechatPayConfig()
+  return wxpayRequest<{ trade_state: string }>({
+    config,
+    method: 'get',
+    url: `/v3/pay/transactions/out-trade-no/${outTradeNo}`,
+  })
+}
+
+export interface VerifyAndDecryptNotifyResult {
+  outTradeNo: string
+  tradeState: string
+  transactionId: string
+  amount: number
+  currency: string
+  appId: string
+  mchId: string
+}
+
+export async function verifyAndDecryptNotify(
+  headers: Record<string, string | undefined>,
+  rawBody: string,
+): Promise<VerifyAndDecryptNotifyResult> {
+  const config = getWechatPayConfig()
+  const timestamp = headers['wechatpay-timestamp'] || headers['Wechatpay-Timestamp'] || ''
+  const nonce = headers['wechatpay-nonce'] || headers['Wechatpay-Nonce'] || ''
+  const signature = headers['wechatpay-signature'] || headers['Wechatpay-Signature'] || ''
+
+  const isValid = verifySignature({
+    timestamp,
+    nonce,
+    body: rawBody,
+    signature,
+    platformPublicKey: config.platformPublicKey,
+  })
+
+  if (!isValid) {
+    throw new Error('Invalid WeChat Pay signature')
+  }
+
+  const bodyData = JSON.parse(rawBody)
+  const resource = bodyData.resource
+  const decrypted = decryptResource({
+    ciphertext: resource.ciphertext,
+    associatedData: resource.associated_data,
+    nonce: resource.nonce,
+    apiV3Key: config.apiV3Key,
+  })
+
+  const transaction = JSON.parse(decrypted)
+  return {
+    outTradeNo: transaction.out_trade_no,
+    tradeState: transaction.trade_state,
+    transactionId: transaction.transaction_id,
+    amount: transaction.amount?.total,
+    currency: transaction.amount?.currency,
+    appId: transaction.appid,
+    mchId: transaction.mchid,
+  }
+}

package/dist/templates/web-nextjs/apps/web/src/lib/supabase/admin.ts

@@ -0,0 +1,23 @@
+import { createClient } from '@supabase/supabase-js'
+
+/**
+ * Creates a Supabase admin client using the service role key.
+ *
+ * ⚠️ WARNING: This client bypasses Row Level Security (RLS).
+ * Use ONLY in server-side contexts (Route Handlers, Server Actions).
+ * NEVER expose this client to the browser.
+ */
+export function createAdminClient() {
+  const url = process.env.NEXT_PUBLIC_SUPABASE_URL
+  const key = process.env.SUPABASE_SERVICE_ROLE_KEY
+
+  if (!url || !key) {
+    throw new Error(
+      'Missing Supabase admin credentials. Ensure NEXT_PUBLIC_SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY are set.',
+    )
+  }
+
+  return createClient(url, key, {
+    auth: { autoRefreshToken: false, persistSession: false },
+  })
+}

package/dist/templates/web-nextjs/apps/web/src/lib/wechat-pay/client.ts

@@ -0,0 +1,66 @@
+import { buildAuthorizationHeader, generateNonce, signRequest } from './crypto'
+import type { WechatPayConfig } from './types'
+
+interface WxpayRequestParams<T = unknown> {
+  config: WechatPayConfig
+  method: string
+  url: string
+  body?: object
+}
+
+export async function wxpayRequest<T>(params: WxpayRequestParams): Promise<T> {
+  const { config, method, url, body } = params
+  const timestamp = Math.floor(Date.now() / 1000).toString()
+  const nonce = generateNonce()
+  const bodyStr = body ? JSON.stringify(body) : ''
+
+  const signature = signRequest({
+    method,
+    url,
+    timestamp,
+    nonce,
+    body: bodyStr,
+    privateKey: config.privateKey,
+  })
+
+  const authorization = buildAuthorizationHeader({
+    mchId: config.mchId,
+    serialNo: config.serialNo,
+    timestamp,
+    nonce,
+    signature,
+  })
+
+  const headers: Record<string, string> = {
+    Accept: 'application/json',
+    Authorization: authorization,
+    'Content-Type': 'application/json',
+    'User-Agent': 'Mozilla/5.0 (compatible; WebNextjs/1.0)',
+  }
+
+  const res = await fetch(`${config.baseUrl}${url}`, {
+    method: method.toUpperCase(),
+    headers,
+    body: bodyStr || null,
+  })
+
+  const data = (await res.json()) as T
+
+  // Check for WeChat Pay API errors
+  if (!res.ok) {
+    const errorData = data as Record<string, unknown>
+    const errorMessage =
+      typeof errorData.message === 'string'
+        ? errorData.message
+        : `WeChat Pay API error: ${res.status}`
+    const error = new Error(errorMessage)
+    ;(error as Error & { code?: string; status?: number; raw?: unknown }).code = String(
+      errorData.code || '',
+    )
+    ;(error as Error & { code?: string; status?: number; raw?: unknown }).status = res.status
+    ;(error as Error & { code?: string; status?: number; raw?: unknown }).raw = errorData
+    throw error
+  }
+
+  return data
+}

package/dist/templates/web-nextjs/apps/web/src/lib/wechat-pay/crypto.ts

@@ -0,0 +1,99 @@
+import crypto from 'crypto'
+
+/**
+ * Generates a random nonce string (16 hex chars, uppercase)
+ */
+export function generateNonce(): string {
+  return crypto.randomBytes(16).toString('hex').toUpperCase()
+}
+
+interface SignRequestParams {
+  method: string
+  url: string
+  timestamp: string
+  nonce: string
+  body: string
+  privateKey: string
+}
+
+/**
+ * Constructs the -line signature string and signs it with SHA256withRSA using the merchant private key.
+ * Returns Base64 encoded signature.
+ */
+export function signRequest(params: SignRequestParams): string {
+  const { method, url, timestamp, nonce, body, privateKey } = params
+  const signStr = `${method.toUpperCase()}\n${url}\n${timestamp}\n${nonce}\n${body}\n`
+
+  const signer = crypto.createSign('RSA-SHA256')
+  signer.update(signStr)
+  return signer.sign(privateKey, 'base64')
+}
+
+interface BuildAuthorizationHeaderParams {
+  mchId: string
+  serialNo: string
+  timestamp: string
+  nonce: string
+  signature: string
+}
+
+/**
+ * Builds the Authorization header for WeChat Pay V3 API requests.
+ */
+export function buildAuthorizationHeader(params: BuildAuthorizationHeaderParams): string {
+  const { mchId, serialNo, timestamp, nonce, signature } = params
+  return `WECHATPAY2-SHA256-RSA2048 mchid="${mchId}",nonce_str="${nonce}",timestamp="${timestamp}",serial_no="${serialNo}",signature="${signature}"`
+}
+
+interface VerifySignatureParams {
+  timestamp: string
+  nonce: string
+  body: string
+  signature: string
+  platformPublicKey: string
+}
+
+/**
+ * Verifies WeChat Pay notification signature using the platform public key.
+ */
+export function verifySignature(params: VerifySignatureParams): boolean {
+  const { timestamp, nonce, body, signature, platformPublicKey } = params
+  const verifyStr = `${timestamp}\n${nonce}\n${body}\n`
+
+  const verifier = crypto.createVerify('RSA-SHA256')
+  verifier.update(verifyStr)
+  return verifier.verify(platformPublicKey, signature, 'base64')
+}
+
+interface DecryptResourceParams {
+  ciphertext: string
+  associatedData: string
+  nonce: string
+  apiV3Key: string
+}
+
+/**
+ * Decrypts AEAD_AES_256_GCM encrypted resource.
+ * The ciphertext includes the auth tag as the last 16 bytes.
+ */
+export function decryptResource(params: DecryptResourceParams): string {
+  const { ciphertext, associatedData, nonce, apiV3Key } = params
+  const buf = Buffer.from(ciphertext, 'base64')
+
+  // AES-256-GCM: last 16 bytes are the auth tag
+  const authTagLength = 16
+  const encrypted = buf.slice(0, -authTagLength)
+  const authTag = buf.slice(-authTagLength)
+
+  const decipher = crypto.createDecipheriv(
+    'aes-256-gcm',
+    Buffer.from(apiV3Key),
+    Buffer.from(nonce, 'utf8'),
+  )
+  decipher.setAuthTag(authTag)
+  decipher.setAAD(Buffer.from(associatedData))
+
+  let decrypted = decipher.update(encrypted, undefined, 'utf8')
+  decrypted += decipher.final('utf8')
+  return decrypted
+}

package/dist/templates/web-nextjs/apps/web/src/lib/wechat-pay/types.ts

@@ -0,0 +1,10 @@
+export interface WechatPayConfig {
+  appId: string
+  mchId: string
+  privateKey: string // PKCS8 PEM format merchant private key
+  serialNo: string // Merchant certificate serial number
+  apiV3Key: string // 32-byte APIv3 key
+  platformPublicKey: string // WeChat platform public key PEM (downloaded from /v3/certificates)
+  baseUrl: string // Domestic: https://api.mch.weixin.qq.com; Overseas: https://apihk.mch.weixin.qq.com
+  notifyUrl: string
+}