@deiondz/better-auth-razorpay 2.0.1 → 2.0.2

package/README.md

@@ -84,6 +84,7 @@ export const auth = betterAuth({
     razorpayPlugin({
       razorpayClient,
       razorpayWebhookSecret: process.env.RAZORPAY_WEBHOOK_SECRET,
+      razorpayKeySecret: process.env.RAZORPAY_KEY_SECRET, // optional: enables verify-payment endpoint
       createCustomerOnSignUp: true, // optional
       subscription: {
         enabled: true,
@@ -141,6 +142,7 @@ BETTER_AUTH_URL=https://yourdomain.com
 RAZORPAY_KEY_ID=rzp_test_xxxxxxxxxxxx
 RAZORPAY_KEY_SECRET=your_secret_key
 RAZORPAY_WEBHOOK_SECRET=your_webhook_secret
+# Pass RAZORPAY_KEY_SECRET as razorpayKeySecret in plugin options to enable the verify-payment endpoint (same as client key, not webhook secret).
 ```
 
 5. **Run Database Migration**
@@ -163,6 +165,7 @@ npx @better-auth/cli@latest generate
 interface RazorpayPluginOptions {
   razorpayClient: Razorpay         // Required: Initialized Razorpay instance (key_id, key_secret)
   razorpayWebhookSecret?: string  // Optional: Webhook secret for signature verification
+  razorpayKeySecret?: string      // Optional: API key secret for payment signature verification; when set, enables POST /razorpay/verify-payment (same secret as Razorpay client, not webhook secret)
   createCustomerOnSignUp?: boolean // Optional: Create Razorpay customer on user sign-up (default: false)
   onCustomerCreate?: (args) => Promise<void>
   getCustomerCreateParams?: (args) => Promise<{ params?: Record<string, unknown> }>
@@ -197,6 +200,7 @@ Example: using callbacks in your config:
 razorpayPlugin({
   razorpayClient,
   razorpayWebhookSecret: process.env.RAZORPAY_WEBHOOK_SECRET,
+  razorpayKeySecret: process.env.RAZORPAY_KEY_SECRET, // optional: enables verify-payment endpoint
   createCustomerOnSignUp: true,
   onCustomerCreate: async ({ user, razorpayCustomer }) => {
     console.log(`Razorpay customer created for user ${user.id}: ${razorpayCustomer.id}`)
@@ -429,7 +433,7 @@ if (response.success && response.data) {
 
 ### 4. Verify Payment
 
-Verify payment signature after Razorpay checkout completion.
+Verify payment signature after Razorpay checkout completion. This endpoint is **only registered when `razorpayKeySecret`** is set in plugin options. Use the same API key secret as your Razorpay client (not the webhook secret).
 
 **Endpoint:** `POST /api/auth/razorpay/verify-payment`
 
@@ -484,6 +488,7 @@ const handlePaymentSuccess = async (razorpayResponse: {
 - `SIGNATURE_VERIFICATION_FAILED` - Invalid payment signature
 - `UNAUTHORIZED` - User not authenticated
 - `SUBSCRIPTION_NOT_FOUND` - Subscription record not found
+- `FORBIDDEN` - Subscription does not belong to authenticated user
 
 ---
 

package/api/index.ts

@@ -3,4 +3,5 @@ export { createOrUpdateSubscription } from './create-or-update-subscription'
 export { getPlans } from './get-plans'
 export { listSubscriptions } from './list-subscriptions'
 export { restoreSubscription } from './restore-subscription'
+export { verifyPayment } from './verify-payment'
 export { webhook } from './webhook'

package/api/verify-payment.ts

@@ -0,0 +1,87 @@
+import { createHmac } from 'node:crypto'
+import { createAuthEndpoint, sessionMiddleware } from 'better-auth/api'
+import {
+  handleRazorpayError,
+  verifyPaymentSchema,
+  type SubscriptionRecord,
+} from '../lib'
+
+/**
+ * POST /api/auth/razorpay/verify-payment
+ * Verifies payment signature after Razorpay subscription checkout completion.
+ * Requires razorpayKeySecret to be set in plugin options.
+ */
+export const verifyPayment = (keySecret: string) =>
+  createAuthEndpoint(
+    '/razorpay/verify-payment',
+    { method: 'POST', use: [sessionMiddleware] },
+    async (ctx) => {
+      try {
+        const body = verifyPaymentSchema.parse(ctx.body)
+        const { razorpay_payment_id, razorpay_subscription_id, razorpay_signature } = body
+
+        const generatedSignature = createHmac('sha256', keySecret)
+          .update(`${razorpay_payment_id}|${razorpay_subscription_id}`)
+          .digest('hex')
+
+        if (generatedSignature !== razorpay_signature) {
+          return {
+            success: false,
+            error: {
+              code: 'SIGNATURE_VERIFICATION_FAILED',
+              description: 'Payment signature verification failed',
+            },
+          }
+        }
+
+        const userId = ctx.context.session?.user?.id
+        if (!userId) {
+          return {
+            success: false,
+            error: { code: 'UNAUTHORIZED', description: 'User not authenticated' },
+          }
+        }
+
+        const record = (await ctx.context.adapter.findOne({
+          model: 'subscription',
+          where: [{ field: 'razorpaySubscriptionId', value: razorpay_subscription_id }],
+        })) as SubscriptionRecord | null
+
+        if (!record) {
+          return {
+            success: false,
+            error: { code: 'SUBSCRIPTION_NOT_FOUND', description: 'Subscription not found' },
+          }
+        }
+
+        if (record.referenceId !== userId) {
+          return {
+            success: false,
+            error: { code: 'FORBIDDEN', description: 'Subscription does not belong to you' },
+          }
+        }
+
+        await ctx.context.adapter.update({
+          model: 'subscription',
+          where: [{ field: 'razorpaySubscriptionId', value: razorpay_subscription_id }],
+          update: {
+            data: {
+              status: 'pending',
+              updatedAt: new Date(),
+            },
+          },
+        })
+
+        return {
+          success: true,
+          data: {
+            message: 'Payment verified successfully',
+            payment_id: razorpay_payment_id,
+            subscription_id: razorpay_subscription_id,
+          },
+        }
+      } catch (error) {
+        return handleRazorpayError(error)
+      }
+    }
+  )

package/client/hooks.ts

@@ -17,11 +17,13 @@ import type {
   CancelSubscriptionInput,
   RestoreSubscriptionInput,
   ListSubscriptionsInput,
+  VerifyPaymentInput,
   GetPlansResponse,
   ListSubscriptionsResponse,
   CreateOrUpdateSubscriptionResponse,
   CancelSubscriptionResponse,
   RestoreSubscriptionResponse,
+  VerifyPaymentResponse,
   RazorpayApiError,
 } from './types'
 
@@ -103,6 +105,18 @@ async function restoreSubscription(
   return res.data
 }
 
+/** Verify payment (POST /razorpay/verify-payment). */
+async function verifyPayment(
+  client: RazorpayAuthClient,
+  input: VerifyPaymentInput
+): Promise<VerifyPaymentResponse['data']> {
+  const res = await client.api.post(`${BASE}/verify-payment`, {
+    body: input as unknown as Record<string, unknown>,
+  })
+  assertSuccess<VerifyPaymentResponse['data']>(res)
+  return res.data
+}
+
 export type UsePlansOptions = Omit<
   UseQueryOptions<PlanSummary[], Error, PlanSummary[], readonly string[]>,
   'queryKey' | 'queryFn'
@@ -219,11 +233,13 @@ export type {
   CancelSubscriptionInput,
   RestoreSubscriptionInput,
   ListSubscriptionsInput,
+  VerifyPaymentInput,
   GetPlansResponse,
   ListSubscriptionsResponse,
   CreateOrUpdateSubscriptionResponse,
   CancelSubscriptionResponse,
   RestoreSubscriptionResponse,
+  VerifyPaymentResponse,
   RazorpayApiError,
   RazorpayApiResult,
 } from './types'
@@ -246,3 +262,30 @@ export function useRestoreSubscription(
     },
   })
 }
+
+export type UseVerifyPaymentOptions = UseMutationOptions<
+  VerifyPaymentResponse['data'],
+  Error,
+  VerifyPaymentInput,
+  unknown
+>
+
+/**
+ * Verify payment signature after Razorpay checkout success.
+ * Call with the payload from the Razorpay success handler (razorpay_payment_id, razorpay_subscription_id, razorpay_signature).
+ * Invalidates subscriptions list on success.
+ */
+export function useVerifyPayment(
+  client: RazorpayAuthClient | null | undefined,
+  options?: UseVerifyPaymentOptions
+) {
+  const queryClient = useQueryClient()
+  return useMutation({
+    mutationFn: (input: VerifyPaymentInput) => verifyPayment(client!, input),
+    ...options,
+    onSuccess: (data, variables, onMutateResult, context) => {
+      queryClient.invalidateQueries({ queryKey: razorpayQueryKeys.subscriptions() })
+      options?.onSuccess?.(data, variables, onMutateResult, context)
+    },
+  })
+}

package/client/types.ts

@@ -106,3 +106,20 @@ export interface RestoreSubscriptionInput {
 export interface ListSubscriptionsInput {
   referenceId?: string
 }
+
+/** Input for verify-payment (Razorpay checkout success callback payload). */
+export interface VerifyPaymentInput {
+  razorpay_payment_id: string
+  razorpay_subscription_id: string
+  razorpay_signature: string
+}
+
+/** Response shape for verify-payment (success). */
+export interface VerifyPaymentResponse {
+  success: true
+  data: {
+    message: string
+    payment_id: string
+    subscription_id: string
+  }
+}

package/index.ts

@@ -5,6 +5,7 @@ import {
   getPlans,
   listSubscriptions,
   restoreSubscription,
+  verifyPayment,
   webhook,
 } from './api'
 import type { RazorpayPluginOptions, RazorpayUserRecord } from './lib'
@@ -21,6 +22,7 @@ import type { RazorpayPluginOptions, RazorpayUserRecord } from './lib'
  * @param options - Plugin configuration
  * @param options.razorpayClient - Initialized Razorpay instance (key_id, key_secret)
  * @param options.razorpayWebhookSecret - Webhook secret for signature verification
+ * @param options.razorpayKeySecret - API key secret for payment signature verification (optional; when set, enables POST /razorpay/verify-payment)
  * @param options.createCustomerOnSignUp - Create Razorpay customer when user signs up (default: false)
  * @param options.onCustomerCreate - Callback after customer is created
  * @param options.getCustomerCreateParams - Custom params when creating customer
@@ -31,6 +33,7 @@ export const razorpayPlugin = (options: RazorpayPluginOptions) => {
   const {
     razorpayClient,
     razorpayWebhookSecret,
+    razorpayKeySecret,
     createCustomerOnSignUp = false,
     onCustomerCreate,
     getCustomerCreateParams,
@@ -83,6 +86,9 @@ export const razorpayPlugin = (options: RazorpayPluginOptions) => {
       'subscription/restore': restoreSubscription(razorpay),
       'subscription/list': listSubscriptions({ subscription: subOpts }),
       'get-plans': getPlans({ subscription: subOpts }),
+      ...(razorpayKeySecret
+        ? { 'verify-payment': verifyPayment(razorpayKeySecret) }
+        : {}),
       webhook: webhook(razorpayWebhookSecret, options.onWebhookEvent ?? undefined, {
         subscription: subOpts,
         onEvent,

package/lib/types.ts

@@ -169,6 +169,8 @@ export interface RazorpayPluginOptions {
   razorpayClient: import('razorpay')
   /** Webhook secret for signature verification. */
   razorpayWebhookSecret?: string
+  /** API key secret for payment signature verification. When set, enables POST /razorpay/verify-payment (same secret as Razorpay client, not webhook secret). */
+  razorpayKeySecret?: string
   /** Create Razorpay customer when user signs up. Default: false. */
   createCustomerOnSignUp?: boolean
   /** Called after a Razorpay customer is created. */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@deiondz/better-auth-razorpay",
-  "version": "2.0.1",
+  "version": "2.0.2",
   "description": "Better Auth plugin for Razorpay subscriptions and payments",
   "type": "module",
   "main": "./index.ts",