@doccov/api 0.3.6 → 0.4.0

package/src/middleware/org-rate-limit.ts

@@ -0,0 +1,78 @@
+import { getPlanLimits, type Plan } from '@doccov/db';
+import type { Context, MiddlewareHandler, Next } from 'hono';
+import { db } from '../db/client';
+
+const usageStore = new Map<string, { count: number; resetAt: number }>();
+
+setInterval(() => {
+  const now = Date.now();
+  usageStore.forEach((entry, key) => {
+    if (now > entry.resetAt) usageStore.delete(key);
+  });
+}, 60_000).unref();
+
+/**
+ * Rate limit by org plan
+ * Requires apiKey middleware to run first
+ */
+export function orgRateLimit(): MiddlewareHandler {
+  return async (c: Context, next: Next) => {
+    const org = c.get('org');
+    if (!org) return c.json({ error: 'Auth required' }, 401);
+
+    const limits = getPlanLimits(org.plan as Plan);
+    const dailyLimit = limits.analysesPerDay;
+
+    // Unlimited for enterprise
+    if (dailyLimit === Infinity) {
+      await next();
+      return;
+    }
+
+    const key = `org:${org.id}`;
+    const now = Date.now();
+    const dayMs = 24 * 60 * 60 * 1000;
+
+    let entry = usageStore.get(key);
+    if (!entry || now > entry.resetAt) {
+      entry = { count: 0, resetAt: now + dayMs };
+      usageStore.set(key, entry);
+    }
+
+    if (entry.count >= dailyLimit) {
+      c.header('X-RateLimit-Limit', String(dailyLimit));
+      c.header('X-RateLimit-Remaining', '0');
+      c.header('X-RateLimit-Reset', String(Math.ceil(entry.resetAt / 1000)));
+
+      return c.json(
+        {
+          error: 'Daily analysis limit exceeded',
+          limit: dailyLimit,
+          plan: org.plan,
+          resetAt: new Date(entry.resetAt).toISOString(),
+          upgrade: org.plan === 'team' ? 'https://doccov.com/pricing' : undefined,
+        },
+        429,
+      );
+    }
+
+    entry.count++;
+
+    c.header('X-RateLimit-Limit', String(dailyLimit));
+    c.header('X-RateLimit-Remaining', String(dailyLimit - entry.count));
+    c.header('X-RateLimit-Reset', String(Math.ceil(entry.resetAt / 1000)));
+
+    // Track in DB (async, don't block)
+    db.insertInto('usage_records')
+      .values({
+        id: crypto.randomUUID(),
+        orgId: org.id,
+        feature: 'analysis',
+        count: 1,
+      })
+      .execute()
+      .catch(console.error);
+
+    await next();
+  };
+}

package/src/routes/api-keys.ts

@@ -0,0 +1,127 @@
+import { Hono } from 'hono';
+import { nanoid } from 'nanoid';
+import { auth } from '../auth/config';
+import { db } from '../db/client';
+import { generateApiKey } from '../utils/api-keys';
+
+export const apiKeysRoute = new Hono();
+
+// List keys for org
+apiKeysRoute.get('/', async (c) => {
+  const orgId = c.req.query('orgId');
+  if (!orgId) return c.json({ error: 'orgId required' }, 400);
+
+  const session = await auth.api.getSession({ headers: c.req.raw.headers });
+  if (!session) return c.json({ error: 'Unauthorized' }, 401);
+
+  const membership = await db
+    .selectFrom('org_members')
+    .where('orgId', '=', orgId)
+    .where('userId', '=', session.user.id)
+    .select('role')
+    .executeTakeFirst();
+
+  if (!membership) return c.json({ error: 'Not a member' }, 403);
+
+  const keys = await db
+    .selectFrom('api_keys')
+    .where('orgId', '=', orgId)
+    .select(['id', 'name', 'keyPrefix', 'lastUsedAt', 'expiresAt', 'createdAt'])
+    .orderBy('createdAt', 'desc')
+    .execute();
+
+  return c.json({ keys });
+});
+
+// Create key (paid only)
+apiKeysRoute.post('/', async (c) => {
+  const { orgId, name, expiresIn } = await c.req.json<{
+    orgId: string;
+    name: string;
+    expiresIn?: number;
+  }>();
+
+  if (!orgId || !name) return c.json({ error: 'orgId and name required' }, 400);
+
+  const session = await auth.api.getSession({ headers: c.req.raw.headers });
+  if (!session) return c.json({ error: 'Unauthorized' }, 401);
+
+  const membership = await db
+    .selectFrom('org_members')
+    .innerJoin('organizations', 'organizations.id', 'org_members.orgId')
+    .where('org_members.orgId', '=', orgId)
+    .where('org_members.userId', '=', session.user.id)
+    .where('org_members.role', 'in', ['owner', 'admin'])
+    .select(['org_members.role', 'organizations.plan'])
+    .executeTakeFirst();
+
+  if (!membership) return c.json({ error: 'Admin access required' }, 403);
+
+  if (membership.plan === 'free') {
+    return c.json(
+      {
+        error: 'API keys require a paid plan',
+        upgrade: 'https://doccov.com/pricing',
+      },
+      403,
+    );
+  }
+
+  const { key, hash, prefix } = generateApiKey();
+  const id = nanoid(21);
+  const expiresAt = expiresIn ? new Date(Date.now() + expiresIn * 24 * 60 * 60 * 1000) : null;
+
+  await db
+    .insertInto('api_keys')
+    .values({
+      id,
+      orgId,
+      name,
+      keyHash: hash,
+      keyPrefix: prefix,
+      expiresAt,
+    })
+    .execute();
+
+  return c.json(
+    {
+      id,
+      key, // Shown once!
+      name,
+      prefix,
+      expiresAt,
+      message: 'Save this key now. It cannot be retrieved again.',
+    },
+    201,
+  );
+});
+
+// Revoke key
+apiKeysRoute.delete('/:keyId', async (c) => {
+  const keyId = c.req.param('keyId');
+
+  const session = await auth.api.getSession({ headers: c.req.raw.headers });
+  if (!session) return c.json({ error: 'Unauthorized' }, 401);
+
+  const key = await db
+    .selectFrom('api_keys')
+    .where('id', '=', keyId)
+    .select(['id', 'orgId'])
+    .executeTakeFirst();
+
+  if (!key) return c.json({ error: 'Key not found' }, 404);
+
+  const membership = await db
+    .selectFrom('org_members')
+    .where('orgId', '=', key.orgId)
+    .where('userId', '=', session.user.id)
+    .where('role', 'in', ['owner', 'admin'])
+    .select('role')
+    .executeTakeFirst();
+
+  if (!membership) return c.json({ error: 'Admin access required' }, 403);
+
+  await db.deleteFrom('api_keys').where('id', '=', keyId).execute();
+
+  return c.json({ deleted: true });
+});

package/src/routes/auth.ts

@@ -0,0 +1,62 @@
+import { Hono } from 'hono';
+import { auth } from '../auth/config';
+import { createPersonalOrg } from '../auth/hooks';
+import { db } from '../db/client';
+
+export const authRoute = new Hono();
+
+// Custom routes BEFORE better-auth catch-all
+
+// Get current session with orgs
+authRoute.get('/session', async (c) => {
+  const session = await auth.api.getSession({ headers: c.req.raw.headers });
+
+  if (!session) {
+    return c.json({ user: null, session: null, organizations: [] });
+  }
+
+  // Get user's orgs
+  const memberships = await db
+    .selectFrom('org_members')
+    .innerJoin('organizations', 'organizations.id', 'org_members.orgId')
+    .where('org_members.userId', '=', session.user.id)
+    .select([
+      'organizations.id',
+      'organizations.name',
+      'organizations.slug',
+      'organizations.plan',
+      'organizations.isPersonal',
+      'org_members.role',
+    ])
+    .execute();
+
+  return c.json({
+    user: session.user,
+    session: session.session,
+    organizations: memberships,
+  });
+});
+
+// Webhook for post-signup actions
+authRoute.post('/webhook/user-created', async (c) => {
+  const { userId, email, name } = await c.req.json();
+
+  // Check if user already has an org
+  const existingMembership = await db
+    .selectFrom('org_members')
+    .where('userId', '=', userId)
+    .select('id')
+    .executeTakeFirst();
+
+  if (!existingMembership) {
+    await createPersonalOrg(userId, name, email);
+  }
+
+  return c.json({ ok: true });
+});
+
+// Better Auth handles all other routes
+authRoute.on(['GET', 'POST'], '/*', async (c) => {
+  const response = await auth.handler(c.req.raw);
+  return response;
+});

package/src/routes/billing.ts

@@ -0,0 +1,202 @@
+import { CustomerPortal, Webhooks } from '@polar-sh/hono';
+import { Hono } from 'hono';
+import { auth } from '../auth/config';
+import { db } from '../db/client';
+
+export const billingRoute = new Hono();
+
+const POLAR_ACCESS_TOKEN = process.env.POLAR_ACCESS_TOKEN!;
+const POLAR_WEBHOOK_SECRET = process.env.POLAR_WEBHOOK_SECRET!;
+const SITE_URL = process.env.SITE_URL || 'http://localhost:3000';
+const API_URL = process.env.API_URL || 'http://localhost:3001';
+
+const PRODUCTS = {
+  team: process.env.POLAR_PRODUCT_TEAM!,
+  pro: process.env.POLAR_PRODUCT_PRO!,
+};
+
+const POLAR_API =
+  process.env.NODE_ENV === 'production' ? 'https://api.polar.sh' : 'https://sandbox-api.polar.sh';
+
+// ============ Checkout ============
+billingRoute.get('/checkout', async (c) => {
+  const plan = c.req.query('plan') as 'team' | 'pro';
+  const orgId = c.req.query('orgId');
+
+  if (!plan || !PRODUCTS[plan]) {
+    return c.json({ error: 'Invalid plan' }, 400);
+  }
+  if (!orgId) {
+    return c.json({ error: 'orgId required' }, 400);
+  }
+
+  const session = await auth.api.getSession({ headers: c.req.raw.headers });
+  if (!session) {
+    return c.redirect(`${SITE_URL}/login?callbackUrl=/pricing`);
+  }
+
+  // Verify user is owner/admin of org
+  const membership = await db
+    .selectFrom('org_members')
+    .where('orgId', '=', orgId)
+    .where('userId', '=', session.user.id)
+    .where('role', 'in', ['owner', 'admin'])
+    .select('id')
+    .executeTakeFirst();
+
+  if (!membership) {
+    return c.json({ error: 'Not authorized' }, 403);
+  }
+
+  // Create Polar checkout session via API
+  const res = await fetch(`${POLAR_API}/v1/checkouts/`, {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${POLAR_ACCESS_TOKEN}`,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      products: [PRODUCTS[plan]],
+      success_url: `${SITE_URL}/dashboard?upgraded=true`,
+      metadata: { orgId, plan },
+      customer_email: session.user.email,
+    }),
+  });
+
+  if (!res.ok) {
+    const error = await res.text();
+    console.error('Polar checkout error:', error);
+    return c.json({ error: 'Failed to create checkout session' }, 500);
+  }
+
+  const checkout = await res.json();
+  return c.redirect(checkout.url);
+});
+
+// ============ Customer Portal ============
+billingRoute.get('/portal', async (c) => {
+  const orgId = c.req.query('orgId');
+  if (!orgId) return c.json({ error: 'orgId required' }, 400);
+
+  const session = await auth.api.getSession({ headers: c.req.raw.headers });
+  if (!session) return c.redirect(`${SITE_URL}/login`);
+
+  const org = await db
+    .selectFrom('organizations')
+    .innerJoin('org_members', 'org_members.orgId', 'organizations.id')
+    .where('organizations.id', '=', orgId)
+    .where('org_members.userId', '=', session.user.id)
+    .where('org_members.role', 'in', ['owner', 'admin'])
+    .select(['organizations.polarCustomerId'])
+    .executeTakeFirst();
+
+  if (!org?.polarCustomerId) {
+    return c.json({ error: 'No billing account found' }, 404);
+  }
+
+  const portalHandler = CustomerPortal({
+    accessToken: POLAR_ACCESS_TOKEN,
+    getCustomerId: async () => org.polarCustomerId!,
+    server: process.env.NODE_ENV === 'production' ? 'production' : 'sandbox',
+  });
+
+  return portalHandler(c);
+});
+
+// ============ Webhooks ============
+billingRoute.post(
+  '/webhook',
+  Webhooks({
+    webhookSecret: POLAR_WEBHOOK_SECRET,
+
+    onSubscriptionActive: async (payload) => {
+      const subscription = payload.data;
+      const metadata = subscription.metadata as { orgId?: string; plan?: string };
+
+      if (!metadata?.orgId || !metadata?.plan) {
+        console.error('Missing metadata:', subscription.id);
+        return;
+      }
+
+      await db
+        .updateTable('organizations')
+        .set({
+          plan: metadata.plan as 'team' | 'pro',
+          polarCustomerId: subscription.customerId,
+          polarSubscriptionId: subscription.id,
+        })
+        .where('id', '=', metadata.orgId)
+        .execute();
+
+      console.log(`Org ${metadata.orgId} upgraded to ${metadata.plan}`);
+    },
+
+    onSubscriptionCanceled: async (payload) => {
+      const subscription = payload.data;
+
+      const org = await db
+        .selectFrom('organizations')
+        .where('polarSubscriptionId', '=', subscription.id)
+        .select('id')
+        .executeTakeFirst();
+
+      if (org) {
+        await db
+          .updateTable('organizations')
+          .set({ plan: 'free' })
+          .where('id', '=', org.id)
+          .execute();
+      }
+    },
+
+    onSubscriptionRevoked: async (payload) => {
+      const subscription = payload.data;
+
+      const org = await db
+        .selectFrom('organizations')
+        .where('polarSubscriptionId', '=', subscription.id)
+        .select('id')
+        .executeTakeFirst();
+
+      if (org) {
+        await db
+          .updateTable('organizations')
+          .set({ plan: 'free', polarSubscriptionId: null })
+          .where('id', '=', org.id)
+          .execute();
+      }
+    },
+  }),
+);
+
+// ============ Status ============
+billingRoute.get('/status', async (c) => {
+  const orgId = c.req.query('orgId');
+  if (!orgId) return c.json({ error: 'orgId required' }, 400);
+
+  const session = await auth.api.getSession({ headers: c.req.raw.headers });
+  if (!session) return c.json({ error: 'Unauthorized' }, 401);
+
+  const org = await db
+    .selectFrom('organizations')
+    .innerJoin('org_members', 'org_members.orgId', 'organizations.id')
+    .where('organizations.id', '=', orgId)
+    .where('org_members.userId', '=', session.user.id)
+    .select([
+      'organizations.plan',
+      'organizations.polarCustomerId',
+      'organizations.polarSubscriptionId',
+      'organizations.aiCallsUsed',
+      'organizations.aiCallsResetAt',
+    ])
+    .executeTakeFirst();
+
+  if (!org) return c.json({ error: 'Organization not found' }, 404);
+
+  return c.json({
+    plan: org.plan,
+    hasSubscription: !!org.polarSubscriptionId,
+    usage: { aiCalls: org.aiCallsUsed, resetAt: org.aiCallsResetAt },
+    portalUrl: org.polarCustomerId ? `${API_URL}/billing/portal?orgId=${orgId}` : null,
+  });
+});