@mars-stack/cli 3.0.1 → 4.0.0

package/template/src/app/(protected)/settings/billing/page.tsx

@@ -0,0 +1,262 @@
+'use client';
+
+import { Suspense, useEffect, useState, useCallback } from 'react';
+import { useSearchParams } from 'next/navigation';
+import { Card, Badge, Button, LinkButton, Spinner } from '@mars-stack/ui';
+import { appConfig } from '@/config/app.config';
+import { routes } from '@/config/routes';
+import type { SubscriptionRecord } from '@/features/billing/types';
+import { SUBSCRIPTION_STATUS } from '@/features/billing/types';
+
+type BadgeVariant = 'success' | 'warning' | 'error' | 'neutral' | 'info';
+
+function getStatusBadge(status: string): { label: string; variant: BadgeVariant } {
+  switch (status) {
+    case SUBSCRIPTION_STATUS.active:
+      return { label: 'Active', variant: 'success' };
+    case SUBSCRIPTION_STATUS.trialing:
+      return { label: 'Trial', variant: 'info' };
+    case SUBSCRIPTION_STATUS.pastDue:
+      return { label: 'Past due', variant: 'warning' };
+    case SUBSCRIPTION_STATUS.canceled:
+      return { label: 'Cancelled', variant: 'error' };
+    case SUBSCRIPTION_STATUS.unpaid:
+      return { label: 'Unpaid', variant: 'error' };
+    case SUBSCRIPTION_STATUS.paused:
+      return { label: 'Paused', variant: 'neutral' };
+    case SUBSCRIPTION_STATUS.inactive:
+      return { label: 'Inactive', variant: 'neutral' };
+    default:
+      return { label: status, variant: 'neutral' };
+  }
+}
+
+function formatDate(date: Date | string | null): string {
+  if (!date) return 'N/A';
+  return new Date(date).toLocaleDateString(undefined, {
+    year: 'numeric',
+    month: 'long',
+    day: 'numeric',
+  });
+}
+
+function SubscriptionDetails({ subscription }: { subscription: SubscriptionRecord }) {
+  const statusBadge = getStatusBadge(subscription.status);
+  const isActive = subscription.status === SUBSCRIPTION_STATUS.active
+    || subscription.status === SUBSCRIPTION_STATUS.trialing;
+
+  return (
+    <Card>
+      <div className="flex items-start justify-between gap-4">
+        <div>
+          <h3 className="text-lg font-semibold text-text-primary">Current Plan</h3>
+          <p className="mt-1 text-sm text-text-secondary">
+            {subscription.stripePriceId
+              ? `Price: ${subscription.stripePriceId}`
+              : 'No active price'}
+          </p>
+        </div>
+        <Badge variant={statusBadge.variant}>{statusBadge.label}</Badge>
+      </div>
+
+      <dl className="mt-6 grid gap-4 sm:grid-cols-2">
+        <div>
+          <dt className="text-xs font-medium uppercase tracking-wider text-text-muted">Status</dt>
+          <dd className="mt-1 text-sm text-text-primary">{statusBadge.label}</dd>
+        </div>
+        <div>
+          <dt className="text-xs font-medium uppercase tracking-wider text-text-muted">
+            {subscription.cancelAtPeriodEnd ? 'Cancels on' : 'Renews on'}
+          </dt>
+          <dd className="mt-1 text-sm text-text-primary">
+            {formatDate(subscription.currentPeriodEnd)}
+          </dd>
+        </div>
+      </dl>
+
+      {subscription.cancelAtPeriodEnd && isActive && (
+        <div className="mt-4 rounded-lg border border-border-default bg-warning-muted p-3">
+          <p className="text-sm text-text-warning">
+            Your subscription will be cancelled at the end of the current period on{' '}
+            {formatDate(subscription.currentPeriodEnd)}.
+          </p>
+        </div>
+      )}
+    </Card>
+  );
+}
+
+function NoSubscription() {
+  return (
+    <Card>
+      <div className="py-4 text-center">
+        <svg
+          className="mx-auto h-12 w-12 text-text-muted"
+          fill="none"
+          viewBox="0 0 24 24"
+          strokeWidth={1}
+          stroke="currentColor"
+        >
+          <path
+            strokeLinecap="round"
+            strokeLinejoin="round"
+            d="M2.25 8.25h19.5M2.25 9h19.5m-16.5 5.25h6m-6 2.25h3m-3.75 3h15a2.25 2.25 0 002.25-2.25V6.75A2.25 2.25 0 0019.5 4.5h-15a2.25 2.25 0 00-2.25 2.25v10.5A2.25 2.25 0 004.5 19.5z"
+          />
+        </svg>
+        <h3 className="mt-3 text-lg font-semibold text-text-primary">No active subscription</h3>
+        <p className="mt-1 text-sm text-text-secondary">
+          Choose a plan to unlock premium features.
+        </p>
+        <div className="mt-4">
+          <LinkButton href={routes.pricing} variant="primary" size="md">
+            View plans
+          </LinkButton>
+        </div>
+      </div>
+    </Card>
+  );
+}
+
+function StripeNotConfigured() {
+  return (
+    <Card>
+      <div className="py-4 text-center">
+        <h3 className="text-lg font-semibold text-text-primary">Billing not configured</h3>
+        <p className="mt-1 text-sm text-text-secondary">
+          The payments provider is not set up. Configure Stripe in your environment to enable
+          billing.
+        </p>
+      </div>
+    </Card>
+  );
+}
+
+function BillingSettingsContent() {
+  const searchParams = useSearchParams();
+  const [subscription, setSubscription] = useState<SubscriptionRecord | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [portalLoading, setPortalLoading] = useState(false);
+  const [successMessage, setSuccessMessage] = useState<string | null>(null);
+
+  const hasStripe = (appConfig.services.payments.provider as string) === 'stripe';
+
+  const billingStatus = searchParams.get('billing');
+
+  useEffect(() => {
+    if (billingStatus === 'success') {
+      setSuccessMessage('Payment successful! Your subscription is now active.');
+    } else if (billingStatus === 'cancelled') {
+      setSuccessMessage('Checkout was cancelled. No charges were made.');
+    }
+  }, [billingStatus]);
+
+  const fetchSubscription = useCallback(async () => {
+    try {
+      const response = await fetch('/api/protected/billing/subscription', {
+        credentials: 'include',
+      });
+
+      if (response.ok) {
+        const data = (await response.json()) as { subscription: SubscriptionRecord | null };
+        setSubscription(data.subscription);
+      }
+    } catch (error) {
+      console.error('Failed to fetch subscription:', error);
+    } finally {
+      setLoading(false);
+    }
+  }, []);
+
+  useEffect(() => {
+    if (hasStripe) {
+      fetchSubscription();
+    } else {
+      setLoading(false);
+    }
+  }, [hasStripe, fetchSubscription]);
+
+  const handleManageBilling = async () => {
+    setPortalLoading(true);
+
+    try {
+      const response = await fetch('/api/protected/billing/portal', {
+        method: 'POST',
+        credentials: 'include',
+      });
+
+      if (!response.ok) {
+        const data: { error?: string } = await response.json();
+        throw new Error(data.error ?? 'Failed to create portal session');
+      }
+
+      const { url } = (await response.json()) as { url: string };
+      window.location.href = url;
+    } catch (error) {
+      console.error('Portal error:', error);
+      setPortalLoading(false);
+    }
+  };
+
+  return (
+    <div className="space-y-6">
+      <div>
+        <h1 className="text-2xl font-bold text-text-primary">Billing</h1>
+        <p className="mt-1 text-text-secondary">Manage your subscription and billing details.</p>
+      </div>
+
+      {successMessage && (
+        <div className="rounded-lg border border-border-default bg-success-muted p-4">
+          <p className="text-sm text-text-success">{successMessage}</p>
+        </div>
+      )}
+
+      {!hasStripe ? (
+        <StripeNotConfigured />
+      ) : loading ? (
+        <Card>
+          <div className="flex items-center justify-center py-8">
+            <Spinner size="lg" />
+          </div>
+        </Card>
+      ) : subscription && subscription.status !== SUBSCRIPTION_STATUS.inactive ? (
+        <>
+          <SubscriptionDetails subscription={subscription} />
+          <Card>
+            <h3 className="text-sm font-semibold text-text-primary">Manage Subscription</h3>
+            <p className="mt-1 text-sm text-text-secondary">
+              Update payment method, change plan, or cancel via the Stripe Customer Portal.
+            </p>
+            <div className="mt-4">
+              <Button
+                variant="secondary"
+                size="md"
+                onClick={handleManageBilling}
+                disabled={portalLoading}
+              >
+                {portalLoading ? 'Opening portal...' : 'Manage billing'}
+              </Button>
+            </div>
+          </Card>
+        </>
+      ) : (
+        <NoSubscription />
+      )}
+    </div>
+  );
+}
+
+export default function BillingSettingsPage() {
+  return (
+    <Suspense
+      fallback={
+        <Card>
+          <div className="flex items-center justify-center py-8">
+            <Spinner size="lg" />
+          </div>
+        </Card>
+      }
+    >
+      <BillingSettingsContent />
+    </Suspense>
+  );
+}

package/template/src/app/api/auth/signup/route.test.ts

@@ -0,0 +1,118 @@
+// @vitest-environment node
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+
+vi.mock('server-only', () => ({}));
+vi.mock('@/lib/prisma', () => ({ prisma: {} }));
+vi.mock('@/lib/mars', () => ({
+  sendEmail: vi.fn(),
+  handleApiError: vi.fn(),
+  getBaseUrl: vi.fn(),
+  authLogger: { info: vi.fn(), warn: vi.fn(), error: vi.fn() },
+}));
+vi.mock('@mars-stack/core/rate-limit', () => ({
+  checkRateLimit: vi.fn(),
+  getClientIP: vi.fn(),
+  RATE_LIMITS: { signup: {} },
+  rateLimitResponse: vi.fn(),
+}));
+vi.mock('@mars-stack/core/auth/password', () => ({ hashPassword: vi.fn() }));
+vi.mock('@mars-stack/core/auth/crypto-utils', () => ({ hashToken: vi.fn() }));
+vi.mock('@/features/auth/server/user', () => ({ findUserByEmailPublic: vi.fn() }));
+vi.mock('@mars-stack/core/auth/link-utils', () => ({ buildEmailVerificationUrl: vi.fn() }));
+vi.mock('@mars-stack/core/auth/validation', () => ({ apiSchemas: { signup: { parse: vi.fn() } } }));
+vi.mock('@/lib/core/email/templates', () => ({ verificationEmailHtml: vi.fn() }));
+vi.mock('@/config/app.config', () => ({ appConfig: { name: 'TestApp', services: { email: { provider: 'console' } } } }));
+
+import { shouldAutoVerifySignupEmail } from './route';
+import { authLogger } from '@/lib/mars';
+
+describe('shouldAutoVerifySignupEmail', () => {
+  const originalEnv = process.env;
+
+  beforeEach(() => {
+    process.env = { ...originalEnv };
+    vi.clearAllMocks();
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  it('returns false when AUTO_VERIFY_EMAIL is not set', () => {
+    delete process.env.AUTO_VERIFY_EMAIL;
+    expect(shouldAutoVerifySignupEmail()).toBe(false);
+  });
+
+  it('returns false when AUTO_VERIFY_EMAIL is an unrecognised value', () => {
+    process.env.AUTO_VERIFY_EMAIL = 'yes';
+    expect(shouldAutoVerifySignupEmail()).toBe(false);
+  });
+
+  it('returns false when AUTO_VERIFY_EMAIL=true but VERCEL_ENV=production', () => {
+    process.env.AUTO_VERIFY_EMAIL = 'true';
+    process.env.VERCEL_ENV = 'production';
+    delete process.env.NODE_ENV;
+    expect(shouldAutoVerifySignupEmail()).toBe(false);
+  });
+
+  it('returns true when AUTO_VERIFY_EMAIL=true and NODE_ENV=development', () => {
+    process.env.AUTO_VERIFY_EMAIL = 'true';
+    delete process.env.VERCEL_ENV;
+    process.env.NODE_ENV = 'development';
+    expect(shouldAutoVerifySignupEmail()).toBe(true);
+  });
+
+  it('returns true when AUTO_VERIFY_EMAIL=1 and NODE_ENV=development', () => {
+    process.env.AUTO_VERIFY_EMAIL = '1';
+    delete process.env.VERCEL_ENV;
+    process.env.NODE_ENV = 'development';
+    expect(shouldAutoVerifySignupEmail()).toBe(true);
+  });
+
+  it('returns true when APP_URL points to localhost', () => {
+    process.env.AUTO_VERIFY_EMAIL = 'true';
+    delete process.env.VERCEL_ENV;
+    process.env.NODE_ENV = 'test';
+    process.env.APP_URL = 'http://localhost:3000';
+    delete process.env.NEXT_PUBLIC_APP_URL;
+    expect(shouldAutoVerifySignupEmail()).toBe(true);
+  });
+
+  it('returns true when NEXT_PUBLIC_APP_URL points to 127.0.0.1', () => {
+    process.env.AUTO_VERIFY_EMAIL = 'true';
+    delete process.env.VERCEL_ENV;
+    process.env.NODE_ENV = 'test';
+    delete process.env.APP_URL;
+    process.env.NEXT_PUBLIC_APP_URL = 'http://127.0.0.1:3000';
+    expect(shouldAutoVerifySignupEmail()).toBe(true);
+  });
+
+  it('returns false and logs a warning when APP_URL is not localhost', () => {
+    process.env.AUTO_VERIFY_EMAIL = 'true';
+    delete process.env.VERCEL_ENV;
+    process.env.NODE_ENV = 'test';
+    process.env.APP_URL = 'https://example.com';
+    delete process.env.NEXT_PUBLIC_APP_URL;
+    expect(shouldAutoVerifySignupEmail()).toBe(false);
+    expect(authLogger.warn).toHaveBeenCalledOnce();
+  });
+
+  it('returns false and logs a warning when no APP_URL env vars are set', () => {
+    process.env.AUTO_VERIFY_EMAIL = 'true';
+    delete process.env.VERCEL_ENV;
+    process.env.NODE_ENV = 'test';
+    delete process.env.APP_URL;
+    delete process.env.NEXT_PUBLIC_APP_URL;
+    expect(shouldAutoVerifySignupEmail()).toBe(false);
+    expect(authLogger.warn).toHaveBeenCalledOnce();
+  });
+
+  it('skips invalid URL values gracefully and continues checking other keys', () => {
+    process.env.AUTO_VERIFY_EMAIL = 'true';
+    delete process.env.VERCEL_ENV;
+    process.env.NODE_ENV = 'test';
+    process.env.APP_URL = 'not-a-valid-url';
+    process.env.NEXT_PUBLIC_APP_URL = 'http://localhost:3000';
+    expect(shouldAutoVerifySignupEmail()).toBe(true);
+  });
+});

package/template/src/app/api/auth/signup/route.ts

@@ -1,7 +1,7 @@
 import 'server-only';
 
 import { prisma } from '@/lib/prisma';
-import { sendEmail, handleApiError, getBaseUrl } from '@/lib/mars';
+import { sendEmail, handleApiError, getBaseUrl, authLogger } from '@/lib/mars';
 import { checkRateLimit, getClientIP, RATE_LIMITS, rateLimitResponse } from '@mars-stack/core/rate-limit';
 import { hashPassword } from '@mars-stack/core/auth/password';
 import { hashToken } from '@mars-stack/core/auth/crypto-utils';
@@ -13,6 +13,32 @@ import { appConfig } from '@/config/app.config';
 import { randomBytes } from 'crypto';
 import { NextResponse } from 'next/server';
 
+/**
+ * When AUTO_VERIFY_EMAIL is true, new users skip the verification email flow.
+ * Active only in safe contexts: Next dev server, or local next start (APP_URL → localhost).
+ * Ignored on Vercel production even if the flag is mistakenly set.
+ */
+export function shouldAutoVerifySignupEmail(): boolean {
+  const raw = (process.env.AUTO_VERIFY_EMAIL ?? '').trim().toLowerCase();
+  if (raw !== 'true' && raw !== '1') return false;
+  if (process.env.VERCEL_ENV === 'production') return false;
+  if (process.env.NODE_ENV === 'development') return true;
+  for (const key of ['APP_URL', 'NEXT_PUBLIC_APP_URL'] as const) {
+    const base = process.env[key];
+    if (!base) continue;
+    try {
+      const host = new URL(base).hostname.toLowerCase();
+      if (host === 'localhost' || host === '127.0.0.1') return true;
+    } catch {
+      /* invalid URL */
+    }
+  }
+  authLogger.warn(
+    '[mars:auth] AUTO_VERIFY_EMAIL is set but not applied: run `yarn dev`, or set APP_URL=http://localhost:PORT (needed for `next start`).',
+  );
+  return false;
+}
+
 export async function POST(request: Request) {
   const ip = getClientIP(request);
   const rateLimit = await checkRateLimit(ip, RATE_LIMITS.signup);
@@ -34,9 +60,7 @@ export async function POST(request: Request) {
     const tokenHash = await hashToken(token, 'email-verification-v1');
     const expires = new Date(Date.now() + 24 * 60 * 60 * 1000);
 
-    const autoVerify =
-      process.env.NODE_ENV === 'development' &&
-      process.env.AUTO_VERIFY_EMAIL === 'true';
+    const autoVerify = shouldAutoVerifySignupEmail();
 
     await prisma.$transaction(async (tx) => {
       await tx.user.create({
@@ -60,7 +84,7 @@ export async function POST(request: Request) {
     });
 
     if (autoVerify) {
-      console.log(`[mars:auth] AUTO_VERIFY_EMAIL is enabled — ${email} verified immediately`);
+      authLogger.info({ email }, 'AUTO_VERIFY_EMAIL: signup marked verified immediately');
     } else {
       const baseUrl = getBaseUrl();
       const verifyUrl = buildEmailVerificationUrl({ baseUrl, token });

package/template/src/app/api/protected/billing/checkout/route.ts

@@ -71,8 +71,8 @@ export const POST = withAuthNoParams(async (request: AuthenticatedRequest) => {
     const { url } = await payments.createCheckoutSession({
       customerId: stripeCustomerId as string,
       priceId,
-      successUrl: `${baseUrl}/settings?billing=success`,
-      cancelUrl: `${baseUrl}/settings?billing=cancelled`,
+      successUrl: `${baseUrl}/settings/billing?billing=success`,
+      cancelUrl: `${baseUrl}/settings/billing?billing=cancelled`,
       metadata: { userId },
     });
 

package/template/src/app/api/protected/billing/portal/route.ts

@@ -29,7 +29,7 @@ export const POST = withAuthNoParams(async (request: AuthenticatedRequest) => {
 
     const { url } = await payments.createPortalSession({
       customerId: subscription.stripeCustomerId,
-      returnUrl: `${baseUrl}/settings`,
+      returnUrl: `${baseUrl}/settings/billing`,
     });
 
     return NextResponse.json({ url });

package/template/src/app/api/protected/billing/subscription/route.ts

@@ -0,0 +1,13 @@
+import { withAuthNoParams, handleApiError } from '@/lib/mars';
+import { findSubscriptionByUserId } from '@/features/billing/server';
+import type { AuthenticatedRequest } from '@mars-stack/core/auth/middleware';
+import { NextResponse } from 'next/server';
+
+export const GET = withAuthNoParams(async (request: AuthenticatedRequest) => {
+  try {
+    const subscription = await findSubscriptionByUserId(request.session.userId);
+    return NextResponse.json({ subscription });
+  } catch (error) {
+    return handleApiError(error, { endpoint: '/api/protected/billing/subscription' });
+  }
+});

package/template/src/app/api/protected/files/list/route.ts

@@ -0,0 +1,22 @@
+import { withAuthNoParams, handleApiError } from '@/lib/mars';
+import { listUserFiles } from '@/features/uploads/server';
+import type { AuthenticatedRequest } from '@mars-stack/core/auth/middleware';
+import { NextResponse } from 'next/server';
+
+export const GET = withAuthNoParams(async (request: AuthenticatedRequest) => {
+  try {
+    const { searchParams } = new URL(request.url);
+    const limit = Math.min(parseInt(searchParams.get('limit') ?? '50', 10), 100);
+    const offset = parseInt(searchParams.get('offset') ?? '0', 10);
+
+    const files = await listUserFiles({
+      userId: request.session.userId,
+      limit,
+      offset,
+    });
+
+    return NextResponse.json({ files });
+  } catch (error) {
+    return handleApiError(error, { endpoint: '/api/protected/files/list' });
+  }
+});