@stripe-sdk/core 1.0.0 → 1.0.2

package/dist/next/index.js

@@ -59,6 +59,9 @@ function createWebhookHandler(config) {
 function createNextWebhookHandler(config) {
   const handler = createWebhookHandler(config);
   return async function POST(request) {
+    if (request.method !== "POST") {
+      return new Response(null, { status: 405 });
+    }
     try {
       const contentLength = request.headers.get("content-length");
       if (contentLength && parseInt(contentLength, 10) > MAX_BODY_SIZE) {
@@ -68,6 +71,12 @@ function createNextWebhookHandler(config) {
         });
       }
       const body = await request.text();
+      if (body.length > MAX_BODY_SIZE) {
+        return new Response(JSON.stringify({ error: "Webhook body too large" }), {
+          status: 413,
+          headers: { "Content-Type": "application/json" }
+        });
+      }
       const signature = request.headers.get("stripe-signature");
       if (!signature) {
         return new Response(JSON.stringify({ error: "Missing stripe-signature header" }), {
@@ -81,8 +90,8 @@ function createNextWebhookHandler(config) {
         headers: { "Content-Type": "application/json" }
       });
     } catch (error) {
-      const message = error instanceof Error ? error.message : "Webhook handler failed";
-      return new Response(JSON.stringify({ error: message }), {
+      console.error("[@stripe-sdk/core] Webhook error:", error instanceof Error ? error.message : "Unknown error");
+      return new Response(JSON.stringify({ error: "Webhook processing failed" }), {
         status: 400,
         headers: { "Content-Type": "application/json" }
       });
@@ -106,8 +115,8 @@ function createPagesWebhookHandler(webhookConfig) {
       const result = await handler(body, signature);
       res.status(200).json(result);
     } catch (error) {
-      const message = error instanceof Error ? error.message : "Webhook handler failed";
-      res.status(400).json({ error: message });
+      console.error("[@stripe-sdk/core] Webhook error:", error instanceof Error ? error.message : "Unknown error");
+      res.status(400).json({ error: "Webhook processing failed" });
     }
   };
 }
@@ -135,28 +144,42 @@ function getRawBody(req) {
     }
     const chunks = [];
     let totalLength = 0;
+    let rejected = false;
     req.on("data", (chunk) => {
+      if (rejected) return;
       const buf = Buffer.from(chunk);
       totalLength += buf.length;
       if (totalLength > MAX_BODY_SIZE) {
+        rejected = true;
         reject(new Error("Webhook body too large"));
         return;
       }
       chunks.push(buf);
     });
-    req.on("end", () => resolve(Buffer.concat(chunks).toString("utf8")));
+    req.on("end", () => {
+      if (!rejected) resolve(Buffer.concat(chunks).toString("utf8"));
+    });
     req.on("error", reject);
   });
 }
 
 // src/utils/errors.ts
+var SAFE_ERROR_MESSAGES = {
+  card_declined: "Your card was declined.",
+  expired_card: "Your card has expired.",
+  incorrect_cvc: "Incorrect security code.",
+  processing_error: "An error occurred while processing your card.",
+  incorrect_number: "The card number is incorrect.",
+  insufficient_funds: "Insufficient funds."
+};
 function handleStripeError(error) {
   if (error?.type) {
     const stripeError = error;
+    const safeMessage = stripeError.code && SAFE_ERROR_MESSAGES[stripeError.code] || getSafeMessage(stripeError.type);
     return {
       data: null,
       error: {
-        message: stripeError.message,
+        message: safeMessage,
         type: stripeError.type,
         code: stripeError.code,
         statusCode: stripeError.statusCode
@@ -166,72 +189,196 @@ function handleStripeError(error) {
   return {
     data: null,
     error: {
-      message: error instanceof Error ? error.message : "An unknown error occurred",
+      message: "An unexpected error occurred",
       type: "sdk_error"
     }
   };
 }
+function getSafeMessage(type) {
+  switch (type) {
+    case "card_error":
+      return "A card error occurred.";
+    case "invalid_request_error":
+      return "Invalid request. Please check your input.";
+    case "authentication_error":
+      return "Authentication failed.";
+    case "rate_limit_error":
+      return "Too many requests. Please try again later.";
+    case "api_error":
+      return "A payment processing error occurred. Please try again.";
+    default:
+      return "An unexpected error occurred.";
+  }
+}
 function success(data) {
   return { data, error: null };
 }
 
+// src/utils/validators.ts
+var STRIPE_ID_PREFIXES = {
+  customer: "cus_",
+  paymentIntent: "pi_",
+  paymentMethod: "pm_",
+  subscription: "sub_",
+  invoice: "in_",
+  invoiceItem: "ii_",
+  product: "prod_",
+  price: "price_",
+  coupon: "",
+  // coupons can have custom IDs
+  promotionCode: "promo_",
+  refund: "re_",
+  dispute: "dp_",
+  account: "acct_",
+  transfer: "tr_",
+  payout: "po_",
+  setupIntent: "seti_",
+  session: "cs_",
+  paymentLink: "plink_"
+};
+function validateStripeId(id, type) {
+  if (!id || typeof id !== "string") {
+    throw new Error(`${type} ID is required and must be a non-empty string`);
+  }
+  const prefix = STRIPE_ID_PREFIXES[type];
+  if (prefix && !id.startsWith(prefix)) {
+    throw new Error(`Invalid ${type} ID: expected prefix "${prefix}"`);
+  }
+}
+function validateAmount(amount, label = "amount") {
+  if (typeof amount !== "number" || !Number.isFinite(amount)) {
+    throw new Error(`${label} must be a finite number`);
+  }
+  if (!Number.isInteger(amount)) {
+    throw new Error(`${label} must be an integer (amount in smallest currency unit)`);
+  }
+  if (amount < 0) {
+    throw new Error(`${label} must not be negative`);
+  }
+  if (amount > 99999999) {
+    throw new Error(`${label} exceeds maximum allowed value (99999999)`);
+  }
+}
+function validateCurrency(currency) {
+  if (!currency || typeof currency !== "string") {
+    throw new Error("Currency is required");
+  }
+  const normalized = currency.trim().toLowerCase();
+  if (!/^[a-z]{3}$/.test(normalized)) {
+    throw new Error("Currency must be a valid 3-letter ISO 4217 code");
+  }
+  return normalized;
+}
+function validateUrl(url, label = "URL") {
+  if (!url || typeof url !== "string") {
+    throw new Error(`${label} is required`);
+  }
+  try {
+    const parsed = new URL(url);
+    if (!["http:", "https:"].includes(parsed.protocol)) {
+      throw new Error(`${label} must use http or https protocol`);
+    }
+  } catch (e) {
+    if (e instanceof Error && e.message.includes("protocol")) throw e;
+    throw new Error(`${label} must be a valid URL`);
+  }
+}
+function validateMetadata(metadata) {
+  const keys = Object.keys(metadata);
+  if (keys.length > 50) {
+    throw new Error("Metadata cannot have more than 50 keys");
+  }
+  for (const [key, value] of Object.entries(metadata)) {
+    if (key.length > 40) {
+      throw new Error(`Metadata key "${key}" exceeds 40 characters`);
+    }
+    if (typeof value !== "string") {
+      throw new Error(`Metadata value for key "${key}" must be a string`);
+    }
+    if (value.length > 500) {
+      throw new Error(`Metadata value for key "${key}" exceeds 500 characters`);
+    }
+  }
+}
+
 // src/server/payments/index.ts
-async function createPaymentIntent(input) {
+async function createPaymentIntent(input, options) {
   try {
+    validateAmount(input.amount);
+    const currency = validateCurrency(input.currency);
+    if (input.customerId) validateStripeId(input.customerId, "customer");
+    if (input.paymentMethodId) validateStripeId(input.paymentMethodId, "paymentMethod");
+    if (input.returnUrl) validateUrl(input.returnUrl, "returnUrl");
+    if (input.metadata) validateMetadata(input.metadata);
     const stripe = getStripe();
-    const paymentIntent = await stripe.paymentIntents.create({
-      amount: input.amount,
-      currency: input.currency,
-      customer: input.customerId,
-      payment_method: input.paymentMethodId,
-      metadata: input.metadata,
-      description: input.description,
-      receipt_email: input.receiptEmail,
-      setup_future_usage: input.setupFutureUsage,
-      automatic_payment_methods: input.automaticPaymentMethods === false || input.paymentMethodId ? void 0 : { enabled: true },
-      return_url: input.returnUrl
-    });
+    const paymentIntent = await stripe.paymentIntents.create(
+      {
+        amount: input.amount,
+        currency,
+        customer: input.customerId,
+        payment_method: input.paymentMethodId,
+        metadata: input.metadata,
+        description: input.description,
+        receipt_email: input.receiptEmail,
+        setup_future_usage: input.setupFutureUsage,
+        automatic_payment_methods: input.automaticPaymentMethods === false || input.paymentMethodId ? void 0 : { enabled: true },
+        return_url: input.returnUrl
+      },
+      options?.idempotencyKey ? { idempotencyKey: options.idempotencyKey } : void 0
+    );
     return success(paymentIntent);
   } catch (error) {
     return handleStripeError(error);
   }
 }
-async function createCheckoutSession(input) {
+async function createCheckoutSession(input, options) {
   try {
+    validateUrl(input.successUrl, "successUrl");
+    validateUrl(input.cancelUrl, "cancelUrl");
+    if (input.customerId) validateStripeId(input.customerId, "customer");
+    if (input.metadata) validateMetadata(input.metadata);
     const stripe = getStripe();
-    const session = await stripe.checkout.sessions.create({
-      mode: input.mode,
-      line_items: input.lineItems.map((item) => ({
-        price: item.priceId,
-        quantity: item.quantity
-      })),
-      success_url: input.successUrl,
-      cancel_url: input.cancelUrl,
-      customer: input.customerId,
-      customer_email: input.customerEmail,
-      metadata: input.metadata,
-      allow_promotion_codes: input.allowPromotionCodes,
-      shipping_address_collection: input.shippingAddressCollection ? { allowed_countries: input.shippingAddressCollection.allowedCountries } : void 0,
-      billing_address_collection: input.billingAddressCollection,
-      subscription_data: input.trialPeriodDays ? { trial_period_days: input.trialPeriodDays } : void 0,
-      tax_id_collection: input.taxIdCollection ? { enabled: true } : void 0,
-      automatic_tax: input.automaticTax ? { enabled: true } : void 0,
-      locale: input.locale
-    });
+    const session = await stripe.checkout.sessions.create(
+      {
+        mode: input.mode,
+        line_items: input.lineItems.map((item) => ({
+          price: item.priceId,
+          quantity: item.quantity
+        })),
+        success_url: input.successUrl,
+        cancel_url: input.cancelUrl,
+        customer: input.customerId,
+        customer_email: input.customerEmail,
+        metadata: input.metadata,
+        allow_promotion_codes: input.allowPromotionCodes,
+        shipping_address_collection: input.shippingAddressCollection ? { allowed_countries: input.shippingAddressCollection.allowedCountries } : void 0,
+        billing_address_collection: input.billingAddressCollection,
+        subscription_data: input.trialPeriodDays ? { trial_period_days: input.trialPeriodDays } : void 0,
+        tax_id_collection: input.taxIdCollection ? { enabled: true } : void 0,
+        automatic_tax: input.automaticTax ? { enabled: true } : void 0,
+        locale: input.locale
+      },
+      options?.idempotencyKey ? { idempotencyKey: options.idempotencyKey } : void 0
+    );
     return success(session);
   } catch (error) {
     return handleStripeError(error);
   }
 }
-async function createSetupIntent(input) {
+async function createSetupIntent(input, options) {
   try {
+    if (input.customerId) validateStripeId(input.customerId, "customer");
+    if (input.metadata) validateMetadata(input.metadata);
     const stripe = getStripe();
-    const setupIntent = await stripe.setupIntents.create({
-      customer: input.customerId,
-      payment_method_types: input.paymentMethodTypes,
-      usage: input.usage,
-      metadata: input.metadata
-    });
+    const setupIntent = await stripe.setupIntents.create(
+      {
+        customer: input.customerId,
+        payment_method_types: input.paymentMethodTypes,
+        usage: input.usage,
+        metadata: input.metadata
+      },
+      options?.idempotencyKey ? { idempotencyKey: options.idempotencyKey } : void 0
+    );
     return success(setupIntent);
   } catch (error) {
     return handleStripeError(error);
@@ -239,39 +386,49 @@ async function createSetupIntent(input) {
 }
 
 // src/server/customers/index.ts
-async function createCustomer(input) {
+async function createCustomer(input, options) {
   try {
+    if (input.paymentMethodId) validateStripeId(input.paymentMethodId, "paymentMethod");
+    if (input.metadata) validateMetadata(input.metadata);
     const stripe = getStripe();
-    const customer = await stripe.customers.create({
-      email: input.email,
-      name: input.name,
-      phone: input.phone,
-      description: input.description,
-      metadata: input.metadata,
-      payment_method: input.paymentMethodId,
-      invoice_settings: input.paymentMethodId ? { default_payment_method: input.paymentMethodId } : void 0,
-      address: input.address ? {
-        line1: input.address.line1,
-        line2: input.address.line2,
-        city: input.address.city,
-        state: input.address.state,
-        postal_code: input.address.postalCode,
-        country: input.address.country
-      } : void 0
-    });
+    const customer = await stripe.customers.create(
+      {
+        email: input.email,
+        name: input.name,
+        phone: input.phone,
+        description: input.description,
+        metadata: input.metadata,
+        payment_method: input.paymentMethodId,
+        invoice_settings: input.paymentMethodId ? { default_payment_method: input.paymentMethodId } : void 0,
+        address: input.address ? {
+          line1: input.address.line1,
+          line2: input.address.line2,
+          city: input.address.city,
+          state: input.address.state,
+          postal_code: input.address.postalCode,
+          country: input.address.country
+        } : void 0
+      },
+      options?.idempotencyKey ? { idempotencyKey: options.idempotencyKey } : void 0
+    );
     return success(customer);
   } catch (error) {
     return handleStripeError(error);
   }
 }
-async function createPortalSession(input) {
+async function createPortalSession(input, options) {
   try {
+    validateStripeId(input.customerId, "customer");
+    if (input.returnUrl) validateUrl(input.returnUrl, "returnUrl");
     const stripe = getStripe();
-    const session = await stripe.billingPortal.sessions.create({
-      customer: input.customerId,
-      return_url: input.returnUrl,
-      configuration: input.configuration
-    });
+    const session = await stripe.billingPortal.sessions.create(
+      {
+        customer: input.customerId,
+        return_url: input.returnUrl,
+        configuration: input.configuration
+      },
+      options?.idempotencyKey ? { idempotencyKey: options.idempotencyKey } : void 0
+    );
     return success(session);
   } catch (error) {
     return handleStripeError(error);
@@ -279,23 +436,28 @@ async function createPortalSession(input) {
 }
 
 // src/server/subscriptions/index.ts
-async function createSubscription(input) {
+async function createSubscription(input, options) {
   try {
+    validateStripeId(input.customerId, "customer");
+    if (input.metadata) validateMetadata(input.metadata);
     const stripe = getStripe();
     const items = input.items ? input.items.map((item) => ({ price: item.priceId, quantity: item.quantity })) : [{ price: input.priceId, quantity: input.quantity ?? 1 }];
-    const subscription = await stripe.subscriptions.create({
-      customer: input.customerId,
-      items,
-      metadata: input.metadata,
-      trial_period_days: input.trialPeriodDays,
-      coupon: input.couponId,
-      promotion_code: input.promotionCodeId,
-      payment_behavior: input.paymentBehavior ?? "default_incomplete",
-      cancel_at_period_end: input.cancelAtPeriodEnd,
-      billing_cycle_anchor: input.billingCycleAnchor,
-      proration_behavior: input.prorationBehavior,
-      expand: ["latest_invoice.payment_intent"]
-    });
+    const subscription = await stripe.subscriptions.create(
+      {
+        customer: input.customerId,
+        items,
+        metadata: input.metadata,
+        trial_period_days: input.trialPeriodDays,
+        coupon: input.couponId,
+        promotion_code: input.promotionCodeId,
+        payment_behavior: input.paymentBehavior ?? "default_incomplete",
+        cancel_at_period_end: input.cancelAtPeriodEnd,
+        billing_cycle_anchor: input.billingCycleAnchor,
+        proration_behavior: input.prorationBehavior,
+        expand: ["latest_invoice.payment_intent"]
+      },
+      options?.idempotencyKey ? { idempotencyKey: options.idempotencyKey } : void 0
+    );
     return success(subscription);
   } catch (error) {
     return handleStripeError(error);
@@ -303,6 +465,7 @@ async function createSubscription(input) {
 }
 async function cancelSubscription(input) {
   try {
+    validateStripeId(input.subscriptionId, "subscription");
     const stripe = getStripe();
     if (input.cancelAtPeriodEnd) {
       const subscription2 = await stripe.subscriptions.update(input.subscriptionId, {
@@ -327,6 +490,7 @@ async function cancelSubscription(input) {
 }
 async function resumeSubscription(subscriptionId) {
   try {
+    validateStripeId(subscriptionId, "subscription");
     const stripe = getStripe();
     const subscription = await stripe.subscriptions.update(subscriptionId, {
       cancel_at_period_end: false
@@ -338,113 +502,168 @@ async function resumeSubscription(subscriptionId) {
 }
 
 // src/next/index.ts
-var actions = {
-  createPaymentIntent: async (input) => {
-    return createPaymentIntent(input);
-  },
-  createCheckoutSession: async (input) => {
-    return createCheckoutSession(input);
-  },
-  createSetupIntent: async (input) => {
-    return createSetupIntent(input);
-  },
-  createCustomer: async (input) => {
-    return createCustomer(input);
-  },
-  createPortalSession: async (input) => {
-    return createPortalSession(input);
-  },
-  createSubscription: async (input) => {
-    return createSubscription(input);
-  },
-  cancelSubscription: async (input) => {
-    return cancelSubscription(input);
-  },
-  resumeSubscription: async (subscriptionId) => {
-    return resumeSubscription(subscriptionId);
+function createActions(config) {
+  if (typeof config?.authorize !== "function") {
+    throw new Error("[@stripe-sdk/core] createActions requires an authorize callback");
   }
-};
+  async function checkAuth() {
+    const result = await config.authorize();
+    if (result === false) {
+      throw new Error("Unauthorized");
+    }
+  }
+  return {
+    createPaymentIntent: async (input) => {
+      await checkAuth();
+      return createPaymentIntent(input);
+    },
+    createCheckoutSession: async (input) => {
+      await checkAuth();
+      return createCheckoutSession(input);
+    },
+    createSetupIntent: async (input) => {
+      await checkAuth();
+      return createSetupIntent(input);
+    },
+    createCustomer: async (input) => {
+      await checkAuth();
+      return createCustomer(input);
+    },
+    createPortalSession: async (input) => {
+      await checkAuth();
+      return createPortalSession(input);
+    },
+    createSubscription: async (input) => {
+      await checkAuth();
+      return createSubscription(input);
+    },
+    cancelSubscription: async (input) => {
+      await checkAuth();
+      return cancelSubscription(input);
+    },
+    resumeSubscription: async (subscriptionId) => {
+      await checkAuth();
+      return resumeSubscription(subscriptionId);
+    }
+  };
+}
+function errorResponse(message, status) {
+  return new Response(JSON.stringify({ error: message }), {
+    status,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function validateRouteOptions(options) {
+  if (typeof options?.authorize !== "function") {
+    throw new Error("[@stripe-sdk/core] Route helpers require an authorize callback");
+  }
+}
+function ensureJsonContentType(request) {
+  const contentType = request.headers.get("content-type");
+  if (!contentType?.includes("application/json")) {
+    return errorResponse("Content-Type must be application/json", 415);
+  }
+  return null;
+}
+async function parseJsonBody(request) {
+  try {
+    const data = await request.json();
+    return { data };
+  } catch {
+    return { error: errorResponse("Invalid JSON in request body", 400) };
+  }
+}
 function createPaymentIntentRoute(options) {
+  validateRouteOptions(options);
   return async function POST(request) {
     try {
-      let input = await request.json();
-      if (options?.beforeCreate) {
+      const ctError = ensureJsonContentType(request);
+      if (ctError) return ctError;
+      const authResult = await options.authorize(request);
+      if (authResult === false) return errorResponse("Unauthorized", 401);
+      const parsed = await parseJsonBody(request);
+      if ("error" in parsed) return parsed.error;
+      let input = parsed.data;
+      if (options.beforeCreate) {
         input = await options.beforeCreate(input, request);
       }
       const result = await createPaymentIntent(input);
       if (result.error) {
-        return new Response(JSON.stringify(result.error), {
-          status: 400,
-          headers: { "Content-Type": "application/json" }
-        });
+        return errorResponse(result.error.message, 400);
       }
       return new Response(
         JSON.stringify({ clientSecret: result.data.client_secret, id: result.data.id }),
         { status: 200, headers: { "Content-Type": "application/json" } }
       );
     } catch (error) {
-      return new Response(
-        JSON.stringify({ error: error instanceof Error ? error.message : "Internal error" }),
-        { status: 500, headers: { "Content-Type": "application/json" } }
-      );
+      const message = error instanceof Error && error.message === "Unauthorized" ? "Unauthorized" : "Internal error";
+      const status = message === "Unauthorized" ? 401 : 500;
+      return errorResponse(message, status);
     }
   };
 }
 function createCheckoutSessionRoute(options) {
+  validateRouteOptions(options);
   return async function POST(request) {
     try {
-      let input = await request.json();
-      if (options?.beforeCreate) {
+      const ctError = ensureJsonContentType(request);
+      if (ctError) return ctError;
+      const authResult = await options.authorize(request);
+      if (authResult === false) return errorResponse("Unauthorized", 401);
+      const parsed = await parseJsonBody(request);
+      if ("error" in parsed) return parsed.error;
+      let input = parsed.data;
+      if (options.beforeCreate) {
         input = await options.beforeCreate(input, request);
       }
       const result = await createCheckoutSession(input);
       if (result.error) {
-        return new Response(JSON.stringify(result.error), {
-          status: 400,
-          headers: { "Content-Type": "application/json" }
-        });
+        return errorResponse(result.error.message, 400);
       }
       return new Response(
         JSON.stringify({ sessionId: result.data.id, url: result.data.url }),
         { status: 200, headers: { "Content-Type": "application/json" } }
       );
     } catch (error) {
-      return new Response(
-        JSON.stringify({ error: error instanceof Error ? error.message : "Internal error" }),
-        { status: 500, headers: { "Content-Type": "application/json" } }
-      );
+      const message = error instanceof Error && error.message === "Unauthorized" ? "Unauthorized" : "Internal error";
+      const status = message === "Unauthorized" ? 401 : 500;
+      return errorResponse(message, status);
     }
   };
 }
-function createPortalSessionRoute() {
+function createPortalSessionRoute(options) {
+  validateRouteOptions(options);
   return async function POST(request) {
     try {
-      const input = await request.json();
+      const ctError = ensureJsonContentType(request);
+      if (ctError) return ctError;
+      const authResult = await options.authorize(request);
+      if (authResult === false) return errorResponse("Unauthorized", 401);
+      const parsed = await parseJsonBody(request);
+      if ("error" in parsed) return parsed.error;
+      let input = parsed.data;
+      if (options.beforeCreate) {
+        input = await options.beforeCreate(input, request);
+      }
       const result = await createPortalSession(input);
       if (result.error) {
-        return new Response(JSON.stringify(result.error), {
-          status: 400,
-          headers: { "Content-Type": "application/json" }
-        });
+        return errorResponse(result.error.message, 400);
       }
       return new Response(
         JSON.stringify({ url: result.data.url }),
         { status: 200, headers: { "Content-Type": "application/json" } }
       );
     } catch (error) {
-      return new Response(
-        JSON.stringify({ error: error instanceof Error ? error.message : "Internal error" }),
-        { status: 500, headers: { "Content-Type": "application/json" } }
-      );
+      const message = error instanceof Error && error.message === "Unauthorized" ? "Unauthorized" : "Internal error";
+      const status = message === "Unauthorized" ? 401 : 500;
+      return errorResponse(message, status);
     }
   };
 }
 
-exports.actions = actions;
+exports.createActions = createActions;
 exports.createCheckoutSessionRoute = createCheckoutSessionRoute;
 exports.createNextWebhookHandler = createNextWebhookHandler;
 exports.createPagesWebhookHandler = createPagesWebhookHandler;
 exports.createPaymentIntentRoute = createPaymentIntentRoute;
 exports.createPortalSessionRoute = createPortalSessionRoute;
-//# sourceMappingURL=index.js.map
-//# sourceMappingURL=index.js.map