kasy-cli 1.31.10 → 1.31.11

package/lib/commands/add.js

@@ -30,6 +30,33 @@ const { toPackageName, buildTokens } = require('../scaffold/backends/firebase/to
 
 const execAsync = promisify(exec);
 
+/**
+ * Ensure the target project's supabase/config.toml has a [functions.<name>] block
+ * with verify_jwt = false. `kasy new` already writes the full config, but a project
+ * created before 1.31.10 (or any project missing the block) needs it appended here —
+ * otherwise the deployed function keeps the platform JWT gate ON and the browser CORS
+ * preflight (OPTIONS, no auth header) is rejected => "Failed to fetch" on web. The
+ * deploy --no-verify-jwt flag is deprecated/ignored by recent CLIs, so config.toml is
+ * the authoritative setting. The function authenticates itself, so this stays secure.
+ */
+async function ensureSupabaseConfigNoVerifyJwt(projectDir, fnName) {
+  const configPath = path.join(projectDir, 'supabase', 'config.toml');
+  if (!(await fs.pathExists(configPath))) return;
+  const toml = await fs.readFile(configPath, 'utf8');
+  const safe = fnName.replace(/[.*+?^${}()|[\]\\-]/g, '\\$&');
+  const block = toml.match(new RegExp(`\\[functions\\.${safe}\\]([\\s\\S]*?)(?=\\n\\[|$)`));
+  if (block && /verify_jwt\s*=\s*false/.test(block[1])) return; // already correct
+  let next;
+  if (block && /verify_jwt\s*=\s*true/.test(block[0])) {
+    next = toml.replace(block[0], block[0].replace(/verify_jwt\s*=\s*true/, 'verify_jwt = false'));
+  } else if (block) {
+    next = toml.replace(block[0], `${block[0].replace(/\s*$/, '')}\nverify_jwt = false`);
+  } else {
+    next = `${toml.replace(/\s*$/, '')}\n\n[functions.${fnName}]\nverify_jwt = false\n`;
+  }
+  await fs.writeFile(configPath, next, 'utf8');
+}
+
 /** URL do endpoint AI no app (espelha defineUpdates de ai_chat). */
 function resolveAiChatEndpoint(answers, kitSetup) {
   if (kitSetup?.backendProvider === 'api') {
@@ -513,6 +540,10 @@ async function postAddAiChat(projectDir, kitSetup, answers, t) {
     if (backend === 'firebase') {
       await execAsync('firebase deploy --only functions:aiChat', { cwd: projectDir, timeout: 180_000 });
     } else if (backend === 'supabase') {
+      // Authoritative JWT setting lives in config.toml; ensure it before deploying so
+      // ai-chat is reachable from the web (the --no-verify-jwt flag alone is ignored
+      // by recent Supabase CLIs).
+      await ensureSupabaseConfigNoVerifyJwt(projectDir, 'ai-chat');
       await execAsync(`supabase functions deploy ai-chat --no-verify-jwt${refFlag}`, { cwd: projectDir, timeout: 180_000 });
     }
     deploySpinner.stop(t('add.ai_chat.deployed'));

package/lib/commands/new.js

@@ -575,20 +575,6 @@ async function promptSupabaseManual(tr, cancel) {
   return { supabaseUrl, supabaseAnonKey };
 }
 
-// ── Module presets ────────────────────────────────────────────────────────────
-
-function buildPresets(audience) {
-  const catalog = getVisibleFeatures({ audience });
-  const named = ['starter', 'saas', 'content', 'full'];
-  const result = { none: [], custom: null };
-  for (const name of named) {
-    result[name] = catalog.filter((f) => f.defaultInPresets.includes(name)).map((f) => f.id);
-  }
-  return result;
-}
-
-const MODULE_PRESETS = buildPresets(KASY_AUDIENCE);
-
 // ── Main wizard ───────────────────────────────────────────────────────────────
 
 /**

package/lib/scaffold/backends/supabase/edge-functions/admin-list-users/index.ts

@@ -14,7 +14,9 @@
  *      users — the users/subscriptions RLS exposes only a user's own row, so a
  *      non-admin can never reach other people's data.
  *
- * Deployed WITH JWT verification (the default) — see deploy.js.
+ * Deployed WITHOUT the platform JWT gate (verify_jwt = false in config.toml) so the
+ * browser's CORS preflight passes; security is enforced by the two layers above (the
+ * handler verifies the caller's JWT and admin role itself). See config.toml / deploy.js.
  */
 
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.47.10";

package/lib/scaffold/backends/supabase/edge-functions/stripe-create-checkout-session/index.ts

@@ -6,7 +6,9 @@
  * verified JWT, never trusted from the request body, so a client cannot check
  * out on behalf of someone else.
  *
- * Deployed WITH JWT verification.
+ * Deployed WITHOUT the platform JWT gate (verify_jwt = false in config.toml) so the
+ * browser's CORS preflight passes; the handler still authenticates the user via the
+ * verified JWT (getUser), so it stays secure.
  *
  * Secrets required:
  *   - STRIPE_SECRET_KEY: sk_test_... / sk_live_...
@@ -32,7 +34,11 @@ function trialDaysFor(price: Stripe.Price, product: Stripe.Product): number | nu
   return meta ? Number(meta) : null;
 }
 
-async function getUid(req: Request, supabaseUrl: string, anonKey: string): Promise<string | null> {
+async function getAuthUser(
+  req: Request,
+  supabaseUrl: string,
+  anonKey: string,
+): Promise<{ id: string; email?: string } | null> {
   const authHeader = req.headers.get("Authorization");
   if (!authHeader?.startsWith("Bearer ")) return null;
   const token = authHeader.replace("Bearer ", "");
@@ -41,19 +47,30 @@ async function getUid(req: Request, supabaseUrl: string, anonKey: string): Promi
   });
   const { data: { user }, error } = await client.auth.getUser(token);
   if (error || !user) return null;
-  return user.id;
+  return { id: user.id, email: user.email ?? undefined };
 }
 
 // deno-lint-ignore no-explicit-any
-async function getOrCreateCustomer(stripe: Stripe, admin: any, uid: string): Promise<string> {
+async function getOrCreateCustomer(
+  stripe: Stripe,
+  admin: any,
+  uid: string,
+  email?: string,
+): Promise<string> {
   const { data } = await admin
     .from(CUSTOMERS_TABLE)
     .select("customer_id")
     .eq("user_id", uid)
     .maybeSingle();
   const existing = data?.customer_id as string | undefined;
-  if (existing) return existing;
-  const customer = await stripe.customers.create({ metadata: { supabaseUID: uid } });
+  if (existing) {
+    // Keep the Stripe customer email in sync so Checkout pre-fills it. The
+    // payment is bound to the app user by uid (customer + metadata.supabaseUID),
+    // never by the typed email, so this is purely UX / billing hygiene.
+    if (email) await stripe.customers.update(existing, { email });
+    return existing;
+  }
+  const customer = await stripe.customers.create({ email, metadata: { supabaseUID: uid } });
   await admin.from(CUSTOMERS_TABLE).upsert({ user_id: uid, customer_id: customer.id });
   return customer.id;
 }
@@ -74,10 +91,11 @@ Deno.serve(async (req: Request) => {
     return Response.json({ error: "Server configuration error" }, { status: 500, headers: corsHeaders });
   }
 
-  const uid = await getUid(req, supabaseUrl, anonKey);
-  if (!uid) {
+  const user = await getAuthUser(req, supabaseUrl, anonKey);
+  if (!user) {
     return Response.json({ error: "Sign in required" }, { status: 401, headers: corsHeaders });
   }
+  const uid = user.id;
 
   let body: { priceId?: string; successUrl?: string; cancelUrl?: string };
   try {
@@ -95,7 +113,7 @@ Deno.serve(async (req: Request) => {
   try {
     const stripe = new Stripe(secretKey);
     const admin = createClient(supabaseUrl, serviceRoleKey);
-    const customerId = await getOrCreateCustomer(stripe, admin, uid);
+    const customerId = await getOrCreateCustomer(stripe, admin, uid, user.email);
 
     const price = await stripe.prices.retrieve(priceId, { expand: ["product"] });
     const trialDays = trialDaysFor(price, price.product as Stripe.Product);

package/lib/scaffold/backends/supabase/edge-functions/stripe-create-portal-session/index.ts

@@ -5,7 +5,9 @@
  * authenticated user and returns its URL. The user is identified by the
  * verified JWT and the Stripe customer is looked up server-side.
  *
- * Deployed WITH JWT verification.
+ * Deployed WITHOUT the platform JWT gate (verify_jwt = false in config.toml) so the
+ * browser's CORS preflight passes; the handler still authenticates the user via the
+ * verified JWT (getUser), so it stays secure.
  *
  * Secrets required:
  *   - STRIPE_SECRET_KEY

package/lib/scaffold/backends/supabase/edge-functions/stripe-list-prices/index.ts

@@ -5,8 +5,9 @@
  * contract used by the Flutter client (mirrors the Firebase `listPrices`
  * callable). The Stripe secret key never leaves the server.
  *
- * Deployed WITH JWT verification (the platform checks the caller's token), so
- * only an authenticated app user can reach it.
+ * Deployed WITHOUT the platform JWT gate (verify_jwt = false in config.toml) so the
+ * browser's CORS preflight passes. This endpoint is public by design — it only
+ * returns the active prices (no user data) — so it does NOT authenticate the caller.
  *
  * Secrets required (set via `supabase secrets set`):
  *   - STRIPE_SECRET_KEY: sk_test_... / sk_live_...

package/lib/scaffold/shared/generator-utils.js

@@ -369,6 +369,9 @@ async function writeRouter(projectDir, modules, packageName, defaultPaywall = 'b
   if (withWidget) {
     lines.push(`import 'package:${pkg}/features/settings/ui/components/admin/admin_home_widgets.dart';`);
   }
+  // Admin console — always shipped (settings/ui/components/admin) and always routable;
+  // access is gated inside AdminPage (admin role || debug). The settings UI links to it.
+  lines.push(`import 'package:${pkg}/features/settings/ui/components/admin/admin_page.dart';`);
   if (withRevenuecat) {
     lines.push(`import 'package:${pkg}/features/settings/ui/components/admin/admin_paywalls.dart';`);
   }
@@ -534,6 +537,14 @@ async function writeRouter(projectDir, modules, packageName, defaultPaywall = 'b
   lines.push(`        ),`);
   lines.push(`      ),`);
 
+  // Admin console (always routable so the settings 'Admin console' tile works in
+  // release too; access is gated inside AdminPage by admin role || debug).
+  lines.push(`      GoRoute(`);
+  lines.push(`        name: 'admin',`);
+  lines.push(`        path: '/admin',`);
+  lines.push(`        builder: (context, state) => const AdminPage(),`);
+  lines.push(`      ),`);
+
   // Send push notification (admin tool — always routable; the entry point in
   // the settings admin sheet is itself debug-gated).
   lines.push(`      GoRoute(`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kasy-cli",
-  "version": "1.31.10",
+  "version": "1.31.11",
   "description": "CLI for scaffolding production-ready Flutter SaaS apps with Firebase, Supabase, or API REST backends.",
   "bin": {
     "kasy": "./bin/kasy.js"
@@ -31,7 +31,7 @@
     "access": "public"
   },
   "scripts": {
-    "prepack": "node scripts/check-feature-patches.js && node scripts/bundle-template.js && node test/generated-matches-kit.test.js && node test/supabase-verify-jwt.test.js",
+    "prepack": "node scripts/check-feature-patches.js && node scripts/bundle-template.js && node test/generated-matches-kit.test.js && node test/supabase-verify-jwt.test.js && node test/backend-pubspec-local-reminders.test.js",
     "start": "node ./bin/kasy.js",
     "setup": "node ./bin/kasy.js setup",
     "doctor": "node ./bin/kasy.js doctor",

package/templates/firebase/functions/src/subscriptions/stripe_functions.ts

@@ -21,13 +21,27 @@ function stripeClient(): Stripe {
   return new Stripe(stripeSecretKey.value());
 }
 
-async function getOrCreateCustomer(stripe: Stripe, uid: string): Promise<string> {
+async function getOrCreateCustomer(
+  stripe: Stripe,
+  uid: string,
+  email?: string,
+): Promise<string> {
   const db = admin.firestore();
   const ref = db.collection(CUSTOMERS_COLLECTION).doc(uid);
   const snap = await ref.get();
   const existing = snap.data()?.customerId as string | undefined;
-  if (existing) return existing;
-  const customer = await stripe.customers.create({metadata: {firebaseUID: uid}});
+  if (existing) {
+    // Keep the Stripe customer email in sync so Checkout pre-fills it and the
+    // receipts carry the right address. The payment is bound to the app user by
+    // UID (customer + metadata.firebaseUID), never by the typed email, so this
+    // is purely UX / billing hygiene.
+    if (email) await stripe.customers.update(existing, {email});
+    return existing;
+  }
+  const customer = await stripe.customers.create({
+    email,
+    metadata: {firebaseUID: uid},
+  });
   await ref.set({customerId: customer.id, created_at: Timestamp.now()});
   return customer.id;
 }
@@ -86,9 +100,12 @@ export const createCheckoutSession = onCall(
     if (!priceId) throw new HttpsError("invalid-argument", "priceId is required");
     const successUrl = (request.data?.successUrl as string | undefined) ?? "";
     const cancelUrl = (request.data?.cancelUrl as string | undefined) ?? successUrl;
+    // Pre-fill Checkout with the signed-in user's email (UX only; the user is
+    // identified by uid, so paying with a different email still updates them).
+    const email = request.auth?.token?.email as string | undefined;
 
     const stripe = stripeClient();
-    const customerId = await getOrCreateCustomer(stripe, uid);
+    const customerId = await getOrCreateCustomer(stripe, uid, email);
 
     const price = await stripe.prices.retrieve(priceId, {expand: ["product"]});
     const trialDays = trialDaysFor(price, price.product as Stripe.Product);

package/templates/firebase/lib/components/kasy_app_bar.dart

@@ -194,40 +194,41 @@ class KasyFrostedChromeBackground extends StatelessWidget {
 class KasyTopScrollFade extends StatelessWidget {
   const KasyTopScrollFade({super.key});
 
-  /// Always-solid strong band at the very top, ON TOP of the status-bar inset.
-  /// Fixed (not derived from the inset) so the top reads 100% solid even on web,
-  /// where there is no status-bar inset.
-  static const double _solidBand = 20;
-
-  /// Smooth fade below the solid band before the wash is fully transparent.
-  static const double _fadeTail = 18;
+  /// Fade zone below the status-bar strip (mobile only).
+  static const double _contentFade = 40.0;
 
   @override
   Widget build(BuildContext context) {
     final double topInset = MediaQuery.paddingOf(context).top;
-    final double solidHeight = topInset + _solidBand;
-    final double height = solidHeight + _fadeTail;
+    // On web topInset = 0; enforce a 6 px minimum so the topmost pixels are
+    // 100 % opaque even without a status bar.
+    final double solidHeight = topInset < 6 ? 6.0 : topInset;
+    final double totalHeight = solidHeight + _contentFade;
+    final double ss = solidHeight / totalHeight; // solidStop
     final Color bg = context.colors.background;
-    // Fully solid (100%) from the very top through the status-bar strip and the
-    // fixed band, then an eased fade to transparent — strong at the top, soft at
-    // the bottom. The middle stop curves the fade so it is gradual, not linear.
-    final double solidStop = (solidHeight / height).clamp(0.0, 1.0);
-    final double midStop = solidStop + (1 - solidStop) * 0.5;
+
+    // Whole wash is intentionally faint — even the very top peaks at ~0.32, then
+    // melts to nothing across the fade zone. "Quase transparente, bem suave."
+    // Read from bottom → top: invisible → ghost → a soft hint at the very top.
+    double p(double t) => ss + (1 - ss) * t;
+
     return IgnorePointer(
       child: SizedBox(
-        height: height,
+        height: totalHeight,
         child: DecoratedBox(
           decoration: BoxDecoration(
             gradient: LinearGradient(
               begin: Alignment.topCenter,
               end: Alignment.bottomCenter,
               colors: <Color>[
-                bg,
-                bg,
-                bg.withValues(alpha: 0.4),
-                bg.withValues(alpha: 0),
+                bg.withValues(alpha: 0.32),
+                bg.withValues(alpha: 0.32),
+                bg.withValues(alpha: 0.16),
+                bg.withValues(alpha: 0.06),
+                bg.withValues(alpha: 0.01),
+                bg.withValues(alpha: 0.0),
               ],
-              stops: <double>[0.0, solidStop, midStop, 1.0],
+              stops: <double>[0.0, ss, p(0.10), p(0.26), p(0.44), 1.0],
             ),
           ),
         ),
@@ -399,12 +400,13 @@ class KasyAppBar extends StatelessWidget {
     }
 
     // A top wash sits BEHIND the bar (and stays put even when the bar hides) so
-    // content melts into the background at the top — the same pattern on every
-    // screen that has an app bar. Skipped for modal / page-sheet bars (custom
-    // height or inset), where nothing scrolls behind the bar.
+    // content melts into the background at the top — mobile only (tablet/desktop
+    // use the sidebar/web header instead). Skipped for modal / page-sheet bars.
+    final bool isMobile =
+        MediaQuery.sizeOf(context).width < DeviceType.medium.breakpoint;
     final bool standardBar =
         useSafeArea && topInset == null && toolbarHeight == null;
-    if (!standardBar) return animatedChrome;
+    if (!standardBar || !isMobile) return animatedChrome;
     return Stack(
       clipBehavior: Clip.none,
       children: <Widget>[

package/templates/firebase/lib/features/subscriptions/api/stripe_payment_api.dart

@@ -40,6 +40,10 @@ class StripePaymentApi implements SubscriptionPaymentApi {
       cancelUrl: returnUrl,
     );
     await _open(url);
+    // Checkout is now open in a new tab. Payment is NOT confirmed yet — the
+    // webhook will write the subscription record when the user pays. Throw so
+    // the provider knows to poll for activation instead of setting active now.
+    throw PendingWebCheckoutException();
   }
 
   @override
@@ -75,8 +79,6 @@ class StripePaymentApi implements SubscriptionPaymentApi {
   Future<void> presentCodeRedemptionSheet() async {}
 
   Future<void> _open(String url) async {
-    // On web, redirect the current tab so the user returns to the app after
-    // Stripe Checkout / the Customer Portal.
-    await launchUrl(Uri.parse(url), webOnlyWindowName: '_self');
+    await launchUrl(Uri.parse(url), webOnlyWindowName: '_blank');
   }
 }

package/templates/firebase/lib/features/subscriptions/api/subscription_payment_api.dart

@@ -51,3 +51,11 @@ abstract interface class SubscriptionPaymentApi {
 class UserCancelledPurchaseException implements Exception {
   UserCancelledPurchaseException();
 }
+
+/// Thrown by [StripePaymentApi.purchaseProduct] on web after the hosted
+/// Checkout URL is opened in a new browser tab. The purchase is NOT complete —
+/// the caller must poll for subscription activation (via webhook) instead of
+/// treating the returned Future as payment confirmation.
+class PendingWebCheckoutException implements Exception {
+  PendingWebCheckoutException();
+}

package/templates/firebase/lib/features/subscriptions/providers/premium_page_provider.dart

@@ -1,6 +1,7 @@
 import 'package:flutter/foundation.dart';
 import 'package:flutter/services.dart' show PlatformException;
 import 'package:kasy_kit/core/data/api/analytics_api.dart';
+import 'package:kasy_kit/core/data/models/entitlement.dart';
 import 'package:kasy_kit/core/data/models/subscription.dart';
 import 'package:kasy_kit/core/states/models/user_state.dart';
 import 'package:kasy_kit/core/states/translations.dart';
@@ -8,7 +9,7 @@ import 'package:kasy_kit/core/states/user_state_notifier.dart';
 import 'package:kasy_kit/core/toast/toast_service.dart';
 import 'package:kasy_kit/features/feedbacks/repositories/feature_request_repository.dart';
 import 'package:kasy_kit/features/subscriptions/api/subscription_payment_api.dart'
-    show UserCancelledPurchaseException;
+    show PendingWebCheckoutException, UserCancelledPurchaseException;
 import 'package:kasy_kit/features/subscriptions/providers/models/premium_state.dart';
 import 'package:kasy_kit/features/subscriptions/repositories/subscription_repository.dart';
 import 'package:kasy_kit/router.dart';
@@ -123,61 +124,102 @@ class PremiumStateNotifier extends _$PremiumStateNotifier {
     String? paywall,
     String? redirectRoute,
   }) async {
-    state = switch (state.value) {
-      PremiumStateData(:final offers) => AsyncData(
-        PremiumState.sending(
-          isPremium: false,
-          offers: offers,
-          selectedOffer: offer,
-        ),
-      ),
+    final currentOffers = switch (state.value) {
+      PremiumStateData(:final offers) => offers,
       _ => throw "cannot purchase while active",
     };
+    state = AsyncData(
+      PremiumState.sending(isPremium: false, offers: currentOffers, selectedOffer: offer),
+    );
     try {
       final entitlements = await _subscriptionRepository.purchase(offer);
-      state = AsyncData(PremiumState.active(activeOffer: offer));
-      await _analyticsApi?.logEvent("purchase", {
-        "skuId": offer.skuId,
-        "price": offer.price,
-        // "promotion": offer.promotion,
-        "duration": offer.duration,
-        "paywall": paywall,
-      });
-      // let's refresh the user state
-      await ref
-          .read(userStateNotifierProvider.notifier)
-          .refreshSubscription(product: offer, entitlements: entitlements);
-      final t = ref.read(translationsProvider);
-      ref
-          .read(toastProvider)
-          .success(
-            title: t.premium.purchase_success_title,
-            text: t.premium.purchase_success_text,
-          );
-      await Future.delayed(const Duration(seconds: 2));
-      if (redirectRoute != null) ref.read(goRouterProvider).go(redirectRoute);
+      await _activateAfterPurchase(offer, entitlements, paywall, redirectRoute);
+    } on PendingWebCheckoutException {
+      // Stripe web: checkout opened in a new tab. Poll until the webhook
+      // activates the subscription or we time out.
+      await _waitForWebPayment(offer, currentOffers, paywall: paywall, redirectRoute: redirectRoute);
     } catch (err, stackTrace) {
-      state = switch (state.value) {
-        PremiumStateData(:final offers) => AsyncData(
-          PremiumState(offers: offers, selectedOffer: offer),
-        ),
-        PremiumStateSending(:final offers) => AsyncData(
-          PremiumState(offers: offers, selectedOffer: offer),
-        ),
-        PremiumStateActive() => state,
-        _ => throw "cannot purchase while active",
-      };
+      state = AsyncData(PremiumState(offers: currentOffers, selectedOffer: offer));
       if (err is UserCancelledPurchaseException) return;
       await Sentry.captureException(err, stackTrace: stackTrace);
       _logger.e("...PremiumStateNotifier: purchase failed $err : $stackTrace");
       final t = ref.read(translationsProvider);
-      ref
-          .read(toastProvider)
-          .error(
-            title: t.premium.error_title,
-            text: t.premium.error_text,
-            reason: "We were unable to process your subscription",
-          );
+      ref.read(toastProvider).error(
+        title: t.premium.error_title,
+        text: t.premium.error_text,
+        reason: "We were unable to process your subscription",
+      );
+    }
+  }
+
+  Future<void> _activateAfterPurchase(
+    SubscriptionProduct offer,
+    List<Entitlement>? entitlements,
+    String? paywall,
+    String? redirectRoute,
+  ) async {
+    state = AsyncData(PremiumState.active(activeOffer: offer));
+    await _analyticsApi?.logEvent("purchase", {
+      "skuId": offer.skuId,
+      "price": offer.price,
+      "duration": offer.duration,
+      "paywall": paywall,
+    });
+    await ref
+        .read(userStateNotifierProvider.notifier)
+        .refreshSubscription(product: offer, entitlements: entitlements);
+    final t = ref.read(translationsProvider);
+    ref.read(toastProvider).success(
+      title: t.premium.purchase_success_title,
+      text: t.premium.purchase_success_text,
+    );
+    await Future.delayed(const Duration(seconds: 2));
+    if (redirectRoute != null) ref.read(goRouterProvider).go(redirectRoute);
+  }
+
+  /// Polls the subscription backend every 5 s until the Stripe webhook delivers
+  /// the activation (up to 10 min). Runs while the state is [PremiumStateSending].
+  Future<void> _waitForWebPayment(
+    SubscriptionProduct offer,
+    List<SubscriptionProduct> currentOffers, {
+    String? paywall,
+    String? redirectRoute,
+  }) async {
+    const maxAttempts = 120; // 10 min at 5 s intervals
+    const interval = Duration(seconds: 5);
+    final userId = _userState.user.idOrNull;
+    if (userId == null) {
+      state = AsyncData(PremiumState(offers: currentOffers, selectedOffer: offer));
+      return;
+    }
+
+    try {
+      for (var i = 0; i < maxAttempts; i++) {
+        await Future.delayed(interval);
+        if (state.value is! PremiumStateSending) return;
+        try {
+          final sub = await _subscriptionRepository.get(userId);
+          if (sub.isActive) {
+            await _activateAfterPurchase(offer, null, paywall, redirectRoute);
+            return;
+          }
+        } catch (_) {
+          // network / backend error → keep polling; disposal propagates to
+          // the outer catch on the next state.value access.
+        }
+      }
+
+      // Timed out — revert to paywall and ask the user to restore if they paid.
+      if (state.value is PremiumStateSending) {
+        state = AsyncData(PremiumState(offers: currentOffers, selectedOffer: offer));
+        final t = ref.read(translationsProvider);
+        ref.read(toastProvider).error(
+          title: t.premium.web_checkout_timeout_title,
+          text: t.premium.web_checkout_timeout_text,
+        );
+      }
+    } catch (_) {
+      // Provider was disposed while polling (user left the paywall). Ignore.
     }
   }
 

package/templates/firebase/lib/features/subscriptions/ui/widgets/premium_bottom_menu.dart

@@ -76,26 +76,19 @@ class BottomPremiumMenu extends StatelessWidget {
   Widget _buildRestoreButton(BuildContext context) {
     final translations = Translations.of(context).premium;
     final color = textColor ?? context.colors.muted;
+    // While a purchase / restore is in flight, onTapRestore is null. We keep the
+    // label visible but disabled instead of swapping it for a spinner, so the
+    // only loading indicator on the paywall is the main CTA button.
     return Padding(
       padding: const EdgeInsets.symmetric(horizontal: KasySpacing.sm),
-      child: onTapRestore != null
-          ? KasyButton(
-              variant: KasyButtonVariant.ghost,
-              label: translations.restore_action,
-              size: KasyButtonSize.small,
-              foregroundColor: color,
-              fontWeight: FontWeight.w500,
-              onPressed: onTapRestore,
-            )
-          : KasyButton.iconOnly(
-              icon: KasyIcons.refresh,
-              variant: KasyButtonVariant.ghost,
-              foregroundColor: color,
-              isLoading: true,
-              onPressed: null,
-              semanticLabel: translations.restore_action,
-              size: KasyButtonSize.small,
-            ),
+      child: KasyButton(
+        variant: KasyButtonVariant.ghost,
+        label: translations.restore_action,
+        size: KasyButtonSize.small,
+        foregroundColor: color,
+        fontWeight: FontWeight.w500,
+        onPressed: onTapRestore,
+      ),
     );
   }
 }

package/templates/firebase/lib/i18n/en.i18n.json

@@ -206,6 +206,8 @@
         "purchase_success_text": "Thank you for your trust",
         "error_title": "Error",
         "error_text": "An error occurred. Please try again",
+        "web_checkout_timeout_title": "Payment not confirmed",
+        "web_checkout_timeout_text": "We did not receive payment confirmation. If you already paid, tap Restore.",
         "comparison": {
             "title": "Premium plan comparison",
             "features_label": "Features",

package/templates/firebase/lib/i18n/es.i18n.json

@@ -206,6 +206,8 @@
         "purchase_success_text": "Gracias por tu confianza",
         "error_title": "Error",
         "error_text": "Ocurrió un error. Inténtalo de nuevo",
+        "web_checkout_timeout_title": "Pago no confirmado",
+        "web_checkout_timeout_text": "No recibimos confirmacion del pago. Si ya pagaste, toca Restaurar.",
         "comparison": {
             "title": "Comparación de planes Premium",
             "features_label": "Características",

package/templates/firebase/lib/i18n/pt.i18n.json

@@ -206,6 +206,8 @@
         "purchase_success_text": "Obrigado pela sua confiança",
         "error_title": "Erro",
         "error_text": "Ocorreu um erro. Tente novamente",
+        "web_checkout_timeout_title": "Pagamento nao confirmado",
+        "web_checkout_timeout_text": "Nao recebemos a confirmacao do pagamento. Se voce ja pagou, toque em Restaurar.",
         "comparison": {
             "title": "Comparação de planos Premium",
             "features_label": "Recursos",