kybernus 2.2.0 → 2.3.0

package/templates/java-spring/mvc/src/main/java/{{packagePath}}/controller/PaymentsController.java.hbs

@@ -1,20 +1,15 @@
 package {{packageName}}.controller;
 
-import com.stripe.exception.SignatureVerificationException;
-import com.stripe.model.Event;
-import com.stripe.net.Webhook;
-import {{packageName}}.model.User;
-import {{packageName}}.repository.UserRepository;
 import {{packageName}}.service.StripeService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.Map;
-import java.util.Optional;
 
 @RestController
 @RequestMapping("/api/payments")
@@ -22,71 +17,65 @@ public class PaymentsController {
 
     private static final Logger logger = LoggerFactory.getLogger(PaymentsController.class);
 
-    @Value("${stripe.webhook-secret}")
-    private String webhookSecret;
-
     private final StripeService stripeService;
-    private final UserRepository userRepository;
 
-    public PaymentsController(StripeService stripeService, UserRepository userRepository) {
+    public PaymentsController(StripeService stripeService) {
         this.stripeService = stripeService;
-        this.userRepository = userRepository;
     }
 
+    /**
+     * POST /api/payments/checkout
+     * Requires authentication. Creates a Stripe Checkout session.
+     */
     @PostMapping("/checkout")
-    public ResponseEntity<?> createCheckout(@RequestBody Map<String, String> request) {
+    public ResponseEntity<?> createCheckout(
+            @AuthenticationPrincipal UserDetails userDetails,
+            @RequestBody Map<String, String> body) {
         try {
-            String customerId = request.get("customerId"); // Optional
-            com.stripe.model.checkout.Session session = stripeService.createCheckoutSession(customerId);
+            String priceId = body.get("priceId");
+            if (priceId == null || priceId.isEmpty()) {
+                return ResponseEntity.badRequest().body(Map.of("error", "priceId is required"));
+            }
+            // userDetails.getUsername() returns the user ID (set in JWT filter)
+            com.stripe.model.checkout.Session session =
+                    stripeService.createCheckoutSession(userDetails.getUsername(), priceId);
             return ResponseEntity.ok(Map.of("url", session.getUrl()));
         } catch (Exception e) {
             logger.error("Error creating checkout session", e);
-            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
-                    .body(Map.of("error", e.getMessage()));
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(Map.of("error", e.getMessage()));
+        }
+    }
+
+    /**
+     * POST /api/payments/portal
+     * Requires authentication. Opens Stripe Billing Portal.
+     */
+    @PostMapping("/portal")
+    public ResponseEntity<?> createPortal(@AuthenticationPrincipal UserDetails userDetails) {
+        try {
+            com.stripe.model.billingportal.Session session =
+                    stripeService.createPortalSession(userDetails.getUsername());
+            return ResponseEntity.ok(Map.of("url", session.getUrl()));
+        } catch (Exception e) {
+            logger.error("Error creating portal session", e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(Map.of("error", e.getMessage()));
         }
     }
 
+    /**
+     * POST /api/payments/webhook
+     * No authentication. Stripe sends raw body + signature header.
+     */
     @PostMapping("/webhook")
     public ResponseEntity<String> handleWebhook(
             @RequestBody String payload,
             @RequestHeader("Stripe-Signature") String sigHeader) {
-
-        Event event;
-
         try {
-            event = Webhook.constructEvent(payload, sigHeader, webhookSecret);
-        } catch (SignatureVerificationException e) {
-            logger.warn("Invalid signature", e);
-            return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("Invalid signature");
+            stripeService.handleWebhook(payload, sigHeader);
+            return ResponseEntity.ok("{\"received\": true}");
         } catch (Exception e) {
-            logger.error("Error parsing webhook", e);
-             return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("Error parsing webhook");
+            logger.warn("Webhook error: {}", e.getMessage());
+            return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(e.getMessage());
         }
-
-        switch (event.getType()) {
-            case "checkout.session.completed":
-                com.stripe.model.checkout.Session session = (com.stripe.model.checkout.Session) event.getDataObjectDeserializer().getObject().orElse(null);
-                if (session != null) {
-                    logger.info("Checkout completed: {}", session.getId());
-                    // Match to database user here using session properties
-                }
-                break;
-            case "customer.subscription.updated":
-                 com.stripe.model.Subscription subscription = (com.stripe.model.Subscription) event.getDataObjectDeserializer().getObject().orElse(null);
-                 if (subscription != null) {
-                    logger.info("Subscription updated: {}", subscription.getId());
-                 }
-                 break;
-             case "customer.subscription.deleted":
-                  com.stripe.model.Subscription deletedSub = (com.stripe.model.Subscription) event.getDataObjectDeserializer().getObject().orElse(null);
-                  if (deletedSub != null) {
-                      logger.info("Subscription deleted: {}", deletedSub.getId());
-                  }
-                  break;
-            default:
-                logger.info("Unhandled event type: {}", event.getType());
-        }
-
-        return ResponseEntity.ok("Received");
     }
 }

package/templates/java-spring/mvc/src/main/java/{{packagePath}}/service/StripeService.java.hbs

@@ -3,65 +3,147 @@ package {{packageName}}.service;
 import com.stripe.Stripe;
 import com.stripe.exception.StripeException;
 import com.stripe.model.Customer;
+import com.stripe.model.Event;
 import com.stripe.model.checkout.Session;
+import com.stripe.net.Webhook;
 import com.stripe.param.CustomerCreateParams;
 import com.stripe.param.checkout.SessionCreateParams;
+import {{packageName}}.model.User;
+import {{packageName}}.repository.UserRepository;
 import jakarta.annotation.PostConstruct;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 
 @Service
 public class StripeService {
 
+    private static final Logger logger = LoggerFactory.getLogger(StripeService.class);
+
     @Value("${stripe.secret-key}")
     private String stripeSecretKey;
 
-    @Value("${stripe.price-id}")
-    private String priceId;
+    @Value("${stripe.webhook-secret}")
+    private String webhookSecret;
 
     @Value("${frontend.url}")
     private String frontendUrl;
 
+    private final UserRepository userRepository;
+
+    public StripeService(UserRepository userRepository) {
+        this.userRepository = userRepository;
+    }
+
     @PostConstruct
     public void init() {
         Stripe.apiKey = stripeSecretKey;
     }
 
-    public Session createCheckoutSession(String customerId) throws StripeException {
-        SessionCreateParams.Builder paramsBuilder = SessionCreateParams.builder()
+    /**
+     * Retrieve or create a Stripe customer for the given user, then open a checkout session.
+     */
+    public Session createCheckoutSession(String userId, String priceId) throws StripeException {
+        User user = userRepository.findById(java.util.UUID.fromString(userId))
+                .orElseThrow(() -> new RuntimeException("User not found"));
+
+        String customerId = user.getStripeCustomerId();
+
+        if (customerId == null || customerId.isEmpty()) {
+            CustomerCreateParams customerParams = CustomerCreateParams.builder()
+                    .setEmail(user.getEmail())
+                    .putMetadata("userId", userId)
+                    .build();
+            Customer customer = Customer.create(customerParams);
+            customerId = customer.getId();
+            user.setStripeCustomerId(customerId);
+            userRepository.save(user);
+        }
+
+        SessionCreateParams params = SessionCreateParams.builder()
                 .setMode(SessionCreateParams.Mode.SUBSCRIPTION)
+                .addPaymentMethodType(SessionCreateParams.PaymentMethodType.CARD)
+                .addLineItem(SessionCreateParams.LineItem.builder()
+                        .setPrice(priceId)
+                        .setQuantity(1L)
+                        .build())
+                .setCustomer(customerId)
                 .setSuccessUrl(frontendUrl + "/success?session_id={CHECKOUT_SESSION_ID}")
                 .setCancelUrl(frontendUrl + "/cancel")
-                .addLineItem(
-                        SessionCreateParams.LineItem.builder()
-                                .setPrice(priceId)
-                                .setQuantity(1L)
-                                .build()
-                );
-
-        if (customerId != null && !customerId.isEmpty()) {
-             paramsBuilder.setCustomer(customerId);
-        }
+                .setClientReferenceId(userId)
+                .build();
 
-        return Session.create(paramsBuilder.build());
+        return Session.create(params);
     }
 
-    public com.stripe.model.billingportal.Session createPortalSession(String customerId) throws StripeException {
+    /**
+     * Open the Stripe Billing Portal for the given customer.
+     */
+    public com.stripe.model.billingportal.Session createPortalSession(String userId) throws StripeException {
+        User user = userRepository.findById(java.util.UUID.fromString(userId))
+                .orElseThrow(() -> new RuntimeException("User not found"));
+
+        if (user.getStripeCustomerId() == null) {
+            throw new RuntimeException("No Stripe customer found for this user");
+        }
+
         com.stripe.param.billingportal.SessionCreateParams params =
                 com.stripe.param.billingportal.SessionCreateParams.builder()
-                        .setCustomer(customerId)
+                        .setCustomer(user.getStripeCustomerId())
                         .setReturnUrl(frontendUrl + "/dashboard")
                         .build();
 
         return com.stripe.model.billingportal.Session.create(params);
     }
 
-    public Customer createCustomer(String email, String name) throws StripeException {
-        CustomerCreateParams params = CustomerCreateParams.builder()
-                .setEmail(email)
-                .setName(name)
-                .build();
+    /**
+     * Validate and handle a Stripe webhook event.
+     */
+    public void handleWebhook(String payload, String sigHeader) throws Exception {
+        Event event;
+        try {
+            event = Webhook.constructEvent(payload, sigHeader, webhookSecret);
+        } catch (Exception e) {
+            throw new RuntimeException("Webhook signature verification failed: " + e.getMessage());
+        }
 
-        return Customer.create(params);
+        switch (event.getType()) {
+            case "checkout.session.completed": {
+                Session session = (Session) event.getDataObjectDeserializer().getObject().orElse(null);
+                if (session != null && session.getClientReferenceId() != null) {
+                    String userId = session.getClientReferenceId();
+                    userRepository.findById(java.util.UUID.fromString(userId)).ifPresent(user -> {
+                        user.setStripeCustomerId(session.getCustomer());
+                        userRepository.save(user);
+                    });
+                    logger.info("Checkout completed for user: {}", userId);
+                }
+                break;
+            }
+            case "customer.subscription.updated": {
+                com.stripe.model.Subscription sub =
+                        (com.stripe.model.Subscription) event.getDataObjectDeserializer().getObject().orElse(null);
+                if (sub != null) logger.info("Subscription updated: {} | Status: {}", sub.getId(), sub.getStatus());
+                // TODO: update subscriptionStatus field on user
+                break;
+            }
+            case "customer.subscription.deleted": {
+                com.stripe.model.Subscription sub =
+                        (com.stripe.model.Subscription) event.getDataObjectDeserializer().getObject().orElse(null);
+                if (sub != null) logger.info("Subscription deleted: {}", sub.getId());
+                // TODO: mark user as unsubscribed
+                break;
+            }
+            case "invoice.payment_failed": {
+                com.stripe.model.Invoice invoice =
+                        (com.stripe.model.Invoice) event.getDataObjectDeserializer().getObject().orElse(null);
+                if (invoice != null) logger.info("Payment failed for invoice: {}", invoice.getId());
+                // TODO: notify user via email
+                break;
+            }
+            default:
+                logger.info("Unhandled Stripe event: {}", event.getType());
+        }
     }
 }

package/templates/nestjs/clean/infra/main.tf.hbs

@@ -5,9 +5,13 @@ terraform {
 
   required_providers {
     aws = {
-      source = "hashicorp/aws"
+      source  = "hashicorp/aws"
       version = "~> 5.0"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.5"
+    }
   }
 
 # Uncomment for remote state (recommended for production)
@@ -27,27 +31,27 @@ provider "aws" {
 # Variables
 variable "aws_region" {
   description = "AWS region"
-  type = string
-  default = "us-east-1"
+  type        = string
+  default     = "us-east-1"
 }
 
 variable "environment" {
   description = "Environment name (dev, staging, prod)"
-  type = string
-  default = "dev"
+  type        = string
+  default     = "dev"
 }
 
 variable "app_name" {
   description = "Application name"
-  type = string
-  default = "{{projectNameKebabCase}}"
+  type        = string
+  default     = "{{projectNameKebabCase}}"
 }
 
 # VPC
 module "vpc" {
   source = "./modules/vpc"
 
-  app_name = var.app_name
+  app_name    = var.app_name
   environment = var.environment
 }
 
@@ -55,29 +59,49 @@ module "vpc" {
 module "ecs" {
   source = "./modules/ecs"
 
-  app_name = var.app_name
-  environment = var.environment
-  vpc_id = module.vpc.vpc_id
-  subnet_ids = module.vpc.private_subnet_ids
+  app_name                    = var.app_name
+  environment                 = var.environment
+  vpc_id                      = module.vpc.vpc_id
+  public_subnet_ids           = module.vpc.public_subnet_ids
+  private_subnet_ids          = module.vpc.private_subnet_ids
+  alb_security_group_id       = module.vpc.alb_security_group_id
+  ecs_tasks_security_group_id = module.vpc.ecs_tasks_security_group_id
 }
 
 # RDS PostgreSQL
 module "rds" {
   source = "./modules/rds"
 
-  app_name = var.app_name
-  environment = var.environment
-  vpc_id = module.vpc.vpc_id
-  subnet_ids = module.vpc.private_subnet_ids
+  app_name          = var.app_name
+  environment       = var.environment
+  vpc_id            = module.vpc.vpc_id
+  subnet_ids        = module.vpc.private_subnet_ids
   security_group_id = module.vpc.db_security_group_id
 }
 
 # Outputs
+output "vpc_id" {
+  value = module.vpc.vpc_id
+}
+
 output "ecs_cluster_name" {
   value = module.ecs.cluster_name
 }
 
+output "ecr_repository_url" {
+  value = module.ecs.ecr_repository_url
+}
+
+output "alb_dns_name" {
+  value       = module.ecs.alb_dns_name
+  description = "The DNS name of the ALB to access the application"
+}
+
 output "rds_endpoint" {
-  value = module.rds.endpoint
+  value     = module.rds.endpoint
   sensitive = true
-}
+}
+
+output "db_name" {
+  value = module.rds.db_name
+}

package/templates/nestjs/clean/infra/modules/ecs/main.tf.hbs

@@ -12,21 +12,54 @@ variable "vpc_id" {
   type = string
 }
 
-variable "subnet_ids" {
+variable "public_subnet_ids" {
   type = list(string)
 }
 
+variable "private_subnet_ids" {
+  type = list(string)
+}
+
+variable "alb_security_group_id" {
+  type = string
+}
+
+variable "ecs_tasks_security_group_id" {
+  type = string
+}
+
+variable "container_port" {
+  type    = number
+  default = 3000
+}
+
+# ECR Repository
+resource "aws_ecr_repository" "app" {
+  name                 = "${var.app_name}-${var.environment}"
+  image_tag_mutability = "MUTABLE"
+  force_delete         = true
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+
+  tags = {
+    Name        = "${var.app_name}-${var.environment}"
+    Environment = var.environment
+  }
+}
+
 # ECS Cluster
 resource "aws_ecs_cluster" "main" {
   name = "${var.app_name}-${var.environment}"
 
   setting {
-    name = "containerInsights"
+    name  = "containerInsights"
     value = "enabled"
   }
 
   tags = {
-    Name = "${var.app_name}-${var.environment}"
+    Name        = "${var.app_name}-${var.environment}"
     Environment = var.environment
   }
 }
@@ -38,12 +71,182 @@ resource "aws_ecs_cluster_capacity_providers" "main" {
   capacity_providers = ["FARGATE", "FARGATE_SPOT"]
 
   default_capacity_provider_strategy {
-    base = 1
-    weight = 100
+    base              = 1
+    weight            = 100
     capacity_provider = "FARGATE"
   }
 }
 
+# Application Load Balancer
+resource "aws_lb" "main" {
+  name               = "${var.app_name}-${var.environment}-alb"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [var.alb_security_group_id]
+  subnets            = var.public_subnet_ids
+
+  enable_deletion_protection = false
+
+  tags = {
+    Name        = "${var.app_name}-${var.environment}-alb"
+    Environment = var.environment
+  }
+}
+
+# ALB Target Group
+resource "aws_lb_target_group" "app" {
+  name        = "${var.app_name}-${var.environment}-tg"
+  port        = var.container_port
+  protocol    = "HTTP"
+  vpc_id      = var.vpc_id
+  target_type = "ip"
+
+  health_check {
+    path                = "/health"
+    healthy_threshold   = 2
+    unhealthy_threshold = 10
+    timeout             = 30
+    interval            = 40
+    matcher             = "200-399"
+  }
+
+  tags = {
+    Name        = "${var.app_name}-${var.environment}-tg"
+    Environment = var.environment
+  }
+}
+
+# ALB Listener (HTTP)
+resource "aws_lb_listener" "http" {
+  load_balancer_arn = aws_lb.main.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.app.arn
+  }
+}
+
+# CloudWatch Log Group for ECS
+resource "aws_cloudwatch_log_group" "ecs" {
+  name              = "/ecs/${var.app_name}-${var.environment}"
+  retention_in_days = 14
+
+  tags = {
+    Environment = var.environment
+  }
+}
+
+# IAM Role for ECS Task Execution
+resource "aws_iam_role" "ecs_task_execution_role" {
+  name = "${var.app_name}-${var.environment}-ecs-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+# IAM Role for ECS Task (the application itself)
+resource "aws_iam_role" "ecs_task_role" {
+  name = "${var.app_name}-${var.environment}-ecs-task-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+# ECS Task Definition
+resource "aws_ecs_task_definition" "app" {
+  family                   = "${var.app_name}-${var.environment}"
+  requires_compatibilities = ["FARGATE"]
+  network_mode             = "awsvpc"
+  cpu                      = 256
+  memory                   = 512
+  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
+  task_role_arn            = aws_iam_role.ecs_task_role.arn
+
+  container_definitions = jsonencode([
+    {
+      name      = "${var.app_name}"
+      image     = "${aws_ecr_repository.app.repository_url}:latest"
+      essential = true
+      
+      portMappings = [
+        {
+          containerPort = var.container_port
+          hostPort      = var.container_port
+          protocol      = "tcp"
+        }
+      ]
+
+      environment = [
+        { name = "NODE_ENV", value = var.environment == "prod" ? "production" : "development" },
+        { name = "PORT", value = tostring(var.container_port) }
+      ]
+
+      # Note: Add Secrets (like DB passwords) via SSM Parameter Store dynamically in a real deployment
+      
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
+          "awslogs-region"        = "us-east-1"
+          "awslogs-stream-prefix" = "ecs"
+        }
+      }
+    }
+  ])
+}
+
+# ECS Service
+resource "aws_ecs_service" "app" {
+  name            = "${var.app_name}-${var.environment}"
+  cluster         = aws_ecs_cluster.main.id
+  task_definition = aws_ecs_task_definition.app.arn
+  desired_count   = 1
+  launch_type     = "FARGATE"
+
+  network_configuration {
+    subnets          = var.private_subnet_ids
+    security_groups  = [var.ecs_tasks_security_group_id]
+    assign_public_ip = false
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.app.arn
+    container_name   = "${var.app_name}"
+    container_port   = var.container_port
+  }
+
+  depends_on = [
+    aws_lb_listener.http
+  ]
+}
+
 # Outputs
 output "cluster_name" {
   value = aws_ecs_cluster.main.name
@@ -51,4 +254,12 @@ output "cluster_name" {
 
 output "cluster_arn" {
   value = aws_ecs_cluster.main.arn
-}
+}
+
+output "ecr_repository_url" {
+  value = aws_ecr_repository.app.repository_url
+}
+
+output "alb_dns_name" {
+  value = aws_lb.main.dns_name
+}