payment-kit 1.28.0 → 1.29.0

package/cloudflare/migrations/0005_iap_tenant_backfill.sql

@@ -0,0 +1,112 @@
+-- Payment Kit: IAP multi-tenant backfill
+-- Backfills metadata.bundle_id / metadata.package_name on existing Prices and
+-- payment_details.app_store.bundle_id / payment_details.google_play.package_name
+-- on existing Subscriptions, so Payment Kit can be wired into multiple iOS /
+-- Android apps without same-SKU collisions across App Store / Play Console
+-- namespaces (each store's SKU space is per-app, not global).
+--
+-- Backend code already filters Price.findOne by (sku, bundle_id) / (sku,
+-- package_name); without this backfill, every pre-existing Price would stop
+-- resolving the moment the new lookup ships.
+--
+-- Safety: tenant value is DERIVED from the configured PaymentMethods (which
+-- store bundle_id / package_name as plain text under settings JSON — only
+-- private keys are encrypted). The migration deliberately refuses to guess in
+-- ambiguous setups:
+--
+--   * For Subscriptions we always use the sub's own
+--     `default_payment_method_id` to resolve the tenant, which is a 1:1 map —
+--     never ambiguous as long as the row points at a real PaymentMethod.
+--   * For Prices we update only when EXACTLY ONE active PaymentMethod of the
+--     matching type + livemode exists with a non-null tenant. Multi-tenant
+--     installations (two iOS apps sharing one Payment Kit, etc.) skip the
+--     Price backfill — admin must set bundle_id / package_name explicitly
+--     because the migration can't safely guess which app a Price belongs to.
+--
+-- Idempotent. The IS NULL guards make re-runs a no-op for already-backfilled
+-- rows, and the subquery filters skip rows that can't be resolved safely.
+
+-- 1. Prices with App Store SKU → set bundle_id (only when one active
+--    app_store PaymentMethod for the same livemode unambiguously identifies
+--    the tenant).
+UPDATE prices
+SET metadata = json_set(
+  metadata,
+  '$.bundle_id',
+  (SELECT json_extract(pm.settings, '$.app_store.bundle_id')
+   FROM payment_methods pm
+   WHERE pm.type = 'app_store'
+     AND pm.livemode = prices.livemode
+     AND pm.active = 1
+     AND json_extract(pm.settings, '$.app_store.bundle_id') IS NOT NULL
+   LIMIT 1)
+)
+WHERE json_extract(metadata, '$.app_store_product_id') IS NOT NULL
+  AND json_extract(metadata, '$.bundle_id') IS NULL
+  AND (
+    SELECT COUNT(*) FROM payment_methods pm
+    WHERE pm.type = 'app_store'
+      AND pm.livemode = prices.livemode
+      AND pm.active = 1
+      AND json_extract(pm.settings, '$.app_store.bundle_id') IS NOT NULL
+  ) = 1;
+
+-- 2. Prices with Google Play SKU → set package_name (same single-tenant guard).
+UPDATE prices
+SET metadata = json_set(
+  metadata,
+  '$.package_name',
+  (SELECT json_extract(pm.settings, '$.google_play.package_name')
+   FROM payment_methods pm
+   WHERE pm.type = 'google_play'
+     AND pm.livemode = prices.livemode
+     AND pm.active = 1
+     AND json_extract(pm.settings, '$.google_play.package_name') IS NOT NULL
+   LIMIT 1)
+)
+WHERE json_extract(metadata, '$.google_play_product_id') IS NOT NULL
+  AND json_extract(metadata, '$.package_name') IS NULL
+  AND (
+    SELECT COUNT(*) FROM payment_methods pm
+    WHERE pm.type = 'google_play'
+      AND pm.livemode = prices.livemode
+      AND pm.active = 1
+      AND json_extract(pm.settings, '$.google_play.package_name') IS NOT NULL
+  ) = 1;
+
+-- 3. App Store Subscriptions → set payment_details.app_store.bundle_id from
+--    the sub's own default_payment_method (1:1 — always safe).
+UPDATE subscriptions
+SET payment_details = json_set(
+  payment_details,
+  '$.app_store.bundle_id',
+  (SELECT json_extract(pm.settings, '$.app_store.bundle_id')
+   FROM payment_methods pm
+   WHERE pm.id = subscriptions.default_payment_method_id)
+)
+WHERE channel = 'app_store'
+  AND json_extract(payment_details, '$.app_store.bundle_id') IS NULL
+  AND default_payment_method_id IS NOT NULL
+  AND (
+    SELECT json_extract(pm.settings, '$.app_store.bundle_id')
+    FROM payment_methods pm
+    WHERE pm.id = subscriptions.default_payment_method_id
+  ) IS NOT NULL;
+
+-- 4. Google Play Subscriptions → set payment_details.google_play.package_name.
+UPDATE subscriptions
+SET payment_details = json_set(
+  payment_details,
+  '$.google_play.package_name',
+  (SELECT json_extract(pm.settings, '$.google_play.package_name')
+   FROM payment_methods pm
+   WHERE pm.id = subscriptions.default_payment_method_id)
+)
+WHERE channel = 'google_play'
+  AND json_extract(payment_details, '$.google_play.package_name') IS NULL
+  AND default_payment_method_id IS NOT NULL
+  AND (
+    SELECT json_extract(pm.settings, '$.google_play.package_name')
+    FROM payment_methods pm
+    WHERE pm.id = subscriptions.default_payment_method_id
+  ) IS NOT NULL;

package/cloudflare/run-build.js

@@ -297,6 +297,7 @@ build({
     "@blocklet/sdk/lib/wallet-handler": s("shims/blocklet-sdk/wallet-handler.ts"),
     "@blocklet/sdk/lib/security": s("shims/blocklet-sdk/security.ts"),
     "@blocklet/sdk/lib/util/verify-sign": s("shims/blocklet-sdk/verify-sign.ts"),
+    "@blocklet/sdk/lib/util/verify-session": s("shims/blocklet-sdk/verify-session.ts"),
     "@blocklet/sdk/lib/util/component-api": s("shims/blocklet-sdk/component-api.ts"),
     "@blocklet/sdk/lib/error-handler": s("shims/noop.ts"),
     "@blocklet/sdk/lib/did": s("shims/blocklet-sdk/did.ts"),

package/cloudflare/shims/blocklet-sdk/verify-session.ts

@@ -0,0 +1,44 @@
+// CF Workers no-op shim for @blocklet/sdk/lib/util/verify-session.
+//
+// In CF Workers, Bearer / cookie validation happens *before* Express routes
+// run — see worker.ts auth middleware at /api/*, which calls
+// `c.env.AUTH_SERVICE.resolveIdentity(...)` and injects x-user-did into the
+// request headers when the token is valid. By the time security.ts'
+// `authenticate` middleware sees the request, the x-user-did branch handles
+// it. The fallback Bearer-validation path that calls verifyLoginToken
+// directly is only needed in the Express dev server, where the tunnel
+// bypasses Blocklet Server's nginx and we can't rely on header injection.
+//
+// So in Workers we return null — security.ts treats null as "couldn't
+// validate locally, fall through" — and the x-user-did set by the worker
+// layer is the source of truth.
+
+export type SessionUser = {
+  did: string;
+  role?: string;
+  fullName?: string;
+  provider?: string;
+  walletOS?: string;
+  method?: string;
+  org?: string;
+};
+
+export async function verifyLoginToken(_opts: { token: string; strictMode?: boolean }): Promise<SessionUser | null> {
+  return null;
+}
+
+export async function verifyAccessKey(_opts: { token: string; strictMode?: boolean }): Promise<SessionUser | null> {
+  return null;
+}
+
+export async function verifyComponentCall(_opts: { req: any; strictMode?: boolean }): Promise<SessionUser | null> {
+  return null;
+}
+
+export async function verifySignedToken(_opts: { token: string; strictMode?: boolean }): Promise<SessionUser | null> {
+  return null;
+}
+
+export function getSessionSecret(): string {
+  return '';
+}

package/cloudflare/shims/queue.ts

@@ -408,8 +408,34 @@ export default function createQueue<T = any>({ name, onJob, options = defaults }
         if (_cfQueue) {
           try {
             await sendToCFQueue(jobId, job);
-          } catch (_err: any) {
-            // CF Queue unavailable — job is safe in D1, cron will dispatch
+          } catch (err: any) {
+            // CF Queue unavailable (429 Too Many Requests, transport down, etc.)
+            // Fall through to inline execution: the worker context already has
+            // its own CPU budget (HTTP handler: 30s; scheduled handler: 30s),
+            // and a tightly-throttled CF Queue + a backed-up cron dispatcher
+            // means immediate jobs would otherwise sit in D1 indefinitely.
+            // The D1 row persists either way, so a crash here still lets a
+            // later cron tick (or a retry) pick it up.
+            console.warn(`[queue:${name}] CF Queue send failed (${err?.message || err}); executing inline`);
+            try {
+              // Pass persist=false so executeJob does NOT delete the D1 row on a
+              // terminal failure — that would wipe the only durable backup (esp.
+              // for maxRetries:0 queues like webhookQueue) and the cron dispatcher
+              // could never retry it. Delete the row ONLY on success here.
+              // (PR #1381 re-review P1.)
+              const data = await executeJob(jobId, job, false);
+              if (persist) {
+                try {
+                  await store.deleteJob(jobId);
+                } catch (_e) {
+                  /* ignore — duplicate delete is harmless */
+                }
+              }
+              emit('finished', data);
+            } catch (execErr: any) {
+              // D1 row intact → a later cron tick / retry can pick it up.
+              emit('failed', { id: jobId, job, error: execErr });
+            }
           }
         } else {
           // No CF Queue binding — execute inline (Blocklet Server compatibility)

package/cloudflare/shims/sequelize-d1/model.ts

@@ -312,6 +312,25 @@ export class Model {
     return this.findOne({ ...options, where: { ...(options?.where || {}), id } });
   }
 
+  /**
+   * Sequelize-compatible `findOrCreate`: find a row matching `where`, otherwise
+   * insert a new one using `defaults` merged over `where`. Returns the
+   * Sequelize tuple `[instance, wasCreated]`.
+   *
+   * D1 doesn't expose row-level locks, so this is racy at the storage layer —
+   * two concurrent calls with the same `where` can both miss and both insert.
+   * For our IAP / customer flows that's acceptable because primary-key
+   * collisions (or unique-index constraints) catch the second writer, and the
+   * IAP entry path already de-dupes by purchase token upstream. Mirrors the
+   * single-node Sequelize behavior of "not strictly atomic" under SQLite.
+   */
+  static async findOrCreate(options: { where: any; defaults?: any }): Promise<[any, boolean]> {
+    const existing = await this.findOne({ where: options.where });
+    if (existing) return [existing, false];
+    const created = await this.create({ ...(options.where || {}), ...(options.defaults || {}) });
+    return [created, true];
+  }
+
   static async findAndCountAll(options?: any): Promise<{ rows: any[]; count: number }> {
     // Batch SELECT + COUNT into a single D1 round-trip
     const { sql: selectSql, values: selectValues } = buildSelectSQL(this.tableName, options, (this as any)._attributes);

package/cloudflare/shims/sequelize-d1/operators.ts

@@ -213,10 +213,23 @@ export function buildWhereClause(where: any): { sql: string; values: any[] } {
 
   return {
     sql: conditions.length > 0 ? conditions.join(' AND ') : '',
-    values,
+    values: values.map(coerceBindValue),
   };
 }
 
+/**
+ * D1 only accepts primitive bind values (string, number, boolean, null,
+ * BigInt, ArrayBuffer). Sequelize APIs commonly pass `Date` objects in WHERE
+ * clauses (e.g. `{ updated_at: { [Op.lt]: new Date(...) } }`); coerce them to
+ * ISO strings to match how dates are stored. Without this iap-reconcile and
+ * any other time-window query throws `D1_TYPE_ERROR: Type 'object' not
+ * supported for value 'Tue Jun 02 2026 …'`.
+ */
+export function coerceBindValue(v: any): any {
+  if (v instanceof Date) return v.toISOString();
+  return v;
+}
+
 function processWhereEntry(key: string, value: any, conditions: string[], values: any[]): void {
   const fieldSQL = fieldToSQL(key);
 

package/cloudflare/tests/shims/queue-delayed-persist.spec.ts

@@ -0,0 +1,87 @@
+// Regression guard for PR #1381 review P1: on Cloudflare the queue shim only
+// writes a DELAYED job to D1 (with will_run_at, later dispatched by the cron)
+// when it is persisted. A delayed job pushed with persist:false is silently
+// dropped — which is exactly how the webhook retry ladder lost deliveries after
+// the first failure. These tests pin that invariant so callers always persist
+// delayed retries.
+
+// A single shared store mock so we can assert what the shim wrote.
+const mockStore = {
+  addJob: jest.fn().mockResolvedValue(undefined),
+  deleteJob: jest.fn().mockResolvedValue(true),
+  getJob: jest.fn(),
+  getJobs: jest.fn(),
+  getScheduledJobs: jest.fn(),
+  updateJob: jest.fn(),
+  isCancelled: jest.fn().mockResolvedValue(false),
+  findJobs: jest.fn(),
+};
+
+jest.mock('../../../api/src/store/models/job', () => ({ Job: { findAll: jest.fn() } }));
+jest.mock('../../../api/src/libs/queue/store', () => ({
+  __esModule: true,
+  default: jest.fn(() => mockStore),
+}));
+
+import createQueue, { setCFQueue, flushPendingJobs } from '../../shims/queue';
+
+const futureRunAt = () => Math.floor(Date.now() / 1000) + 600; // +10 min → delayed
+
+describe('shim queue — delayed job persistence (PR #1381 P1)', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+    setCFQueue(null); // no CF Queue binding; delayed path is independent of it anyway
+  });
+
+  it('persists a delayed job to D1 (with will_run_at) when persist=true', async () => {
+    const q = createQueue({ name: 'webhook-persist-true', onJob: jest.fn() });
+    q.push({ id: 'j1', job: { v: 1 }, runAt: futureRunAt(), persist: true });
+    await flushPendingJobs();
+
+    expect(mockStore.addJob).toHaveBeenCalledTimes(1);
+    const attrs = mockStore.addJob.mock.calls[0]![2];
+    expect(attrs.will_run_at).toBeGreaterThan(Date.now());
+    expect(attrs.delay).toBeGreaterThan(0);
+  });
+
+  it('DROPS a delayed job (no D1 write) when persist=false — the lost-retry bug class', async () => {
+    const q = createQueue({ name: 'webhook-persist-false', onJob: jest.fn() });
+    q.push({ id: 'j2', job: { v: 2 }, runAt: futureRunAt(), persist: false });
+    await flushPendingJobs();
+
+    expect(mockStore.addJob).not.toHaveBeenCalled();
+  });
+});
+
+describe('shim queue — inline fallback keeps the D1 backup on failure (PR #1381 re-review P1)', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('does NOT delete the persisted row when CF Queue send fails AND the inline handler fails', async () => {
+    setCFQueue({ send: jest.fn().mockRejectedValue(new Error('429 Too Many Requests')) } as any);
+    const onJob = jest.fn().mockRejectedValue(new Error('handler boom'));
+    const q = createQueue({ name: 'webhook-fallback-fail', onJob, options: { maxRetries: 1 } });
+
+    q.push({ id: 'wj1', job: { v: 1 }, persist: true }); // immediate
+    await flushPendingJobs();
+
+    expect(mockStore.addJob).toHaveBeenCalledTimes(1); // durable backup written
+    expect(onJob).toHaveBeenCalled(); // inline attempt ran
+    expect(mockStore.deleteJob).not.toHaveBeenCalled(); // backup retained → cron can retry
+    setCFQueue(null);
+  });
+
+  it('deletes the persisted row when the inline fallback SUCCEEDS', async () => {
+    setCFQueue({ send: jest.fn().mockRejectedValue(new Error('429')) } as any);
+    const onJob = jest.fn().mockResolvedValue(undefined);
+    const q = createQueue({ name: 'webhook-fallback-ok', onJob, options: { maxRetries: 1 } });
+
+    q.push({ id: 'wj2', job: { v: 2 }, persist: true });
+    await flushPendingJobs();
+
+    expect(onJob).toHaveBeenCalled();
+    expect(mockStore.deleteJob).toHaveBeenCalledWith('wj2'); // deleted only on success
+    setCFQueue(null);
+  });
+});

package/cloudflare/worker.ts

@@ -33,6 +33,13 @@ import '../api/src/queues/refund';
 import '../api/src/queues/checkout-session';
 import '../api/src/queues/discount-status';
 import '../api/src/queues/exchange-rate-health';
+// Event + webhook queues turn createEvent rows into actual HTTP POSTs to
+// registered WebhookEndpoints. Without these, every subscription state change
+// writes an Event row with pending_webhooks=99 that no one ever consumes —
+// downstream apps (aistro etc.) silently never get notified of purchase /
+// renewal / cancel events.
+import '../api/src/queues/event';
+import '../api/src/queues/webhook';
 
 // Import security shim — initFromAuthService fetches EK from AUTH_SERVICE
 import { initFromAuthService } from './shims/blocklet-sdk/security';
@@ -267,6 +274,22 @@ function buildApp(env: Env): Hono<HonoEnv> {
       if (c.env.APP_NAME) process.env.BLOCKLET_APP_NAME = c.env.APP_NAME;
       if (c.env.PAYMENT_CHANGE_LOCKED_PRICE) process.env.PAYMENT_CHANGE_LOCKED_PRICE = c.env.PAYMENT_CHANGE_LOCKED_PRICE;
       if (c.env.SHORT_URL_DOMAIN) process.env.SHORT_URL_DOMAIN = c.env.SHORT_URL_DOMAIN;
+      // Audience for the Pub/Sub OIDC JWT that wraps Google Play RTDN webhooks.
+      // Without this mirror, libs/util.ts googlePlayEndpoint() falls back to
+      // getUrl('/api/integrations/google-play/webhook') — which resolves to
+      // the *.workers.dev origin, not the custom domain Pub/Sub actually
+      // POSTs to. Every webhook then dies with "audience mismatch".
+      if (c.env.GOOGLE_PLAY_WEBHOOK_URL) {
+        process.env.GOOGLE_PLAY_WEBHOOK_URL = c.env.GOOGLE_PLAY_WEBHOOK_URL;
+      }
+      // Pub/Sub sender binding — without mirroring these, the google_play webhook
+      // can't enforce the push service account on CF and would fail open (PR #1381 P1).
+      if (c.env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT) {
+        process.env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT = c.env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT;
+      }
+      if (c.env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER) {
+        process.env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER = c.env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER;
+      }
       process.env.BLOCKLET_MODE = 'production';
     }
 
@@ -592,6 +615,31 @@ function buildApp(env: Env): Hono<HonoEnv> {
     return c.json({ handlers: names, ...result });
   });
 
+  // Debug: pass through Google Play Developer API for an arbitrary subscription
+  // purchase token. Returns the *raw* Google response so we can see if Google
+  // itself considers the purchase valid / acknowledged / expired.
+  app.get('/api/__dev__/google-play-info', async (c) => {
+    const token = c.req.query('token');
+    const subId = c.req.query('sub') || 'pk_demo_monthly';
+    if (!token) return c.json({ error: 'token query param required' }, 400);
+    const { PaymentMethod } = await import('../api/src/store/models/payment-method');
+    const method = await PaymentMethod.findOne({
+      where: { type: 'google_play', active: true, livemode: false } as any,
+    });
+    if (!method) return c.json({ error: 'no google_play PaymentMethod' }, 503);
+    try {
+      const client = method.getGooglePlayClient();
+      const purchase = await client.getSubscription(subId, token);
+      return c.json({ ok: true, sub: subId, purchase });
+    } catch (err: any) {
+      return c.json({ ok: false, error: err?.message || String(err) }, 500);
+    }
+  });
+
+  // Bootstrap google_play PaymentMethod in staging D1 — the admin UI flow
+  // for creating PaymentMethods is owner-gated, and staging has no owner yet
+  // (Pengfei's blocklet-service role is `member`). Gated by PAYMENT_LIVEMODE
+  // === 'false' so this only ever touches testmode data.
   // === Express-to-Hono Route Adapter ===
   mountExpressRoutes(app, '/api', expressRoutes);
 
@@ -1141,7 +1189,10 @@ function createExpressReq(c: any, routeParams: Record<string, string>): any {
     body: null,
     headers,
     user: null,
-    livemode: true,
+    // Worker-wide livemode is driven by the PAYMENT_LIVEMODE env var (set on
+    // each deployment). Routes that filter PaymentMethod by livemode rely on
+    // this value matching what we stored when bootstrapping the methods.
+    livemode: c.env?.PAYMENT_LIVEMODE !== 'false',
     baseCurrency: null,
     ip: headers['cf-connecting-ip'] || headers['x-forwarded-for'] || '127.0.0.1',
     get(name: string) {
@@ -1388,18 +1439,22 @@ function mountExpressRoutes(honoApp: Hono<HonoEnv>, prefix: string, expressRoute
         });
       }
 
-      // Inject caller identity resolved by AUTH_SERVICE RPC (or mock fallback)
+      // Inject caller identity resolved by AUTH_SERVICE RPC (or mock fallback).
+      // AUTH_SERVICE returns the bare base58 address; Customer/Subscription queries
+      // and entitlement lookups expect the canonical `did:abt:…` form, so we
+      // normalize once here at the boundary instead of in every downstream call site.
       const caller: CallerIdentityDTO | null = c.get('caller');
       if (caller) {
+        const canonicalDid = caller.did?.startsWith('did:abt:') ? caller.did : `did:abt:${caller.did}`;
         req.user = {
-          did: caller.did,
+          did: canonicalDid,
           role: caller.role || 'guest',
           provider: caller.authMethod === 'access-key' ? 'access-key' : 'wallet',
           fullName: caller.displayName || '',
           walletOS: '',
           via: 'dashboard',
         };
-        req.headers['x-user-did'] = caller.did;
+        req.headers['x-user-did'] = canonicalDid;
         req.headers['x-user-role'] = `blocklet-${caller.role || 'guest'}`;
         req.headers['x-user-provider'] = caller.authMethod || 'wallet';
         req.headers['x-user-fullname'] = encodeURIComponent(caller.displayName || '');

package/cloudflare/wrangler.jsonc

@@ -65,5 +65,11 @@
   },
   "triggers": {
     "crons": ["* * * * *"]
-  }
+  },
+  // Batch crons (subscription scans, queue dispatch, retry backstops) all run in
+  // one scheduled() invocation each minute; raise the per-invocation CPU ceiling
+  // so they aren't killed mid-run ("Exceeded CPU Limit") on Workers Paid. The
+  // structural fix (offload to a Consumer Worker / Paid Queue throughput) is
+  // tracked in task-44. No effect on Workers Free (CPU limit is fixed there).
+  "limits": { "cpu_ms": 300000 }
 }

package/cloudflare/wrangler.staging.json

@@ -62,5 +62,6 @@
   },
   "triggers": {
     "crons": ["* * * * *"]
-  }
+  },
+  "limits": { "cpu_ms": 300000 }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "payment-kit",
-  "version": "1.28.0",
+  "version": "1.29.0",
   "scripts": {
     "dev": "blocklet dev --open",
     "prelint": "npm run types",
@@ -47,6 +47,7 @@
   },
   "dependencies": {
     "@abtnode/cron": "^1.17.12",
+    "@apple/app-store-server-library": "^3.1.0",
     "@arcblock/did": "^1.30.9",
     "@arcblock/did-connect-js": "4.0.0",
     "@arcblock/did-connect-react": "^3.5.2",
@@ -61,9 +62,9 @@
     "@blocklet/error": "^0.3.5",
     "@blocklet/js-sdk": "^1.17.12",
     "@blocklet/logger": "^1.17.12",
-    "@blocklet/payment-broker-client": "1.28.0",
-    "@blocklet/payment-react": "1.28.0",
-    "@blocklet/payment-vendor": "1.28.0",
+    "@blocklet/payment-broker-client": "1.29.0",
+    "@blocklet/payment-react": "1.29.0",
+    "@blocklet/payment-vendor": "1.29.0",
     "@blocklet/sdk": "^1.17.12",
     "@blocklet/ui-react": "^3.5.2",
     "@blocklet/uploader": "^0.3.20",
@@ -98,6 +99,7 @@
     "fastq": "^1.19.1",
     "flat": "^5.0.2",
     "google-libphonenumber": "^3.2.42",
+    "google-play-billing-validator": "^2.1.3",
     "html2canvas": "^1.4.1",
     "iframe-resizer-react": "^1.1.1",
     "joi": "17.12.2",
@@ -108,6 +110,7 @@
     "morgan": "^1.10.0",
     "mui-daterange-picker": "^1.0.5",
     "nanoid": "^3.3.11",
+    "node-apple-receipt-verify": "^1.15.0",
     "numbro": "^2.5.0",
     "p-all": "3.0.0",
     "p-wait-for": "^3.2.0",
@@ -137,13 +140,14 @@
   "devDependencies": {
     "@abtnode/types": "^1.17.12",
     "@arcblock/eslint-config-ts": "^0.3.3",
-    "@blocklet/payment-types": "1.28.0",
+    "@blocklet/payment-types": "1.29.0",
     "@types/cookie-parser": "^1.4.9",
     "@types/cors": "^2.8.19",
     "@types/debug": "^4.1.12",
     "@types/dotenv-flow": "^3.3.3",
     "@types/express": "^4.17.23",
     "@types/node": "^18.19.112",
+    "@types/node-apple-receipt-verify": "^1.7.5",
     "@types/react": "^18.3.23",
     "@types/react-dom": "^18.3.7",
     "@vitejs/plugin-react": "^4.6.0",
@@ -184,5 +188,5 @@
       "parser": "typescript"
     }
   },
-  "gitHead": "1486b54f913b83fb42323a89cce7503814d0685a"
+  "gitHead": "02334964fbf505ea2fd27081039542d1f9868d57"
 }

package/scripts/seed-google-play.ts

@@ -0,0 +1,79 @@
+#!/usr/bin/env tsx
+/* eslint-disable no-console */
+//
+// Seed a `google_play` PaymentMethod from a service account JSON file.
+//
+// Usage:
+//   GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_PATH=/path/to/sa.json \
+//   GOOGLE_PLAY_PACKAGE_NAME=io.arcblock.aistro \
+//   tsx scripts/seed-google-play.ts
+//
+// Optional:
+//   PAYMENT_METHOD_ID            existing id to update; otherwise a new one is created
+//   PAYMENT_METHOD_LIVEMODE      "true" (default) | "false"
+//
+// The JSON contents are stored encrypted via PaymentMethod.encryptSettings.
+
+import 'dotenv-flow/config';
+import { readFileSync } from 'fs';
+
+import { PaymentMethod } from '../api/src/store/models';
+import { sequelize } from '../api/src/store/sequelize';
+import migrate from '../api/src/store/migrate';
+import { initialize } from '../api/src/store/models';
+
+async function main(): Promise<void> {
+  const jsonPath = process.env.GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_PATH;
+  const packageName = process.env.GOOGLE_PLAY_PACKAGE_NAME;
+  if (!jsonPath || !packageName) {
+    console.error('Missing GOOGLE_PLAY_SERVICE_ACCOUNT_JSON_PATH or GOOGLE_PLAY_PACKAGE_NAME');
+    process.exit(1);
+  }
+  const livemode = process.env.PAYMENT_METHOD_LIVEMODE !== 'false';
+  const existingId = process.env.PAYMENT_METHOD_ID;
+
+  const raw = readFileSync(jsonPath, 'utf8');
+  // Validate JSON shape early
+  const parsed = JSON.parse(raw);
+  if (!parsed.client_email || !parsed.private_key) {
+    throw new Error('service account JSON missing client_email or private_key');
+  }
+
+  initialize(sequelize);
+  await migrate();
+
+  const settings = PaymentMethod.encryptSettings({
+    google_play: {
+      package_name: packageName,
+      service_account_json: raw,
+      pubsub_topic_name: '',
+    },
+  });
+
+  if (existingId) {
+    const method = await PaymentMethod.findByPk(existingId);
+    if (!method) throw new Error(`PaymentMethod ${existingId} not found`);
+    await method.update({ settings, active: true, livemode });
+    console.log('updated PaymentMethod', method.id);
+  } else {
+    const method = await PaymentMethod.create({
+      type: 'google_play',
+      name: `Google Play (${packageName})`,
+      description: 'In-App Billing via Google Play Console',
+      logo: '',
+      active: true,
+      livemode,
+      confirmation: { type: 'callback' },
+      settings,
+      features: { recurring: true, refund: true, dispute: false },
+    } as any);
+    console.log('created PaymentMethod', method.id, `client_email=${parsed.client_email}`);
+  }
+
+  await sequelize.close();
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});