payment-kit 1.29.1 → 1.29.3

package/api/src/routes/{meter-events.ts → hono/meter-events.ts}

@@ -1,18 +1,24 @@
-import { Router } from 'express';
+// Phase 3 (express→hono) — hono fork of routes/meter-events.ts. Sub-app with
+// routes relative to /api/meter-events (mounted via mountResourceGroup). The
+// business logic is unchanged; only the express plumbing becomes hono:
+//   req.body → c.get('sanitizedBody') ?? {}; res.status(n).json(x) → c.json(x, n).
+//   req.(c.get('customer_id') ?? query.customer_id) → (c.get('customer_id') ?? c.req.query('customer_id')) [SECURITY].
+import { Hono } from 'hono';
 import Joi from 'joi';
 import { Op, QueryTypes, Sequelize } from 'sequelize';
 
 import { fromTokenToUnit } from '@ocap/util';
-import { createListParamSchema, getOrder, getWhereFromKvQuery, MetadataSchema } from '../libs/api';
-import logger from '../libs/logger';
-import { authenticate } from '../libs/security';
-import { formatMetadata } from '../libs/util';
-import { trimDecimals } from '../libs/math-utils';
-import { Customer, Meter, MeterEvent, MeterEventStatus, PaymentCurrency, Subscription } from '../store/models';
+import { createListParamSchema, getOrder, getWhereFromKvQuery, MetadataSchema } from '../../libs/api';
+import { getInstanceDid } from '../../libs/context';
+import logger from '../../libs/logger';
+import { authenticate } from '../../middlewares/hono/security';
+import { formatMetadata } from '../../libs/util';
+import { trimDecimals } from '../../libs/math-utils';
+import { Customer, Meter, MeterEvent, MeterEventStatus, PaymentCurrency, Subscription } from '../../store/models';
 
-import { getCachedMeter, getCachedCurrency } from '../libs/reference-cache';
+import { getCachedMeter, getCachedCurrency } from '../../libs/reference-cache';
 
-const router = Router();
+const app = new Hono();
 const auth = authenticate<MeterEvent>({ component: true, roles: ['owner', 'admin'] });
 const authMine = authenticate<MeterEvent>({ component: true, roles: ['owner', 'admin'], mine: true });
 
@@ -79,9 +85,9 @@ const statsSchema = Joi.object({
   granularity: Joi.string().valid('minute', 'hour', 'day').default('day'),
 });
 
-router.get('/', authMine, async (req, res) => {
+app.get('/', authMine, async (c) => {
   try {
-    const { page, pageSize, ...query } = await listSchema.validateAsync(req.query, { stripUnknown: true });
+    const { page, pageSize, ...query } = await listSchema.validateAsync(c.req.query(), { stripUnknown: true });
     const where = getWhereFromKvQuery(query.q);
 
     if (typeof query.livemode === 'boolean') {
@@ -98,10 +104,13 @@ router.get('/', authMine, async (req, res) => {
       }
     }
 
-    if (query.customer_id) {
+    if (c.get('customer_id') ?? query.customer_id) {
       where[Op.and] = where[Op.and] || [];
       where[Op.and].push(
-        Sequelize.where(Sequelize.literal("json_extract(payload, '$.customer_id')"), query.customer_id)
+        Sequelize.where(
+          Sequelize.literal("json_extract(payload, '$.customer_id')"),
+          c.get('customer_id') ?? query.customer_id
+        )
       );
     }
 
@@ -130,20 +139,20 @@ router.get('/', authMine, async (req, res) => {
       offset: (page - 1) * pageSize,
       limit: pageSize,
     });
-    const expanded = await MeterEvent.expand(list, !!req.livemode, {
+    const expanded = await MeterEvent.expand(list, !!c.get('livemode'), {
       customer: true,
       subscription: true,
       meter: !!query.meter_id,
     });
 
-    res.json({ count, list: expanded, paging: { page, pageSize } });
+    return c.json({ count, list: expanded, paging: { page, pageSize } });
   } catch (err) {
     logger.error('Error listing meter events', err);
-    res.status(400).json({ error: err?.message });
+    return c.json({ error: (err as any)?.message }, 400);
   }
 });
 
-router.get('/stats', authMine, async (req, res) => {
+app.get('/stats', authMine, async (c) => {
   try {
     const {
       meter_id: meterId,
@@ -151,11 +160,11 @@ router.get('/stats', authMine, async (req, res) => {
       end,
       customer_id: customerId,
       granularity,
-    } = await statsSchema.validateAsync(req.query, { stripUnknown: true });
+    } = await statsSchema.validateAsync(c.req.query(), { stripUnknown: true });
 
     const meter = await Meter.findByPk(meterId);
     if (!meter) {
-      return res.status(404).json({ error: 'Meter not found' });
+      return c.json({ error: 'Meter not found' }, 404);
     }
 
     const startDate = new Date(start * 1000);
@@ -177,11 +186,14 @@ router.get('/stats', authMine, async (req, res) => {
     }
 
     // 构建查询条件
+    // 洞 G (Phase 4): raw stats read on meter_events (tenant table) — guard with
+    // instance_did so a tenant only ever aggregates its own events.
     let whereClause =
-      'event_name = :eventName AND livemode = :livemode AND created_at >= :startDate AND created_at <= :endDate';
+      'event_name = :eventName AND livemode = :livemode AND instance_did = :instance_did AND created_at >= :startDate AND created_at <= :endDate';
     const replacements: any = {
       eventName: meter.event_name,
-      livemode: !!req.livemode,
+      livemode: !!c.get('livemode'),
+      instance_did: getInstanceDid(),
       startDate: startDate.toISOString(),
       endDate: endDate.toISOString(),
     };
@@ -192,12 +204,12 @@ router.get('/stats', authMine, async (req, res) => {
     }
 
     const statsQuery = `
-      SELECT 
+      SELECT
         ${dateFormat} as date,
         ${dateFormat} as timestamp,
         COUNT(*) as event_count,
         COALESCE(SUM(CAST(payload->>'value' AS DECIMAL)), 0) as total_value
-      FROM meter_events 
+      FROM meter_events
       WHERE ${whereClause}
       GROUP BY ${groupBy}
       ORDER BY ${groupBy}
@@ -205,7 +217,7 @@ router.get('/stats', authMine, async (req, res) => {
 
     const { sequelize } = MeterEvent;
     if (!sequelize) {
-      return res.status(500).json({ error: 'Database connection not available' });
+      return c.json({ error: 'Database connection not available' }, 500);
     }
 
     const stats = await sequelize.query(statsQuery, {
@@ -213,7 +225,7 @@ router.get('/stats', authMine, async (req, res) => {
       type: QueryTypes.SELECT,
     });
 
-    return res.json({
+    return c.json({
       count: stats.length,
       list: stats.map((item: any) => ({
         ...item,
@@ -222,98 +234,93 @@ router.get('/stats', authMine, async (req, res) => {
     });
   } catch (err) {
     logger.error('Error getting meter event stats', err);
-    return res.status(400).json({ error: err?.message });
+    return c.json({ error: (err as any)?.message }, 400);
   }
 });
 
-router.post('/', auth, async (req, res) => {
+app.post('/', auth, async (c) => {
   const t0 = performance.now();
   try {
-    const { error } = meterEventSchema.validate(req.body);
+    const body = c.get('sanitizedBody') ?? {};
+    const { error } = meterEventSchema.validate(body);
     if (error) {
-      return res.status(400).json({ error: `Meter event create request invalid: ${error.message}` });
+      return c.json({ error: `Meter event create request invalid: ${error.message}` }, 400);
     }
 
     // Phase 1: dedupe + meter + customer lookups in parallel (all independent)
     let t1 = performance.now();
     const [existing, meter, customer] = await Promise.all([
-      MeterEvent.isEventExists(req.body.identifier),
-      getCachedMeter(req.body.event_name),
-      Customer.findByPkOrDid(req.body.payload.customer_id),
+      MeterEvent.isEventExists(body.identifier),
+      getCachedMeter(body.event_name),
+      Customer.findByPkOrDid(body.payload.customer_id),
     ]);
     const tPhase1 = performance.now() - t1;
 
     if (existing) {
-      return res.status(400).json({ error: `Event with identifier "${req.body.identifier}" already exists` });
+      return c.json({ error: `Event with identifier "${body.identifier}" already exists` }, 400);
     }
     if (!meter) {
-      return res
-        .status(400)
-        .json({ error: `Meter not found for event name "${req.body.event_name}"`, code: 'METER_NOT_FOUND' });
+      return c.json({ error: `Meter not found for event name "${body.event_name}"`, code: 'METER_NOT_FOUND' }, 400);
     }
     if (meter.status !== 'active') {
-      return res
-        .status(400)
-        .json({ error: 'Meter is not active, please activate it first.', code: 'METER_NOT_ACTIVE' });
+      return c.json({ error: 'Meter is not active, please activate it first.', code: 'METER_NOT_ACTIVE' }, 400);
     }
     if (!customer) {
-      return res.status(400).json({ error: 'Customer not found' });
+      return c.json({ error: 'Customer not found' }, 400);
     }
 
     // Phase 2: currency + subscription in parallel (currency depends on meter)
     t1 = performance.now();
     const [paymentCurrency, subscription] = await Promise.all([
       getCachedCurrency(meter.currency_id),
-      req.body.payload.subscription_id
-        ? Subscription.findByPk(req.body.payload.subscription_id)
-        : Promise.resolve(null),
+      body.payload.subscription_id ? Subscription.findByPk(body.payload.subscription_id) : Promise.resolve(null),
     ]);
     const tPhase2 = performance.now() - t1;
 
     if (!paymentCurrency) {
-      return res.status(400).json({ error: `Payment currency not found for meter "${meter.id}"` });
+      return c.json({ error: `Payment currency not found for meter "${meter.id}"` }, 400);
     }
 
     if (subscription) {
       if (subscription.currency_id !== paymentCurrency.id) {
-        return res.status(400).json({ error: 'Subscription currency does not match meter currency' });
+        return c.json({ error: 'Subscription currency does not match meter currency' }, 400);
       }
       if (!subscription.isConsumesCredit()) {
-        return res.status(400).json({ error: 'Subscription does not consume credit' });
+        return c.json({ error: 'Subscription does not consume credit' }, 400);
       }
-      if (subscription.customer_id !== req.body.payload.customer_id) {
-        return res.status(400).json({ error: 'This is not your subscription' });
+      if (subscription.customer_id !== body.payload.customer_id) {
+        return c.json({ error: 'This is not your subscription' }, 400);
       }
       if (subscription.isImmutable()) {
-        return res.status(400).json({ error: 'Subscription is immutable' });
+        return c.json({ error: 'Subscription is immutable' }, 400);
       }
-    } else if (req.body.payload.subscription_id) {
-      return res.status(400).json({ error: `Subscription not found for meter event "${req.body.event_name}"` });
+    } else if (body.payload.subscription_id) {
+      return c.json({ error: `Subscription not found for meter event "${body.event_name}"` }, 400);
     }
 
-    const timestamp = req.body.timestamp || req.body.payload.timestamp || Math.floor(Date.now() / 1000);
+    const timestamp = body.timestamp || body.payload.timestamp || Math.floor(Date.now() / 1000);
 
-    const value = trimDecimals(req.body.payload.value, paymentCurrency.decimal);
+    const value = trimDecimals(body.payload.value, paymentCurrency.decimal);
     const eventData = {
-      event_name: req.body.event_name,
+      event_name: body.event_name,
       payload: {
         customer_id: customer.id,
         currency_id: paymentCurrency.id,
         decimal: paymentCurrency.decimal,
         unit: paymentCurrency.name,
-        subscription_id: req.body.payload.subscription_id,
+        subscription_id: body.payload.subscription_id,
         value: fromTokenToUnit(value, paymentCurrency.decimal).toString(),
       },
-      identifier: req.body.identifier,
+      identifier: body.identifier,
       livemode: meter.livemode,
       processed: false,
       status: 'pending' as MeterEventStatus,
       attempt_count: 0,
       credit_consumed: '0',
       credit_pending: fromTokenToUnit(value, paymentCurrency.decimal).toString(),
-      created_via: req.user?.via || 'api',
-      metadata: formatMetadata(req.body.metadata),
-      source_data: req.body.source_data,
+      created_via: c.get('user')?.via || 'api',
+      metadata: formatMetadata(body.metadata),
+      source_data: body.source_data,
       timestamp,
     };
 
@@ -335,9 +342,9 @@ router.post('/', auth, async (req, res) => {
       `create;dur=${tCreate.toFixed(1)}`,
       `total;dur=${tTotal.toFixed(1)}`,
     ];
-    res.set('Server-Timing', timings.join(', '));
+    c.header('Server-Timing', timings.join(', '));
 
-    return res.json({
+    return c.json({
       ...event.toJSON(),
       processing: {
         queued: true,
@@ -345,42 +352,43 @@ router.post('/', auth, async (req, res) => {
       },
     });
   } catch (err) {
-    logger.error('create meter event failed', { error: err?.message, request: req.body });
-    return res.status(400).json({ error: err?.message });
+    logger.error('create meter event failed', { error: (err as any)?.message, request: c.get('sanitizedBody') ?? {} });
+    return c.json({ error: (err as any)?.message }, 400);
   }
 });
 
-router.get('/pending-amount', authMine, async (req, res) => {
+app.get('/pending-amount', authMine, async (c) => {
   try {
     const params: any = {
-      livemode: !!req.livemode,
+      livemode: !!c.get('livemode'),
     };
-    if (req.query.subscription_id) {
-      params.subscriptionId = req.query.subscription_id;
+    if (c.req.query('subscription_id')) {
+      params.subscriptionId = c.req.query('subscription_id');
     }
-    if (req.query.currency_id) {
-      params.currencyId = req.query.currency_id;
+    if (c.req.query('currency_id')) {
+      params.currencyId = c.req.query('currency_id');
     }
-    if (req.query.customer_id) {
-      if (typeof req.query.customer_id !== 'string') {
-        return res.status(400).json({ error: 'Customer ID must be a string' });
+    const rawCustomerId = c.get('customer_id') ?? c.req.query('customer_id');
+    if (rawCustomerId) {
+      if (typeof rawCustomerId !== 'string') {
+        return c.json({ error: 'Customer ID must be a string' }, 400);
       }
-      const customer = await Customer.findByPkOrDid(req.query.customer_id);
+      const customer = await Customer.findByPkOrDid(rawCustomerId);
       if (!customer) {
-        return res.status(404).json({ error: 'Customer not found' });
+        return c.json({ error: 'Customer not found' }, 404);
       }
       params.customerId = customer.id;
     }
     const [summary] = await MeterEvent.getPendingAmounts(params);
-    return res.json(summary);
+    return c.json(summary);
   } catch (err) {
     logger.error('Error getting meter event pending amount', err);
-    return res.status(400).json({ error: err?.message });
+    return c.json({ error: (err as any)?.message }, 400);
   }
 });
 
 // Get overdue summary by credit currency (action-required amounts grouped by currency)
-router.get('/overdue-summary', auth, async (req, res) => {
+app.get('/overdue-summary', auth, async (c) => {
   try {
     // Query to aggregate credit_pending by currency, showing overdue amounts per credit currency
     const results = await MeterEvent.sequelize!.query<{
@@ -389,21 +397,21 @@ router.get('/overdue-summary', auth, async (req, res) => {
       customer_count: number;
       event_count: number;
     }>(
-      `SELECT 
+      `SELECT
         m.currency_id,
         SUM(CAST(me.credit_pending AS DECIMAL(40,0))) as total_pending,
         COUNT(DISTINCT json_extract(me.payload, '$.customer_id')) as customer_count,
         COUNT(*) as event_count
       FROM meter_events me
       JOIN meters m ON me.event_name = m.event_name
-      WHERE me.livemode = :livemode 
+      WHERE me.livemode = :livemode
         AND me.status IN ('requires_capture', 'requires_action')
         AND m.status = 'active'
       GROUP BY m.currency_id
       HAVING total_pending > 0
       ORDER BY total_pending DESC`,
       {
-        replacements: { livemode: req.livemode ? 1 : 0 },
+        replacements: { livemode: c.get('livemode') ? 1 : 0 },
         type: QueryTypes.SELECT,
       }
     );
@@ -412,7 +420,7 @@ router.get('/overdue-summary', auth, async (req, res) => {
     const currencyIds = results.map((r) => r.currency_id);
     const currencies =
       currencyIds.length > 0 ? await PaymentCurrency.findAll({ where: { id: { [Op.in]: currencyIds } } }) : [];
-    const currencyMap = new Map(currencies.map((c) => [c.id, c]));
+    const currencyMap = new Map(currencies.map((cur) => [cur.id, cur]));
 
     // Filter out results whose currency no longer exists (e.g. deleted currency)
     const list = results
@@ -431,26 +439,26 @@ router.get('/overdue-summary', auth, async (req, res) => {
       })
       .filter((item): item is NonNullable<typeof item> => item !== null);
 
-    return res.json({ list });
+    return c.json({ list });
   } catch (err) {
     logger.error('Error getting overdue summary', err);
-    return res.status(400).json({ error: err?.message });
+    return c.json({ error: (err as any)?.message }, 400);
   }
 });
 
 // Get all customers with credit overdue (action-required amount > 0), grouped by customer + currency
-router.get('/overdue-customers', auth, async (req, res) => {
+app.get('/overdue-customers', auth, async (c) => {
   try {
-    const page = Math.max(1, parseInt(String(req.query.page || '1'), 10));
-    const pageSize = Math.min(100, Math.max(1, parseInt(String(req.query.pageSize || '20'), 10)));
+    const page = Math.max(1, parseInt(String(c.req.query('page') || '1'), 10));
+    const pageSize = Math.min(100, Math.max(1, parseInt(String(c.req.query('pageSize') || '20'), 10)));
     const offset = (page - 1) * pageSize;
-    const currencyId = req.query.currency_id as string | undefined;
-    const searchQuery = req.query.q as string | undefined;
+    const currencyId = c.req.query('currency_id') as string | undefined;
+    const searchQuery = c.req.query('q') as string | undefined;
 
     // If search query provided, first find matching customer IDs
     let customerFilter = '';
-    const replacements: any = { livemode: req.livemode ? 1 : 0, limit: pageSize, offset };
-    const countReplacements: any = { livemode: req.livemode ? 1 : 0 };
+    const replacements: any = { livemode: c.get('livemode') ? 1 : 0, limit: pageSize, offset };
+    const countReplacements: any = { livemode: c.get('livemode') ? 1 : 0 };
 
     // Build currency filter
     let currencyFilter = '';
@@ -473,9 +481,9 @@ router.get('/overdue-customers', auth, async (req, res) => {
         },
         attributes: ['id'],
       });
-      const searchCustomerIds = searchCustomers.map((c) => c.id);
+      const searchCustomerIds = searchCustomers.map((cust) => cust.id);
       if (searchCustomerIds.length === 0) {
-        return res.json({ list: [], count: 0, paging: { page, pageSize } });
+        return c.json({ list: [], count: 0, paging: { page, pageSize } });
       }
       // Generate parameterized placeholders for customer IDs
       const placeholders = searchCustomerIds.map((_, i) => `:searchId${i}`);
@@ -493,14 +501,14 @@ router.get('/overdue-customers', auth, async (req, res) => {
       total_pending: string;
       event_count: number;
     }>(
-      `SELECT 
+      `SELECT
         json_extract(me.payload, '$.customer_id') as customer_id,
         m.currency_id as currency_id,
         SUM(CAST(me.credit_pending AS DECIMAL(40,0))) as total_pending,
         COUNT(*) as event_count
       FROM meter_events me
       JOIN meters m ON me.event_name = m.event_name
-      WHERE me.livemode = :livemode 
+      WHERE me.livemode = :livemode
         AND me.status IN ('requires_capture', 'requires_action')
         AND m.status = 'active'
         ${currencyFilter}
@@ -521,7 +529,7 @@ router.get('/overdue-customers', auth, async (req, res) => {
         SELECT json_extract(me.payload, '$.customer_id') as customer_id, m.currency_id
         FROM meter_events me
         JOIN meters m ON me.event_name = m.event_name
-        WHERE me.livemode = :livemode 
+        WHERE me.livemode = :livemode
           AND me.status IN ('requires_capture', 'requires_action')
           AND m.status = 'active'
           ${currencyFilter}
@@ -541,11 +549,11 @@ router.get('/overdue-customers', auth, async (req, res) => {
 
     // Fetch customer and currency details
     const customers = customerIds.length > 0 ? await Customer.findAll({ where: { id: { [Op.in]: customerIds } } }) : [];
-    const customerMap = new Map(customers.map((c) => [c.id, c]));
+    const customerMap = new Map(customers.map((cust) => [cust.id, cust]));
 
-    const currencies =
+    const fetchedCurrencies =
       currencyIds.length > 0 ? await PaymentCurrency.findAll({ where: { id: { [Op.in]: currencyIds } } }) : [];
-    const currencyMap = new Map(currencies.map((c) => [c.id, c]));
+    const currencyMap = new Map(fetchedCurrencies.map((cur) => [cur.id, cur]));
 
     const list = results.map((r) => ({
       customer: customerMap.get(r.customer_id),
@@ -554,19 +562,21 @@ router.get('/overdue-customers', auth, async (req, res) => {
       event_count: r.event_count,
     }));
 
-    return res.json({ list, count, paging: { page, pageSize } });
+    return c.json({ list, count, paging: { page, pageSize } });
   } catch (err) {
     logger.error('Error getting overdue customers', err);
-    return res.status(400).json({ error: err?.message });
+    return c.json({ error: (err as any)?.message }, 400);
   }
 });
-router.get('/:id', authMine, async (req, res) => {
+
+app.get('/:id', authMine, async (c) => {
   try {
-    logger.info('get meter event', { id: req.params.id });
-    const event = await MeterEvent.findByPk(req.params.id);
+    const id = c.req.param('id');
+    logger.info('get meter event', { id });
+    const event = await MeterEvent.findByPk(id);
 
     if (!event) {
-      return res.status(404).json({ error: 'Meter event not found' });
+      return c.json({ error: 'Meter event not found' }, 404);
     }
 
     const customerId = event.getCustomerId();
@@ -574,10 +584,10 @@ router.get('/:id', authMine, async (req, res) => {
     const subscription = subscriptionId ? await Subscription.findByPk(subscriptionId) : null;
     const customer = customerId ? await Customer.findByPk(customerId) : null;
     if (!customer) {
-      return res.status(404).json({ error: 'Customer not found' });
+      return c.json({ error: 'Customer not found' }, 404);
     }
-    if (customer.did !== req.user?.did && !['owner', 'admin'].includes(req.user?.role || '')) {
-      return res.status(403).json({ error: 'You are not allowed to access this resource' });
+    if (customer.did !== c.get('user')?.did && !['owner', 'admin'].includes(c.get('user')?.role || '')) {
+      return c.json({ error: 'You are not allowed to access this resource' }, 403);
     }
     const meter = await Meter.getMeterByEventName(event.event_name);
     let paymentCurrency = null;
@@ -592,11 +602,11 @@ router.get('/:id', authMine, async (req, res) => {
       meter,
       paymentCurrency,
     };
-    return res.json(result);
+    return c.json(result);
   } catch (err) {
     logger.error('Error getting meter event', err);
-    return res.status(400).json({ error: err?.message });
+    return c.json({ error: (err as any)?.message }, 400);
   }
 });
 
-export default router;
+export default app;