unified-video-framework 1.0.0

package/apps/rental-api/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "@unified-video/rental-api",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "main": "dist/server.js",
+  "types": "dist/types.d.ts",
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "dev": "ts-node-dev --respawn --transpile-only src/server.ts",
+    "start": "node dist/server.js",
+    "migrate": "node ./scripts/run-migration.js"
+  },
+  "dependencies": {
+    "@types/cors": "^2.8.19",
+    "axios": "^1.7.2",
+    "body-parser": "^1.20.2",
+    "cors": "^2.8.5",
+    "dotenv": "^16.4.5",
+    "express": "^4.19.2",
+    "pg": "^8.11.3",
+    "stripe": "^16.6.0",
+    "unified-video-framework": "file:../.."
+  },
+  "devDependencies": {
+    "@types/body-parser": "^1.19.5",
+    "@types/express": "^4.17.21",
+    "@types/node": "^20.12.12",
+    "@types/pg": "^8.15.5",
+    "ts-node-dev": "^2.0.0",
+    "typescript": "^5.4.5"
+  }
+}

package/apps/rental-api/scripts/run-migration.js

@@ -0,0 +1,42 @@
+// Simple migration runner: applies all SQL files in migrations/ in alphabetical order
+import 'dotenv/config';
+import { readdirSync, readFileSync, existsSync } from 'fs';
+import { join, dirname, resolve } from 'path';
+import { fileURLToPath } from 'url';
+import { Pool } from 'pg';
+
+async function main() {
+  const dbUrl = process.env.DATABASE_URL;
+  if (!dbUrl) throw new Error('DATABASE_URL not set');
+  const pool = new Pool({ connectionString: dbUrl });
+
+  try {
+    const __dirname = dirname(fileURLToPath(import.meta.url));
+    const candidates = [
+      // Repo layout: apps/rental-api/scripts/run-migration.js -> migrations alongside ../migrations
+      resolve(__dirname, '..', 'migrations'),
+      // Executed from repo root
+      resolve(process.cwd(), 'apps', 'rental-api', 'migrations'),
+      // Executed from apps/rental-api
+      resolve(process.cwd(), 'migrations')
+    ];
+    const dir = candidates.find(p => existsSync(p));
+    if (!dir) throw new Error('migrations directory not found');
+
+    const files = readdirSync(dir).filter(f => f.endsWith('.sql')).sort();
+    for (const f of files) {
+      const sql = readFileSync(join(dir, f), 'utf8');
+      process.stdout.write(`[migrate] applying ${f}...\n`);
+      await pool.query(sql);
+    }
+    process.stdout.write('[migrate] done\n');
+  } finally {
+    await pool.end();
+  }
+}
+
+main().catch(err => {
+  console.error('[migrate] failed', err);
+  process.exit(1);
+});
+

package/apps/rental-api/scripts/update-video-currency.js

@@ -0,0 +1,21 @@
+import 'dotenv/config';
+import { Pool } from 'pg';
+
+async function main() {
+  const url = process.env.DATABASE_URL;
+  if (!url) throw new Error('DATABASE_URL not set');
+  const pool = new Pool({ connectionString: url });
+  try {
+    const sql = `UPDATE videos SET currency=$1, price_cents=$2 WHERE video_id=$3`;
+    const res = await pool.query(sql, ['INR', 399, 'v1']);
+    console.log(`[update-video] rows affected: ${res.rowCount}`);
+  } finally {
+    await pool.end();
+  }
+}
+
+main().catch(err => {
+  console.error('[update-video] failed', err);
+  process.exit(1);
+});
+

package/apps/rental-api/scripts/update-video-price.js

@@ -0,0 +1,19 @@
+import 'dotenv/config';
+import { Pool } from 'pg';
+
+async function main() {
+  const url = process.env.DATABASE_URL;
+  if (!url) throw new Error('DATABASE_URL not set');
+  const pool = new Pool({ connectionString: url });
+  const videoId = process.env.VIDEO_ID || 'v1';
+  const cents = Number(process.env.NEW_PRICE_CENTS || 9900); // default ₹99.00
+  try {
+    const res = await pool.query('UPDATE videos SET price_cents=$1 WHERE video_id=$2', [cents, videoId]);
+    console.log(`[update-price] rows affected: ${res.rowCount}`);
+  } finally {
+    await pool.end();
+  }
+}
+
+main().catch(err => { console.error('[update-price] failed', err); process.exit(1); });
+

package/apps/rental-api/src/config.ts

@@ -0,0 +1,14 @@
+import 'dotenv/config';
+
+export const config = {
+  stripeSecretKey: process.env.STRIPE_SECRET_KEY || '',
+  stripeWebhookSecret: process.env.STRIPE_WEBHOOK_SECRET || '',
+  cashfree: {
+    appId: process.env.CASHFREE_APP_ID || '',
+    secretKey: process.env.CASHFREE_SECRET_KEY || '',
+    baseUrl: process.env.CASHFREE_BASE_URL || 'https://sandbox.cashfree.com'
+  },
+  appBaseUrl: process.env.APP_BASE_URL || 'http://localhost:3000',
+  dbUrl: process.env.DATABASE_URL || ''
+};
+

package/apps/rental-api/src/db.ts

@@ -0,0 +1,10 @@
+import { Pool } from 'pg';
+import { config } from './config.js';
+
+export const db = new Pool({ connectionString: config.dbUrl });
+
+export async function initDb() {
+  // Simple connectivity check
+  await db.query('SELECT 1');
+}
+

package/apps/rental-api/src/routes/cashfree.ts

@@ -0,0 +1,167 @@
+import { Router, type Request, type Response } from 'express';
+import axios from 'axios';
+import { config } from '../config.js';
+import { db } from '../db.js';
+import { upsertPayment } from '../services/payments.js';
+import { issueRentalEntitlement } from '../services/entitlements.js';
+import { randomUUID } from 'crypto';
+
+export const cashfreeRouter = Router();
+
+// POST /api/rentals/cashfree/order { userId, videoId, returnUrl }
+cashfreeRouter.post('/cashfree/order', async (req: Request, res: Response) => {
+  const { userId, videoId, returnUrl, userEmail, userPhone, userName } = req.body || {};
+  if (!userId || !videoId || !returnUrl) return res.status(400).json({ error: 'userId, videoId, returnUrl required' });
+
+  try {
+    let price_cents = 0;
+    let currency = 'INR';
+    let rental_duration_hours = 48;
+    let title = videoId;
+    try {
+      const { rows } = await db.query(`SELECT price_cents, currency, rental_duration_hours, title FROM videos WHERE video_id=$1`, [videoId]);
+      if (rows[0]) {
+        price_cents = Number(rows[0].price_cents || 0);
+        currency = String(rows[0].currency || 'INR');
+        rental_duration_hours = Number(rows[0].rental_duration_hours || 48);
+        title = String(rows[0].title || videoId);
+      } else {
+        // Fallback demo price when DB has no record
+        price_cents = 2500; // ₹25.00
+        currency = 'INR';
+        rental_duration_hours = 48;
+        title = videoId;
+      }
+    } catch {
+      // Fallback when DB is disabled or not reachable
+      price_cents = 2500; // ₹25.00
+      currency = 'INR';
+      rental_duration_hours = 48;
+      title = videoId;
+    }
+
+    // If Cashfree credentials are not configured, fallback to local mock checkout
+    if (!config.cashfree.appId || !config.cashfree.secretKey) {
+      const host = req.get('host') as string;
+      const apiBase = `${req.protocol}://${host}`.replace(/\/$/, '');
+      const orderId = 'cf_' + randomUUID();
+      const mockUrl = `${apiBase}/api/rentals/mock/checkout?gateway=cashfree&order_id=${orderId}`;
+      return res.json({ paymentLink: mockUrl, orderId, rentalDurationHours: Number(rental_duration_hours || 48), title: title || videoId });
+    }
+
+    const orderId = 'cf_' + randomUUID();
+
+    // Ensure HTTPS return_url for live Cashfree (production requires https)
+    let safeReturnUrl = String(returnUrl || '').trim();
+    try {
+      const u = new URL(safeReturnUrl || 'https://example.com/');
+      const isLive = /api\.cashfree\.com/i.test(config.cashfree.baseUrl || '');
+      if (isLive && u.protocol !== 'https:') {
+        u.protocol = 'https:';
+      }
+      safeReturnUrl = u.toString();
+    } catch {
+      // Fallback placeholder
+      safeReturnUrl = 'https://example.com/';
+    }
+
+    const body = {
+      order_id: orderId,
+      order_amount: (price_cents / 100).toFixed(2),
+      order_currency: (currency || 'INR').toUpperCase(),
+      customer_details: {
+        customer_id: String(userId),
+        customer_phone: String(userPhone || '9999999999'),
+        customer_email: String(userEmail || 'demo@example.com'),
+        customer_name: String(userName || 'Demo User')
+      },
+      order_meta: {
+        return_url: `${safeReturnUrl}${safeReturnUrl.includes('?') ? '&' : '?'}rental=success&popup=1&order_id=${orderId}`
+      }
+    } as any;
+
+    const base = config.cashfree.baseUrl.replace(/\/$/, '');
+    const url = `${base}/pg/orders`;
+    const headers = {
+      'x-client-id': config.cashfree.appId,
+      'x-client-secret': config.cashfree.secretKey,
+      'x-api-version': '2022-09-01',
+      'Content-Type': 'application/json'
+    } as any;
+
+    try { console.log('[cashfree/order] POST', url, JSON.stringify({ ...body, customer_details: { ...body.customer_details, customer_phone: '***' } })); } catch(_) {}
+    const resp = await axios.post(url, body, { headers });
+    try { console.log('[cashfree/order] resp keys', Object.keys(resp.data || {})); } catch(_) {}
+    let paymentLink = resp.data?.payment_link || resp.data?.payment_link_url || resp.data?.payment_url;
+    // New PG v2 API returns payment_session_id without a direct link; construct hosted checkout URL
+    if (!paymentLink && resp.data?.payment_session_id) {
+      const sessionIdRaw = resp.data.payment_session_id;
+      let sessionId = typeof sessionIdRaw === 'string' ? sessionIdRaw : String(sessionIdRaw?.id || sessionIdRaw);
+      // A few sandbox responses have been observed appending the word "payment" at the end; strip trailing repetitions safely
+      sessionId = sessionId.replace(/(payment)+$/i, '');
+      try { console.log('[cashfree/order] sessionId', sessionId); } catch(_) {}
+      const isLive = /api\.cashfree\.com/i.test(config.cashfree.baseUrl || '');
+      // Per Cashfree docs, the hosted page is served from payments.cashfree.com (live) or sandbox.cashfree.com
+      const host = isLive ? 'https://payments.cashfree.com' : 'https://sandbox.cashfree.com';
+      // Hosted checkout path per Cashfree PG v2 docs
+      paymentLink = `${host.replace(/\/$/, '')}/pg/view/checkout?payment_session_id=${encodeURIComponent(sessionId)}`;
+    }
+    if (!paymentLink) {
+      try { console.error('[cashfree/order] response missing payment link', typeof resp.data === 'object' ? JSON.stringify(resp.data) : String(resp.data)); } catch(_) {}
+      return res.status(500).json({ error: 'cashfree payment link not returned', details: resp.data });
+    }
+    // Also return sessionId to support JS SDK (Elements/Dropin) integration
+    const sessionIdOut = String(resp.data?.payment_session_id || '').replace(/(payment)+$/i, '');
+    return res.json({ paymentLink, orderId, sessionId: sessionIdOut, rentalDurationHours: Number(rental_duration_hours || 48), title: title || videoId });
+  } catch (err: any) {
+    const status = err?.response?.status;
+    const data = err?.response?.data;
+    try { console.error('[cashfree/order] error', status, typeof data === 'object' ? JSON.stringify(data) : String(data)); } catch (_) {}
+    return res.status(500).json({ error: 'failed to create cashfree order', details: { status, data } });
+  }
+});
+
+// GET /api/rentals/cashfree/verify?orderId=&userId=&videoId=&rentalDurationHours=
+cashfreeRouter.get('/cashfree/verify', async (req: Request, res: Response) => {
+  const orderId = String(req.query.orderId || '');
+  const userId = String(req.query.userId || '');
+  const videoId = String(req.query.videoId || '');
+  const rentalDurationHours = Number(req.query.rentalDurationHours || 48);
+  if (!orderId || !userId || !videoId) return res.status(400).json({ error: 'orderId, userId, videoId required' });
+
+  try {
+    const base = config.cashfree.baseUrl.replace(/\/$/, '');
+    const url = `${base}/pg/orders/${encodeURIComponent(orderId)}`;
+    const headers = {
+      'x-client-id': config.cashfree.appId,
+      'x-client-secret': config.cashfree.secretKey,
+      'x-api-version': '2022-09-01'
+    } as any;
+    const resp = await axios.get(url, { headers });
+    const status = (resp.data?.order_status || '').toUpperCase();
+    const amount = Math.round(Number(resp.data?.order_amount || 0) * 100);
+    const currency = (resp.data?.order_currency || 'INR').toUpperCase();
+
+    if (status === 'PAID') {
+      const pay = await upsertPayment({
+        gateway: 'cashfree',
+        gatewayRef: orderId,
+        amountCents: amount,
+        currency,
+        status: 'succeeded',
+        rawPayload: resp.data,
+        userId,
+        videoId
+      });
+      await issueRentalEntitlement({ userId, videoId, paymentId: pay.id, rentalDurationHours });
+      return res.json({ ok: true, paid: true });
+    }
+    return res.json({ ok: true, paid: false, status });
+  } catch (err: any) {
+    const status = err?.response?.status;
+    const data = err?.response?.data;
+    try { console.error('[cashfree/verify] error', status, typeof data === 'object' ? JSON.stringify(data) : String(data)); } catch (_) {}
+    return res.status(500).json({ error: 'verify failed', details: { status, data } });
+  }
+});
+

package/apps/rental-api/src/routes/pesapal.ts

@@ -0,0 +1,92 @@
+import { Router, type Request, type Response } from 'express';
+import axios from 'axios';
+// Pesapal integration removed in favor of Cashfree
+import { config } from '../config.js';
+import { db } from '../db.js';
+import { upsertPayment } from '../services/payments.js';
+import { issueRentalEntitlement } from '../services/entitlements.js';
+import { randomUUID } from 'crypto';
+
+// export const pesapalRouter = Router();
+
+// POST /api/rentals/pesapal/order { userId, videoId, returnUrl }
+/* pesapalRouter.post('/pesapal/order', async (req: Request, res: Response) => {
+  const { userId, videoId, returnUrl } = req.body || {};
+  if (!userId || !videoId || !returnUrl) return res.status(400).json({ error: 'userId, videoId, returnUrl required' });
+
+  try {
+    const token = await pesapalAuthToken();
+
+    const { rows } = await db.query(
+      `SELECT price_cents, currency, rental_duration_hours, title FROM videos WHERE video_id=$1`, [videoId]);
+    if (!rows[0]) return res.status(404).json({ error: 'Video not found' });
+
+    const { price_cents, currency, rental_duration_hours, title } = rows[0];
+
+    const orderReq = {
+      id: randomUUID(),
+      currency: (currency || 'USD').toUpperCase(),
+      amount: (price_cents / 100).toFixed(2),
+      description: `Rent: ${title || videoId}`,
+      callback_url: `${config.appBaseUrl}/api/ipn/pesapal/callback`,
+      notification_id: 'your-pesapal-ipn-ref',
+      billing_address: { email_address: 'customer@example.com' }
+    };
+
+    const submit = await axios.post(`${config.pesapal.baseUrl}/api/Transactions/SubmitOrderRequest`,
+      orderReq, { headers: { Authorization: `Bearer ${token}` } });
+
+    return res.json({ redirectUrl: submit.data.redirect_url, orderTrackingId: submit.data.order_tracking_id });
+  } catch (err) {
+    return res.status(500).json({ error: 'failed to create pesapal order' });
+  }
+}); */
+
+/* async function pesapalAuthToken(): Promise<string> {
+  const res = await axios.post(`${config.pesapal.baseUrl}/api/Auth/RequestToken`, {
+    consumer_key: config.pesapal.consumerKey,
+    consumer_secret: config.pesapal.consumerSecret
+  });
+  return res.data.token;
+}
+*/
+
+// Pesapal IPN target: POST /api/ipn/pesapal/callback
+/* pesapalRouter.post('/pesapal/callback', async (req: Request, res: Response) => {
+  const { order_tracking_id, userId, videoId, rentalDurationHours } = req.body || {};
+  if (!order_tracking_id || !userId || !videoId) return res.status(400).send('Bad IPN payload');
+
+  try {
+    const token = await pesapalAuthToken();
+    const statusRes = await axios.get(
+      `${config.pesapal.baseUrl}/api/Transactions/GetTransactionStatus?orderTrackingId=${order_tracking_id}`,
+      { headers: { Authorization: `Bearer ${token}` } }
+    );
+    const status = statusRes.data;
+
+    if (status.payment_status_code === 'COMPLETED' || status.status === 'COMPLETED') {
+      const amountCents = Math.round(Number(status.amount) * 100);
+      const currency = (status.currency || 'USD').toUpperCase();
+
+      const payment = await upsertPayment({
+        gateway: 'pesapal',
+        gatewayRef: order_tracking_id,
+        amountCents,
+        currency,
+        status: 'succeeded',
+        rawPayload: status,
+        userId,
+        videoId
+      });
+
+      await issueRentalEntitlement({
+        userId, videoId, paymentId: payment.id, rentalDurationHours: Number(rentalDurationHours || 48)
+      });
+    }
+
+    res.status(200).send('ok');
+  } catch (err) {
+    res.status(500).send('IPN handling failed');
+  }
+}); */
+

package/apps/rental-api/src/routes/rentals.ts

@@ -0,0 +1,242 @@
+import { Router, type Request, type Response } from 'express';
+import Stripe from 'stripe';
+import { config } from '../config.js';
+import { getEntitlement, issueRentalEntitlement } from '../services/entitlements.js';
+import { upsertPayment } from '../services/payments.js';
+import { db } from '../db.js';
+
+export const rentalsRouter = Router();
+const stripe = new Stripe(config.stripeSecretKey, { apiVersion: '2024-06-20' });
+
+// Simple mock checkout page for local development when Stripe is not configured
+rentalsRouter.get('/mock/checkout', async (_req: Request, res: Response) => {
+  res.set('Content-Type', 'text/html');
+  return res.send(`<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mock Checkout</title>
+  <style>
+    body { margin:0; background:#0f0f10; color:#fff; font-family:Arial, sans-serif; display:flex; align-items:center; justify-content:center; height:100vh; }
+    .card { background:#141416; border:1px solid rgba(255,255,255,0.12); border-radius:12px; padding:24px; width: min(520px, 92vw); box-shadow: 0 20px 60px rgba(0,0,0,0.5); }
+    h1 { margin:0 0 8px; font-size:20px; }
+    p { margin:0 0 16px; color: rgba(255,255,255,0.75); }
+    .actions { display:flex; gap:12px; }
+    button { cursor:pointer; border:none; border-radius:8px; padding:10px 16px; }
+    .primary { background:linear-gradient(135deg,#ff4d4f,#d9363e); color:#fff; }
+    .secondary { background:rgba(255,255,255,0.12); color:#fff; border:1px solid rgba(255,255,255,0.2); }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>Mock Stripe Checkout</h1>
+    <p>This is a simulated checkout used for local development.</p>
+    <div class="actions">
+      <button class="primary" onclick="complete()">Complete Payment</button>
+      <button class="secondary" onclick="cancel()">Cancel</button>
+    </div>
+  </div>
+  <script>
+    function complete(){ try{ window.opener && window.opener.postMessage({ type: 'uvfCheckout', status: 'success' }, '*'); }catch(e){} window.close(); }
+    function cancel(){ try{ window.opener && window.opener.postMessage({ type: 'uvfCheckout', status: 'cancel' }, '*'); }catch(e){} window.close(); }
+  </script>
+</body>
+</html>`);
+});
+
+// POST /api/rentals/stripe/confirm { sessionId }
+rentalsRouter.post('/stripe/confirm', async (req: Request, res: Response) => {
+  try {
+    if (!config.stripeSecretKey) return res.status(400).json({ error: 'stripe not configured' });
+    const { sessionId } = req.body || {};
+    if (!sessionId) return res.status(400).json({ error: 'sessionId required' });
+    const session = await stripe.checkout.sessions.retrieve(String(sessionId));
+    const paid = (session.payment_status === 'paid') || (session.status === 'complete');
+    if (!paid) return res.status(400).json({ error: 'not paid', status: session.payment_status || session.status });
+
+    const userId = (session.metadata?.userId || '').toString();
+    const videoId = (session.metadata?.videoId || '').toString();
+    const rentalDurationHours = Number(session.metadata?.rentalDurationHours || 48);
+    if (!userId || !videoId) return res.status(400).json({ error: 'missing metadata on session' });
+
+    const amountCents = session.amount_total ?? 0;
+    const currency = (session.currency || 'USD').toUpperCase();
+
+    const payment = await upsertPayment({
+      gateway: 'stripe',
+      gatewayRef: session.id,
+      amountCents: amountCents,
+      currency,
+      status: 'succeeded',
+      rawPayload: session,
+      userId,
+      videoId
+    });
+
+    await issueRentalEntitlement({ userId, videoId, paymentId: payment.id, rentalDurationHours });
+    return res.json({ ok: true });
+  } catch (err: any) {
+    try { console.error('[stripe/confirm] error', err?.message || err); } catch (_) {}
+    return res.status(500).json({ error: 'confirm failed', details: err?.message || String(err) });
+  }
+});
+
+// GET /api/rentals/config?tenant=&userId=&videoId=
+// Returns a PaywallConfig JSON for the web player
+rentalsRouter.get('/config', async (req: Request, res: Response) => {
+  const tenant = String(req.query.tenant || 'demo').toLowerCase();
+  const userId = String(req.query.userId || 'u1');
+  const videoId = String(req.query.videoId || 'v1');
+
+  // Basic mock mapping: demo tenants get both gateways
+  const gateways = ['stripe','cashfree'];
+  const branding = { title: 'Continue watching', description: 'Rent to continue watching this video.' };
+  const popup = { width: 1000, height: 800 };
+
+  // Always point apiBase to this API's origin so the web demo calls the correct server
+  const host = req.get('host') as string;
+  const apiBase = `${req.protocol}://${host}`;
+
+  return res.json({ enabled: true, apiBase, userId, videoId, gateways, branding, popup });
+});
+
+// GET /api/rentals/entitlement?userId=&videoId=
+rentalsRouter.get('/entitlement', async (req: Request, res: Response) => {
+  const userId = String(req.query.userId || '');
+  const videoId = String(req.query.videoId || '');
+  if (!userId || !videoId) return res.status(400).json({ error: 'userId and videoId required' });
+
+  try {
+    const out = await getEntitlement(userId, videoId);
+    return res.json(out);
+  } catch (err) {
+    return res.status(500).json({ error: 'entitlement lookup failed' });
+  }
+});
+
+// POST /api/rentals/mock/grant
+// Body: { userId, videoId, rentalDurationHours? }
+rentalsRouter.post('/mock/grant', async (req: Request, res: Response) => {
+  if (process.env.ENABLE_DEV_MOCKS !== '1' && process.env.NODE_ENV === 'production') {
+    return res.status(403).json({ error: 'mock endpoint disabled' });
+  }
+  const { userId, videoId, rentalDurationHours } = req.body || {};
+  if (!userId || !videoId) return res.status(400).json({ error: 'userId and videoId required' });
+  try {
+    const { rows } = await db.query(
+      `SELECT price_cents, currency, rental_duration_hours FROM videos WHERE video_id=$1`, [videoId]
+    );
+    const price_cents = rows[0]?.price_cents ?? 0;
+    const currency = rows[0]?.currency ?? 'USD';
+    const hours = Number(rentalDurationHours || rows[0]?.rental_duration_hours || 48);
+
+    const pay = await upsertPayment({
+      gateway: 'stripe',
+      gatewayRef: `mock_${Date.now()}`,
+      amountCents: price_cents,
+      currency,
+      status: 'succeeded',
+      rawPayload: { mock: true },
+      userId,
+      videoId
+    });
+
+    const ent = await issueRentalEntitlement({ userId, videoId, paymentId: pay.id, rentalDurationHours: hours });
+    return res.json({ ok: true, entitlement: ent });
+  } catch (err) {
+    return res.status(500).json({ error: 'mock grant failed' });
+  }
+});
+
+// POST /api/rentals/mock/revoke
+// Body: { userId, videoId }
+rentalsRouter.post('/mock/revoke', async (req: Request, res: Response) => {
+  if (process.env.ENABLE_DEV_MOCKS !== '1' && process.env.NODE_ENV === 'production') {
+    return res.status(403).json({ error: 'mock endpoint disabled' });
+  }
+  const { userId, videoId } = req.body || {};
+  if (!userId || !videoId) return res.status(400).json({ error: 'userId and videoId required' });
+  try {
+    await db.query(
+      `UPDATE entitlements SET status='expired', expires_at=LEAST(expires_at, NOW())
+       WHERE user_id=$1 AND video_id=$2 AND status='active'`, [userId, videoId]
+    );
+    return res.json({ ok: true });
+  } catch (err) {
+    return res.status(500).json({ error: 'mock revoke failed' });
+  }
+});
+
+// POST /api/rentals/stripe/checkout-session
+// Body: { userId, videoId, successUrl, cancelUrl }
+rentalsRouter.post('/stripe/checkout-session', async (req: Request, res: Response) => {
+  const { userId, videoId, successUrl, cancelUrl } = req.body || {};
+  if (!userId || !videoId || !successUrl || !cancelUrl) {
+    return res.status(400).json({ error: 'userId, videoId, successUrl, cancelUrl required' });
+  }
+
+  // Derive this API's origin for local mock URLs
+  const host = req.get('host') as string;
+  const apiBase = `${req.protocol}://${host}`.replace(/\/$/, '');
+
+  // Defaults for demo when DB is disabled or empty
+  let price_cents = 2500; // $25.00
+  let currency = 'USD';
+  let rental_duration_hours = 48;
+  let title = videoId as string;
+
+  try {
+    const { rows } = await db.query(
+      `SELECT price_cents, currency, rental_duration_hours, title FROM videos WHERE video_id=$1`,
+      [videoId]
+    );
+    if (rows[0]) {
+      price_cents = Number(rows[0].price_cents ?? price_cents);
+      currency = String(rows[0].currency || currency);
+      rental_duration_hours = Number(rows[0].rental_duration_hours ?? rental_duration_hours);
+      title = String(rows[0].title || title);
+    }
+  } catch (_) {
+    // DB unavailable or disabled: keep defaults
+  }
+
+  // Fallback to mock checkout when Stripe key is not configured
+  if (!config.stripeSecretKey) {
+    const mockUrl = `${apiBase}/api/rentals/mock/checkout?videoId=${encodeURIComponent(String(videoId))}&userId=${encodeURIComponent(String(userId))}&amountCents=${price_cents}&currency=${encodeURIComponent(currency || 'USD')}`;
+    return res.json({ url: mockUrl, id: `mock_${Date.now()}` });
+  }
+
+  try {
+    // Ensure successUrl carries the Stripe session placeholder so the client can confirm without webhooks
+    const successWithSession = `${successUrl}${successUrl.includes('?') ? '&' : '?'}session_id={CHECKOUT_SESSION_ID}`;
+    const session = await stripe.checkout.sessions.create({
+      mode: 'payment',
+      payment_method_types: ['card'],
+      line_items: [{
+        price_data: {
+          currency: (currency || 'usd').toLowerCase(),
+          unit_amount: price_cents,
+          product_data: { name: `Rent: ${title || videoId}` }
+        },
+        quantity: 1
+      }],
+      success_url: successWithSession,
+      cancel_url: cancelUrl,
+      metadata: {
+        userId, videoId, rentalDurationHours: String(rental_duration_hours || 48)
+      }
+    });
+
+    return res.json({ url: session.url, id: session.id });
+  } catch (e: any) {
+    // In dev, gracefully fallback to mock checkout if Stripe call fails and mocks enabled
+    try { console.error('[stripe/checkout-session] error', e?.message || e); } catch (_) {}
+    if (process.env.ENABLE_DEV_MOCKS === '1') {
+      const mockUrl = `${apiBase}/api/rentals/mock/checkout?videoId=${encodeURIComponent(String(videoId))}&userId=${encodeURIComponent(String(userId))}&amountCents=${price_cents}&currency=${encodeURIComponent(currency || 'USD')}`;
+      return res.json({ url: mockUrl, id: `mock_${Date.now()}` });
+    }
+    return res.status(500).json({ error: 'failed to create checkout session', details: e?.message || String(e) });
+  }
+});
+