vibefast-cli 1.3.4 → 1.3.5

package/recipes/lemonsqueezy-supabase/packages/backend/supabase/functions/payments-webhook/index.ts

@@ -0,0 +1,339 @@
+/**
+ * Supabase Payments Webhook (Stripe or LemonSqueezy)
+ *
+ * Handles provider webhooks and upserts subscription/order records.
+ */
+
+import 'jsr:@supabase/functions-js/edge-runtime.d.ts';
+import { createClient } from 'npm:@supabase/supabase-js@2';
+import Stripe from 'npm:stripe@14.25.0';
+import { getPaymentProvider, getPlanByPriceId } from '../payments/config.ts';
+
+const jsonResponse = (body: unknown, status = 200) =>
+  new Response(JSON.stringify(body), {
+    status,
+    headers: { 'Content-Type': 'application/json' },
+  });
+
+const getEnv = (key: string) => {
+  const value = Deno.env.get(key);
+  if (!value) {
+    throw new Error(`Missing environment variable: ${key}`);
+  }
+  return value;
+};
+
+const getSupabaseAdmin = () => {
+  const supabaseUrl = getEnv('SUPABASE_URL');
+  const supabaseSecretKey =
+    Deno.env.get('SUPABASE_SECRET_KEY') ??
+    Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');
+  if (!supabaseSecretKey) {
+    throw new Error('Supabase service role key not configured');
+  }
+  return createClient(supabaseUrl, supabaseSecretKey);
+};
+
+const toIso = (timestamp?: number | null) =>
+  typeof timestamp === 'number'
+    ? new Date(timestamp * 1000).toISOString()
+    : null;
+
+const parseUserId = (customData: unknown): string | null => {
+  if (typeof customData === 'object' && customData !== null) {
+    const data = customData as Record<string, unknown>;
+    if (typeof data.user_id === 'string') {
+      return data.user_id;
+    }
+  }
+  return null;
+};
+
+const verifyLemonSignature = async (
+  rawBody: string,
+  signature: string,
+  secret: string,
+): Promise<boolean> => {
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign'],
+  );
+
+  const signatureBuffer = await crypto.subtle.sign(
+    'HMAC',
+    key,
+    encoder.encode(rawBody),
+  );
+
+  const hashArray = Array.from(new Uint8Array(signatureBuffer));
+  const digest = hashArray.map((b) => b.toString(16).padStart(2, '0')).join('');
+  return digest === signature;
+};
+
+const upsertPaymentCustomer = async (
+  supabaseAdmin: ReturnType<typeof createClient>,
+  userId: string,
+  provider: string,
+  providerCustomerId: string,
+) => {
+  await supabaseAdmin.from('payment_customers').upsert(
+    {
+      user_id: userId,
+      provider,
+      provider_customer_id: providerCustomerId,
+    },
+    { onConflict: 'user_id,provider' },
+  );
+};
+
+const upsertSubscription = async (
+  supabaseAdmin: ReturnType<typeof createClient>,
+  data: {
+    userId: string;
+    provider: string;
+    providerSubscriptionId: string;
+    providerCustomerId?: string | null;
+    priceId?: string | null;
+    status?: string | null;
+    currentPeriodEnd?: string | null;
+    cancelAt?: string | null;
+    cancelAtPeriodEnd?: boolean | null;
+    metadata?: Record<string, unknown> | null;
+  },
+) => {
+  const plan = data.priceId ? getPlanByPriceId(data.priceId) : undefined;
+  const now = new Date().toISOString();
+
+  await supabaseAdmin.from('subscriptions').upsert(
+    {
+      user_id: data.userId,
+      provider: data.provider,
+      provider_subscription_id: data.providerSubscriptionId,
+      provider_customer_id: data.providerCustomerId ?? null,
+      price_id: data.priceId ?? null,
+      plan_id: plan?.id ?? null,
+      status: data.status ?? null,
+      current_period_end: data.currentPeriodEnd ?? null,
+      cancel_at: data.cancelAt ?? null,
+      cancel_at_period_end: data.cancelAtPeriodEnd ?? null,
+      metadata: data.metadata ?? null,
+      updated_at: now,
+      created_at: now,
+    },
+    { onConflict: 'provider,provider_subscription_id' },
+  );
+};
+
+Deno.serve(async (req: Request) => {
+  try {
+    if (req.method !== 'POST') {
+      return jsonResponse({ ok: false, message: 'Method not allowed' }, 405);
+    }
+
+    const provider = getPaymentProvider();
+    const supabaseAdmin = getSupabaseAdmin();
+    const rawBody = await req.text();
+
+    if (provider === 'stripe') {
+      const signature = req.headers.get('stripe-signature');
+      const secret = Deno.env.get('STRIPE_WEBHOOK_SECRET');
+      if (!signature || !secret) {
+        return jsonResponse({ ok: false, message: 'Stripe webhook not configured' }, 400);
+      }
+
+      const stripe = new Stripe(getEnv('STRIPE_SECRET_KEY'), {
+        apiVersion: '2023-10-16',
+      });
+
+      let event: Stripe.Event;
+      try {
+        event = stripe.webhooks.constructEvent(rawBody, signature, secret);
+      } catch (err) {
+        return jsonResponse({ ok: false, message: 'Invalid Stripe signature' }, 401);
+      }
+
+      if (
+        event.type === 'checkout.session.completed' &&
+        event.data.object &&
+        (event.data.object as Stripe.Checkout.Session).subscription
+      ) {
+        const session = event.data.object as Stripe.Checkout.Session;
+        const subscriptionId = session.subscription as string;
+        const subscription = await stripe.subscriptions.retrieve(subscriptionId);
+
+        const userId =
+          session.metadata?.user_id ??
+          subscription.metadata?.user_id ??
+          null;
+
+        const customerId =
+          typeof subscription.customer === 'string'
+            ? subscription.customer
+            : subscription.customer?.id;
+
+        let resolvedUserId = userId;
+        if (!resolvedUserId && customerId) {
+          const { data } = await supabaseAdmin
+            .from('payment_customers')
+            .select('user_id')
+            .eq('provider', 'stripe')
+            .eq('provider_customer_id', customerId)
+            .maybeSingle();
+          resolvedUserId = data?.user_id ?? null;
+        }
+
+        if (resolvedUserId && customerId) {
+          await upsertPaymentCustomer(
+            supabaseAdmin,
+            resolvedUserId,
+            'stripe',
+            customerId,
+          );
+        }
+
+        if (resolvedUserId) {
+          const priceId =
+            subscription.items?.data?.[0]?.price?.id ??
+            session.metadata?.price_id ??
+            null;
+
+          await upsertSubscription(supabaseAdmin, {
+            userId: resolvedUserId,
+            provider: 'stripe',
+            providerSubscriptionId: subscription.id,
+            providerCustomerId: customerId ?? null,
+            priceId,
+            status: subscription.status,
+            currentPeriodEnd: toIso(subscription.current_period_end),
+            cancelAt: toIso(subscription.cancel_at),
+            cancelAtPeriodEnd: subscription.cancel_at_period_end,
+            metadata: subscription.metadata ?? null,
+          });
+        }
+      }
+
+      if (event.type === 'customer.subscription.updated' || event.type === 'customer.subscription.deleted') {
+        const subscription = event.data.object as Stripe.Subscription;
+        const customerId =
+          typeof subscription.customer === 'string'
+            ? subscription.customer
+            : subscription.customer?.id;
+
+        let userId = subscription.metadata?.user_id ?? null;
+        if (!userId && customerId) {
+          const { data } = await supabaseAdmin
+            .from('payment_customers')
+            .select('user_id')
+            .eq('provider', 'stripe')
+            .eq('provider_customer_id', customerId)
+            .maybeSingle();
+          userId = data?.user_id ?? null;
+        }
+
+        if (userId) {
+          const priceId = subscription.items?.data?.[0]?.price?.id ?? null;
+          await upsertSubscription(supabaseAdmin, {
+            userId,
+            provider: 'stripe',
+            providerSubscriptionId: subscription.id,
+            providerCustomerId: customerId ?? null,
+            priceId,
+            status: subscription.status,
+            currentPeriodEnd: toIso(subscription.current_period_end),
+            cancelAt: toIso(subscription.cancel_at),
+            cancelAtPeriodEnd: subscription.cancel_at_period_end,
+            metadata: subscription.metadata ?? null,
+          });
+        }
+      }
+
+      return jsonResponse({ ok: true });
+    }
+
+    // LemonSqueezy webhook
+    const secret = Deno.env.get('LEMONSQUEEZY_WEBHOOK_SECRET');
+    const signature = req.headers.get('X-Signature');
+    if (!secret || !signature) {
+      return jsonResponse({ ok: false, message: 'LemonSqueezy webhook not configured' }, 400);
+    }
+
+    const isValid = await verifyLemonSignature(rawBody, signature, secret);
+    if (!isValid) {
+      return jsonResponse({ ok: false, message: 'Invalid signature' }, 401);
+    }
+
+    const payload = JSON.parse(rawBody);
+    const eventName = payload?.meta?.event_name as string | undefined;
+    const data = payload?.data;
+
+    if (!eventName || !data) {
+      return jsonResponse({ ok: false, message: 'Missing event data' }, 400);
+    }
+
+    if (eventName.startsWith('subscription_')) {
+      const userId = parseUserId(payload?.meta?.custom_data);
+      if (userId) {
+        const attrs = data.attributes ?? {};
+        const currentPeriodEnd =
+          attrs.renews_at || attrs.ends_at || attrs.trial_ends_at || null;
+
+        if (attrs.customer_id) {
+          await upsertPaymentCustomer(
+            supabaseAdmin,
+            userId,
+            'lemonsqueezy',
+            String(attrs.customer_id),
+          );
+        }
+
+        await upsertSubscription(supabaseAdmin, {
+          userId,
+          provider: 'lemonsqueezy',
+          providerSubscriptionId: String(data.id),
+          providerCustomerId: attrs.customer_id
+            ? String(attrs.customer_id)
+            : null,
+          priceId: attrs.variant_id ? String(attrs.variant_id) : null,
+          status: attrs.status ?? 'unknown',
+          currentPeriodEnd: currentPeriodEnd
+            ? new Date(currentPeriodEnd).toISOString()
+            : null,
+          cancelAt: attrs.ends_at ? new Date(attrs.ends_at).toISOString() : null,
+          cancelAtPeriodEnd: attrs.status === 'cancelled',
+          metadata: {
+            customerPortalUrl: attrs.urls?.customer_portal,
+          },
+        });
+      }
+    }
+
+    if (eventName === 'order_created') {
+      const userId = parseUserId(payload?.meta?.custom_data);
+      if (userId) {
+        const attrs = data.attributes ?? {};
+        await supabaseAdmin.from('orders').upsert(
+          {
+            provider: 'lemonsqueezy',
+            order_id: String(data.id),
+            user_id: userId,
+            product_id: attrs.product_id ? String(attrs.product_id) : null,
+            variant_id: attrs.variant_id ? String(attrs.variant_id) : null,
+            amount: attrs.total ?? null,
+            currency: attrs.currency ?? 'USD',
+            status: 'completed',
+          },
+          { onConflict: 'provider,order_id' },
+        );
+      }
+    }
+
+    return jsonResponse({ ok: true });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : 'Unexpected error';
+    return jsonResponse({ ok: false, message }, 500);
+  }
+});

package/recipes/lemonsqueezy-supabase/packages/backend/supabase/migrations/web_payments.sql

@@ -0,0 +1,85 @@
+-- Web Payments Migration (Stripe/LemonSqueezy)
+-- Creates provider-agnostic tables for subscriptions and orders
+
+-- ============================================================================
+-- PAYMENT_CUSTOMERS TABLE
+-- Maps users to provider customer IDs
+-- ============================================================================
+CREATE TABLE IF NOT EXISTS payment_customers (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  provider TEXT NOT NULL,
+  provider_customer_id TEXT NOT NULL,
+  created_at TIMESTAMPTZ DEFAULT now(),
+  UNIQUE (user_id, provider),
+  UNIQUE (provider, provider_customer_id)
+);
+
+-- ============================================================================
+-- SUBSCRIPTIONS TABLE
+-- Tracks subscription state across providers
+-- ============================================================================
+CREATE TABLE IF NOT EXISTS subscriptions (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  provider TEXT NOT NULL,
+  provider_subscription_id TEXT NOT NULL,
+  provider_customer_id TEXT,
+  price_id TEXT,
+  plan_id TEXT,
+  status TEXT,
+  current_period_end TIMESTAMPTZ,
+  cancel_at TIMESTAMPTZ,
+  cancel_at_period_end BOOLEAN,
+  metadata JSONB,
+  created_at TIMESTAMPTZ DEFAULT now(),
+  updated_at TIMESTAMPTZ DEFAULT now(),
+  UNIQUE (provider, provider_subscription_id)
+);
+
+-- ============================================================================
+-- ORDERS TABLE
+-- Stores one-time purchases (used by LemonSqueezy and future providers)
+-- ============================================================================
+CREATE TABLE IF NOT EXISTS orders (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  provider TEXT NOT NULL,
+  order_id TEXT NOT NULL,
+  user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  product_id TEXT,
+  variant_id TEXT,
+  amount NUMERIC,
+  currency TEXT,
+  status TEXT,
+  created_at TIMESTAMPTZ DEFAULT now(),
+  UNIQUE (provider, order_id)
+);
+
+-- ============================================================================
+-- INDEXES
+-- ============================================================================
+CREATE INDEX IF NOT EXISTS idx_payment_customers_user_id ON payment_customers(user_id);
+CREATE INDEX IF NOT EXISTS idx_payment_customers_provider ON payment_customers(provider);
+
+CREATE INDEX IF NOT EXISTS idx_subscriptions_user_id ON subscriptions(user_id);
+CREATE INDEX IF NOT EXISTS idx_subscriptions_provider ON subscriptions(provider);
+CREATE INDEX IF NOT EXISTS idx_subscriptions_status ON subscriptions(status);
+
+CREATE INDEX IF NOT EXISTS idx_orders_user_id ON orders(user_id);
+CREATE INDEX IF NOT EXISTS idx_orders_provider ON orders(provider);
+
+-- ============================================================================
+-- RLS POLICIES
+-- ============================================================================
+ALTER TABLE payment_customers ENABLE ROW LEVEL SECURITY;
+ALTER TABLE subscriptions ENABLE ROW LEVEL SECURITY;
+ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "payment_customers_select_own" ON payment_customers
+  FOR SELECT USING (auth.uid() = user_id);
+
+CREATE POLICY "subscriptions_select_own" ON subscriptions
+  FOR SELECT USING (auth.uid() = user_id);
+
+CREATE POLICY "orders_select_own" ON orders
+  FOR SELECT USING (auth.uid() = user_id);

package/recipes/lemonsqueezy-supabase/recipe.json

@@ -0,0 +1,129 @@
+{
+  "name": "lemonsqueezy-supabase",
+  "version": "1.0.0",
+  "description": "Lemon Squeezy web payments for Supabase (pricing + billing)",
+  "copy": [
+    {
+      "from": "apps/web/app/pricing",
+      "to": "apps/web/app/pricing"
+    },
+    {
+      "from": "apps/web/app/billing",
+      "to": "apps/web/app/billing"
+    },
+    {
+      "from": "apps/web/components/payments",
+      "to": "apps/web/components/payments"
+    },
+    {
+      "from": "apps/web/lib/plans.ts",
+      "to": "apps/web/lib/plans.ts"
+    },
+    {
+      "from": "packages/backend/supabase/functions/payments",
+      "to": "packages/backend/supabase/functions/payments"
+    },
+    {
+      "from": "packages/backend/supabase/functions/payments-webhook",
+      "to": "packages/backend/supabase/functions/payments-webhook"
+    },
+    {
+      "from": "packages/backend/supabase/migrations/web_payments.sql",
+      "to": "packages/backend/supabase/migrations/web_payments.sql"
+    }
+  ],
+  "target": "web",
+  "env": [
+    {
+      "key": "PAYMENT_PROVIDER",
+      "description": "Active payments provider (stripe or lemonsqueezy)",
+      "example": "lemonsqueezy",
+      "file": "packages/backend/.env.local"
+    },
+    {
+      "key": "SITE_URL",
+      "description": "Public site URL for checkout redirects (no trailing slash)",
+      "example": "https://yourdomain.com",
+      "file": "packages/backend/.env.local"
+    },
+    {
+      "key": "PLAN_STARTER_PRICE_ID",
+      "description": "Lemon Squeezy variant ID for Starter plan",
+      "example": "123456",
+      "file": "packages/backend/.env.local"
+    },
+    {
+      "key": "PLAN_PRO_PRICE_ID",
+      "description": "Lemon Squeezy variant ID for Pro plan",
+      "example": "234567",
+      "file": "packages/backend/.env.local"
+    },
+    {
+      "key": "PLAN_ENTERPRISE_PRICE_ID",
+      "description": "Lemon Squeezy variant ID for Enterprise plan",
+      "example": "345678",
+      "file": "packages/backend/.env.local"
+    },
+    {
+      "key": "LEMONSQUEEZY_API_KEY",
+      "description": "Lemon Squeezy API key",
+      "example": "api_key_...",
+      "file": "packages/backend/.env.local"
+    },
+    {
+      "key": "LEMONSQUEEZY_STORE_ID",
+      "description": "Lemon Squeezy store ID",
+      "example": "12345",
+      "file": "packages/backend/.env.local"
+    },
+    {
+      "key": "LEMONSQUEEZY_WEBHOOK_SECRET",
+      "description": "Lemon Squeezy webhook signing secret",
+      "example": "whsec_...",
+      "file": "packages/backend/.env.local"
+    },
+    {
+      "key": "NEXT_PUBLIC_PLAN_STARTER_PRICE_ID",
+      "description": "Starter plan variant ID for the web app",
+      "example": "123456",
+      "file": "apps/web/.env.local"
+    },
+    {
+      "key": "NEXT_PUBLIC_PLAN_PRO_PRICE_ID",
+      "description": "Pro plan variant ID for the web app",
+      "example": "234567",
+      "file": "apps/web/.env.local"
+    },
+    {
+      "key": "NEXT_PUBLIC_PLAN_ENTERPRISE_PRICE_ID",
+      "description": "Enterprise plan variant ID for the web app",
+      "example": "345678",
+      "file": "apps/web/.env.local"
+    }
+  ],
+  "manualSteps": [
+    {
+      "title": "Push Supabase secrets",
+      "description": "Add PAYMENT_PROVIDER, SITE_URL, LEMONSQUEEZY_API_KEY, LEMONSQUEEZY_STORE_ID, LEMONSQUEEZY_WEBHOOK_SECRET, and plan IDs to packages/backend/.env.local, then run: pnpm --filter @vibefast/backend secrets:push",
+      "file": "packages/backend/.env.local"
+    },
+    {
+      "title": "Deploy Edge Functions",
+      "description": "Deploy payments functions: pnpm --filter @vibefast/backend functions:deploy",
+      "file": "packages/backend/supabase/functions"
+    },
+    {
+      "title": "Create Stripe webhook",
+      "description": "Add a webhook endpoint: https://<project-ref>.functions.supabase.co/payments-webhook",
+      "file": "Lemon Squeezy Dashboard"
+    },
+    {
+      "title": "Apply database migrations",
+      "description": "Run: pnpm --filter @vibefast/backend db:push",
+      "file": "packages/backend/supabase/migrations"
+    }
+  ],
+  "postInstall": {
+    "message": "✅ Lemon Squeezy web payments (Supabase) added. Set env vars, deploy functions, and apply migrations."
+  }
+}

package/recipes/stripe-supabase/apps/web/app/billing/page.tsx

@@ -0,0 +1,48 @@
+'use client';
+
+import { Layout } from '@/components/Layout';
+import { BillingSection } from '@/components/payments';
+import { Authenticated, Unauthenticated } from '@/lib/supabase-provider';
+import Link from 'next/link';
+import { Button } from '@/components/ui/button';
+
+// ============================================================================
+// Billing Page
+// User's subscription and billing management
+// ============================================================================
+
+export default function BillingPage() {
+  return (
+    <Layout>
+      <div className="container max-w-2xl py-8">
+        <div className="mb-8">
+          <h1 className="text-2xl font-bold">Billing & Subscription</h1>
+          <p className="mt-1 text-muted-foreground">
+            Manage your subscription and billing details
+          </p>
+        </div>
+
+        <Authenticated>
+          <BillingSection />
+        </Authenticated>
+
+        <Unauthenticated>
+          <div className="rounded-lg border bg-card p-8 text-center">
+            <h2 className="text-lg font-semibold">Sign in to view billing</h2>
+            <p className="mt-2 text-sm text-muted-foreground">
+              You need to be signed in to manage your subscription.
+            </p>
+            <div className="mt-6 flex justify-center gap-4">
+              <Button asChild>
+                <Link href="/">Sign In</Link>
+              </Button>
+              <Button variant="outline" asChild>
+                <Link href="/pricing">View Plans</Link>
+              </Button>
+            </div>
+          </div>
+        </Unauthenticated>
+      </div>
+    </Layout>
+  );
+}

package/recipes/stripe-supabase/apps/web/app/pricing/page.tsx

@@ -0,0 +1,19 @@
+'use client';
+
+import { Layout } from '@/components/Layout';
+import { PricingSection } from '@/components/payments';
+
+// ============================================================================
+// Pricing Page
+// Displays available subscription plans
+// ============================================================================
+
+export default function PricingPage() {
+  return (
+    <Layout>
+      <div className="container max-w-6xl py-8">
+        <PricingSection />
+      </div>
+    </Layout>
+  );
+}