karaoke-gen 0.99.3__py3-none-any.whl → 0.103.1__py3-none-any.whl

backend/services/stripe_service.py

@@ -46,11 +46,12 @@ CREDIT_PACKAGES = {
     },
 }
 
-# Done-for-you service package (not a credit package - creates a job directly)
-DONE_FOR_YOU_PACKAGE = {
+# Made-for-you service package (not a credit package - creates a job directly)
+MADE_FOR_YOU_PACKAGE = {
     "price_cents": 1500,  # $15.00
-    "name": "Done For You Karaoke Video",
-    "description": "Full-service karaoke video creation with 24-hour delivery",
+    "name": "Made For You Karaoke Video",
+    "description": "Professional 4K karaoke video with perfectly synced lyrics, delivered to your email within 24 hours",
+    "images": ["https://gen.nomadkaraoke.com/nomad-logo.png"],
 }
 
 
@@ -65,6 +66,10 @@ class StripeService:
         self.frontend_url = os.getenv("FRONTEND_URL", "https://gen.nomadkaraoke.com")
         # After consolidation, buy URL is the same as frontend URL
         self.buy_url = os.getenv("BUY_URL", self.frontend_url)
+        # Payment method configuration ID from Stripe Dashboard
+        # Enables Google Pay, Apple Pay, Link, and other wallet methods
+        # Get this from: Dashboard > Settings > Payment methods > [Your Config] > Copy ID
+        self.payment_method_config = os.getenv("STRIPE_PAYMENT_METHOD_CONFIG")
 
         if self.secret_key:
             stripe.api_key = self.secret_key
@@ -72,6 +77,11 @@ class StripeService:
         else:
             logger.warning("STRIPE_SECRET_KEY not set - payments disabled")
 
+        if self.payment_method_config:
+            logger.info(f"Using payment method config: {self.payment_method_config}")
+        else:
+            logger.info("No STRIPE_PAYMENT_METHOD_CONFIG set - using Stripe defaults")
+
     def is_configured(self) -> bool:
         """Check if Stripe is properly configured."""
         return bool(self.secret_key)
@@ -113,32 +123,40 @@ class StripeService:
             if not cancel_url:
                 cancel_url = f"{self.buy_url}?cancelled=true"
 
-            # Create checkout session
-            session = stripe.checkout.Session.create(
-                payment_method_types=['card'],
-                line_items=[{
+            # Build checkout session params
+            session_params = {
+                # Omit payment_method_types to auto-enable Apple Pay, Google Pay, Link, etc.
+                'line_items': [{
                     'price_data': {
                         'currency': 'usd',
                         'product_data': {
                             'name': package['name'],
                             'description': package['description'],
+                            'images': ['https://gen.nomadkaraoke.com/nomad-logo.png'],
                         },
                         'unit_amount': package['price_cents'],
                     },
                     'quantity': 1,
                 }],
-                mode='payment',
-                success_url=success_url,
-                cancel_url=cancel_url,
-                customer_email=user_email,
-                metadata={
+                'mode': 'payment',
+                'success_url': success_url,
+                'cancel_url': cancel_url,
+                'customer_email': user_email,
+                'metadata': {
                     'package_id': package_id,
                     'credits': str(package['credits']),
                     'user_email': user_email,
                 },
                 # Allow promotion codes
-                allow_promotion_codes=True,
-            )
+                'allow_promotion_codes': True,
+            }
+
+            # Add payment method configuration if set (enables Google Pay, Link, etc.)
+            if self.payment_method_config:
+                session_params['payment_method_configuration'] = self.payment_method_config
+
+            # Create checkout session
+            session = stripe.checkout.Session.create(**session_params)
 
             logger.info(f"Created checkout session {session.id} for {user_email}, package {package_id}")
             return True, session.url, "Checkout session created"
@@ -150,7 +168,7 @@ class StripeService:
             logger.error(f"Error creating checkout session: {e}")
             return False, None, "Failed to create checkout session"
 
-    def create_done_for_you_checkout_session(
+    def create_made_for_you_checkout_session(
         self,
         customer_email: str,
         artist: str,
@@ -162,7 +180,7 @@ class StripeService:
         cancel_url: Optional[str] = None,
     ) -> Tuple[bool, Optional[str], str]:
         """
-        Create a Stripe Checkout session for a done-for-you order.
+        Create a Stripe Checkout session for a made-for-you order.
 
         This is for the full-service karaoke video creation where Nomad Karaoke
         handles all the work (lyrics review, instrumental selection, etc.).
@@ -192,7 +210,7 @@ class StripeService:
 
             # Build metadata for job creation after payment
             metadata = {
-                'order_type': 'done_for_you',
+                'order_type': 'made_for_you',
                 'customer_email': customer_email,
                 'artist': artist,
                 'title': title,
@@ -204,39 +222,47 @@ class StripeService:
                 # Truncate notes to fit Stripe's 500 char limit per metadata value
                 metadata['notes'] = notes[:500] if len(notes) > 500 else notes
 
-            # Create checkout session
-            session = stripe.checkout.Session.create(
-                payment_method_types=['card'],
-                line_items=[{
+            # Build checkout session params
+            session_params = {
+                # Omit payment_method_types to auto-enable Apple Pay, Google Pay, Link, etc.
+                'line_items': [{
                     'price_data': {
                         'currency': 'usd',
                         'product_data': {
-                            'name': DONE_FOR_YOU_PACKAGE['name'],
-                            'description': f"{artist} - {title}",
+                            'name': f"Karaoke Video: {artist} - {title}",
+                            'description': MADE_FOR_YOU_PACKAGE['description'],
+                            'images': MADE_FOR_YOU_PACKAGE['images'],
                         },
-                        'unit_amount': DONE_FOR_YOU_PACKAGE['price_cents'],
+                        'unit_amount': MADE_FOR_YOU_PACKAGE['price_cents'],
                     },
                     'quantity': 1,
                 }],
-                mode='payment',
-                success_url=success_url,
-                cancel_url=cancel_url,
-                customer_email=customer_email,
-                metadata=metadata,
-                allow_promotion_codes=True,
-            )
+                'mode': 'payment',
+                'success_url': success_url,
+                'cancel_url': cancel_url,
+                'customer_email': customer_email,
+                'metadata': metadata,
+                'allow_promotion_codes': True,
+            }
+
+            # Add payment method configuration if set (enables Google Pay, Link, etc.)
+            if self.payment_method_config:
+                session_params['payment_method_configuration'] = self.payment_method_config
+
+            # Create checkout session
+            session = stripe.checkout.Session.create(**session_params)
 
             logger.info(
-                f"Created done-for-you checkout session {session.id} for {customer_email}, "
+                f"Created made-for-you checkout session {session.id} for {customer_email}, "
                 f"song: {artist} - {title}"
             )
             return True, session.url, "Checkout session created"
 
         except stripe.error.StripeError as e:
-            logger.error(f"Stripe error creating done-for-you checkout session: {e}")
+            logger.error(f"Stripe error creating made-for-you checkout session: {e}")
             return False, None, f"Payment error: {str(e)}"
         except Exception as e:
-            logger.error(f"Error creating done-for-you checkout session: {e}")
+            logger.error(f"Error creating made-for-you checkout session: {e}")
             return False, None, "Failed to create checkout session"
 
     def verify_webhook_signature(self, payload: bytes, signature: str) -> Tuple[bool, Optional[Dict], str]:

backend/services/tenant_service.py

@@ -0,0 +1,285 @@
+"""
+Tenant service for managing white-label B2B portal configurations.
+
+Tenant configs are stored in GCS at tenants/{tenant_id}/config.json.
+The service provides:
+- Tenant config loading with caching
+- Subdomain to tenant ID resolution
+- Tenant validation
+
+Similar to ThemeService, configs are cached for 5 minutes to reduce GCS reads.
+"""
+
+import logging
+import threading
+from datetime import datetime
+from typing import Dict, Optional
+
+from backend.models.tenant import TenantConfig, TenantPublicConfig
+from backend.services.storage_service import StorageService
+
+logger = logging.getLogger(__name__)
+
+# GCS paths for tenant configs
+TENANTS_PREFIX = "tenants"
+
+# Default sender email (shared with EmailService for consistency)
+DEFAULT_SENDER_EMAIL = "gen@nomadkaraoke.com"
+
+
+class TenantService:
+    """Service for managing tenant configurations from GCS."""
+
+    def __init__(self, storage: Optional[StorageService] = None):
+        """
+        Initialize the tenant service.
+
+        Args:
+            storage: StorageService instance (creates new one if not provided)
+        """
+        self.storage = storage or StorageService()
+        self._config_cache: Dict[str, TenantConfig] = {}
+        self._cache_times: Dict[str, datetime] = {}
+        self._subdomain_map: Dict[str, str] = {}  # subdomain -> tenant_id
+        self._subdomain_map_time: Optional[datetime] = None
+        self.CACHE_TTL_SECONDS = 300  # 5 minute cache
+
+    def _get_config_path(self, tenant_id: str) -> str:
+        """Get the GCS path for a tenant's config file."""
+        return f"{TENANTS_PREFIX}/{tenant_id}/config.json"
+
+    def _is_cache_valid(self, tenant_id: str) -> bool:
+        """Check if the config cache for a tenant is still valid."""
+        if tenant_id not in self._config_cache or tenant_id not in self._cache_times:
+            return False
+        age = datetime.now() - self._cache_times[tenant_id]
+        return age.total_seconds() < self.CACHE_TTL_SECONDS
+
+    def _is_subdomain_map_valid(self) -> bool:
+        """Check if the subdomain map cache is still valid."""
+        if not self._subdomain_map or self._subdomain_map_time is None:
+            return False
+        age = datetime.now() - self._subdomain_map_time
+        return age.total_seconds() < self.CACHE_TTL_SECONDS
+
+    def get_tenant_config(
+        self, tenant_id: str, force_refresh: bool = False
+    ) -> Optional[TenantConfig]:
+        """
+        Load tenant configuration from GCS with caching.
+
+        Args:
+            tenant_id: The tenant identifier
+            force_refresh: Force reload from GCS even if cache is valid
+
+        Returns:
+            TenantConfig if found, None otherwise
+        """
+        if not force_refresh and self._is_cache_valid(tenant_id):
+            return self._config_cache[tenant_id]
+
+        try:
+            config_path = self._get_config_path(tenant_id)
+            if not self.storage.file_exists(config_path):
+                logger.debug(f"Tenant config not found: {tenant_id}")
+                return None
+
+            data = self.storage.download_json(config_path)
+            config = TenantConfig(**data)
+
+            # Update cache
+            self._config_cache[tenant_id] = config
+            self._cache_times[tenant_id] = datetime.now()
+
+            # Update subdomain map and its timestamp
+            self._subdomain_map[config.subdomain.lower()] = tenant_id
+            self._subdomain_map_time = datetime.now()
+
+            logger.info(f"Loaded tenant config: {tenant_id}")
+            return config
+        except Exception as e:
+            logger.error(f"Failed to load tenant config {tenant_id}: {e}")
+            return None
+
+    def get_tenant_by_subdomain(self, subdomain: str) -> Optional[TenantConfig]:
+        """
+        Get tenant config by subdomain.
+
+        Args:
+            subdomain: Full subdomain (e.g., 'vocalstar.nomadkaraoke.com')
+
+        Returns:
+            TenantConfig if found, None otherwise
+        """
+        subdomain_lower = subdomain.lower()
+
+        # Check cache first
+        if subdomain_lower in self._subdomain_map:
+            tenant_id = self._subdomain_map[subdomain_lower]
+            return self.get_tenant_config(tenant_id)
+
+        # Try to find tenant by listing all configs
+        # This is a fallback for when we don't have the subdomain cached
+        tenant_id = self._resolve_subdomain_to_tenant_id(subdomain_lower)
+        if tenant_id:
+            return self.get_tenant_config(tenant_id)
+
+        return None
+
+    def _resolve_subdomain_to_tenant_id(self, subdomain: str) -> Optional[str]:
+        """
+        Resolve a subdomain to tenant ID by checking GCS.
+
+        This extracts the tenant ID from the subdomain pattern:
+        - 'vocalstar.nomadkaraoke.com' -> 'vocalstar'
+        - 'vocalstar.gen.nomadkaraoke.com' -> 'vocalstar'
+        """
+        # Extract potential tenant ID from subdomain
+        # Pattern: {tenant}.nomadkaraoke.com or {tenant}.gen.nomadkaraoke.com
+        parts = subdomain.split(".")
+
+        if len(parts) >= 3:
+            # First part is likely the tenant ID
+            potential_tenant_id = parts[0]
+
+            # Check if config exists
+            config_path = self._get_config_path(potential_tenant_id)
+            if self.storage.file_exists(config_path):
+                return potential_tenant_id
+
+        return None
+
+    def get_public_config(self, tenant_id: str) -> Optional[TenantPublicConfig]:
+        """
+        Get the public (frontend-safe) tenant configuration.
+
+        Args:
+            tenant_id: The tenant identifier
+
+        Returns:
+            TenantPublicConfig if found, None otherwise
+        """
+        config = self.get_tenant_config(tenant_id)
+        if config:
+            return TenantPublicConfig.from_config(config)
+        return None
+
+    def get_public_config_by_subdomain(
+        self, subdomain: str
+    ) -> Optional[TenantPublicConfig]:
+        """
+        Get the public tenant configuration by subdomain.
+
+        Args:
+            subdomain: Full subdomain
+
+        Returns:
+            TenantPublicConfig if found, None otherwise
+        """
+        config = self.get_tenant_by_subdomain(subdomain)
+        if config:
+            return TenantPublicConfig.from_config(config)
+        return None
+
+    def tenant_exists(self, tenant_id: str) -> bool:
+        """
+        Check if a tenant exists.
+
+        Args:
+            tenant_id: The tenant identifier
+
+        Returns:
+            True if tenant config exists, False otherwise
+        """
+        config_path = self._get_config_path(tenant_id)
+        return self.storage.file_exists(config_path)
+
+    def is_email_allowed_for_tenant(self, tenant_id: str, email: str) -> bool:
+        """
+        Check if an email is allowed for a specific tenant.
+
+        Args:
+            tenant_id: The tenant identifier
+            email: Email address to check
+
+        Returns:
+            True if email is allowed, False otherwise
+        """
+        config = self.get_tenant_config(tenant_id)
+        if not config:
+            return False
+        return config.is_email_allowed(email)
+
+    def get_tenant_sender_email(self, tenant_id: str) -> str:
+        """
+        Get the email sender address for a tenant.
+
+        Args:
+            tenant_id: The tenant identifier
+
+        Returns:
+            Sender email address
+        """
+        config = self.get_tenant_config(tenant_id)
+        if config:
+            return config.get_sender_email()
+        # Default fallback (consistent with EmailService)
+        return DEFAULT_SENDER_EMAIL
+
+    def invalidate_cache(self, tenant_id: Optional[str] = None) -> None:
+        """
+        Invalidate tenant config cache.
+
+        Args:
+            tenant_id: Specific tenant to invalidate, or None for all
+        """
+        if tenant_id:
+            self._config_cache.pop(tenant_id, None)
+            self._cache_times.pop(tenant_id, None)
+            # Also remove any subdomain map entries pointing to this tenant
+            subdomains_to_remove = [
+                subdomain
+                for subdomain, tid in self._subdomain_map.items()
+                if tid == tenant_id
+            ]
+            for subdomain in subdomains_to_remove:
+                self._subdomain_map.pop(subdomain, None)
+            logger.info(f"Tenant config cache invalidated: {tenant_id}")
+        else:
+            self._config_cache.clear()
+            self._cache_times.clear()
+            self._subdomain_map.clear()
+            self._subdomain_map_time = None
+            logger.info("All tenant config caches invalidated")
+
+    def get_asset_url(self, tenant_id: str, asset_name: str) -> Optional[str]:
+        """
+        Get a signed URL for a tenant asset (logo, favicon, etc.).
+
+        Args:
+            tenant_id: The tenant identifier
+            asset_name: Asset filename (e.g., 'logo.png')
+
+        Returns:
+            Signed URL if asset exists, None otherwise
+        """
+        asset_path = f"{TENANTS_PREFIX}/{tenant_id}/{asset_name}"
+        if self.storage.file_exists(asset_path):
+            return self.storage.generate_signed_url(asset_path, expiration_minutes=60)
+        return None
+
+
+# Singleton instance with thread-safe initialization
+_tenant_service: Optional[TenantService] = None
+_tenant_service_lock = threading.Lock()
+
+
+def get_tenant_service() -> TenantService:
+    """Get or create the singleton TenantService instance (thread-safe)."""
+    global _tenant_service
+    if _tenant_service is None:
+        with _tenant_service_lock:
+            # Double-check after acquiring lock
+            if _tenant_service is None:
+                _tenant_service = TenantService()
+    return _tenant_service

backend/services/user_service.py

@@ -73,16 +73,26 @@ class UserService:
             logger.exception(f"Error getting user {email}")
             return None
 
-    def get_or_create_user(self, email: str) -> User:
+    def get_or_create_user(self, email: str, tenant_id: Optional[str] = None) -> User:
         """
         Get existing user or create a new one.
 
         New users receive a welcome credit to try the service.
+
+        Args:
+            email: User's email address
+            tenant_id: Tenant ID for white-label portals (None = default Nomad Karaoke)
+
+        Note: If user exists but has a different tenant_id, the existing user is returned.
+        Users are uniquely identified by email, not email+tenant.
         """
         email = email.lower()
         user = self.get_user(email)
 
         if user:
+            # If user exists but tenant_id differs, we still return the user
+            # This allows users to access multiple tenants with one account
+            # (though features may be restricted per-tenant)
             return user
 
         # Create new user with welcome credit
@@ -97,9 +107,10 @@ class UserService:
             email=email,
             credits=welcome_credit,
             credit_transactions=[welcome_transaction],
+            tenant_id=tenant_id,  # Associate with tenant on creation
         )
         self._save_user(user)
-        logger.info(f"Created new user: {email} with {welcome_credit} welcome credit(s)")
+        logger.info(f"Created new user: {email} with {welcome_credit} welcome credit(s) (tenant: {tenant_id or 'default'})")
         return user
 
     def _save_user(self, user: User) -> None:
@@ -153,6 +164,7 @@ class UserService:
             display_name=user.display_name,
             total_jobs_created=user.total_jobs_created,
             total_jobs_completed=user.total_jobs_completed,
+            tenant_id=user.tenant_id,
         )
 
     # =========================================================================
@@ -163,18 +175,25 @@ class UserService:
         self,
         email: str,
         ip_address: Optional[str] = None,
-        user_agent: Optional[str] = None
+        user_agent: Optional[str] = None,
+        tenant_id: Optional[str] = None
     ) -> MagicLinkToken:
         """
         Create a magic link token for email authentication.
 
         Returns the token object. The actual sending of the email
         should be handled by the caller (or an email service).
+
+        Args:
+            email: User's email address
+            ip_address: Client IP for auditing
+            user_agent: Client user agent for auditing
+            tenant_id: Tenant ID for white-label portals (None = default Nomad Karaoke)
         """
         email = email.lower()
 
-        # Ensure user exists
-        self.get_or_create_user(email)
+        # Ensure user exists (with tenant association)
+        self.get_or_create_user(email, tenant_id=tenant_id)
 
         # Generate secure token
         token = secrets.token_urlsafe(32)
@@ -185,6 +204,7 @@ class UserService:
             expires_at=datetime.utcnow() + timedelta(minutes=MAGIC_LINK_EXPIRY_MINUTES),
             ip_address=ip_address,
             user_agent=user_agent,
+            tenant_id=tenant_id,
         )
 
         # Save to Firestore
@@ -194,6 +214,54 @@ class UserService:
         logger.info(f"Created magic link for {email}")
         return magic_link
 
+    def create_admin_login_token(
+        self,
+        email: str,
+        expiry_hours: int = 24,
+    ) -> MagicLinkToken:
+        """
+        Create an admin login token for email-embedded authentication links.
+
+        Similar to magic links but with configurable expiry (default 24 hours).
+        Used for made-for-you order notification emails to allow admin one-click login.
+
+        Args:
+            email: Admin's email address to authenticate as
+            expiry_hours: Hours until token expires (default: 24, max: 168)
+
+        Returns:
+            MagicLinkToken object containing the token
+
+        Raises:
+            ValueError: If expiry_hours is out of valid range (1-168)
+        """
+        # Validate expiry_hours (1 hour to 7 days)
+        if not 1 <= expiry_hours <= 168:
+            raise ValueError(f"expiry_hours must be between 1 and 168, got {expiry_hours}")
+
+        email = email.lower()
+
+        # Ensure user exists
+        self.get_or_create_user(email)
+
+        # Generate secure token
+        token = secrets.token_urlsafe(32)
+
+        admin_login = MagicLinkToken(
+            token=token,
+            email=email,
+            expires_at=datetime.utcnow() + timedelta(hours=expiry_hours),
+        )
+
+        # Save to Firestore (same collection as magic links for unified verification)
+        doc_ref = self.db.collection(MAGIC_LINKS_COLLECTION).document(token)
+        doc_ref.set(admin_login.model_dump(mode='json'))
+
+        # Log with redacted email (show only domain) for PII protection
+        domain = email.split('@')[-1] if '@' in email else 'unknown'
+        logger.info(f"Created admin login token for ***@{domain} (expires in {expiry_hours}h)")
+        return admin_login
+
     def verify_magic_link(self, token: str) -> Tuple[bool, Optional[User], str]:
         """
         Verify a magic link token using a Firestore transaction to prevent race conditions.
@@ -262,9 +330,18 @@ class UserService:
         self,
         user_email: str,
         ip_address: Optional[str] = None,
-        user_agent: Optional[str] = None
+        user_agent: Optional[str] = None,
+        tenant_id: Optional[str] = None
     ) -> Session:
-        """Create a new session for an authenticated user."""
+        """
+        Create a new session for an authenticated user.
+
+        Args:
+            user_email: User's email address
+            ip_address: Client IP for auditing
+            user_agent: Client user agent for auditing
+            tenant_id: Tenant ID for white-label portals (None = default Nomad Karaoke)
+        """
         token = secrets.token_urlsafe(32)
         token_prefix = token[:12]
 
@@ -274,6 +351,7 @@ class UserService:
             expires_at=datetime.utcnow() + timedelta(days=SESSION_ABSOLUTE_EXPIRY_DAYS),
             ip_address=ip_address,
             user_agent=user_agent,
+            tenant_id=tenant_id,
         )
 
         # Serialize and write to Firestore

backend/tests/conftest.py

@@ -91,7 +91,13 @@ def mock_auth_dependency(request):
     if 'emulator' in test_path or 'integration' in test_path:
         yield
         return
-    
+
+    # Skip for service-only unit tests that don't need the FastAPI app
+    service_only_tests = ['test_rate_limit_service', 'test_email_validation_service', 'test_rate_limits_api']
+    if any(test_name in test_path for test_name in service_only_tests):
+        yield
+        return
+
     # Skip if FIRESTORE_EMULATOR_HOST is set (running in emulator environment)
     import os
     if os.environ.get('FIRESTORE_EMULATOR_HOST'):