fix: invoice error mapping so Stripe 4xx responses are not returned as 500

backend/README.md

@@ -60,13 +60,7 @@ See [spec](spec) for more details
 
 ## API Routes
 
-Most API routes are NIP-98 protected.
+All routes are NIP-98 protected.
-
-Public exceptions:
-
-- `GET /plans`
-- `GET /plans/:id`
-- `POST /stripe/webhook` (validated with Stripe signatures instead)
 
 - `GET /identity` — get auth identity (`pubkey`, `is_admin`)
 - `GET /tenants` — list tenants (admin)
@@ -79,13 +73,3 @@ Public exceptions:
 - `PUT /relays/:id` — update relay (admin or relay tenant)
 - `POST /relays/:id/deactivate` — deactivate relay (admin or relay tenant)
 - `GET /invoices` — list invoices (`?tenant=<pubkey>` allowed for admin only)
-
-## API Auth Model
-
-Caravel intentionally uses a session-style variant of NIP-98 for client-to-backend API auth.
-
-- Frontend signs one kind `27235` event with `u = VITE_API_URL` and caches that header for about 10 minutes.
-- Backend verifies event kind, signature, and that `u` contains configured `HOST`.
-- Backend intentionally does not bind auth to exact request URL/method/query, and does not enforce payload hash, timestamp freshness window, or replay cache.
-- Goal: reduce repeated wallet signing prompts and avoid cookie-based sessions.
-- Tradeoff: this is weaker request-intent binding than strict NIP-98 semantics.

backend/spec/api.md

@@ -184,11 +184,9 @@ Notes:
 ## `extract_auth_pubkey(&self, headers: &HeaderMap) -> Result<String>`
 
 - Parses `Authorization` header
-- Validates event kind (`27235`) and signature using `nostr_sdk`
+- Validates event kind and signature using `nostr_sdk`
-- Validates event `u` contains configured `HOST`
+- Validates event `u` against `HOST` (not the request path. Non-standard, but correct)
-- Intentionally does **not** enforce exact request URL/method/query matching
+- Does not validate `method` tag
-- Intentionally does **not** validate `payload` tag/hash, `created_at` freshness window, or replay nonce/cache
-- This is a deliberate session-style tradeoff to reduce repeated signer prompts in the client
 - Returns pubkey if header all checks pass
 
 Refer to https://github.com/nostr-protocol/nips/blob/master/98.md for details. Use `nostr_sdk` functionality where possible.
@@ -204,8 +202,7 @@ Refer to https://github.com/nostr-protocol/nips/blob/master/98.md for details. U
 ## `prepare_relay(&self, relay: Relay) -> anyhow::Result<Relay>`
 
 - Validate `subdomain`
-- Validate that `plan` matches a known plan id from `Query::list_plans`
+- If `plan` is free and `blossom` is enabled, return `premium-feature`
-- If selected `plan` does not include `blossom` and `blossom` is enabled, return `premium-feature`
+- If `plan` is free and `livekit` is enabled, return `premium-feature`
-- If selected `plan` does not include `livekit` and `livekit` is enabled, return `premium-feature`
 - Populate `schema` if not already set
 - Populate missing fields using reasonable defaults

backend/src/api.rs

@@ -209,9 +209,6 @@ impl Api {
             return Err(ApiError::Unauthorized(anyhow!("missing u tag")));
         };
 
-        // Intentional session-style variant of NIP-98 for Caravel API auth.
-        // We validate signer identity plus host affinity, and do not bind to exact
-        // request URL/method or maintain replay state here.
         if !self.host.is_empty() && !got_u.contains(&self.host) {
             return Err(ApiError::Unauthorized(anyhow!(
                 "authorization host mismatch"
@@ -259,12 +256,10 @@ impl Api {
             return Err(anyhow!("invalid-subdomain"));
         }
 
-        let plan = Query::get_plan(&relay.plan).ok_or_else(|| anyhow!("invalid-plan"))?;
+        if relay.plan == "free" && relay.blossom_enabled == 1 {
-
-        if !plan.blossom && relay.blossom_enabled == 1 {
             return Err(anyhow!("premium-feature"));
         }
-        if !plan.livekit && relay.livekit_enabled == 1 {
+        if relay.plan == "free" && relay.livekit_enabled == 1 {
             return Err(anyhow!("premium-feature"));
         }
 
@@ -278,10 +273,14 @@ impl Api {
         relay.policy_strip_signatures = parse_bool_default(relay.policy_strip_signatures, 0);
         relay.groups_enabled = parse_bool_default(relay.groups_enabled, 1);
         relay.management_enabled = parse_bool_default(relay.management_enabled, 1);
-        relay.blossom_enabled =
+        relay.blossom_enabled = parse_bool_default(
-            parse_bool_default(relay.blossom_enabled, if plan.blossom { 1 } else { 0 });
+            relay.blossom_enabled,
-        relay.livekit_enabled =
+            if relay.plan == "free" { 0 } else { 1 },
-            parse_bool_default(relay.livekit_enabled, if plan.livekit { 1 } else { 0 });
+        );
+        relay.livekit_enabled = parse_bool_default(
+            relay.livekit_enabled,
+            if relay.plan == "free" { 0 } else { 1 },
+        );
         relay.push_enabled = parse_bool_default(relay.push_enabled, 1);
 
         Ok(relay)
@@ -451,7 +450,7 @@ async fn get_identity(
 }
 
 async fn get_plan(Path(id): Path<String>) -> Response {
-    match Query::get_plan(&id) {
+    match Query::list_plans().into_iter().find(|p| p.id == id) {
         Some(plan) => ok(StatusCode::OK, plan),
         None => err(StatusCode::NOT_FOUND, "not-found", "plan not found"),
     }
@@ -592,13 +591,6 @@ async fn create_relay(
     };
 
     relay = match state.api.prepare_relay(relay) {
-        Err(e) if e.to_string() == "invalid-plan" => {
-            return Ok(err(
-                StatusCode::UNPROCESSABLE_ENTITY,
-                "invalid-plan",
-                "plan not found",
-            ));
-        }
         Ok(r) => r,
         Err(e) if e.to_string() == "premium-feature" => {
             return Ok(err(
@@ -696,13 +688,6 @@ async fn update_relay(
     }
 
     relay = match state.api.prepare_relay(relay) {
-        Err(e) if e.to_string() == "invalid-plan" => {
-            return Ok(err(
-                StatusCode::UNPROCESSABLE_ENTITY,
-                "invalid-plan",
-                "plan not found",
-            ));
-        }
         Ok(r) => r,
         Err(e) if e.to_string() == "premium-feature" => {
             return Ok(err(

backend/src/billing.rs

@@ -154,11 +154,8 @@ impl Billing {
             return Ok(());
         };
 
-        let plan = Query::get_plan(&relay.plan)
-            .ok_or_else(|| anyhow!("unknown relay plan id: {}", relay.plan))?;
-
         // Free plan: remove subscription item if exists, then clean up
-        if plan.id == "free" {
+        if relay.plan == "free" {
             if let Some(ref item_id) = relay.stripe_subscription_item_id {
                 self.stripe_delete_subscription_item(item_id).await?;
                 self.command
@@ -182,6 +179,12 @@ impl Billing {
         }
 
         // Active relay on a paid plan
+        let plan = Query::list_plans().into_iter().find(|p| p.id == relay.plan);
+
+        let Some(plan) = plan else {
+            return Ok(());
+        };
+
         let Some(ref stripe_price_id) = plan.stripe_price_id else {
             return Ok(());
         };
@@ -439,7 +442,7 @@ impl Billing {
 
         let relays = self.query.list_relays_for_tenant(&tenant.pubkey).await?;
         for relay in relays {
-            if relay.status == RELAY_STATUS_ACTIVE && Query::is_paid_plan(&relay.plan) {
+            if relay.status == RELAY_STATUS_ACTIVE && relay.plan != "free" {
                 self.command.mark_relay_delinquent(&relay).await?;
             }
         }
@@ -474,7 +477,7 @@ impl Billing {
 
         let relays = self.query.list_relays_for_tenant(&tenant.pubkey).await?;
         for relay in relays {
-            if relay.status == RELAY_STATUS_ACTIVE && Query::is_paid_plan(&relay.plan) {
+            if relay.status == RELAY_STATUS_ACTIVE && relay.plan != "free" {
                 self.command.mark_relay_delinquent(&relay).await?;
             }
         }
@@ -798,7 +801,7 @@ impl Billing {
     }
 
     fn should_reactivate_after_payment(relay: &Relay) -> bool {
-        relay.status == RELAY_STATUS_DELINQUENT && Query::is_paid_plan(&relay.plan)
+        relay.status == RELAY_STATUS_DELINQUENT && relay.plan != "free"
     }
 
     async fn fetch_btc_spot_price(&self, currency: &str) -> Result<f64> {

backend/src/query.rs

@@ -68,16 +68,6 @@ impl Query {
         ]
     }
 
-    pub fn get_plan(plan_id: &str) -> Option<Plan> {
-        Self::list_plans().into_iter().find(|p| p.id == plan_id)
-    }
-
-    pub fn is_paid_plan(plan_id: &str) -> bool {
-        Self::get_plan(plan_id)
-            .map(|p| p.id != "free")
-            .unwrap_or(false)
-    }
-
     pub async fn list_relays(&self) -> Result<Vec<Relay>> {
         let rows = sqlx::query_as::<_, Relay>(
             "SELECT id, tenant, schema, subdomain, plan, stripe_subscription_item_id,
@@ -145,14 +135,13 @@ impl Query {
     }
 
     pub async fn has_active_paid_relays(&self, tenant_id: &str) -> Result<bool> {
-        let plans = sqlx::query_scalar::<_, String>(
+        let count = sqlx::query_scalar::<_, i64>(
-            "SELECT plan FROM relay WHERE tenant = ? AND status = 'active'",
+            "SELECT COUNT(*) FROM relay WHERE tenant = ? AND status = 'active' AND plan != 'free'",
         )
         .bind(tenant_id)
-        .fetch_all(&self.pool)
+        .fetch_one(&self.pool)
         .await?;
-
+        Ok(count > 0)
-        Ok(plans.into_iter().any(|plan| Self::is_paid_plan(&plan)))
     }
 
     pub async fn list_activity_for_relay(&self, relay_id: &str) -> Result<Vec<Activity>> {

frontend/README.md

@@ -51,11 +51,8 @@ npm run preview
 
 ## Authentication
 
-- Tenant requests use an intentional session-style variant of NIP-98:
+- Tenant requests use NIP-98 tokens derived from the logged-in user
-  - The client signs one kind `27235` event with `u = VITE_API_URL`.
+- Admin routes require a pubkey listed in `PLATFORM_ADMIN_PUBKEYS` on the backend
-  - The resulting `Authorization` header is cached for about 10 minutes to avoid repeated signer prompts.
-  - The backend validates signer identity + host affinity rather than exact URL/method binding per request.
-- Admin routes require a pubkey listed in `ADMINS` on the backend.
 
 ## Routes
 

frontend/src/lib/api.ts

@@ -145,8 +145,6 @@ export async function makeAuth(): Promise<string | undefined> {
     kind: 27235,
     content: "",
     created_at: Math.floor(now / 1000),
-    // Intentional session-style auth: sign the API base URL once, then reuse
-    // the header briefly to avoid prompting the signer on every request.
     tags: [["u", API_URL]],
   })