test(billing): validate stripe customer id enforcement

fix(billing): ensure all tenants have valid Stripe customer IDs
2026-04-15 04:16:06 +05:45 · 2026-04-15 04:16:03 +05:45
10 changed files with 51 additions and 195 deletions
@@ -60,13 +60,7 @@ See [spec](spec) for more details

 ## API Routes

-Most API routes are NIP-98 protected.
-
-Public exceptions:
-
- `GET /plans`
- `GET /plans/:id`
- `POST /stripe/webhook` (validated with Stripe signatures instead)
+All routes are NIP-98 protected.

 - `GET /identity` — get auth identity (`pubkey`, `is_admin`)
 - `GET /tenants` — list tenants (admin)
@@ -79,13 +73,3 @@ Public exceptions:
 - `PUT /relays/:id` — update relay (admin or relay tenant)
 - `POST /relays/:id/deactivate` — deactivate relay (admin or relay tenant)
 - `GET /invoices` — list invoices (`?tenant=<pubkey>` allowed for admin only)
-
-## API Auth Model
-
-Caravel intentionally uses a session-style variant of NIP-98 for client-to-backend API auth.
-
- Frontend signs one kind `27235` event with `u = VITE_API_URL` and caches that header for about 10 minutes.
- Backend verifies event kind, signature, and that `u` contains configured `HOST`.
- Backend intentionally does not bind auth to exact request URL/method/query, and does not enforce payload hash, timestamp freshness window, or replay cache.
- Goal: reduce repeated wallet signing prompts and avoid cookie-based sessions.
- Tradeoff: this is weaker request-intent binding than strict NIP-98 semantics.
@@ -184,11 +184,9 @@ Notes:
 ## `extract_auth_pubkey(&self, headers: &HeaderMap) -> Result<String>`

 - Parses `Authorization` header
- Validates event kind (`27235`) and signature using `nostr_sdk`
- Validates event `u` contains configured `HOST`
- Intentionally does **not** enforce exact request URL/method/query matching
- Intentionally does **not** validate `payload` tag/hash, `created_at` freshness window, or replay nonce/cache
- This is a deliberate session-style tradeoff to reduce repeated signer prompts in the client
+- Validates event kind and signature using `nostr_sdk`
+- Validates event `u` against `HOST` (not the request path. Non-standard, but correct)
+- Does not validate `method` tag
 - Returns pubkey if header all checks pass

 Refer to https://github.com/nostr-protocol/nips/blob/master/98.md for details. Use `nostr_sdk` functionality where possible.
@@ -19,7 +19,7 @@ Members:

 ## `async fn handle_activity(&self, activity: &Activity)`

- For `create_relay`, `update_relay`, `activate_relay`, or `deactivate_relay` activity, calls `sync_and_report`.
+- For `create_relay`, `update_relay`, or `deactivate_relay` activity, calls `sync_and_report`.
 - All other activity types are ignored (e.g. `fail_relay_sync`, `complete_relay_sync`).

 ## `async fn sync_and_report(&self, relay: &Relay, is_new: bool)`
@@ -12,7 +12,7 @@ use base64::Engine;
 use nostr_sdk::{Event, JsonUtil, Kind};
 use serde::{Deserialize, Serialize};

-use crate::billing::{Billing, InvoiceLookupError};
+use crate::billing::Billing;
 use crate::command::Command;
 use crate::models::{
    RELAY_STATUS_ACTIVE, RELAY_STATUS_DELINQUENT, RELAY_STATUS_INACTIVE, Relay, Tenant,
@@ -72,11 +72,6 @@ enum ApiError {
    Unauthorized(anyhow::Error),
    Forbidden(&'static str),
    NotFound(&'static str),
-    Client {
-        status: StatusCode,
-        code: &'static str,
-        message: &'static str,
-    },
    Internal(String),
 }

@@ -86,36 +81,11 @@ impl IntoResponse for ApiError {
            Self::Unauthorized(e) => err(StatusCode::UNAUTHORIZED, "unauthorized", &e.to_string()),
            Self::Forbidden(message) => err(StatusCode::FORBIDDEN, "forbidden", message),
            Self::NotFound(message) => err(StatusCode::NOT_FOUND, "not-found", message),
-            Self::Client {
-                status,
-                code,
-                message,
-            } => err(status, code, message),
            Self::Internal(message) => err(StatusCode::INTERNAL_SERVER_ERROR, "internal", &message),
        }
    }
 }

-fn map_invoice_lookup_error(error: InvoiceLookupError) -> ApiError {
-    match error {
-        InvoiceLookupError::StripeClient { status } => {
-            let status = StatusCode::from_u16(status.as_u16()).unwrap_or(StatusCode::BAD_REQUEST);
-            match status {
-                StatusCode::NOT_FOUND => ApiError::NotFound("invoice not found"),
-                StatusCode::UNAUTHORIZED | StatusCode::FORBIDDEN => {
-                    ApiError::Forbidden("invoice access denied")
-                }
-                _ => ApiError::Client {
-                    status,
-                    code: "invoice-request-rejected",
-                    message: "invoice request rejected",
-                },
-            }
-        }
-        InvoiceLookupError::Internal(error) => ApiError::Internal(error.to_string()),
-    }
-}
-
 impl Api {
    pub fn new(query: Query, command: Command, billing: Billing) -> Self {
        let host = std::env::var("HOST").unwrap_or_else(|_| "127.0.0.1".to_string());
@@ -209,9 +179,6 @@ impl Api {
            return Err(ApiError::Unauthorized(anyhow!("missing u tag")));
        };

-        // Intentional session-style variant of NIP-98 for Caravel API auth.
-        // We validate signer identity plus host affinity, and do not bind to exact
-        // request URL/method or maintain replay state here.
        if !self.host.is_empty() && !got_u.contains(&self.host) {
            return Err(ApiError::Unauthorized(anyhow!(
                "authorization host mismatch"
@@ -841,7 +808,7 @@ async fn get_invoice(
        .billing
        .get_invoice_with_tenant(&id)
        .await
-        .map_err(map_invoice_lookup_error)?;
+        .map_err(|e| ApiError::Internal(e.to_string()))?;
    state.api.require_admin_or_tenant(&auth, &tenant.pubkey)?;

    Ok(ok(StatusCode::OK, invoice))
@@ -858,7 +825,7 @@ async fn get_invoice_bolt11(
        .billing
        .get_invoice_with_tenant(&id)
        .await
-        .map_err(map_invoice_lookup_error)?;
+        .map_err(|e| ApiError::Internal(e.to_string()))?;
    state.api.require_admin_or_tenant(&auth, &tenant.pubkey)?;

    let status = invoice["status"].as_str().unwrap_or_default();
@@ -18,41 +18,6 @@ const STRIPE_API: &str = "https://api.stripe.com/v1";
 const COINBASE_SPOT_API: &str = "https://api.coinbase.com/v2/prices";
 const WEBHOOK_TOLERANCE_SECS: i64 = 300;

-#[derive(Debug)]
-pub enum InvoiceLookupError {
-    StripeClient { status: reqwest::StatusCode },
-    Internal(anyhow::Error),
-}
-
-impl std::fmt::Display for InvoiceLookupError {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        match self {
-            Self::StripeClient { status } => {
-                write!(
-                    f,
-                    "stripe invoice lookup failed with status {}",
-                    status.as_u16()
-                )
-            }
-            Self::Internal(error) => write!(f, "{error}"),
-        }
-    }
-}
-
-impl std::error::Error for InvoiceLookupError {}
-
-impl From<anyhow::Error> for InvoiceLookupError {
-    fn from(value: anyhow::Error) -> Self {
-        Self::Internal(value)
-    }
-}
-
-impl From<reqwest::Error> for InvoiceLookupError {
-    fn from(value: reqwest::Error) -> Self {
-        Self::Internal(value.into())
-    }
-}
-
 #[derive(serde::Deserialize)]
 struct StripeEvent {
    #[serde(rename = "type")]
@@ -497,18 +462,16 @@ impl Billing {
    pub async fn get_invoice_with_tenant(
        &self,
        invoice_id: &str,
-    ) -> std::result::Result<(serde_json::Value, crate::models::Tenant), InvoiceLookupError> {
+    ) -> Result<(serde_json::Value, crate::models::Tenant)> {
        let invoice = self.stripe_get_invoice(invoice_id).await?;
        let customer_id = invoice["customer"]
            .as_str()
-            .ok_or_else(|| InvoiceLookupError::Internal(anyhow!("invoice missing customer")))?;
+            .ok_or_else(|| anyhow!("invoice missing customer"))?;
        let tenant = self
            .query
            .get_tenant_by_stripe_customer_id(customer_id)
            .await?
-            .ok_or_else(|| {
-                InvoiceLookupError::Internal(anyhow!("tenant not found for customer"))
-            })?;
+            .ok_or_else(|| anyhow!("tenant not found for customer"))?;
        Ok((invoice, tenant))
    }

@@ -552,10 +515,7 @@ impl Billing {
        Ok(body["data"].clone())
    }

-    pub async fn stripe_get_invoice(
-        &self,
-        invoice_id: &str,
-    ) -> std::result::Result<serde_json::Value, InvoiceLookupError> {
+    pub async fn stripe_get_invoice(&self, invoice_id: &str) -> Result<serde_json::Value> {
        let resp = self
            .http
            .get(format!("{STRIPE_API}/invoices/{invoice_id}"))
@@ -563,12 +523,6 @@ impl Billing {
            .send()
            .await?;

-        if resp.status().is_client_error() {
-            return Err(InvoiceLookupError::StripeClient {
-                status: resp.status(),
-            });
-        }
-
        let body: serde_json::Value = resp.error_for_status()?.json().await?;
        Ok(body)
    }
@@ -947,7 +901,10 @@ mod tests {
            &unknown_status_paid
        ));
    }
+}

+#[cfg(test)]
+mod tests {
    use super::*;
    use sqlx::SqlitePool;
    use sqlx::sqlite::{SqliteConnectOptions, SqlitePoolOptions};
@@ -209,7 +209,8 @@ impl Command {
            .execute(&mut *tx)
            .await?;

-        let activity = Self::insert_activity(&mut tx, activity_type, "relay", relay_id).await?;
+        let activity =
+            Self::insert_activity(&mut tx, "deactivate_relay", "relay", &relay_id).await?;

        tx.commit().await?;
        self.emit(activity);
@@ -56,7 +56,10 @@ impl Infra {
    }

    async fn handle_activity(&self, activity: &Activity) -> Result<()> {
-        let needs_sync = should_sync_relay_activity(activity.activity_type.as_str());
+        let needs_sync = matches!(
+            activity.activity_type.as_str(),
+            "create_relay" | "update_relay" | "deactivate_relay"
+        );

        if needs_sync {
            let Some(relay) = self.query.get_relay(&activity.resource_id).await? else {
@@ -90,9 +93,7 @@ impl Infra {
    async fn nip98_auth(&self, url: &str, method: HttpMethod) -> Result<String> {
        let keys = Keys::parse(&self.api_secret)?;
        let server_url = Url::parse(url)?;
-        let auth = HttpData::new(server_url, method)
-            .to_authorization(&keys)
-            .await?;
+        let auth = HttpData::new(server_url, method).to_authorization(&keys).await?;
        Ok(auth)
    }

@@ -149,21 +150,11 @@ impl Infra {
        let response = if is_new {
            let url = format!("{}/relay/{}", base, relay.id);
            let auth = self.nip98_auth(&url, HttpMethod::POST).await?;
-            client
-                .post(&url)
-                .header("Authorization", auth)
-                .json(&body)
-                .send()
-                .await?
+            client.post(&url).header("Authorization", auth).json(&body).send().await?
        } else {
            let url = format!("{}/relay/{}", base, relay.id);
            let auth = self.nip98_auth(&url, HttpMethod::PUT).await?;
-            client
-                .put(&url)
-                .header("Authorization", auth)
-                .json(&body)
-                .send()
-                .await?
+            client.put(&url).header("Authorization", auth).json(&body).send().await?
        };

        if !response.status().is_success() {
@@ -174,10 +165,3 @@ impl Infra {
        Ok(())
    }
 }
-
-fn should_sync_relay_activity(activity_type: &str) -> bool {
-    matches!(
-        activity_type,
-        "create_relay" | "update_relay" | "activate_relay" | "deactivate_relay"
-    )
-}
@@ -51,11 +51,8 @@ npm run preview

 ## Authentication

- Tenant requests use an intentional session-style variant of NIP-98:
-  - The client signs one kind `27235` event with `u = VITE_API_URL`.
-  - The resulting `Authorization` header is cached for about 10 minutes to avoid repeated signer prompts.
-  - The backend validates signer identity + host affinity rather than exact URL/method binding per request.
- Admin routes require a pubkey listed in `ADMINS` on the backend.
+- Tenant requests use NIP-98 tokens derived from the logged-in user
+- Admin routes require a pubkey listed in `PLATFORM_ADMIN_PUBKEYS` on the backend

 ## Routes

@@ -6,7 +6,6 @@ import { getInvoice, getInvoiceBolt11 } from "@/lib/api"
 import { tenantNeedsPaymentSetup } from "@/lib/hooks"

 type PayStatus = "idle" | "loading" | "success" | "error"
-type Bolt11Status = "idle" | "loading" | "ready" | "error"

 type PaymentInvoice = {
  id: string
@@ -22,34 +21,20 @@ type PaymentDialogProps = {
 export default function PaymentDialog(props: PaymentDialogProps) {
  const [bolt11, setBolt11] = createSignal("")
  const [qrDataUrl, setQrDataUrl] = createSignal("")
-  const [bolt11Status, setBolt11Status] = createSignal<Bolt11Status>("idle")
-  const [bolt11Error, setBolt11Error] = createSignal("")
  const [payStatus, setPayStatus] = createSignal<PayStatus>("idle")
  const [payError, setPayError] = createSignal("")
  const [showSetup, setShowSetup] = createSignal(false)
  const [showPaymentSetup, setShowPaymentSetup] = createSignal(false)

-  async function loadBolt11() {
-    if (!props.invoice.id) return
-    setBolt11Status("loading")
-    setBolt11Error("")
-    setBolt11("")
-    setQrDataUrl("")
-
+  createEffect(async () => {
+    if (!props.open || !props.invoice.id) return
    try {
      const { bolt11: invoice } = await getInvoiceBolt11(props.invoice.id)
      setBolt11(invoice)
      setQrDataUrl(await QRCode.toDataURL(invoice, { width: 256, margin: 2 }))
-      setBolt11Status("ready")
-    } catch (e) {
-      setBolt11Status("error")
-      setBolt11Error(e instanceof Error ? e.message : "Failed to generate Lightning invoice")
+    } catch {
+      // bolt11 generation may fail
    }
-  }
-
-  createEffect(() => {
-    if (!props.open || !props.invoice.id) return
-    void loadBolt11()
  })

  function copyBolt11() {
@@ -77,8 +62,6 @@ export default function PaymentDialog(props: PaymentDialogProps) {
  function handleClose() {
    setPayStatus("idle")
    setPayError("")
-    setBolt11Status("idle")
-    setBolt11Error("")
    setBolt11("")
    setQrDataUrl("")
    setShowSetup(false)
@@ -121,46 +104,33 @@ export default function PaymentDialog(props: PaymentDialogProps) {
          when={payStatus() === "success"}
          fallback={
            <div class="w-full space-y-3">
-              <Show when={bolt11Status() === "idle" || bolt11Status() === "loading"}>
-                <div class="flex items-center justify-center py-12 text-sm text-gray-400">Generating invoice...</div>
+              <Show
+                when={qrDataUrl()}
+                fallback={<div class="flex items-center justify-center py-12 text-sm text-gray-400">Generating invoice...</div>}
+              >
+                <img src={qrDataUrl()} alt="Lightning invoice QR code" class="mx-auto rounded-lg" />
              </Show>
-              <Show when={bolt11Status() === "error"}>
-                <div class="rounded-lg border border-red-200 bg-red-50 p-4">
-                  <p class="text-sm font-medium text-red-700">Unable to generate invoice</p>
-                  <p class="mt-1 text-xs text-red-600 wrap-break-word">{bolt11Error()}</p>
+              <Show when={bolt11()}>
+                <div class="flex rounded-lg border border-gray-300">
+                  <input
+                    type="text"
+                    readOnly
+                    value={bolt11()}
+                    class="min-w-0 flex-1 rounded-l-lg border-0 px-3 py-2 text-xs text-gray-500 bg-transparent focus:outline-none"
+                  />
                  <button
                    type="button"
-                    onClick={() => void loadBolt11()}
-                    class="mt-3 inline-flex items-center rounded-lg bg-red-600 px-3 py-1.5 text-sm font-medium text-white hover:bg-red-700"
+                    class="flex items-center px-3 text-gray-400 hover:text-gray-700"
+                    onClick={copyBolt11}
+                    title="Copy invoice"
                  >
-                    Retry
+                    <svg class="w-4 h-4" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                      <rect x="9" y="9" width="13" height="13" rx="2" />
+                      <path d="M5 15H4a2 2 0 01-2-2V4a2 2 0 012-2h9a2 2 0 012 2v1" />
+                    </svg>
                  </button>
                </div>
              </Show>
-              <Show when={bolt11Status() === "ready"}>
-                <img src={qrDataUrl()} alt="Lightning invoice QR code" class="mx-auto rounded-lg" />
-                <Show when={bolt11()}>
-                  <div class="flex rounded-lg border border-gray-300">
-                    <input
-                      type="text"
-                      readOnly
-                      value={bolt11()}
-                      class="min-w-0 flex-1 rounded-l-lg border-0 px-3 py-2 text-xs text-gray-500 bg-transparent focus:outline-none"
-                    />
-                    <button
-                      type="button"
-                      class="flex items-center px-3 text-gray-400 hover:text-gray-700"
-                      onClick={copyBolt11}
-                      title="Copy invoice"
-                    >
-                      <svg class="w-4 h-4" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
-                        <rect x="9" y="9" width="13" height="13" rx="2" />
-                        <path d="M5 15H4a2 2 0 01-2-2V4a2 2 0 012-2h9a2 2 0 012 2v1" />
-                      </svg>
-                    </button>
-                  </div>
-                </Show>
-              </Show>
            </div>
          }
        >
@@ -218,7 +188,7 @@ export default function PaymentDialog(props: PaymentDialogProps) {
          <button
            type="button"
            onClick={checkPayment}
-            disabled={payStatus() === "loading" || bolt11Status() !== "ready"}
+            disabled={payStatus() === "loading"}
            class="py-2 px-4 bg-blue-600 text-white text-sm font-medium rounded-lg hover:bg-blue-700 disabled:opacity-50 transition-colors"
          >
            {payStatus() === "loading" ? "Checking..." : "Complete Payment"}
@@ -145,8 +145,6 @@ export async function makeAuth(): Promise<string | undefined> {
    kind: 27235,
    content: "",
    created_at: Math.floor(now / 1000),
-    // Intentional session-style auth: sign the API base URL once, then reuse
-    // the header briefly to avoid prompting the signer on every request.
    tags: [["u", API_URL]],
  })
Author	SHA1	Message	Date
userAdityaa	6faf7d3fa0	test(billing): validate stripe customer id enforcement	2026-04-15 04:16:06 +05:45
userAdityaa	a8d69dc915	fix(billing): ensure all tenants have valid Stripe customer IDs	2026-04-15 04:16:03 +05:45