chore (testing): add deterministic quote stub test

fix (billing): use fx quote for stripe to lightning
2026-04-11 23:45:02 +05:45 · 2026-04-11 23:45:02 +05:45
14 changed files with 128 additions and 609 deletions
@@ -60,13 +60,7 @@ See [spec](spec) for more details
 ## API Routes
-Most API routes are NIP-98 protected.
+All routes are NIP-98 protected.
 Public exceptions:
 - `GET /plans`
 - `GET /plans/:id`
 - `POST /stripe/webhook` (validated with Stripe signatures instead)
 - `GET /identity` — get auth identity (`pubkey`, `is_admin`)
 - `GET /tenants` — list tenants (admin)
@@ -79,13 +73,3 @@ Public exceptions:
 - `PUT /relays/:id` — update relay (admin or relay tenant)
 - `POST /relays/:id/deactivate` — deactivate relay (admin or relay tenant)
 - `GET /invoices` — list invoices (`?tenant=<pubkey>` allowed for admin only)
 ## API Auth Model
 Caravel intentionally uses a session-style variant of NIP-98 for client-to-backend API auth.
 - Frontend signs one kind `27235` event with `u = VITE_API_URL` and caches that header for about 10 minutes.
 - Backend verifies event kind, signature, and that `u` contains configured `HOST`.
 - Backend intentionally does not bind auth to exact request URL/method/query, and does not enforce payload hash, timestamp freshness window, or replay cache.
 - Goal: reduce repeated wallet signing prompts and avoid cookie-based sessions.
 - Tradeoff: this is weaker request-intent binding than strict NIP-98 semantics.
@@ -12,7 +12,7 @@ CREATE TABLE IF NOT EXISTS tenant (
  nwc_url TEXT NOT NULL DEFAULT '',
  nwc_error TEXT,
  created_at INTEGER NOT NULL,
-  stripe_customer_id TEXT NOT NULL,
+  stripe_customer_id TEXT NOT NULL DEFAULT '',
  stripe_subscription_id TEXT,
  past_due_at INTEGER
 );
@@ -184,11 +184,9 @@ Notes:
 ## `extract_auth_pubkey(&self, headers: &HeaderMap) -> Result<String>`
 - Parses `Authorization` header
- Validates event kind (`27235`) and signature using `nostr_sdk`
+- Validates event kind and signature using `nostr_sdk`
- Validates event `u` contains configured `HOST`
+- Validates event `u` against `HOST` (not the request path. Non-standard, but correct)
- Intentionally does **not** enforce exact request URL/method/query matching
+- Does not validate `method` tag
 - Intentionally does **not** validate `payload` tag/hash, `created_at` freshness window, or replay nonce/cache
 - This is a deliberate session-style tradeoff to reduce repeated signer prompts in the client
 - Returns pubkey if header all checks pass
 Refer to https://github.com/nostr-protocol/nips/blob/master/98.md for details. Use `nostr_sdk` functionality where possible.
@@ -19,7 +19,7 @@ Members:
 ## `async fn handle_activity(&self, activity: &Activity)`
- For `create_relay`, `update_relay`, `activate_relay`, or `deactivate_relay` activity, calls `sync_and_report`.
+- For `create_relay`, `update_relay`, or `deactivate_relay` activity, calls `sync_and_report`.
 - All other activity types are ignored (e.g. `fail_relay_sync`, `complete_relay_sync`).
 ## `async fn sync_and_report(&self, relay: &Relay, is_new: bool)`
@@ -12,11 +12,9 @@ use base64::Engine;
 use nostr_sdk::{Event, JsonUtil, Kind};
 use serde::{Deserialize, Serialize};
-use crate::billing::{Billing, InvoiceLookupError};
+use crate::billing::Billing;
 use crate::command::Command;
-use crate::models::{
+use crate::models::{Relay, Tenant};
    RELAY_STATUS_ACTIVE, RELAY_STATUS_DELINQUENT, RELAY_STATUS_INACTIVE, Relay, Tenant,
 };
 use crate::query::Query;
 use axum::body::Bytes;
@@ -72,11 +70,6 @@ enum ApiError {
    Unauthorized(anyhow::Error),
    Forbidden(&'static str),
    NotFound(&'static str),
    Client {
        status: StatusCode,
        code: &'static str,
        message: &'static str,
    },
    Internal(String),
 }
@@ -86,36 +79,11 @@ impl IntoResponse for ApiError {
            Self::Unauthorized(e) => err(StatusCode::UNAUTHORIZED, "unauthorized", &e.to_string()),
            Self::Forbidden(message) => err(StatusCode::FORBIDDEN, "forbidden", message),
            Self::NotFound(message) => err(StatusCode::NOT_FOUND, "not-found", message),
            Self::Client {
                status,
                code,
                message,
            } => err(status, code, message),
            Self::Internal(message) => err(StatusCode::INTERNAL_SERVER_ERROR, "internal", &message),
        }
    }
 }
 fn map_invoice_lookup_error(error: InvoiceLookupError) -> ApiError {
    match error {
        InvoiceLookupError::StripeClient { status } => {
            let status = StatusCode::from_u16(status.as_u16()).unwrap_or(StatusCode::BAD_REQUEST);
            match status {
                StatusCode::NOT_FOUND => ApiError::NotFound("invoice not found"),
                StatusCode::UNAUTHORIZED | StatusCode::FORBIDDEN => {
                    ApiError::Forbidden("invoice access denied")
                }
                _ => ApiError::Client {
                    status,
                    code: "invoice-request-rejected",
                    message: "invoice request rejected",
                },
            }
        }
        InvoiceLookupError::Internal(error) => ApiError::Internal(error.to_string()),
    }
 }
 impl Api {
    pub fn new(query: Query, command: Command, billing: Billing) -> Self {
        let host = std::env::var("HOST").unwrap_or_else(|_| "127.0.0.1".to_string());
@@ -154,10 +122,7 @@ impl Api {
            .route("/tenants/:pubkey/invoices", get(list_tenant_invoices))
            .route("/invoices/:id", get(get_invoice))
            .route("/invoices/:id/bolt11", get(get_invoice_bolt11))
-            .route(
+            .route("/tenants/:pubkey/stripe/session", get(create_stripe_session))
                "/tenants/:pubkey/stripe/session",
                get(create_stripe_session),
            )
            .route("/stripe/webhook", post(stripe_webhook))
            .with_state(state)
    }
@@ -209,9 +174,6 @@ impl Api {
            return Err(ApiError::Unauthorized(anyhow!("missing u tag")));
        };
        // Intentional session-style variant of NIP-98 for Caravel API auth.
        // We validate signer identity plus host affinity, and do not bind to exact
        // request URL/method or maintain replay state here.
        if !self.host.is_empty() && !got_u.contains(&self.host) {
            return Err(ApiError::Unauthorized(anyhow!(
                "authorization host mismatch"
@@ -270,7 +232,7 @@ impl Api {
            relay.schema = format!("{}_{}", relay.subdomain.replace('-', "_"), relay.id);
        }
        if relay.status.is_empty() {
-            relay.status = RELAY_STATUS_ACTIVE.to_string();
+            relay.status = "active".to_string();
        }
        relay.policy_public_join = parse_bool_default(relay.policy_public_join, 0);
        relay.policy_strip_signatures = parse_bool_default(relay.policy_strip_signatures, 0);
@@ -403,53 +365,41 @@ async fn get_identity(
    let pubkey = state.api.extract_auth_pubkey(&headers)?;
    let is_admin = state.api.admins.iter().any(|a| a == &pubkey);
-    // Ensure tenant exists.
+    // Only create if tenant doesn't exist yet
-    match state.api.query.get_tenant(&pubkey).await {
+    if let Ok(None) = state.api.query.get_tenant(&pubkey).await {
-        Ok(Some(_)) => {}
+        // TODO: Call Stripe API to create a new customer
-        Ok(None) => {
+        let stripe_customer_id = String::new();
            let stripe_customer_id = match state.api.billing.stripe_create_customer(&pubkey).await {
                Ok(id) => id,
                Err(e) => {
                    return Ok(err(
                        StatusCode::INTERNAL_SERVER_ERROR,
                        "stripe-customer-create-failed",
                        &e.to_string(),
                    ));
                }
            };
-            let tenant = Tenant {
+        let tenant = Tenant {
-                pubkey: pubkey.clone(),
+            pubkey: pubkey.clone(),
-                nwc_url: String::new(),
+            nwc_url: String::new(),
-                nwc_error: None,
+            nwc_error: None,
-                created_at: now_ts(),
+            created_at: now_ts(),
-                stripe_customer_id,
+            stripe_customer_id,
-                stripe_subscription_id: None,
+            stripe_subscription_id: None,
-                past_due_at: None,
+            past_due_at: None,
-            };
+        };
-            match state.api.command.create_tenant(&tenant).await {
+        match state.api.command.create_tenant(&tenant).await {
-                Ok(()) => {}
+            Ok(()) => {}
-                Err(e) if matches!(map_unique_error(&e), Some("pubkey-exists")) => {}
+            Err(e) if matches!(map_unique_error(&e), Some("pubkey-exists")) => {}
-                Err(e) => {
+            Err(e) => {
-                    return Ok(err(
+                return Ok(err(
-                        StatusCode::INTERNAL_SERVER_ERROR,
+                    StatusCode::INTERNAL_SERVER_ERROR,
-                        "internal",
+                    "internal",
-                        &e.to_string(),
+                    &e.to_string(),
-                    ));
+                ));
-                }
+            }
-            };
+        };
        }
        Err(e) => {
            return Ok(err(
                StatusCode::INTERNAL_SERVER_ERROR,
                "internal",
                &e.to_string(),
            ));
        }
    }
-    Ok(ok(StatusCode::OK, IdentityResponse { pubkey, is_admin }))
+    Ok(ok(
        StatusCode::OK,
        IdentityResponse {
            pubkey,
            is_admin,
        },
    ))
 }
 async fn get_plan(Path(id): Path<String>) -> Response {
@@ -539,27 +489,14 @@ async fn list_relay_activity(
    let relay = match state.api.query.get_relay(&id).await {
        Ok(Some(r)) => r,
        Ok(None) => return Ok(err(StatusCode::NOT_FOUND, "not-found", "relay not found")),
-        Err(e) => {
+        Err(e) => return Ok(err(StatusCode::INTERNAL_SERVER_ERROR, "internal", &e.to_string())),
            return Ok(err(
                StatusCode::INTERNAL_SERVER_ERROR,
                "internal",
                &e.to_string(),
            ));
        }
    };
    state.api.require_admin_or_tenant(&auth, &relay.tenant)?;
    match state.api.query.list_activity_for_relay(&id).await {
-        Ok(activity) => Ok(ok(
+        Ok(activity) => Ok(ok(StatusCode::OK, serde_json::json!({ "activity": activity }))),
-            StatusCode::OK,
+        Err(e) => Ok(err(StatusCode::INTERNAL_SERVER_ERROR, "internal", &e.to_string())),
            serde_json::json!({ "activity": activity }),
        )),
        Err(e) => Ok(err(
            StatusCode::INTERNAL_SERVER_ERROR,
            "internal",
            &e.to_string(),
        )),
    }
 }
@@ -578,7 +515,7 @@ async fn create_relay(
        subdomain: payload.subdomain,
        plan: payload.plan,
        stripe_subscription_item_id: None,
-        status: RELAY_STATUS_ACTIVE.to_string(),
+        status: "active".to_string(),
        sync_error: String::new(),
        info_name: payload.info_name.unwrap_or_default(),
        info_icon: payload.info_icon.unwrap_or_default(),
@@ -749,7 +686,7 @@ async fn deactivate_relay(
    state.api.require_admin_or_tenant(&auth, &relay.tenant)?;
-    if relay.status == RELAY_STATUS_INACTIVE || relay.status == RELAY_STATUS_DELINQUENT {
+    if relay.status == "inactive" {
        return Ok(err(
            StatusCode::BAD_REQUEST,
            "relay-is-inactive",
@@ -788,7 +725,7 @@ async fn reactivate_relay(
    state.api.require_admin_or_tenant(&auth, &relay.tenant)?;
-    if relay.status == RELAY_STATUS_ACTIVE {
+    if relay.status == "active" {
        return Ok(err(
            StatusCode::BAD_REQUEST,
            "relay-is-active",
@@ -836,12 +773,8 @@ async fn get_invoice(
    Path(id): Path<String>,
 ) -> std::result::Result<Response, ApiError> {
    let auth = state.api.extract_auth_pubkey(&headers)?;
-    let (invoice, tenant) = state
+    let (invoice, tenant) = state.api.billing.get_invoice_with_tenant(&id).await
-        .api
+        .map_err(|e| ApiError::Internal(e.to_string()))?;
        .billing
        .get_invoice_with_tenant(&id)
        .await
        .map_err(map_invoice_lookup_error)?;
    state.api.require_admin_or_tenant(&auth, &tenant.pubkey)?;
    Ok(ok(StatusCode::OK, invoice))
@@ -853,12 +786,8 @@ async fn get_invoice_bolt11(
    Path(id): Path<String>,
 ) -> std::result::Result<Response, ApiError> {
    let auth = state.api.extract_auth_pubkey(&headers)?;
-    let (invoice, tenant) = state
+    let (invoice, tenant) = state.api.billing.get_invoice_with_tenant(&id).await
-        .api
+        .map_err(|e| ApiError::Internal(e.to_string()))?;
        .billing
        .get_invoice_with_tenant(&id)
        .await
        .map_err(map_invoice_lookup_error)?;
    state.api.require_admin_or_tenant(&auth, &tenant.pubkey)?;
    let status = invoice["status"].as_str().unwrap_or_default();
@@ -6,9 +6,7 @@ use nwc::prelude::{
 use sha2::Sha256;
 use crate::command::Command;
-use crate::models::{
+use crate::models::Activity;
    Activity, RELAY_STATUS_ACTIVE, RELAY_STATUS_DELINQUENT, RELAY_STATUS_INACTIVE, Relay,
 };
 use crate::query::Query;
 use crate::robot::Robot;
@@ -18,41 +16,6 @@ const STRIPE_API: &str = "https://api.stripe.com/v1";
 const COINBASE_SPOT_API: &str = "https://api.coinbase.com/v2/prices";
 const WEBHOOK_TOLERANCE_SECS: i64 = 300;
 #[derive(Debug)]
 pub enum InvoiceLookupError {
    StripeClient { status: reqwest::StatusCode },
    Internal(anyhow::Error),
 }
 impl std::fmt::Display for InvoiceLookupError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::StripeClient { status } => {
                write!(
                    f,
                    "stripe invoice lookup failed with status {}",
                    status.as_u16()
                )
            }
            Self::Internal(error) => write!(f, "{error}"),
        }
    }
 }
 impl std::error::Error for InvoiceLookupError {}
 impl From<anyhow::Error> for InvoiceLookupError {
    fn from(value: anyhow::Error) -> Self {
        Self::Internal(value)
    }
 }
 impl From<reqwest::Error> for InvoiceLookupError {
    fn from(value: reqwest::Error) -> Self {
        Self::Internal(value.into())
    }
 }
 #[derive(serde::Deserialize)]
 struct StripeEvent {
    #[serde(rename = "type")]
@@ -91,12 +54,9 @@ impl Billing {
    pub fn new(query: Query, command: Command, robot: Robot) -> Self {
        let nwc_url = std::env::var("NWC_URL").unwrap_or_default();
        let stripe_secret_key = std::env::var("STRIPE_SECRET_KEY").unwrap_or_default();
        if stripe_secret_key.trim().is_empty() {
            panic!("missing STRIPE_SECRET_KEY environment variable");
        }
        let stripe_webhook_secret = std::env::var("STRIPE_WEBHOOK_SECRET").unwrap_or_default();
-        let btc_quote_api_base =
+        let btc_quote_api_base = std::env::var("BTC_PRICE_API_BASE")
-            std::env::var("BTC_PRICE_API_BASE").unwrap_or_else(|_| COINBASE_SPOT_API.to_string());
+            .unwrap_or_else(|_| COINBASE_SPOT_API.to_string());
        Self {
            nwc_url,
            stripe_secret_key,
@@ -167,7 +127,7 @@ impl Billing {
        }
        // Inactive relay: remove subscription item if exists, then clean up
-        if relay.status == RELAY_STATUS_INACTIVE || relay.status == RELAY_STATUS_DELINQUENT {
+        if relay.status == "inactive" {
            if let Some(ref item_id) = relay.stripe_subscription_item_id {
                self.stripe_delete_subscription_item(item_id).await?;
                self.command
@@ -388,7 +348,7 @@ impl Billing {
            let relays = self.query.list_relays_for_tenant(&tenant.pubkey).await?;
            for relay in relays {
-                if Self::should_reactivate_after_payment(&relay) {
+                if relay.status == "inactive" && relay.plan != "free" {
                    self.command.activate_relay(&relay).await?;
                }
            }
@@ -442,8 +402,8 @@ impl Billing {
        let relays = self.query.list_relays_for_tenant(&tenant.pubkey).await?;
        for relay in relays {
-            if relay.status == RELAY_STATUS_ACTIVE && relay.plan != "free" {
+            if relay.status == "active" && relay.plan != "free" {
-                self.command.mark_relay_delinquent(&relay).await?;
+                self.command.deactivate_relay(&relay).await?;
            }
        }
@@ -477,8 +437,8 @@ impl Billing {
        let relays = self.query.list_relays_for_tenant(&tenant.pubkey).await?;
        for relay in relays {
-            if relay.status == RELAY_STATUS_ACTIVE && relay.plan != "free" {
+            if relay.status == "active" && relay.plan != "free" {
-                self.command.mark_relay_delinquent(&relay).await?;
+                self.command.deactivate_relay(&relay).await?;
            }
        }
@@ -497,48 +457,19 @@ impl Billing {
    pub async fn get_invoice_with_tenant(
        &self,
        invoice_id: &str,
-    ) -> std::result::Result<(serde_json::Value, crate::models::Tenant), InvoiceLookupError> {
+    ) -> Result<(serde_json::Value, crate::models::Tenant)> {
        let invoice = self.stripe_get_invoice(invoice_id).await?;
        let customer_id = invoice["customer"]
            .as_str()
-            .ok_or_else(|| InvoiceLookupError::Internal(anyhow!("invoice missing customer")))?;
+            .ok_or_else(|| anyhow!("invoice missing customer"))?;
        let tenant = self
            .query
            .get_tenant_by_stripe_customer_id(customer_id)
            .await?
-            .ok_or_else(|| {
+            .ok_or_else(|| anyhow!("tenant not found for customer"))?;
                InvoiceLookupError::Internal(anyhow!("tenant not found for customer"))
            })?;
        Ok((invoice, tenant))
    }
    pub async fn stripe_create_customer(&self, tenant_pubkey: &str) -> Result<String> {
        let short_pubkey: String = tenant_pubkey.chars().take(12).collect();
        let display_name = format!("Caravel tenant {short_pubkey}");
        let resp = self
            .http
            .post(format!("{STRIPE_API}/customers"))
            .bearer_auth(&self.stripe_secret_key)
            .form(&[
                ("name", display_name.as_str()),
                ("metadata[tenant_pubkey]", tenant_pubkey),
            ])
            .send()
            .await?;
        let body: serde_json::Value = resp.error_for_status()?.json().await?;
        let customer_id = body["id"]
            .as_str()
            .ok_or_else(|| anyhow!("missing customer id"))?;
        if !customer_id.starts_with("cus_") {
            return Err(anyhow!("unexpected customer id format"));
        }
        Ok(customer_id.to_string())
    }
    pub async fn stripe_list_invoices(&self, customer_id: &str) -> Result<serde_json::Value> {
        let resp = self
            .http
@@ -552,10 +483,7 @@ impl Billing {
        Ok(body["data"].clone())
    }
-    pub async fn stripe_get_invoice(
+    pub async fn stripe_get_invoice(&self, invoice_id: &str) -> Result<serde_json::Value> {
        &self,
        invoice_id: &str,
    ) -> std::result::Result<serde_json::Value, InvoiceLookupError> {
        let resp = self
            .http
            .get(format!("{STRIPE_API}/invoices/{invoice_id}"))
@@ -563,12 +491,6 @@ impl Billing {
            .send()
            .await?;
        if resp.status().is_client_error() {
            return Err(InvoiceLookupError::StripeClient {
                status: resp.status(),
            });
        }
        let body: serde_json::Value = resp.error_for_status()?.json().await?;
        Ok(body)
    }
@@ -800,10 +722,6 @@ impl Billing {
        fiat_minor_to_msats_from_quote(amount_due_minor, &normalized_currency, btc_price)
    }
    fn should_reactivate_after_payment(relay: &Relay) -> bool {
        relay.status == RELAY_STATUS_DELINQUENT && relay.plan != "free"
    }
    async fn fetch_btc_spot_price(&self, currency: &str) -> Result<f64> {
        fetch_btc_spot_price_from_base(&self.http, &self.btc_quote_api_base, currency).await
    }
@@ -841,9 +759,7 @@ pub async fn fetch_btc_spot_price_from_base(
        .map_err(|e| anyhow!("invalid BTC spot quote for {currency}: {e}"))?;
    if amount <= 0.0 {
-        return Err(anyhow!(
+        return Err(anyhow!("invalid non-positive BTC spot quote for {currency}"));
            "invalid non-positive BTC spot quote for {currency}"
        ));
    }
    Ok(amount)
@@ -883,34 +799,7 @@ pub fn fiat_minor_to_msats_from_quote(
 #[cfg(test)]
 mod tests {
-    use super::{Billing, fiat_minor_to_msats_from_quote};
+    use super::fiat_minor_to_msats_from_quote;
    use crate::models::{
        RELAY_STATUS_ACTIVE, RELAY_STATUS_DELINQUENT, RELAY_STATUS_INACTIVE, Relay,
    };
    fn relay_fixture(status: &str, plan: &str) -> Relay {
        Relay {
            id: "relay-1".to_string(),
            tenant: "tenant-1".to_string(),
            schema: "tenant_1".to_string(),
            subdomain: "relay-1".to_string(),
            plan: plan.to_string(),
            stripe_subscription_item_id: None,
            status: status.to_string(),
            sync_error: String::new(),
            info_name: String::new(),
            info_icon: String::new(),
            info_description: String::new(),
            policy_public_join: 0,
            policy_strip_signatures: 0,
            groups_enabled: 1,
            management_enabled: 1,
            blossom_enabled: 1,
            livekit_enabled: 1,
            push_enabled: 1,
            synced: 1,
        }
    }
    #[test]
    fn converts_usd_minor_units_with_quote() {
@@ -925,129 +814,4 @@ mod tests {
            .expect("conversion should succeed");
        assert_eq!(msats, 1_000_000);
    }
    #[test]
    fn reactivates_only_delinquent_paid_relays_after_payment() {
        let delinquent_paid = relay_fixture(RELAY_STATUS_DELINQUENT, "basic");
        assert!(Billing::should_reactivate_after_payment(&delinquent_paid));
        let manually_inactive_paid = relay_fixture(RELAY_STATUS_INACTIVE, "basic");
        assert!(!Billing::should_reactivate_after_payment(
            &manually_inactive_paid
        ));
        let free_delinquent = relay_fixture(RELAY_STATUS_DELINQUENT, "free");
        assert!(!Billing::should_reactivate_after_payment(&free_delinquent));
        let active_paid = relay_fixture(RELAY_STATUS_ACTIVE, "basic");
        assert!(!Billing::should_reactivate_after_payment(&active_paid));
        let unknown_status_paid = relay_fixture("suspended", "basic");
        assert!(!Billing::should_reactivate_after_payment(
            &unknown_status_paid
        ));
    }
    use super::*;
    use sqlx::SqlitePool;
    use sqlx::sqlite::{SqliteConnectOptions, SqlitePoolOptions};
    use std::str::FromStr;
    use std::sync::{Mutex, OnceLock};
    fn env_lock() -> &'static Mutex<()> {
        static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
        LOCK.get_or_init(|| Mutex::new(()))
    }
    #[allow(unused_unsafe)]
    fn set_stripe_secret_key(value: Option<&str>) {
        match value {
            Some(v) => unsafe { std::env::set_var("STRIPE_SECRET_KEY", v) },
            None => unsafe { std::env::remove_var("STRIPE_SECRET_KEY") },
        }
    }
    struct StripeSecretKeyGuard {
        previous: Option<String>,
    }
    impl StripeSecretKeyGuard {
        fn set(value: Option<&str>) -> Self {
            let previous = std::env::var("STRIPE_SECRET_KEY").ok();
            set_stripe_secret_key(value);
            Self { previous }
        }
    }
    impl Drop for StripeSecretKeyGuard {
        fn drop(&mut self) {
            set_stripe_secret_key(self.previous.as_deref());
        }
    }
    async fn test_pool() -> SqlitePool {
        let connect_options = SqliteConnectOptions::from_str("sqlite::memory:")
            .expect("valid sqlite memory url")
            .create_if_missing(true);
        let pool = SqlitePoolOptions::new()
            .max_connections(1)
            .connect_with(connect_options)
            .await
            .expect("connect sqlite memory db");
        sqlx::migrate!("./migrations")
            .run(&pool)
            .await
            .expect("run migrations");
        pool
    }
    #[tokio::test]
    async fn billing_new_panics_without_stripe_secret_key() {
        let _lock = env_lock().lock().expect("acquire env lock");
        let _env = StripeSecretKeyGuard::set(None);
        let pool = test_pool().await;
        let query = Query::new(pool.clone());
        let command = Command::new(pool);
        let robot = Robot::test_stub();
        let result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
            Billing::new(query, command, robot)
        }));
        let panic_payload = match result {
            Ok(_) => panic!("constructor should panic when STRIPE_SECRET_KEY is missing"),
            Err(payload) => payload,
        };
        let panic_msg = if let Some(msg) = panic_payload.downcast_ref::<&str>() {
            (*msg).to_string()
        } else if let Some(msg) = panic_payload.downcast_ref::<String>() {
            msg.clone()
        } else {
            String::new()
        };
        assert!(
            panic_msg.contains("missing STRIPE_SECRET_KEY environment variable"),
            "unexpected panic: {panic_msg}"
        );
    }
    #[tokio::test]
    async fn billing_new_accepts_non_empty_stripe_secret_key() {
        let _lock = env_lock().lock().expect("acquire env lock");
        let _env = StripeSecretKeyGuard::set(Some("sk_test_dummy"));
        let pool = test_pool().await;
        let billing = Billing::new(
            Query::new(pool.clone()),
            Command::new(pool),
            Robot::test_stub(),
        );
        assert_eq!(billing.stripe_secret_key, "sk_test_dummy");
    }
 }
@@ -2,9 +2,7 @@ use anyhow::Result;
 use sqlx::{Sqlite, SqlitePool, Transaction};
 use tokio::sync::broadcast;
-use crate::models::{
+use crate::models::{Activity, Relay, Tenant};
    Activity, RELAY_STATUS_ACTIVE, RELAY_STATUS_DELINQUENT, RELAY_STATUS_INACTIVE, Relay, Tenant,
 };
 #[derive(Clone)]
 pub struct Command {
@@ -66,10 +64,6 @@ impl Command {
    }
    pub async fn create_tenant(&self, tenant: &Tenant) -> Result<()> {
        if tenant.stripe_customer_id.trim().is_empty() {
            anyhow::bail!("stripe_customer_id is required");
        }
        let mut tx = self.pool.begin().await?;
        sqlx::query(
@@ -83,8 +77,7 @@ impl Command {
        .execute(&mut *tx)
        .await?;
-        let activity =
+        let activity = Self::insert_activity(&mut tx, "create_tenant", "tenant", &tenant.pubkey).await?;
            Self::insert_activity(&mut tx, "create_tenant", "tenant", &tenant.pubkey).await?;
        tx.commit().await?;
        self.emit(activity);
@@ -100,8 +93,7 @@ impl Command {
            .execute(&mut *tx)
            .await?;
-        let activity =
+        let activity = Self::insert_activity(&mut tx, "update_tenant", "tenant", &tenant.pubkey).await?;
            Self::insert_activity(&mut tx, "update_tenant", "tenant", &tenant.pubkey).await?;
        tx.commit().await?;
        self.emit(activity);
@@ -186,30 +178,14 @@ impl Command {
    }
    pub async fn deactivate_relay(&self, relay: &Relay) -> Result<()> {
        self.set_relay_status(&relay.id, RELAY_STATUS_INACTIVE, "deactivate_relay")
            .await
    }
    pub async fn mark_relay_delinquent(&self, relay: &Relay) -> Result<()> {
        self.set_relay_status(&relay.id, RELAY_STATUS_DELINQUENT, "deactivate_relay")
            .await
    }
    async fn set_relay_status(
        &self,
        relay_id: &str,
        status: &str,
        activity_type: &str,
    ) -> Result<()> {
        let mut tx = self.pool.begin().await?;
-        sqlx::query("UPDATE relay SET status = ? WHERE id = ?")
+        sqlx::query("UPDATE relay SET status = 'inactive' WHERE id = ?")
-            .bind(status)
+            .bind(&relay.id)
            .bind(relay_id)
            .execute(&mut *tx)
            .await?;
-        let activity = Self::insert_activity(&mut tx, activity_type, "relay", relay_id).await?;
+        let activity = Self::insert_activity(&mut tx, "deactivate_relay", "relay", &relay.id).await?;
        tx.commit().await?;
        self.emit(activity);
@@ -217,8 +193,18 @@ impl Command {
    }
    pub async fn activate_relay(&self, relay: &Relay) -> Result<()> {
-        self.set_relay_status(&relay.id, RELAY_STATUS_ACTIVE, "activate_relay")
+        let mut tx = self.pool.begin().await?;
-            .await
+
        sqlx::query("UPDATE relay SET status = 'active' WHERE id = ?")
            .bind(&relay.id)
            .execute(&mut *tx)
            .await?;
        let activity = Self::insert_activity(&mut tx, "activate_relay", "relay", &relay.id).await?;
        tx.commit().await?;
        self.emit(activity);
        Ok(())
    }
    pub async fn fail_relay_sync(&self, relay: &Relay, sync_error: String) -> Result<()> {
@@ -230,8 +216,7 @@ impl Command {
            .execute(&mut *tx)
            .await?;
-        let activity =
+        let activity = Self::insert_activity(&mut tx, "fail_relay_sync", "relay", &relay.id).await?;
            Self::insert_activity(&mut tx, "fail_relay_sync", "relay", &relay.id).await?;
        tx.commit().await?;
        self.emit(activity);
@@ -246,8 +231,7 @@ impl Command {
            .execute(&mut *tx)
            .await?;
-        let activity =
+        let activity = Self::insert_activity(&mut tx, "complete_relay_sync", "relay", relay_id).await?;
            Self::insert_activity(&mut tx, "complete_relay_sync", "relay", relay_id).await?;
        tx.commit().await?;
        self.emit(activity);
@@ -262,11 +246,7 @@ impl Command {
        Ok(())
    }
-    pub async fn set_relay_subscription_item(
+    pub async fn set_relay_subscription_item(&self, relay_id: &str, stripe_subscription_item_id: &str) -> Result<()> {
        &self,
        relay_id: &str,
        stripe_subscription_item_id: &str,
    ) -> Result<()> {
        sqlx::query("UPDATE relay SET stripe_subscription_item_id = ? WHERE id = ?")
            .bind(stripe_subscription_item_id)
            .bind(relay_id)
@@ -275,11 +255,7 @@ impl Command {
        Ok(())
    }
-    pub async fn set_tenant_subscription(
+    pub async fn set_tenant_subscription(&self, pubkey: &str, stripe_subscription_id: &str) -> Result<()> {
        &self,
        pubkey: &str,
        stripe_subscription_id: &str,
    ) -> Result<()> {
        sqlx::query("UPDATE tenant SET stripe_subscription_id = ? WHERE pubkey = ?")
            .bind(stripe_subscription_id)
            .bind(pubkey)
@@ -331,56 +307,3 @@ impl Command {
        Ok(())
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    use sqlx::SqlitePool;
    use sqlx::sqlite::{SqliteConnectOptions, SqlitePoolOptions};
    use std::str::FromStr;
    async fn test_pool() -> SqlitePool {
        let connect_options = SqliteConnectOptions::from_str("sqlite::memory:")
            .expect("valid sqlite memory url")
            .create_if_missing(true);
        let pool = SqlitePoolOptions::new()
            .max_connections(1)
            .connect_with(connect_options)
            .await
            .expect("connect sqlite memory db");
        sqlx::migrate!("./migrations")
            .run(&pool)
            .await
            .expect("run migrations");
        pool
    }
    #[tokio::test]
    async fn create_tenant_rejects_empty_stripe_customer_id() {
        let pool = test_pool().await;
        let command = Command::new(pool);
        let tenant = Tenant {
            pubkey: "tenant_pubkey".to_string(),
            nwc_url: String::new(),
            nwc_error: None,
            created_at: 0,
            stripe_customer_id: "   ".to_string(),
            stripe_subscription_id: None,
            past_due_at: None,
        };
        let err = command
            .create_tenant(&tenant)
            .await
            .expect_err("empty customer id must be rejected");
        assert!(
            err.to_string().contains("stripe_customer_id is required"),
            "unexpected error: {err}"
        );
    }
 }
@@ -2,7 +2,7 @@ use anyhow::Result;
 use nostr_sdk::prelude::*;
 use crate::command::Command;
-use crate::models::{Activity, RELAY_STATUS_DELINQUENT, RELAY_STATUS_INACTIVE};
+use crate::models::Activity;
 use crate::query::Query;
 #[derive(Clone)]
@@ -56,7 +56,10 @@ impl Infra {
    }
    async fn handle_activity(&self, activity: &Activity) -> Result<()> {
-        let needs_sync = should_sync_relay_activity(activity.activity_type.as_str());
+        let needs_sync = matches!(
            activity.activity_type.as_str(),
            "create_relay" | "update_relay" | "deactivate_relay"
        );
        if needs_sync {
            let Some(relay) = self.query.get_relay(&activity.resource_id).await? else {
@@ -90,9 +93,7 @@ impl Infra {
    async fn nip98_auth(&self, url: &str, method: HttpMethod) -> Result<String> {
        let keys = Keys::parse(&self.api_secret)?;
        let server_url = Url::parse(url)?;
-        let auth = HttpData::new(server_url, method)
+        let auth = HttpData::new(server_url, method).to_authorization(&keys).await?;
            .to_authorization(&keys)
            .await?;
        Ok(auth)
    }
@@ -123,8 +124,7 @@ impl Infra {
            "host": host,
            "schema": relay.schema,
            "secret": secret,
-            "inactive": relay.status == RELAY_STATUS_INACTIVE
+            "inactive": relay.status == "inactive",
                || relay.status == RELAY_STATUS_DELINQUENT,
            "info": {
                "name": relay.info_name,
                "icon": relay.info_icon,
@@ -149,21 +149,11 @@ impl Infra {
        let response = if is_new {
            let url = format!("{}/relay/{}", base, relay.id);
            let auth = self.nip98_auth(&url, HttpMethod::POST).await?;
-            client
+            client.post(&url).header("Authorization", auth).json(&body).send().await?
                .post(&url)
                .header("Authorization", auth)
                .json(&body)
                .send()
                .await?
        } else {
            let url = format!("{}/relay/{}", base, relay.id);
            let auth = self.nip98_auth(&url, HttpMethod::PUT).await?;
-            client
+            client.put(&url).header("Authorization", auth).json(&body).send().await?
                .put(&url)
                .header("Authorization", auth)
                .json(&body)
                .send()
                .await?
        };
        if !response.status().is_success() {
@@ -174,10 +164,3 @@ impl Infra {
        Ok(())
    }
 }
 fn should_sync_relay_activity(activity_type: &str) -> bool {
    matches!(
        activity_type,
        "create_relay" | "update_relay" | "activate_relay" | "deactivate_relay"
    )
 }
@@ -1,9 +1,5 @@
 use serde::{Deserialize, Serialize};
 pub const RELAY_STATUS_ACTIVE: &str = "active";
 pub const RELAY_STATUS_INACTIVE: &str = "inactive";
 pub const RELAY_STATUS_DELINQUENT: &str = "delinquent";
 #[derive(Debug, Clone, Serialize, Deserialize, sqlx::FromRow)]
 pub struct Activity {
    pub id: String,
@@ -70,7 +70,7 @@ impl Query {
    pub async fn list_relays(&self) -> Result<Vec<Relay>> {
        let rows = sqlx::query_as::<_, Relay>(
-            "SELECT id, tenant, schema, subdomain, plan, stripe_subscription_item_id,
+             "SELECT id, tenant, schema, subdomain, plan, stripe_subscription_item_id,
                     status, sync_error,
                     info_name, info_icon, info_description,
                     policy_public_join, policy_strip_signatures,
@@ -86,7 +86,7 @@ impl Query {
    pub async fn list_relays_for_tenant(&self, tenant_id: &str) -> Result<Vec<Relay>> {
        let rows = sqlx::query_as::<_, Relay>(
-            "SELECT id, tenant, schema, subdomain, plan, stripe_subscription_item_id,
+             "SELECT id, tenant, schema, subdomain, plan, stripe_subscription_item_id,
                     status, sync_error,
                     info_name, info_icon, info_description,
                     policy_public_join, policy_strip_signatures,
@@ -104,7 +104,7 @@ impl Query {
    pub async fn get_relay(&self, id: &str) -> Result<Option<Relay>> {
        let row = sqlx::query_as::<_, Relay>(
-            "SELECT id, tenant, schema, subdomain, plan, stripe_subscription_item_id,
+             "SELECT id, tenant, schema, subdomain, plan, stripe_subscription_item_id,
                     status, sync_error,
                     info_name, info_icon, info_description,
                     policy_public_join, policy_strip_signatures,
@@ -119,10 +119,7 @@ impl Query {
        Ok(row)
    }
-    pub async fn get_tenant_by_stripe_customer_id(
+    pub async fn get_tenant_by_stripe_customer_id(&self, stripe_customer_id: &str) -> Result<Option<Tenant>> {
        &self,
        stripe_customer_id: &str,
    ) -> Result<Option<Tenant>> {
        let row = sqlx::query_as::<_, Tenant>(
            "SELECT pubkey, nwc_url, nwc_error, created_at, stripe_customer_id, stripe_subscription_id, past_due_at
             FROM tenant
@@ -254,23 +254,3 @@ async fn set_cached(
        },
    );
 }
 #[cfg(test)]
 impl Robot {
    pub fn test_stub() -> Self {
        let keys = Keys::generate();
        let client = Client::new(keys);
        Self {
            secret: String::new(),
            name: String::new(),
            description: String::new(),
            picture: String::new(),
            outbox_client: client.clone(),
            indexer_client: client.clone(),
            messaging_client: client,
            outbox_cache: std::sync::Arc::new(Mutex::new(HashMap::new())),
            dm_cache: std::sync::Arc::new(Mutex::new(HashMap::new())),
        }
    }
 }
@@ -51,11 +51,8 @@ npm run preview
 ## Authentication
- Tenant requests use an intentional session-style variant of NIP-98:
+- Tenant requests use NIP-98 tokens derived from the logged-in user
-  - The client signs one kind `27235` event with `u = VITE_API_URL`.
+- Admin routes require a pubkey listed in `PLATFORM_ADMIN_PUBKEYS` on the backend
  - The resulting `Authorization` header is cached for about 10 minutes to avoid repeated signer prompts.
  - The backend validates signer identity + host affinity rather than exact URL/method binding per request.
 - Admin routes require a pubkey listed in `ADMINS` on the backend.
 ## Routes
@@ -6,7 +6,6 @@ import { getInvoice, getInvoiceBolt11 } from "@/lib/api"
 import { tenantNeedsPaymentSetup } from "@/lib/hooks"
 type PayStatus = "idle" | "loading" | "success" | "error"
 type Bolt11Status = "idle" | "loading" | "ready" | "error"
 type PaymentInvoice = {
  id: string
@@ -22,34 +21,20 @@ type PaymentDialogProps = {
 export default function PaymentDialog(props: PaymentDialogProps) {
  const [bolt11, setBolt11] = createSignal("")
  const [qrDataUrl, setQrDataUrl] = createSignal("")
  const [bolt11Status, setBolt11Status] = createSignal<Bolt11Status>("idle")
  const [bolt11Error, setBolt11Error] = createSignal("")
  const [payStatus, setPayStatus] = createSignal<PayStatus>("idle")
  const [payError, setPayError] = createSignal("")
  const [showSetup, setShowSetup] = createSignal(false)
  const [showPaymentSetup, setShowPaymentSetup] = createSignal(false)
-  async function loadBolt11() {
+  createEffect(async () => {
-    if (!props.invoice.id) return
+    if (!props.open || !props.invoice.id) return
    setBolt11Status("loading")
    setBolt11Error("")
    setBolt11("")
    setQrDataUrl("")
    try {
      const { bolt11: invoice } = await getInvoiceBolt11(props.invoice.id)
      setBolt11(invoice)
      setQrDataUrl(await QRCode.toDataURL(invoice, { width: 256, margin: 2 }))
-      setBolt11Status("ready")
+    } catch {
-    } catch (e) {
+      // bolt11 generation may fail
      setBolt11Status("error")
      setBolt11Error(e instanceof Error ? e.message : "Failed to generate Lightning invoice")
    }
  }
  createEffect(() => {
    if (!props.open || !props.invoice.id) return
    void loadBolt11()
  })
  function copyBolt11() {
@@ -77,8 +62,6 @@ export default function PaymentDialog(props: PaymentDialogProps) {
  function handleClose() {
    setPayStatus("idle")
    setPayError("")
    setBolt11Status("idle")
    setBolt11Error("")
    setBolt11("")
    setQrDataUrl("")
    setShowSetup(false)
@@ -121,46 +104,33 @@ export default function PaymentDialog(props: PaymentDialogProps) {
          when={payStatus() === "success"}
          fallback={
            <div class="w-full space-y-3">
-              <Show when={bolt11Status() === "idle" || bolt11Status() === "loading"}>
+              <Show
-                <div class="flex items-center justify-center py-12 text-sm text-gray-400">Generating invoice...</div>
+                when={qrDataUrl()}
                fallback={<div class="flex items-center justify-center py-12 text-sm text-gray-400">Generating invoice...</div>}
              >
                <img src={qrDataUrl()} alt="Lightning invoice QR code" class="mx-auto rounded-lg" />
              </Show>
-              <Show when={bolt11Status() === "error"}>
+              <Show when={bolt11()}>
-                <div class="rounded-lg border border-red-200 bg-red-50 p-4">
+                <div class="flex rounded-lg border border-gray-300">
-                  <p class="text-sm font-medium text-red-700">Unable to generate invoice</p>
+                  <input
-                  <p class="mt-1 text-xs text-red-600 wrap-break-word">{bolt11Error()}</p>
+                    type="text"
                    readOnly
                    value={bolt11()}
                    class="min-w-0 flex-1 rounded-l-lg border-0 px-3 py-2 text-xs text-gray-500 bg-transparent focus:outline-none"
                  />
                  <button
                    type="button"
-                    onClick={() => void loadBolt11()}
+                    class="flex items-center px-3 text-gray-400 hover:text-gray-700"
-                    class="mt-3 inline-flex items-center rounded-lg bg-red-600 px-3 py-1.5 text-sm font-medium text-white hover:bg-red-700"
+                    onClick={copyBolt11}
                    title="Copy invoice"
                  >
-                    Retry
+                    <svg class="w-4 h-4" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
                      <rect x="9" y="9" width="13" height="13" rx="2" />
                      <path d="M5 15H4a2 2 0 01-2-2V4a2 2 0 012-2h9a2 2 0 012 2v1" />
                    </svg>
                  </button>
                </div>
              </Show>
              <Show when={bolt11Status() === "ready"}>
                <img src={qrDataUrl()} alt="Lightning invoice QR code" class="mx-auto rounded-lg" />
                <Show when={bolt11()}>
                  <div class="flex rounded-lg border border-gray-300">
                    <input
                      type="text"
                      readOnly
                      value={bolt11()}
                      class="min-w-0 flex-1 rounded-l-lg border-0 px-3 py-2 text-xs text-gray-500 bg-transparent focus:outline-none"
                    />
                    <button
                      type="button"
                      class="flex items-center px-3 text-gray-400 hover:text-gray-700"
                      onClick={copyBolt11}
                      title="Copy invoice"
                    >
                      <svg class="w-4 h-4" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
                        <rect x="9" y="9" width="13" height="13" rx="2" />
                        <path d="M5 15H4a2 2 0 01-2-2V4a2 2 0 012-2h9a2 2 0 012 2v1" />
                      </svg>
                    </button>
                  </div>
                </Show>
              </Show>
            </div>
          }
        >
@@ -218,7 +188,7 @@ export default function PaymentDialog(props: PaymentDialogProps) {
          <button
            type="button"
            onClick={checkPayment}
-            disabled={payStatus() === "loading" || bolt11Status() !== "ready"}
+            disabled={payStatus() === "loading"}
            class="py-2 px-4 bg-blue-600 text-white text-sm font-medium rounded-lg hover:bg-blue-700 disabled:opacity-50 transition-colors"
          >
            {payStatus() === "loading" ? "Checking..." : "Complete Payment"}
@@ -145,8 +145,6 @@ export async function makeAuth(): Promise<string | undefined> {
    kind: 27235,
    content: "",
    created_at: Math.floor(now / 1000),
    // Intentional session-style auth: sign the API base URL once, then reuse
    // the header briefly to avoid prompting the signer on every request.
    tags: [["u", API_URL]],
  })
Author	SHA1	Message	Date
userAdityaa	3c5cf8500a	chore (testing): add deterministic quote stub test	2026-04-11 23:45:02 +05:45
userAdityaa	5214439abb	fix (billing): use fx quote for stripe to lightning	2026-04-11 23:45:02 +05:45