stripe: wire checkout, customer portal, and webhook for read.markets
Stripe is the merchant-on-record for read.markets after Polar/Paddle
both declined the financial-media category. This commit lands the
full subscription flow: an "Upgrade" button on /pricing now opens a
real Stripe-hosted Checkout, completes the subscription, and the
webhook flips user.tier to "paid" idempotently.
Endpoints
- POST /api/stripe/checkout (require_auth) — creates a hosted
Checkout Session in subscription mode, passes user.id as
client_reference_id + email as customer_email, returns the URL
for the page-side JS to redirect to. Reuses an existing
stripe_customer_id to avoid duplicate Stripe customers on repeat
checkouts. allow_promotion_codes=True so the referral-credit
redemption can attach a coupon at checkout once that flow ships.
- POST /api/stripe/portal (require_auth) — mints a Stripe Customer
Portal session. Used by /settings; returns 404 until the user has
a stripe_customer_id (i.e. completed at least one checkout).
- POST /api/stripe/webhook — signature-verified via
stripe.Webhook.construct_event. Idempotent via UNIQUE on
stripe_events.event_id. Event dispatch:
checkout.session.completed → grant paid, store IDs
customer.subscription.created → grant paid (active/trialing)
customer.subscription.updated → grant paid (active/trialing)
customer.subscription.deleted → drop to free, clear sub id
invoice.paid / failed → audit only
charge.refunded → audit only
Stripe-SDK objects don't expose dict.get(); we use the SDK for
signature verification then re-parse the JSON body for handler
dispatch — cleaner than reaching into StripeObject internals.
Schema (migration 0019)
- users.stripe_customer_id, users.stripe_subscription_id (nullable
String(64), UNIQUE on customer_id).
- stripe_events table mirroring polar_events: event_id (unique),
event_type, received_at, processed_at, error, raw payload
(truncated to 16 KiB).
Settings (.env)
- STRIPE_API_KEY (rk_test_… for dev, rk_live_… for GA)
- STRIPE_WEBHOOK_SECRET (whsec_… from the dashboard endpoint)
- STRIPE_PRICE_MONTHLY (price_xxx for £7/month)
- STRIPE_PRICE_ANNUAL (price_xxx for £70/year)
Pricing page
- Free tier CTA unchanged.
- Paid CTA branches three ways: paid → "Manage subscription" to
/settings; logged-in free → two buttons (£7/mo, £70/yr) that POST
to /api/stripe/checkout and redirect; anonymous → /login?next=/pricing.
- Inline JS intercepts the button click, calls the checkout
endpoint, redirects on success, surfaces errors via alert(). No
Stripe.js dep — we use the hosted-checkout URL directly.
Polar handler stays in place for berengar.io / flyroom.net which
still ship through Polar. polar_* and stripe_* columns coexist
independently on the User row.
Tests
- 9 in tests/test_stripe_billing.py covering: bad signature → 401,
missing signature → 400, checkout.session.completed flips tier +
stores IDs, subscription.updated active grants paid,
subscription.deleted drops to free with customer id preserved,
replayed event id is no-op (one row in stripe_events),
unknown event acked 200, checkout endpoint mocks the SDK and
returns the hosted URL, checkout requires login.
- Full suite: 221 passed, 5 skipped.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
parent
6c13f855e9
commit
410afe0078
9 changed files with 858 additions and 7 deletions
|
|
@ -194,11 +194,18 @@ class User(Base):
|
|||
# we cancel against from /settings.
|
||||
polar_customer_id: Mapped[str | None] = mapped_column(String(64), nullable=True)
|
||||
polar_subscription_id: Mapped[str | None] = mapped_column(String(64), nullable=True)
|
||||
# Stripe (merchant-on-record for read.markets). Populated on the
|
||||
# first checkout.session.completed event via client_reference_id;
|
||||
# used thereafter to match incoming subscription/invoice events
|
||||
# back to this row.
|
||||
stripe_customer_id: Mapped[str | None] = mapped_column(String(64), nullable=True)
|
||||
stripe_subscription_id: Mapped[str | None] = mapped_column(String(64), nullable=True)
|
||||
|
||||
__table_args__ = (
|
||||
UniqueConstraint("email", name="uq_users_email"),
|
||||
UniqueConstraint("referral_code", name="uq_users_referral_code"),
|
||||
UniqueConstraint("polar_customer_id", name="uq_users_polar_customer"),
|
||||
UniqueConstraint("stripe_customer_id", name="uq_users_stripe_customer"),
|
||||
)
|
||||
|
||||
|
||||
|
|
@ -385,3 +392,29 @@ class PolarEvent(Base):
|
|||
UniqueConstraint("event_id", name="uq_polar_events_event_id"),
|
||||
Index("ix_polar_events_type_received", "event_type", "received_at"),
|
||||
)
|
||||
|
||||
|
||||
class StripeEvent(Base):
|
||||
"""Audit + idempotency table for inbound Stripe webhook deliveries.
|
||||
|
||||
Same shape and purpose as PolarEvent — Stripe's `event.id` plays the
|
||||
same role as Standard Webhooks' `webhook-id`. We keep the tables
|
||||
distinct (rather than a single 'webhook_events' table) so an
|
||||
operator can look at the audit trail per processor without filtering
|
||||
on a `source` column."""
|
||||
__tablename__ = "stripe_events"
|
||||
|
||||
id: Mapped[int] = mapped_column(_PK, primary_key=True, autoincrement=True)
|
||||
event_id: Mapped[str] = mapped_column(String(128), nullable=False)
|
||||
event_type: Mapped[str] = mapped_column(String(64), nullable=False)
|
||||
received_at: Mapped[datetime] = mapped_column(
|
||||
DateTime(timezone=True), default=utcnow, nullable=False,
|
||||
)
|
||||
processed_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True))
|
||||
error: Mapped[str | None] = mapped_column(Text)
|
||||
payload: Mapped[str] = mapped_column(Text, nullable=False)
|
||||
|
||||
__table_args__ = (
|
||||
UniqueConstraint("event_id", name="uq_stripe_events_event_id"),
|
||||
Index("ix_stripe_events_type_received", "event_type", "received_at"),
|
||||
)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue