grant/keysat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
927ac2be538bf7f895649b1f2bfbad11610a5b1f
keysat/licensing-service/src/api/upgrade.rs
T
Grant 54f7ea08b5 P1 — change-tier UX, Zaprite webhook copy, self-tier guard, Lightning copy 
Bundle of bugfixes from the P1 testing batch. None individually
huge; together they close several "tested it, hit a sharp edge"
items.

1. Change-tier modal — kill the paid path from UI
   The Apply-as-comp toggle is gone. Admin tier changes always
   apply as comp now. The reasoning (per Grant's testing): admin
   tier changes are operator-driven, payment has either already
   happened off-rails or it's a comp; the "admin generates
   invoice and forwards URL" flow is a tiny niche that just
   produces orphan invoices when the modal gets dismissed.
   Buyers who want to pay use the SDK's /v1/upgrade.
   The API path is unchanged for back-compat with scripted
   operators (skip_payment defaults to true here).

2. Change-tier modal — downgrade detection + warning banner
   Detects target.tier_rank < current.tier_rank (or price-diff
   when ranks aren't set), renders a yellow warning card listing
   the entitlements the buyer is about to lose, and confirms via
   browser dialog before submit. Operator sees what they're
   doing.

3. Self-tier guard on admin change-tier
   POST /v1/admin/licenses/<id>/change-tier rejects when <id>
   is the daemon's own self_license. Avoids the recursion Grant
   hit when trying to downgrade himself: the on-disk signed key
   is the source-of-truth at boot, so the DB tier_change just
   produces a half-applied state. Error message points at the
   right paths (re-mint via master Keysat OR rename
   /data/keysat-license.txt for testing). With the P0 self-tier
   live-refresh in place the recursion is now fully resolved
   anyway, but the guard is good belt-and-suspenders for
   operator clarity.

4. Zaprite webhook — full URL in copy + persistent action
   - The Connect Zaprite action now shows the EXACT
     https://your-keysat-url/v1/zaprite/webhook URL to paste
     into Zaprite's dashboard. Previous copy showed a
     placeholder "<your Keysat public URL>/...", which Zaprite's
     form rejects (it requires full https://). Daemon's
     /v1/admin/zaprite/connect now returns webhook_url; the
     action displays it.
   - New "Show Zaprite webhook setup" StartOS Action — operators
     who skipped the step on first connect, or who lost the
     output, can run this any time and get the URL again.
   - Full explainer of what webhooks unlock vs polling-only:
     "without webhooks, Keysat polls /v1/orders every 60s, so
     license issuance lags settle by up to a minute; with
     webhooks, ~1s." Lives on /v1/admin/zaprite/status response
     as `webhook_explainer` + in the action's display text.

5. Connect-while-connected short-circuit
   POST /v1/admin/zaprite/connect now returns 409 Conflict with a
   clear "already connected — disconnect first" message instead
   of silently overwriting an existing config. (BTCPay's
   start_connect already had this guard since the durable
   provider switch work.)

6. Lightning vs on-chain copy on the wait page
   /thank-you was hard-coded to "next block confirms" — wrong
   for Lightning payments (instant) and confusing in the common
   case where buyers paid via Lightning and saw a "waiting for
   block confirmation" message. Updated to: "Lightning settles
   in seconds; on-chain typically settles in 10-20 minutes (one
   block confirmation)." Method-aware copy (parsed from the
   provider's invoice payload) is a deeper fix but out of scope
   here — this gets the operator-facing accuracy right today.

Test count unchanged; all 77 still passing.
2026-05-09 13:58:03 -05:00

574 lines
22 KiB
Rust
Raw Blame History

//! Buyer-facing tier upgrade endpoints.
//!
//! Phase 3 of TIER_UPGRADES_DESIGN.md. Two endpoints:
//!
//! - `POST /v1/upgrade-quote` — read-only quote: "what would I owe
//! if I upgraded to <tier>?"
//! - `POST /v1/upgrade` — start an upgrade: creates a payment
//! invoice for the prorated charge,
//! returns the checkout URL. Webhook
//! handler applies the change on settle.
//!
//! Auth model matches the recovery + buyer-cancel endpoints — the
//! buyer's signed license key in the request body is the credential.
//! The daemon verifies the signature, looks up the local license row,
//! computes the quote, optionally creates an invoice. No admin token,
//! no cookie.
//!
//! Out of scope for Phase 3 (Phase 4 with admin endpoint):
//! - **Buyer-initiated recurring downgrades.** The quote function in
//! `crate::upgrades` already returns a 0-charge quote with
//! `effective_at = next_renewal_at`, but actually applying the
//! change at the right moment (cycle boundary) requires renewal-
//! worker integration. Phase 4 lands that. For now this endpoint
//! rejects buyer downgrades with a 403 and a hint to contact support.
//! - **Admin force-change.** `POST /v1/admin/licenses/:id/change-tier`
//! ships in Phase 4.
use crate::api::admin::{request_context, require_admin};
use crate::api::AppState;
use crate::error::{AppError, AppResult};
use crate::payment::{CreateInvoiceParams, Money};
use axum::{
extract::{Path, State},
http::HeaderMap,
Json,
};
use serde::Deserialize;
use serde_json::{json, Value};
use uuid::Uuid;
#[derive(Debug, Deserialize)]
pub struct QuoteReq {
/// Buyer's signed license key. Verified before we compute anything.
pub license_key: String,
/// Slug of the policy the buyer wants to move to. Resolved within
/// the license's product (cross-product changes are not supported
/// by the quote function).
pub target_policy_slug: String,
}
/// `POST /v1/upgrade-quote` — quote-only. No DB writes, no invoice.
/// Returns the same shape `crate::upgrades::UpgradeQuote` produces,
/// flattened to JSON for SDK consumption.
pub async fn quote(
State(state): State<AppState>,
Json(body): Json<QuoteReq>,
) -> AppResult<Json<Value>> {
let (license, target_policy) = resolve_request(&state, &body.license_key, &body.target_policy_slug).await?;
let q = crate::upgrades::compute_upgrade_quote(&state, &license, &target_policy, crate::upgrades::QuoteMode::Buyer).await?;
Ok(Json(quote_to_json(&q)))
}
#[derive(Debug, Deserialize)]
pub struct StartReq {
pub license_key: String,
pub target_policy_slug: String,
/// Optional buyer-supplied redirect target on payment-provider
/// success. Mirrors the purchase flow's same-named field.
#[serde(default)]
pub redirect_url: Option<String>,
}
/// `POST /v1/upgrade` — buyer commits to the upgrade. We:
/// 1. Recompute the quote (DON'T trust client-side shaping; the
/// on-chain charge must match what the daemon's logic decides).
/// 2. Reject buyer-initiated downgrades for v0.2.x (Phase 4 ships).
/// 3. Reject zero-charge upgrades — those are admin-only (e.g., free
/// upgrades come through the comp path, not the buyer path).
/// 4. Create a provider invoice for the prorated charge.
/// 5. Persist the local invoice + tier_changes row tying them
/// together. The webhook handler picks it up on settle.
///
/// Returns `{ invoice_id, checkout_url, amount_sats }` so the SDK can
/// open the checkout URL in the buyer's browser, then poll the
/// existing `/v1/purchase/:invoice_id` to detect settle (the webhook
/// applies the change server-side).
pub async fn start(
State(state): State<AppState>,
headers: HeaderMap,
Json(body): Json<StartReq>,
) -> AppResult<Json<Value>> {
let (ip, ua) = request_context(&headers);
let (license, target_policy) =
resolve_request(&state, &body.license_key, &body.target_policy_slug).await?;
let quote = crate::upgrades::compute_upgrade_quote(&state, &license, &target_policy, crate::upgrades::QuoteMode::Buyer).await?;
// Phase 3 scope: buyer endpoint handles UPGRADE only. Downgrades
// (even 0-charge ones) need the cycle-boundary apply path which
// ships with Phase 4 admin endpoint + renewal-worker integration.
if quote.direction == crate::upgrades::TierDirection::Downgrade {
return Err(AppError::Forbidden);
}
if quote.proration_charge_value <= 0 {
return Err(AppError::BadRequest(
"this upgrade has no charge owed; admin must apply it as a comp via \
POST /v1/admin/licenses/:id/change-tier (Phase 4)".into(),
));
}
// Convert proration to sats. SAT-currency licenses skip the rate
// fetcher (identity). Fiat licenses re-quote against the live rate.
let conversion = crate::rates::convert_to_sats(
&state,
&quote.listed_currency,
quote.proration_charge_value,
)
.await
.map_err(|e| AppError::Upstream(format!("rate conversion failed: {e:#}")))?;
let amount_sats = conversion.sats.max(1);
// Create provider invoice. Same trait method the purchase + renewal
// paths use, so any provider-specific concerns (URL rewriting,
// metadata enrichment) live inside the impl.
let provider = state.payment_provider().await?;
let internal_invoice_id = Uuid::new_v4().to_string();
let default_redirect = format!(
"{}/thank-you?invoice_id={}",
state.config.public_base_url, internal_invoice_id
);
let redirect_url = body
.redirect_url
.as_deref()
.filter(|s| !s.is_empty())
.unwrap_or(&default_redirect);
let created = provider
.create_invoice(CreateInvoiceParams {
amount: Money::sats(amount_sats),
redirect_url,
metadata: json!({
"productId": target_policy.product_id,
"intent": "tier_change",
"licenseId": license.id,
"fromPolicyId": quote.from_policy_id,
"toPolicyId": quote.to_policy_id,
}),
external_order_id: &internal_invoice_id,
buyer_email: license.buyer_email.as_deref(),
})
.await
.map_err(|e| AppError::Upstream(format!("provider create_invoice: {e:#}")))?;
// Persist invoice. The exchange rate fields capture the conversion
// so the receipt UI can show "you paid X sats which is $Y at the
// moment of charge." Same shape as the regular purchase path.
let invoice = crate::db::repo::create_invoice_with_currency(
&state.db,
&internal_invoice_id,
&created.provider_invoice_id,
&target_policy.product_id,
amount_sats,
&created.checkout_url,
license.buyer_email.as_deref(),
Some("tier upgrade"),
Some(&quote.to_policy_id),
Some(&quote.listed_currency),
Some(quote.proration_charge_value),
conversion.rate_centibps,
Some(conversion.source.as_str()),
)
.await?;
// Record the tier_change row, tied to this invoice. The webhook
// handler looks it up by invoice_id on settle and applies.
let effective_at = match &quote.effective_at {
crate::upgrades::EffectiveAt::Immediate => chrono::Utc::now().to_rfc3339(),
crate::upgrades::EffectiveAt::At(s) => s.clone(),
};
let tier_change_id = crate::upgrades::record_tier_change(
&state.db,
&license.id,
&quote.from_policy_id,
&quote.to_policy_id,
quote.direction,
&quote.listed_currency,
quote.proration_charge_value,
Some(&invoice.id),
&effective_at,
"buyer",
None,
)
.await
.map_err(AppError::Internal)?;
// Audit row in the generic stream; tier_changes is its own
// audit-shaped table, but audit_log is the single "what
// happened" feed operators read from.
let _ = crate::db::repo::insert_audit(
&state.db,
"buyer_license_key",
Some(&license.id),
"subscription.upgrade.started",
Some("tier_change"),
Some(&tier_change_id),
ip.as_deref(),
ua.as_deref(),
&json!({
"license_id": license.id,
"from_policy_id": quote.from_policy_id,
"to_policy_id": quote.to_policy_id,
"invoice_id": invoice.id,
"listed_currency": quote.listed_currency,
"proration_charge_value": quote.proration_charge_value,
"amount_sats": amount_sats,
}),
)
.await;
Ok(Json(json!({
"invoice_id": invoice.id,
"provider_invoice_id": created.provider_invoice_id,
"checkout_url": created.checkout_url,
"amount_sats": amount_sats,
"proration_charge_value": quote.proration_charge_value,
"listed_currency": quote.listed_currency,
"tier_change_id": tier_change_id,
"from_policy_slug": quote.from_policy_slug,
"to_policy_slug": quote.to_policy_slug,
})))
}
/// Verify the buyer's license key, look up the local license row, and
/// resolve the target policy by slug (under the license's product).
/// Centralises the auth + lookup so quote and start handlers can
/// stay narrow. 401 on auth failure (don't leak whether the policy
/// exists), 404 on missing target.
async fn resolve_request(
state: &AppState,
license_key: &str,
target_policy_slug: &str,
) -> AppResult<(crate::models::License, crate::models::Policy)> {
let (payload, signature, signed_bytes) =
crate::crypto::parse_key(license_key).map_err(|_| AppError::Unauthorized)?;
crate::crypto::verify_payload(&state.keypair.verifying, &signed_bytes, &signature)
.map_err(|_| AppError::Unauthorized)?;
let license_id = payload.license_id.to_string();
let license = crate::db::repo::get_license_by_id(&state.db, &license_id)
.await?
.ok_or(AppError::Unauthorized)?;
if license.revoked_at.is_some() || license.suspended_at.is_some() {
return Err(AppError::Unauthorized);
}
let target_policy = crate::db::repo::get_policy_by_slug(
&state.db,
&license.product_id,
target_policy_slug,
)
.await?
.ok_or_else(|| AppError::NotFound(format!("target policy '{target_policy_slug}'")))?;
Ok((license, target_policy))
}
// ---------------------------------------------------------------------
// Admin force-change endpoint (Phase 4)
// ---------------------------------------------------------------------
#[derive(Debug, Deserialize)]
pub struct AdminChangeReq {
/// Slug of the policy to move the license to. Resolved within
/// the license's product.
pub to_policy_slug: String,
/// When true, apply the change immediately with no invoice
/// (operator absorbs the cost — comp upgrade, support fix-up,
/// fixing a misissue). When false, behave like the buyer
/// endpoint: create an invoice for the prorated charge,
/// webhook applies on settle.
#[serde(default)]
pub skip_payment: bool,
/// Free-form audit note. Surfaced in audit_log + tier_changes.reason.
#[serde(default)]
pub reason: Option<String>,
}
/// `POST /v1/admin/licenses/:id/change-tier` — admin force-change.
/// Bypasses ladder rules (sideways changes, NULL-rank policies,
/// perpetual downgrades all allowed). Two modes:
///
/// - `skip_payment: true`: applies immediately. tier_changes row
/// is written with invoice_id = NULL and proration_charge_value = 0.
/// The license's policy_id + entitlements + expiry + max_machines
/// flip on the spot; any tied subscription's policy_id +
/// listed_value + period_days update so the next renewal bills the
/// new tier.
///
/// - `skip_payment: false`: same flow as the buyer's `/v1/upgrade` —
/// creates a provider invoice for the prorated charge, persists
/// the local invoice + a tier_changes row tied to it. The webhook
/// handler applies on settle. The operator gets the checkout URL
/// back and forwards it to the buyer through whatever channel
/// they prefer (email, chat, etc.).
pub async fn admin_change(
State(state): State<AppState>,
headers: HeaderMap,
Path(license_id): Path<String>,
Json(body): Json<AdminChangeReq>,
) -> AppResult<Json<Value>> {
let actor_hash = require_admin(&state, &headers)?;
let (ip, ua) = request_context(&headers);
let reason = body.reason.as_deref().filter(|s| !s.trim().is_empty());
// Refuse to change-tier on the daemon's OWN self-license. The
// signed key on disk is the immutable proof-of-tier and won't
// reflect any DB change anyway — operators trying to "downgrade
// themselves to test gating" hit a recursion that produces a
// confusing half-applied state. Live-refresh from the DB does
// pick up the new entitlements, but the operator should drive
// self-tier changes through the proper re-mint flow on the
// master Keysat instead. For now, refuse with a clear message.
{
let current = state.self_tier.read().await.clone();
if let crate::license_self::Tier::Licensed { license_id: self_id, .. } = current {
if self_id.to_string() == license_id {
return Err(AppError::BadRequest(
"cannot change tier on the daemon's own self-license — \
re-issue a new key from the master Keysat and activate it via \
'Activate Keysat license' instead. Or, for testing Creator-tier \
gates, temporarily move /data/keysat-license.txt aside and \
restart Keysat to boot Unlicensed."
.into(),
));
}
}
}
let license = crate::db::repo::get_license_by_id(&state.db, &license_id)
.await?
.ok_or_else(|| AppError::NotFound(format!("license '{license_id}'")))?;
let target_policy = crate::db::repo::get_policy_by_slug(
&state.db,
&license.product_id,
&body.to_policy_slug,
)
.await?
.ok_or_else(|| AppError::NotFound(format!("target policy '{}'", body.to_policy_slug)))?;
let quote = crate::upgrades::compute_upgrade_quote(
&state,
&license,
&target_policy,
crate::upgrades::QuoteMode::Admin,
)
.await?;
if body.skip_payment {
// Comp path: apply immediately, no invoice.
let product = crate::db::repo::get_product_by_id(&state.db, &target_policy.product_id)
.await?
.ok_or_else(|| AppError::NotFound(format!("product '{}'", target_policy.product_id)))?;
crate::upgrades::apply_tier_change(&state.db, &license.id, &target_policy, &product)
.await
.map_err(AppError::Internal)?;
let tier_change_id = crate::upgrades::record_tier_change(
&state.db,
&license.id,
&quote.from_policy_id,
&quote.to_policy_id,
quote.direction,
&quote.listed_currency,
0, // comp: no charge
None,
&chrono::Utc::now().to_rfc3339(),
"admin",
reason,
)
.await
.map_err(AppError::Internal)?;
let _ = crate::db::repo::insert_audit(
&state.db,
"admin_api_key",
Some(&actor_hash),
"license.change_tier.comp",
Some("tier_change"),
Some(&tier_change_id),
ip.as_deref(),
ua.as_deref(),
&json!({
"license_id": license.id,
"from_policy_id": quote.from_policy_id,
"to_policy_id": quote.to_policy_id,
"to_policy_slug": target_policy.slug,
"direction": quote.direction.as_str(),
"reason": reason,
"skip_payment": true,
}),
)
.await;
crate::webhooks::dispatch(
&state,
"license.tier_changed",
&json!({
"license_id": license.id,
"product_id": product.id,
"from_policy_id": quote.from_policy_id,
"to_policy_id": quote.to_policy_id,
"to_policy_slug": target_policy.slug,
"direction": quote.direction.as_str(),
"actor": "admin",
"tier_change_id": tier_change_id,
}),
)
.await;
return Ok(Json(json!({
"ok": true,
"applied": true,
"license_id": license.id,
"tier_change_id": tier_change_id,
"skip_payment": true,
"from_policy_slug": quote.from_policy_slug,
"to_policy_slug": quote.to_policy_slug,
})));
}
// Paid path: create invoice + tier_changes row tied to it.
// If the quote came back with proration <= 0 (sideways or
// operator forcing a same-price change), there's nothing to bill.
// Surface a clear error so the operator switches to skip_payment=true.
if quote.proration_charge_value <= 0 {
return Err(AppError::BadRequest(
"this change has no charge owed; use skip_payment=true to apply as a comp"
.into(),
));
}
let conversion = crate::rates::convert_to_sats(
&state,
&quote.listed_currency,
quote.proration_charge_value,
)
.await
.map_err(|e| AppError::Upstream(format!("rate conversion failed: {e:#}")))?;
let amount_sats = conversion.sats.max(1);
let provider = state.payment_provider().await?;
let internal_invoice_id = Uuid::new_v4().to_string();
let default_redirect = format!(
"{}/thank-you?invoice_id={}",
state.config.public_base_url, internal_invoice_id
);
let created = provider
.create_invoice(CreateInvoiceParams {
amount: Money::sats(amount_sats),
redirect_url: &default_redirect,
metadata: json!({
"productId": target_policy.product_id,
"intent": "admin_tier_change",
"licenseId": license.id,
"fromPolicyId": quote.from_policy_id,
"toPolicyId": quote.to_policy_id,
}),
external_order_id: &internal_invoice_id,
buyer_email: license.buyer_email.as_deref(),
})
.await
.map_err(|e| AppError::Upstream(format!("provider create_invoice: {e:#}")))?;
let invoice = crate::db::repo::create_invoice_with_currency(
&state.db,
&internal_invoice_id,
&created.provider_invoice_id,
&target_policy.product_id,
amount_sats,
&created.checkout_url,
license.buyer_email.as_deref(),
Some("admin tier-change"),
Some(&quote.to_policy_id),
Some(&quote.listed_currency),
Some(quote.proration_charge_value),
conversion.rate_centibps,
Some(conversion.source.as_str()),
)
.await?;
let effective_at = match &quote.effective_at {
crate::upgrades::EffectiveAt::Immediate => chrono::Utc::now().to_rfc3339(),
crate::upgrades::EffectiveAt::At(s) => s.clone(),
};
let tier_change_id = crate::upgrades::record_tier_change(
&state.db,
&license.id,
&quote.from_policy_id,
&quote.to_policy_id,
quote.direction,
&quote.listed_currency,
quote.proration_charge_value,
Some(&invoice.id),
&effective_at,
"admin",
reason,
)
.await
.map_err(AppError::Internal)?;
let _ = crate::db::repo::insert_audit(
&state.db,
"admin_api_key",
Some(&actor_hash),
"license.change_tier.invoice_created",
Some("tier_change"),
Some(&tier_change_id),
ip.as_deref(),
ua.as_deref(),
&json!({
"license_id": license.id,
"from_policy_id": quote.from_policy_id,
"to_policy_id": quote.to_policy_id,
"to_policy_slug": target_policy.slug,
"direction": quote.direction.as_str(),
"invoice_id": invoice.id,
"amount_sats": amount_sats,
"listed_currency": quote.listed_currency,
"proration_charge_value": quote.proration_charge_value,
"reason": reason,
"skip_payment": false,
}),
)
.await;
Ok(Json(json!({
"ok": true,
"applied": false,
"license_id": license.id,
"tier_change_id": tier_change_id,
"invoice_id": invoice.id,
"provider_invoice_id": created.provider_invoice_id,
"checkout_url": created.checkout_url,
"amount_sats": amount_sats,
"proration_charge_value": quote.proration_charge_value,
"listed_currency": quote.listed_currency,
"from_policy_slug": quote.from_policy_slug,
"to_policy_slug": quote.to_policy_slug,
"skip_payment": false,
})))
}
fn quote_to_json(q: &crate::upgrades::UpgradeQuote) -> Value {
let effective_at = match &q.effective_at {
crate::upgrades::EffectiveAt::Immediate => json!("immediate"),
crate::upgrades::EffectiveAt::At(s) => json!(s),
};
json!({
"from_policy_id": q.from_policy_id,
"from_policy_slug": q.from_policy_slug,
"to_policy_id": q.to_policy_id,
"to_policy_slug": q.to_policy_slug,
"direction": q.direction.as_str(),
"listed_currency": q.listed_currency,
"proration_charge_value": q.proration_charge_value,
"effective_at": effective_at,
"next_renewal_charge": q.next_renewal_charge,
"next_renewal_period_days": q.next_renewal_period_days,
})
}
Reference in New Issue View Git Blame Copy Permalink