fix: signup (#25334)

* Handle Stripe logic in `paymentCallback`

* Remove endpoint

* Do not send email verification email if premium username

* Remove logic from verify-view

* Callback send verification email

* Add `create` method to `VerificationToken` repository

* Create `VerificationTokenService`

* Early return if payment failed

* Refactor token generation

* Add tests

* Type fixes

* Type fixes

Author: joeauyeung

apps/web/modules/auth/verify-view.tsx

@@ -10,14 +10,11 @@ import { WEBAPP_URL } from "@calcom/lib/constants";
 import { useCompatSearchParams } from "@calcom/lib/hooks/useCompatSearchParams";
 import { useLocale } from "@calcom/lib/hooks/useLocale";
 import { useRouterQuery } from "@calcom/lib/hooks/useRouterQuery";
-import { trpc } from "@calcom/trpc/react";
 import classNames from "@calcom/ui/classNames";
 import { Button } from "@calcom/ui/components/button";
 import { Icon } from "@calcom/ui/components/icon";
 import { showToast } from "@calcom/ui/components/toast";
 
-import Loader from "@components/Loader";
-
 async function sendVerificationLogin(email: string, username: string, t: (key: string) => string) {
   await signIn("email", {
     email: email.toLowerCase(),
@@ -54,8 +51,9 @@ function useSendFirstVerificationLogin({
 }
 
 const querySchema = z.object({
-  stripeCustomerId: z.string().optional(),
-  sessionId: z.string().optional(),
+  email: z.string().optional(),
+  username: z.string().optional(),
+  paymentStatus: z.string().optional(),
   t: z.string().optional(),
 });
 
@@ -119,20 +117,20 @@ export default function Verify({ EMAIL_FROM }: { EMAIL_FROM?: string }) {
   const pathname = usePathname();
   const router = useRouter();
   const routerQuery = useRouterQuery();
-  const { t: tParam, sessionId, stripeCustomerId } = querySchema.parse(routerQuery);
+  const { email, username, paymentStatus } = querySchema.parse(routerQuery);
   const { t } = useLocale();
   const [secondsLeft, setSecondsLeft] = useState(30);
-  const { data } = trpc.viewer.public.stripeCheckoutSession.useQuery(
-    {
-      stripeCustomerId,
-      checkoutSessionId: sessionId,
-    },
-    {
-      enabled: !!stripeCustomerId || !!sessionId,
-      staleTime: Infinity,
-    }
-  );
-  useSendFirstVerificationLogin({ email: data?.customer?.email, username: data?.customer?.username });
+
+  // Derive payment failed status from payment status
+  const hasPaymentFailed = paymentStatus !== undefined && paymentStatus !== "paid";
+  const isPremiumUsername = !!paymentStatus; // If paymentStatus exists, it's from premium username flow
+
+  // Only send verification login if we DON'T have the email yet (for resend button)
+  // The email is already sent server-side in paymentCallback
+  useSendFirstVerificationLogin({
+    email: !isPremiumUsername ? email : undefined,
+    username: !isPremiumUsername ? username : undefined,
+  });
   // @note: check for t=timestamp and apply disabled state and secondsLeft accordingly
   // to avoid refresh to skip waiting 30 seconds to re-send email
   useEffect(() => {
@@ -159,34 +157,31 @@ export default function Verify({ EMAIL_FROM }: { EMAIL_FROM?: string }) {
     }
   }, [secondsLeft]);
 
-  if (!data) {
-    // Loading state
-    return <Loader />;
-  }
-  const { valid, hasPaymentFailed, customer } = data;
-  if (!valid) {
-    throw new Error("Invalid session or customer id");
-  }
-
-  if (!stripeCustomerId && !sessionId) {
+  if (!email) {
     return <div>{t("invalid_link")}</div>;
   }
 
   return (
     <div className="text-default bg-muted bg-opacity-90 backdrop-blur-md backdrop-grayscale backdrop-filter">
       <div className="flex min-h-screen flex-col items-center justify-center px-6">
         <div className="border-subtle bg-default m-10 flex max-w-2xl flex-col items-center rounded-xl border px-8 py-14 text-left">
-          {hasPaymentFailed ? <PaymentFailedIcon /> : sessionId ? <PaymentSuccess /> : <MailOpenIcon />}
+          {hasPaymentFailed ? (
+            <PaymentFailedIcon />
+          ) : isPremiumUsername ? (
+            <PaymentSuccess />
+          ) : (
+            <MailOpenIcon />
+          )}
           <h3 className="font-cal text-emphasis my-6 text-2xl font-normal leading-none">
             {hasPaymentFailed
               ? t("your_payment_failed")
-              : sessionId
+              : isPremiumUsername
               ? t("payment_successful")
               : t("check_your_inbox")}
           </h3>
           {hasPaymentFailed && <p className="my-6">{t("account_created_premium_not_reserved")}</p>}
           <p className="text-muted dark:text-subtle text-base font-normal">
-            {t("email_sent_with_activation_link", { email: customer?.email })}{" "}
+            {t("email_sent_with_activation_link", { email })}{" "}
             {hasPaymentFailed && t("activate_account_to_purchase_username")}
           </p>
           <div className="mt-7">
@@ -212,7 +207,7 @@ export default function Verify({ EMAIL_FROM }: { EMAIL_FROM?: string }) {
             )}
             disabled={secondsLeft > 0}
             onClick={async (e) => {
-              if (!customer) {
+              if (!email || !username) {
                 return;
               }
               e.preventDefault();
@@ -221,7 +216,7 @@ export default function Verify({ EMAIL_FROM }: { EMAIL_FROM?: string }) {
               const _searchParams = new URLSearchParams(searchParams?.toString());
               _searchParams.set("t", `${Date.now()}`);
               router.replace(`${pathname}?${_searchParams.toString()}`);
-              return await sendVerificationLogin(customer.email, customer.username, t);
+              return await sendVerificationLogin(email, username, t);
             }}>
             {secondsLeft > 0 ? t("resend_in_seconds", { seconds: secondsLeft }) : t("resend")}
           </button>

packages/app-store/stripepayment/api/__tests__/paymentCallback.test.ts

@@ -0,0 +1,266 @@
+import type { NextApiRequest, NextApiResponse } from "next";
+import { describe, it, expect, vi, beforeEach } from "vitest";
+
+import sendVerificationRequest from "@calcom/features/auth/lib/sendVerificationRequest";
+import { HttpError } from "@calcom/lib/http-error";
+import { VerificationTokenService } from "@calcom/lib/server/service/VerificationTokenService";
+import { prisma } from "@calcom/prisma";
+
+import { getCustomerAndCheckoutSession } from "../../lib/getCustomerAndCheckoutSession";
+
+// Mock dependencies
+vi.mock("@calcom/prisma", () => ({
+  prisma: {
+    user: {
+      findFirst: vi.fn(),
+      update: vi.fn(),
+    },
+  },
+}));
+
+vi.mock("../../lib/getCustomerAndCheckoutSession");
+vi.mock("@calcom/features/auth/lib/sendVerificationRequest");
+vi.mock("@calcom/lib/server/service/VerificationTokenService");
+
+const mockGetCustomerAndCheckoutSession = vi.mocked(getCustomerAndCheckoutSession);
+const mockSendVerificationRequest = vi.mocked(sendVerificationRequest);
+const mockVerificationTokenService = vi.mocked(VerificationTokenService);
+
+// Type the mocked prisma properly
+const mockPrisma = prisma as unknown as {
+  user: {
+    findFirst: ReturnType<typeof vi.fn>;
+    update: ReturnType<typeof vi.fn>;
+  };
+};
+
+describe("paymentCallback", () => {
+  let mockReq: Partial<NextApiRequest>;
+  let mockRes: Partial<NextApiResponse>;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+
+    mockReq = {
+      query: {
+        callbackUrl: "/premium-username-checkout",
+        checkoutSessionId: "cs_test_123",
+      },
+      url: "/api/payment/callback",
+      method: "GET",
+    };
+
+    mockRes = {
+      redirect: vi.fn().mockReturnThis(),
+      end: vi.fn().mockReturnThis(),
+      setHeader: vi.fn().mockReturnThis(),
+      status: vi.fn().mockReturnThis(),
+      json: vi.fn().mockReturnThis(),
+    };
+
+    // Default mock implementations
+    mockGetCustomerAndCheckoutSession.mockResolvedValue({
+      stripeCustomer: {
+        id: "cus_123",
+        email: "test@example.com",
+        metadata: {
+          username: "premium-user",
+        },
+      },
+      checkoutSession: {
+        payment_status: "paid",
+      },
+    } as any); // eslint-disable-line @typescript-eslint/no-explicit-any
+
+    mockPrisma.user.findFirst.mockResolvedValue({
+      id: 1,
+      email: "test@example.com",
+      locale: "en",
+      metadata: {},
+    } as any); // eslint-disable-line @typescript-eslint/no-explicit-any
+
+    mockPrisma.user.update.mockResolvedValue({
+      id: 1,
+      username: "premium-user",
+    } as any); // eslint-disable-line @typescript-eslint/no-explicit-any
+
+    mockVerificationTokenService.create.mockResolvedValue("test-token-123");
+    mockSendVerificationRequest.mockResolvedValue(undefined);
+  });
+
+  describe("VerificationTokenService integration", () => {
+    it("should call VerificationTokenService.create with correct parameters", async () => {
+      const { default: handler } = await import("../paymentCallback");
+
+      await handler(mockReq as NextApiRequest, mockRes as NextApiResponse);
+
+      expect(mockVerificationTokenService.create).toHaveBeenCalledWith({
+        identifier: "test@example.com",
+        expires: expect.any(Date),
+      });
+
+      const callArgs = mockVerificationTokenService.create.mock.calls[0][0];
+      const expiresDate = callArgs.expires;
+      const now = Date.now();
+      const oneDayInMs = 86400 * 1000;
+
+      // Verify expires is approximately 1 day from now (within 1 second tolerance)
+      expect(expiresDate.getTime()).toBeGreaterThan(now);
+      expect(expiresDate.getTime()).toBeLessThanOrEqual(now + oneDayInMs + 1000);
+    });
+
+    it("should send verification email with token from service", async () => {
+      const { default: handler } = await import("../paymentCallback");
+
+      await handler(mockReq as NextApiRequest, mockRes as NextApiResponse);
+
+      expect(mockSendVerificationRequest).toHaveBeenCalledWith({
+        identifier: "test@example.com",
+        url: expect.stringContaining("token=test-token-123"),
+      });
+    });
+
+    it("should create verification token before sending email", async () => {
+      const { default: handler } = await import("../paymentCallback");
+      const callOrder: string[] = [];
+
+      mockVerificationTokenService.create.mockImplementation(async () => {
+        callOrder.push("create-token");
+        return "test-token";
+      });
+
+      mockSendVerificationRequest.mockImplementation(async () => {
+        callOrder.push("send-email");
+      });
+
+      await handler(mockReq as NextApiRequest, mockRes as NextApiResponse);
+
+      expect(callOrder).toEqual(["create-token", "send-email"]);
+    });
+
+    it("should create verification token only after payment is confirmed", async () => {
+      mockGetCustomerAndCheckoutSession.mockResolvedValue({
+        stripeCustomer: {
+          id: "cus_123",
+          email: "test@example.com",
+          metadata: { username: "premium-user" },
+        },
+        checkoutSession: {
+          payment_status: "unpaid",
+        },
+      } as any); // eslint-disable-line @typescript-eslint/no-explicit-any
+
+      const { default: handler } = await import("../paymentCallback");
+
+      await handler(mockReq as NextApiRequest, mockRes as NextApiResponse);
+
+      expect(mockVerificationTokenService.create).not.toHaveBeenCalled();
+      expect(mockSendVerificationRequest).not.toHaveBeenCalled();
+    });
+
+    it("should handle user found by stripeCustomerId", async () => {
+      mockPrisma.user.findFirst
+        .mockResolvedValueOnce(null) // First call by email returns null
+        .mockResolvedValueOnce({
+          // Second call by stripeCustomerId succeeds
+          id: 2,
+          email: "different@example.com",
+          locale: "en",
+          metadata: { stripeCustomerId: "cus_123" },
+        } as any); // eslint-disable-line @typescript-eslint/no-explicit-any
+
+      const { default: handler } = await import("../paymentCallback");
+
+      await handler(mockReq as NextApiRequest, mockRes as NextApiResponse);
+
+      expect(mockVerificationTokenService.create).toHaveBeenCalledWith({
+        identifier: "different@example.com", // Should use user.email from found user
+        expires: expect.any(Date),
+      });
+    });
+
+    it("should update user with premium username before creating token", async () => {
+      const { default: handler } = await import("../paymentCallback");
+      const callOrder: string[] = [];
+
+      mockPrisma.user.update.mockImplementation(async () => {
+        callOrder.push("update-user");
+        return {} as any; // eslint-disable-line @typescript-eslint/no-explicit-any
+      });
+
+      mockVerificationTokenService.create.mockImplementation(async () => {
+        callOrder.push("create-token");
+        return "token";
+      });
+
+      await handler(mockReq as NextApiRequest, mockRes as NextApiResponse);
+
+      expect(callOrder).toEqual(["update-user", "create-token"]);
+    });
+
+    it("should redirect with correct parameters after successful payment", async () => {
+      const { default: handler } = await import("../paymentCallback");
+
+      await handler(mockReq as NextApiRequest, mockRes as NextApiResponse);
+
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const redirectUrl = (mockRes.redirect as any).mock.calls[0][0] as string;
+      expect(redirectUrl).toContain("email=test%40example.com");
+      expect(redirectUrl).toContain("username=premium-user");
+      expect(redirectUrl).toContain("paymentStatus=paid");
+    });
+
+    it("should not create verification token when stripe customer is not found", async () => {
+      mockGetCustomerAndCheckoutSession.mockResolvedValue({
+        stripeCustomer: null,
+        checkoutSession: { payment_status: "paid" },
+      } as any); // eslint-disable-line @typescript-eslint/no-explicit-any
+
+      const { default: handler } = await import("../paymentCallback");
+
+      try {
+        await handler(mockReq as NextApiRequest, mockRes as NextApiResponse);
+      } catch (error) {
+        expect(error).toBeInstanceOf(HttpError);
+        expect((error as HttpError).statusCode).toBe(404);
+      }
+
+      expect(mockVerificationTokenService.create).not.toHaveBeenCalled();
+    });
+
+    it("should not create verification token when user is not found", async () => {
+      mockPrisma.user.findFirst.mockResolvedValue(null);
+
+      const { default: handler } = await import("../paymentCallback");
+
+      try {
+        await handler(mockReq as NextApiRequest, mockRes as NextApiResponse);
+      } catch (error) {
+        expect(error).toBeInstanceOf(HttpError);
+        expect((error as HttpError).statusCode).toBe(404);
+      }
+
+      expect(mockVerificationTokenService.create).not.toHaveBeenCalled();
+    });
+
+    it("should use user email if stripe customer email is missing", async () => {
+      mockGetCustomerAndCheckoutSession.mockResolvedValue({
+        stripeCustomer: {
+          id: "cus_123",
+          email: null,
+          metadata: { username: "premium-user" },
+        },
+        checkoutSession: { payment_status: "paid" },
+      } as any); // eslint-disable-line @typescript-eslint/no-explicit-any
+
+      const { default: handler } = await import("../paymentCallback");
+
+      await handler(mockReq as NextApiRequest, mockRes as NextApiResponse);
+
+      expect(mockVerificationTokenService.create).toHaveBeenCalledWith({
+        identifier: "test@example.com", // Should use user.email
+        expires: expect.any(Date),
+      });
+    });
+  });
+});