Ghost/ghost/members-api/lib/controllers/router/index.js

const common = require('../../../lib/common');
const _ = require('lodash');
const errors = require('ghost-ignition').errors;

/**
 * RouterController
 *
 * @param {object} deps
 * @param {any} deps.memberRepository
 * @param {boolean} deps.allowSelfSignup
 * @param {any} deps.magicLinkService
 * @param {any} deps.stripeAPIService
 * @param {any} deps.stripePlanService
 * @param {any} deps.tokenService
 */
module.exports = class RouterController {
    constructor({
        memberRepository,
        allowSelfSignup,
        magicLinkService,
        stripeAPIService,
        stripePlansService,
        tokenService,
        sendEmailWithMagicLink
    }) {
        this._memberRepository = memberRepository;
        this._allowSelfSignup = allowSelfSignup;
        this._magicLinkService = magicLinkService;
        this._stripeAPIService = stripeAPIService;
        this._stripePlansService = stripePlansService;
        this._tokenService = tokenService;
        this._sendEmailWithMagicLink = sendEmailWithMagicLink;
    }

    async ensureStripe(_req, res, next) {
        if (!this._stripeAPIService) {
            res.writeHead(400);
            return res.end('Stripe not configured');
        }
        try {
            await this._stripeAPIService.ready();
            next();
        } catch (err) {
            res.writeHead(500);
            return res.end('There was an error configuring stripe');
        }
    }

    async updateSubscription(req, res) {
        const identity = req.body.identity;
        const subscriptionId = req.params.id;
        const cancelAtPeriodEnd = req.body.cancel_at_period_end;
        const cancellationReason = req.body.cancellation_reason;
        const planName = req.body.planName;

        if (cancelAtPeriodEnd === undefined && planName === undefined) {
            throw new errors.BadRequestError({
                message: 'Updating subscription failed!',
                help: 'Request should contain "cancel_at_period_end" or "planName" field.'
            });
        }

        if ((cancelAtPeriodEnd === undefined || cancelAtPeriodEnd === false) && cancellationReason !== undefined) {
            throw new errors.BadRequestError({
                message: 'Updating subscription failed!',
                help: '"cancellation_reason" field requires the "cancel_at_period_end" field to be true.'
            });
        }

        if (cancellationReason && cancellationReason.length > 500) {
            throw new errors.BadRequestError({
                message: 'Updating subscription failed!',
                help: '"cancellation_reason" field can be a maximum of 500 characters.'
            });
        }

        let email;
        try {
            if (!identity) {
                throw new errors.BadRequestError({
                    message: 'Updating subscription failed! Could not find member'
                });
            }

            const claims = await this._tokenService.decodeToken(identity);
            email = claims && claims.sub;
        } catch (err) {
            res.writeHead(401);
            return res.end('Unauthorized');
        }

        const member = email ? await this._memberRepository.get({email}, {withRelated: ['stripeSubscriptions']}) : null;

        if (!member) {
            throw new errors.BadRequestError({
                message: 'Updating subscription failed! Could not find member'
            });
        }

        // Don't allow removing subscriptions that don't belong to the member
        const subscription = member.related('stripeSubscriptions').models.find(
            subscription => subscription.get('subscription_id') === subscriptionId
        );
        if (!subscription) {
            res.writeHead(403);
            return res.end('No permission');
        }

        let updatedSubscription;
        if (planName !== undefined) {
            const plan = this._stripePlansService.getPlans().find(plan => plan.nickname === planName);
            if (!plan) {
                throw new errors.BadRequestError({
                    message: 'Updating subscription failed! Could not find plan'
                });
            }
            updatedSubscription = await this._stripeAPIService.changeSubscriptionPlan(subscriptionId, plan.id);
        } else if (cancelAtPeriodEnd !== undefined) {
            if (cancelAtPeriodEnd) {
                updatedSubscription = await this._stripeAPIService.cancelSubscriptionAtPeriodEnd(
                    subscriptionId, cancellationReason
                );
            } else {
                updatedSubscription = await this._stripeAPIService.continueSubscriptionAtPeriodEnd(
                    subscriptionId
                );
            }
        }
        if (updatedSubscription) {
            await this._memberRepository.linkSubscription({
                id: member.id,
                subscription: updatedSubscription
            });
        }

        res.writeHead(204);
        res.end();
    }

    async createCheckoutSetupSession(req, res) {
        const identity = req.body.identity;

        let email;
        try {
            if (!identity) {
                email = null;
            } else {
                const claims = await this._tokenService.decodeToken(identity);
                email = claims && claims.sub;
            }
        } catch (err) {
            res.writeHead(401);
            return res.end('Unauthorized');
        }

        const member = email ? await this._memberRepository.get({email}) : null;

        if (!member) {
            res.writeHead(403);
            return res.end('Bad Request.');
        }
        const customer = await this._stripeAPIService.getCustomerForMemberCheckoutSession(member);

        const session = await this._stripeAPIService.createCheckoutSetupSession(customer, {
            successUrl: req.body.successUrl,
            cancelUrl: req.body.cancelUrl
        });
        const publicKey = this._stripeAPIService.getPublicKey();
        const sessionInfo = {
            sessionId: session.id,
            publicKey
        };
        res.writeHead(200, {
            'Content-Type': 'application/json'
        });

        res.end(JSON.stringify(sessionInfo));
    }

    async createCheckoutSession(req, res) {
        const planName = req.body.plan;
        const identity = req.body.identity;

        if (!planName) {
            res.writeHead(400);
            return res.end('Bad Request.');
        }

        // NOTE: never allow "Complimentary" plan to be subscribed to from the client
        if (planName.toLowerCase() === 'complimentary') {
            res.writeHead(400);
            return res.end('Bad Request.');
        }

        const plan = this._stripePlansService.getPlan(planName);

        let email;
        try {
            if (!identity) {
                email = null;
            } else {
                const claims = await this._tokenService.decodeToken(identity);
                email = claims && claims.sub;
            }
        } catch (err) {
            res.writeHead(401);
            return res.end('Unauthorized');
        }

        const member = email ? await this._memberRepository.get({email}, {withRelated: ['stripeCustomers', 'stripeSubscriptions']}) : null;

        if (!member) {
            const customer = null;
            const session = await this._stripeAPIService.createCheckoutSession(plan, customer, {
                successUrl: req.body.successUrl,
                cancelUrl: req.body.cancelUrl,
                customerEmail: req.body.customerEmail,
                metadata: req.body.metadata
            });
            const publicKey = this._stripeAPIService.getPublicKey();

            const sessionInfo = {
                publicKey,
                sessionId: session.id
            };

            res.writeHead(200, {
                'Content-Type': 'application/json'
            });

            return res.end(JSON.stringify(sessionInfo));
        }

        for (const subscription of member.related('stripeSubscriptions')) {
            if (['active', 'trialing', 'unpaid', 'past_due'].includes(subscription.get('status'))) {
                res.writeHead(403);
                return res.end('No permission');
            }
        }

        let stripeCustomer;

        for (const customer of member.related('stripeCustomers').models) {
            try {
                const fetchedCustomer = await this._stripeAPIService.getCustomer(customer.get('customer_id'));
                if (!fetchedCustomer.deleted) {
                    stripeCustomer = fetchedCustomer;
                    break;
                }
            } catch (err) {
                console.log('Ignoring error for fetching customer for checkout');
            }
        }

        if (!stripeCustomer) {
            stripeCustomer = await this._stripeAPIService.createCustomer({email: member.email});
        }

        try {
            const session = await this._stripeAPIService.createCheckoutSession(plan, stripeCustomer, {
                successUrl: req.body.successUrl,
                cancelUrl: req.body.cancelUrl,
                metadata: req.body.metadata
            });
            const publicKey = this._stripeAPIService.getPublicKey();

            const sessionInfo = {
                publicKey,
                sessionId: session.id
            };

            res.writeHead(200, {
                'Content-Type': 'application/json'
            });

            return res.end(JSON.stringify(sessionInfo));
        } catch (e) {
            const error = e.message || 'Unable to initiate checkout session';
            res.writeHead(400);
            return res.end(error);
        }
    }

    async sendMagicLink(req, res) {
        const {email, emailType, oldEmail, requestSrc} = req.body;
        let forceEmailType = false;
        if (!email) {
            res.writeHead(400);
            return res.end('Bad Request.');
        }

        try {
            if (oldEmail) {
                const existingMember = await this._memberRepository.get({email});
                if (existingMember) {
                    throw new errors.BadRequestError({
                        message: 'This email is already associated with a member'
                    });
                }
                forceEmailType = true;
            }

            if (!this._allowSelfSignup) {
                const member = oldEmail ? await this._memberRepository.get({oldEmail}) : await this._memberRepository.get({email});
                if (member) {
                    const tokenData = _.pick(req.body, ['oldEmail']);
                    await this._sendEmailWithMagicLink({email, tokenData, requestedType: emailType, requestSrc, options: {forceEmailType}});
                }
            } else {
                const tokenData = _.pick(req.body, ['labels', 'name', 'oldEmail']);
                await this._sendEmailWithMagicLink({email, tokenData, requestedType: emailType, requestSrc, options: {forceEmailType}});
            }
            res.writeHead(201);
            return res.end('Created.');
        } catch (err) {
            const statusCode = (err && err.statusCode) || 500;
            common.logging.error(err);
            res.writeHead(statusCode);
            return res.end('Internal Server Error.');
        }
    }
};