Implement Stripe payment intents

Author: haocyan0723-code

apps/api/package.json

@@ -1,19 +1,20 @@
-{
-  "name": "@freelanceflow/api",
-  "private": true,
-  "type": "module",
-  "scripts": {
-    "dev": "node src/server.js",
-    "start": "node src/server.js",
-    "test": "node --test src/tests"
-  },
-  "dependencies": {
-    "cors": "^2.8.5",
-    "express": "^4.19.2",
-    "express-rate-limit": "^7.4.0",
-    "helmet": "^7.1.0",
-    "jsonwebtoken": "^9.0.2",
-    "multer": "^2.1.1",
-    "zod": "^3.23.8"
-  }
-}
+{
+  "name": "@freelanceflow/api",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "node src/server.js",
+    "start": "node src/server.js",
+    "test": "node --test \"src/tests/**/*.test.js\""
+  },
+  "dependencies": {
+    "cors": "^2.8.5",
+    "express": "^4.19.2",
+    "express-rate-limit": "^7.4.0",
+    "helmet": "^7.1.0",
+    "jsonwebtoken": "^9.0.2",
+    "multer": "^2.1.1",
+    "stripe": "^18.5.0",
+    "zod": "^3.23.8"
+  }
+}

apps/api/src/controllers/paymentController.js

@@ -1,6 +1,14 @@
 import { ok } from "../utils/response.js";
-import { createPaymentIntent } from "../services/paymentService.js";
+import { createPaymentIntent, PaymentValidationError } from "../services/paymentService.js";
 
 export async function createPayment(req, res) {
-  return ok(res, await createPaymentIntent(req.body), 201);
+  try {
+    return ok(res, await createPaymentIntent(req.body), 201);
+  } catch (error) {
+    if (error instanceof PaymentValidationError) {
+      return res.status(400).json({ error: error.message });
+    }
+
+    return res.status(502).json({ error: error.message });
+  }
 }

apps/api/src/services/paymentService.js

@@ -1,9 +1,87 @@
-export async function createPaymentIntent(payload) {
-  // TODO: integrate Stripe SDK and return client secret.
-  return {
-    paymentId: `pay_${Date.now()}`,
-    amount: payload.amount,
-    currency: payload.currency ?? "usd",
-    provider: "stripe"
-  };
+import Stripe from "stripe";
+
+let stripeClient;
+
+export class PaymentValidationError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "PaymentValidationError";
+  }
+}
+
+function getStripeClient() {
+  if (stripeClient) {
+    return stripeClient;
+  }
+
+  if (!process.env.STRIPE_SECRET_KEY) {
+    throw new PaymentValidationError("STRIPE_SECRET_KEY is required");
+  }
+
+  stripeClient = new Stripe(process.env.STRIPE_SECRET_KEY);
+  return stripeClient;
+}
+
+export function setStripeClientForTests(client) {
+  stripeClient = client;
+}
+
+function validateAmount(amount) {
+  if (!Number.isInteger(amount) || amount <= 0) {
+    throw new PaymentValidationError("amount must be a positive integer in the smallest currency unit");
+  }
+
+  return amount;
+}
+
+function validateCurrency(currency) {
+  if (currency === undefined) {
+    return "usd";
+  }
+
+  if (typeof currency !== "string" || !/^[a-z]{3}$/i.test(currency)) {
+    throw new PaymentValidationError("currency must be a three-letter currency code");
+  }
+
+  return currency.toLowerCase();
+}
+
+function validateMetadata(metadata) {
+  if (metadata === undefined) {
+    return undefined;
+  }
+
+  if (metadata === null || Array.isArray(metadata) || typeof metadata !== "object") {
+    throw new PaymentValidationError("metadata must be an object when provided");
+  }
+
+  return metadata;
+}
+
+export async function createPaymentIntent(payload = {}) {
+  const amount = validateAmount(payload.amount);
+  const currency = validateCurrency(payload.currency);
+  const metadata = validateMetadata(payload.metadata);
+
+  try {
+    const paymentIntent = await getStripeClient().paymentIntents.create({
+      amount,
+      currency,
+      ...(metadata ? { metadata } : {})
+    });
+
+    return {
+      paymentId: paymentIntent.id,
+      clientSecret: paymentIntent.client_secret,
+      amount,
+      currency,
+      provider: "stripe"
+    };
+  } catch (error) {
+    if (error instanceof PaymentValidationError) {
+      throw error;
+    }
+
+    throw new Error(error.message || "Stripe payment intent creation failed");
+  }
 }

apps/api/src/tests/paymentRoutes.test.js

@@ -0,0 +1,63 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { createApp } from "../app.js";
+import { setStripeClientForTests } from "../services/paymentService.js";
+
+async function withServer(callback) {
+  const app = createApp();
+  const server = app.listen(0);
+
+  await new Promise((resolve, reject) => {
+    server.once("listening", resolve);
+    server.once("error", reject);
+  });
+
+  try {
+    const { port } = server.address();
+    await callback(`http://127.0.0.1:${port}`);
+  } finally {
+    await new Promise((resolve, reject) => {
+      server.close((error) => (error ? reject(error) : resolve()));
+    });
+  }
+}
+
+test("POST /api/payments returns Stripe client secret", async () => {
+  setStripeClientForTests({
+    paymentIntents: {
+      async create() {
+        return {
+          id: "pi_route_123",
+          client_secret: "pi_route_123_secret"
+        };
+      }
+    }
+  });
+
+  await withServer(async (baseUrl) => {
+    const response = await fetch(`${baseUrl}/api/payments`, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ amount: 1999 })
+    });
+    const payload = await response.json();
+
+    assert.equal(response.status, 201);
+    assert.equal(payload.data.paymentId, "pi_route_123");
+    assert.equal(payload.data.clientSecret, "pi_route_123_secret");
+  });
+});
+
+test("POST /api/payments returns 400 for invalid amount", async () => {
+  await withServer(async (baseUrl) => {
+    const response = await fetch(`${baseUrl}/api/payments`, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ amount: -1 })
+    });
+    const payload = await response.json();
+
+    assert.equal(response.status, 400);
+    assert.equal(payload.error, "amount must be a positive integer in the smallest currency unit");
+  });
+});

apps/api/src/tests/paymentService.test.js

@@ -0,0 +1,85 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import {
+  createPaymentIntent,
+  PaymentValidationError,
+  setStripeClientForTests
+} from "../services/paymentService.js";
+
+test("createPaymentIntent creates a Stripe payment intent", async () => {
+  const calls = [];
+
+  setStripeClientForTests({
+    paymentIntents: {
+      async create(params) {
+        calls.push(params);
+        return {
+          id: "pi_test_123",
+          client_secret: "pi_test_123_secret_456"
+        };
+      }
+    }
+  });
+
+  const result = await createPaymentIntent({
+    amount: 2500,
+    currency: "USD",
+    metadata: { orderId: "order_123" }
+  });
+
+  assert.deepEqual(calls, [
+    {
+      amount: 2500,
+      currency: "usd",
+      metadata: { orderId: "order_123" }
+    }
+  ]);
+  assert.deepEqual(result, {
+    paymentId: "pi_test_123",
+    clientSecret: "pi_test_123_secret_456",
+    amount: 2500,
+    currency: "usd",
+    provider: "stripe"
+  });
+});
+
+test("createPaymentIntent defaults currency to usd", async () => {
+  const calls = [];
+
+  setStripeClientForTests({
+    paymentIntents: {
+      async create(params) {
+        calls.push(params);
+        return {
+          id: "pi_test_default",
+          client_secret: "pi_test_default_secret"
+        };
+      }
+    }
+  });
+
+  await createPaymentIntent({ amount: 1000 });
+
+  assert.equal(calls[0].currency, "usd");
+});
+
+test("createPaymentIntent rejects invalid amounts", async () => {
+  await assert.rejects(
+    createPaymentIntent({ amount: 0 }),
+    (error) =>
+      error instanceof PaymentValidationError &&
+      error.message === "amount must be a positive integer in the smallest currency unit"
+  );
+});
+
+test("createPaymentIntent preserves Stripe error messages", async () => {
+  setStripeClientForTests({
+    paymentIntents: {
+      async create() {
+        throw new Error("Your card was declined.");
+      }
+    }
+  });
+
+  await assert.rejects(createPaymentIntent({ amount: 1000 }), /Your card was declined\./);
+});

apps/api/src/tests/paymentSmoke.test.js

@@ -0,0 +1,16 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { createPaymentIntent, setStripeClientForTests } from "../services/paymentService.js";
+
+test("creates a real Stripe test-mode payment intent when explicitly enabled", { skip: process.env.RUN_STRIPE_SMOKE_TEST !== "1" }, async () => {
+  setStripeClientForTests(undefined);
+
+  const result = await createPaymentIntent({
+    amount: 100,
+    currency: "usd",
+    metadata: { smoke: "true" }
+  });
+
+  assert.match(result.paymentId, /^pi_/);
+  assert.match(result.clientSecret, /^pi_/);
+});