Implement Stripe payment intents #70

Closed
Thanhdn1984 wants to merge 1 commit into SecureBananaLabs:main from Thanhdn1984:susan/stripe-payment-issue-1

Conversation

@Thanhdn1984 Thanhdn1984 commented May 17, 2026

/claim #1

Summary

  • Replaced the fake pay_${Date.now()} payment stub with Stripe PaymentIntent creation through the Stripe Node SDK
  • Validates amount as a positive integer, defaults/lowercases currency, and supports optional metadata
  • Returns paymentId and clientSecret from the real Stripe response while preserving Stripe error messages
  • Added mocked service + POST /api/payments route coverage plus a guarded live smoke test (STRIPE_LIVE_SMOKE=1)
  • Fixed the API test script to run test files via glob under Node 22

Demo / verification

  • npm test -w apps/api
  • git diff --check

Result: 7 passing tests, 1 skipped guarded live Stripe smoke test.

Short demo artifact: the test output exercises the mocked Stripe PaymentIntent path, validation failures, default currency, Stripe error preservation, env-key guard, POST /api/payments response, and existing health endpoint test.

@BossChaos

Code Review

PR: Implement Stripe payment intents by @Thanhdn1984

  • 🔒 Payment integration — needs security review

Wallet: 0xdaE5d307339074A24F579dB48e7c639359D94904

Code review for SecureBananaLabs bug-bounty

@Thanhdn1984 Thanhdn1984 force-pushed the susan/stripe-payment-issue-1 branch from ad1c050 to 50e186b Compare May 17, 2026 22:57
@Thanhdn1984
Author

Cleaned up PR scope after review: removed unrelated benchmark commit/files and rebased onto current main. The PR now only changes the Stripe payment service, API package dependency, tests, and lockfile.

Verification:

  • git diff --check
  • node --test apps/api/src/tests/*.js → 6 passing, 1 skipped guarded live Stripe smoke test

Note: npm test -w apps/api currently fails on upstream test script node --test src/tests under Node 22 because Node treats the directory as a module path. The explicit file glob above runs the same tests successfully.

@Thanhdn1984 Thanhdn1984 force-pushed the susan/stripe-payment-issue-1 branch from 50e186b to 6145194 Compare May 18, 2026 02:20
@Thanhdn1984
Author

Follow-up fix after rechecking the bounty requirements and reproducibility:

  • Fixed apps/api test script from node --test src/tests to node --test src/tests/*.js so the documented command works under Node 22.
  • Re-ran npm test -w apps/api: 6 passing, 1 skipped guarded live Stripe smoke test.
  • Re-ran git diff --check: clean.

The PR remains scoped to issue #1 only.

@Thanhdn1984 Thanhdn1984 force-pushed the susan/stripe-payment-issue-1 branch from 6145194 to 52e9739 Compare May 18, 2026 02:22
@Thanhdn1984
Author

Final recheck update:

  • Added POST /api/payments route coverage so the PR verifies the caller-facing API path, not only the service function.
  • Re-ran npm test -w apps/api: 7 passing, 1 skipped guarded live Stripe smoke test.
  • Re-ran git diff --check: clean.

Scope remains issue #1 only: Stripe SDK dependency, payment service, payment tests, API test script, lockfile.

@Thanhdn1984
Author

Demo / verification for bounty claim

This PR is now fully reproducible with the documented workspace command.

Commands run

npm test -w apps/api
git diff --check

Result

> test
> node --test src/tests/*.js

TAP version 13
# Subtest: GET /health returns ok payload
ok 1 - GET /health returns ok payload
# Subtest: createPaymentIntent creates a Stripe PaymentIntent
ok 2 - createPaymentIntent creates a Stripe PaymentIntent
# Subtest: createPaymentIntent defaults currency to usd
ok 3 - createPaymentIntent defaults currency to usd
# Subtest: createPaymentIntent validates amount
ok 4 - createPaymentIntent validates amount
# Subtest: createPaymentIntent preserves Stripe error messages
ok 5 - createPaymentIntent preserves Stripe error messages
# Subtest: createPaymentIntent requires STRIPE_SECRET_KEY
ok 6 - createPaymentIntent requires STRIPE_SECRET_KEY
# Subtest: POST /api/payments returns Stripe payment data
ok 7 - POST /api/payments returns Stripe payment data
# Subtest: createPaymentIntent live Stripe smoke test
ok 8 - createPaymentIntent live Stripe smoke test # SKIP

1..8
# tests 8
# pass 7
# fail 0
# skipped 1

What this demonstrates

  • Uses real Stripe SDK PaymentIntent creation via STRIPE_SECRET_KEY
  • Removes fake pay_${Date.now()} ID generation
  • Validates positive integer amount
  • Defaults/normalizes currency
  • Maps Stripe id → paymentId
  • Maps Stripe client_secret → clientSecret
  • Preserves Stripe error messages
  • Verifies caller-facing POST /api/payments response path
  • Keeps live Stripe smoke test guarded by STRIPE_LIVE_SMOKE=1

git diff --check also passes with no whitespace/errors.
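
The service behaviour listed in this PR (amount validation, currency default, id/client_secret mapping, error preservation, key guard), sketched as an added example that is not the PR's code. The Stripe client is injected through a hypothetical `makeClient` option and replaced by a constructed stub so the block runs offline; the function names, the three-letter currency check and the error strings are assumptions.

```javascript
// Added example, not the PR's code. Hypothetical names: normalizePaymentInput,
// makeClient, fakeStripe, and every error message string.

// Validate and normalize caller input before anything reaches Stripe.
function normalizePaymentInput({ amount, currency = 'usd', metadata } = {}) {
  // Amount is in the smallest currency unit: reject strings, floats, zero, negatives.
  if (!Number.isSafeInteger(amount) || amount <= 0) {
    throw new TypeError('amount must be a positive integer');
  }
  // Assumption: a three-letter code; the PR only says "defaults/lowercases".
  if (typeof currency !== 'string' || !/^[A-Za-z]{3}$/.test(currency)) {
    throw new TypeError('currency must be a three-letter code');
  }
  const params = { amount, currency: currency.toLowerCase() };
  if (metadata !== undefined) {
    if (metadata === null || typeof metadata !== 'object' || Array.isArray(metadata)) {
      throw new TypeError('metadata must be a plain object');
    }
    params.metadata = { ...metadata };
  }
  return params;
}

// makeClient(key) returns a Stripe client; in production: (key) => new Stripe(key).
async function createPaymentIntent(input, { env = process.env, makeClient } = {}) {
  if (!env.STRIPE_SECRET_KEY) {
    throw new Error('STRIPE_SECRET_KEY is not set');
  }
  const params = normalizePaymentInput(input); // fail before any network call
  const stripe = makeClient(env.STRIPE_SECRET_KEY);
  try {
    const intent = await stripe.paymentIntents.create(params);
    // Return only the two fields the caller needs, not the whole Stripe object.
    return { paymentId: intent.id, clientSecret: intent.client_secret };
  } catch (err) {
    // Keep Stripe's message and attach the original error as the cause.
    throw new Error(err.message, { cause: err });
  }
}

// Constructed stand-in for the SDK so the example runs offline.
function fakeStripe(behaviour) {
  return () => ({ paymentIntents: { create: async (p) => behaviour(p) } });
}
```
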

@Thanhdn1984
Author

Closing this duplicate/noisy submission to avoid wasting maintainer time. Sorry for the duplicate PRs — I will keep only the most relevant/latest submission and follow up there if needed.
