Fix: Send API key via email instead of webhook response (closes #1)

tcuong53-cell · tcuong53-cell · commit 8203a3612b85 · 2026-05-20T12:01:43.000+07:00
diff --git a/apps/web/api/webhook.ts b/apps/web/api/webhook.ts
@@ -1,9 +1,15 @@
+typescript
 import type { VercelRequest, VercelResponse } from '@vercel/node';
 import { createHash, randomBytes, createHmac, timingSafeEqual } from 'node:crypto';
+import { Resend } from 'resend'; // Add this import for Resend
 
 const SUPABASE_URL = process.env.SUPABASE_URL!;
 const SUPABASE_KEY = process.env.SUPABASE_SERVICE_KEY!;
 const POLAR_WEBHOOK_SECRET = process.env.POLAR_WEBHOOK_SECRET!;
+const RESEND_API_KEY = process.env.RESEND_API_KEY; // Allow undefined, handle gracefully
+
+// Initialize Resend conditionally to prevent errors if RESEND_API_KEY is missing at startup
+const resend = RESEND_API_KEY ? new Resend(RESEND_API_KEY) : null;
 
 // Credit mapping for Polar products
 const PRODUCT_CREDITS: Record<string, number> = {
@@ -167,14 +173,45 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
       });
     } else {
       // Generate new key (plaintext only exists in this scope, never returned to caller)
-      const { hash, prefix } = generateApiKey();
+      // Capture the plaintext 'key' here so it can be emailed.
+      const { key, hash, prefix } = generateApiKey();
+      
       await supabasePost('api_keys', {
         user_id: userId,
         key_hash: hash,
         key_prefix: prefix,
         credits_remaining: creditsToAdd,
       });
+
       // TODO: Send API key to user via email (Resend/Postmark) instead of returning it
+      try {
+        if (!resend) {
+          console.warn('RESEND_API_KEY is not set. Skipping API key email for user:', email);
+        } else {
+          await resend.emails.send({
+            from: 'Protoscan Vision <onboarding@protoscan.vision>', // IMPORTANT: Replace with your verified sender email in Resend
+            to: email, // Use the extracted customer email from the webhook payload
+            subject: 'Your New API Key for Protoscan Vision',
+            html: `
+              <p>Hello,</p>
+              <p>Thank you for your recent purchase! Here is your brand new API key:</p>
+              <p><strong><code>${key}</code></strong></p>
+              <p>Please keep this key safe and secure. For security reasons, this key will only be displayed once.</p>
+              <p>You can find more details on how to use your API key in our <a href="https://docs.protoscan.vision/api-keys" target="_blank">documentation</a>.</p>
+              <p>If you have any questions or require assistance, please don't hesitate to contact our support team.</p>
+              <p>Best regards,<br/>The Protoscan Vision Team</p>
+            `,
+            text: `Hello,\n\nThank you for your recent purchase! Here is your brand new API key: ${key}\n\nPlease keep this key safe and secure. For security reasons, this key will only be displayed once.\n\nYou can find more details on how to use your API key in our documentation.\n\nIf you have any questions or require assistance, please don't hesitate to contact our support team.\n\nBest regards,\nThe Protoscan Vision Team`,
+          });
+          console.log(`API key successfully emailed to ${email} for user ${userId}`);
+        }
+      } catch (emailError) {
+        console.error(`Failed to send API key email to ${email} for user ${userId}:`, emailError);
+        // Log the email sending failure. It's often best practice to still return a 200 OK
+        // to the webhook provider (Polar.sh) to prevent them from retrying the *purchase event*.
+        // A separate mechanism should be in place for handling failed email deliveries
+        // (e.g., retry queue, admin alert, manual follow-up).
+      }
     }
 
     // 5. Record payment
@@ -186,11 +223,12 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
       product_id: productId,
     });
 
-    return res.status(200).json({ ok: true, credits_added: creditsToAdd });
+    // The HTTP response should no longer contain the plaintext API key.
+    return res.status(200).json({ ok: true, credits_added: creditsToAdd, message: 'API key generation and email delivery initiated.' });
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     // Don't expose internal details — log server-side only
     console.error(`Webhook processing error: ${message}`);
     return res.status(500).json({ error: 'Webhook processing failed' });
   }
-}
+}
