Switch from Stripe to Paddle Billing (#34)

* skip cleaning up devices of pro plan customers

* use serverless/[email protected]

* prepare for Paddle checkout

* sync pnpm-lock.yaml

* fix jwt - should be transmitted encoded

* add first Paddle webhook handler

* expose paddle_webhook endpoint

* use correct Paddle environment

* add handlePaddleSubscriptionCanceled

* fix hasActivePaddleSubscription

* add more Paddle webhook event handlers

* improve past due handling

Author: csuermann

.github/workflows/master.yml

@@ -46,6 +46,8 @@ jobs:
           VSH_ADMIN_API_KEY: ${{ secrets.VSH_ADMIN_API_KEY }}
           STRIPE_API_KEY: ${{ secrets.STRIPE_API_KEY }}
           STRIPE_WEBHOOK_SECRET: ${{ secrets.STRIPE_WEBHOOK_SECRET }}
+          PADDLE_API_KEY: ${{ secrets.PADDLE_API_KEY }}
+          PADDLE_WEBHOOK_SECRET: ${{ secrets.PADDLE_WEBHOOK_SECRET }}
           MOMENTO_TOKEN: ${{ secrets.MOMENTO_TOKEN }}
       - name: Serverless doctor advice
         uses: serverless/[email protected]

.github/workflows/sandbox.yml

@@ -47,6 +47,8 @@ jobs:
           VSH_ADMIN_API_KEY: ${{ secrets.VSH_ADMIN_API_KEY_SANDBOX }}
           STRIPE_API_KEY: ${{ secrets.STRIPE_API_KEY_SANDBOX }}
           STRIPE_WEBHOOK_SECRET: ${{ secrets.STRIPE_WEBHOOK_SECRET_SANDBOX }}
+          PADDLE_API_KEY: ${{ secrets.PADDLE_API_KEY_SANDBOX }}
+          PADDLE_WEBHOOK_SECRET: ${{ secrets.PADDLE_WEBHOOK_SECRET_SANDBOX }}
           MOMENTO_TOKEN: ${{ secrets.MOMENTO_TOKEN_SANDBOX }}
       - name: Serverless doctor advice
         uses: serverless/[email protected]

Authorization.ts

@@ -19,6 +19,7 @@ export interface UserRecord {
   allowedDeviceCount?: number
   plan?: string
   stripeCustomerId?: string
+  paddleCustomerId?: string
   deleteAtUnixTime?: number
 }
 

backendApi.ts

@@ -7,6 +7,11 @@ import * as log from 'log'
 import * as logger from 'log-aws-lambda'
 import * as jwt from 'jsonwebtoken'
 import Stripe from 'stripe'
+import {
+  Environment,
+  Paddle,
+  EventName as PaddleEventName,
+} from '@paddle/paddle-node-sdk'
 
 import { fetchProfile, isProd, proactivelyUndiscoverDevices } from './helper'
 import AWS = require('aws-sdk')
@@ -21,16 +26,24 @@ import {
 } from './version'
 import { Plan, PlanName } from './Plan'
 import {
-  handleCheckoutSessionCompleted,
-  handleCustomerSubscriptionDeleted,
-  handleInvoicePaymentFailed,
-  handleInvoicePaymentSucceeded,
+  handlePaddleSubscriptionActivated,
+  handlePaddleSubscriptionCanceled,
+  handlePaddleSubscriptionPastDue,
+  handlePaddleTransactionCompleted,
+  handleStripeCheckoutSessionCompleted,
+  handleStripeCustomerSubscriptionDeleted,
+  handleStripeInvoicePaymentFailed,
+  handleStripeInvoicePaymentSucceeded,
 } from './subscription'
 
 const stripe = new Stripe(process.env.STRIPE_API_KEY, {
   apiVersion: '2023-08-16',
 })
 
+const paddle = new Paddle(process.env.PADDLE_API_KEY, {
+  environment: isProd() ? Environment.production : Environment.sandbox,
+})
+
 interface AuthenticatedRequest extends express.Request {
   userId: string
   jwt?: { [key: string]: any }
@@ -176,24 +189,28 @@ app.post('/stripe_webhook', async function (req, res) {
 
     switch (event.type) {
       case 'checkout.session.completed': //https://stripe.com/docs/api/checkout/sessions/object
-        await handleCheckoutSessionCompleted(
+        await handleStripeCheckoutSessionCompleted(
           event.data.object as Stripe.Checkout.Session
         )
         break
       case 'customer.subscription.deleted': //https://stripe.com/docs/api/subscriptions/object
-        await handleCustomerSubscriptionDeleted(
+        await handleStripeCustomerSubscriptionDeleted(
           event.data.object as Stripe.Subscription
         )
         break
       case 'invoice.payment_succeeded': //https://stripe.com/docs/api/invoices/object
-        await handleInvoicePaymentSucceeded(event.data.object as Stripe.Invoice)
+        await handleStripeInvoicePaymentSucceeded(
+          event.data.object as Stripe.Invoice
+        )
         break
       case 'invoice.payment_failed': //https://stripe.com/docs/api/invoices/object
-        await handleInvoicePaymentFailed(event.data.object as Stripe.Invoice)
+        await handleStripeInvoicePaymentFailed(
+          event.data.object as Stripe.Invoice
+        )
         break
       // ... handle other event types
       default:
-        log.warn(`Unhandled event type ${event.type}: %j`, event)
+        log.warn(`Unhandled Stripe event type ${event.type}: %j`, event)
     }
 
     // Return a 200 response to acknowledge receipt of the event
@@ -204,6 +221,52 @@ app.post('/stripe_webhook', async function (req, res) {
   }
 })
 
+app.post('/paddle_webhook', async function (req, res) {
+  const signature = (req.headers['paddle-signature'] as string) || ''
+  // req.body should be of type `buffer`, convert to string before passing it to `unmarshal`.
+  // If express returned a JSON, remove any other middleware that might have processed raw request to object
+  const rawRequestBody = (req as any).rawBody
+  // Replace `WEBHOOK_SECRET_KEY` with the secret key in notifications from vendor dashboard
+  const secretKey = process.env.PADDLE_WEBHOOK_SECRET || ''
+
+  try {
+    if (signature && rawRequestBody) {
+      // The `unmarshal` function will validate the integrity of the webhook and return an entity
+      const eventData = await paddle.webhooks.unmarshal(
+        rawRequestBody,
+        secretKey,
+        signature
+      )
+      switch (eventData.eventType) {
+        case PaddleEventName.SubscriptionActivated:
+          await handlePaddleSubscriptionActivated(eventData)
+          break
+        case PaddleEventName.SubscriptionCanceled:
+          await handlePaddleSubscriptionCanceled(eventData)
+          break
+        case PaddleEventName.SubscriptionPastDue:
+          await handlePaddleSubscriptionPastDue(eventData)
+          break
+        case PaddleEventName.TransactionCompleted:
+          await handlePaddleTransactionCompleted(eventData)
+          break
+        default:
+          log.warn(
+            `Unhandled Paddle event type ${eventData.eventType}: %j`,
+            eventData
+          )
+      }
+    } else {
+      console.log('Signature missing in header')
+    }
+  } catch (e) {
+    // Handle signature mismatch or other runtime errors
+    console.log(e)
+  }
+  // Return a response to acknowledge
+  res.send('Processed Paddle webhook event')
+})
+
 //applying middlewares for all endpoints below these lines!
 app.use(cors())
 app.use(express.urlencoded({ extended: true })) // for parsing application/x-www-form-urlencoded
@@ -404,29 +467,31 @@ app.get('/plan', needsAuth, async function (req: AuthenticatedRequest, res) {
           priceTags: [
             {
               name: 'vsh-pro-yearly',
-              tag: '12 EUR per year',
+              tag: '14 EUR per year',
               checkoutToken: jwt.sign(
                 {
                   aud: 'checkout',
                   sub: req.userId,
+                  productName: 'VSH PRO - Yearly',
                   priceId: isProd()
-                    ? 'price_1Li1C4C3eSYquofeqstbOGi9'
-                    : 'price_1LgSpdC3eSYquofeNk3MClG1',
+                    ? 'pri_01jtxvka1st9m2m6bns9cha8hp'
+                    : 'pri_01jtwt97ekjxb7xn6q1a9p8g5g',
                 },
                 process.env.HASH_SECRET,
                 { expiresIn: '30m' }
               ),
             },
             {
               name: 'vsh-pro-monthly',
-              tag: '1.49 EUR per month',
+              tag: '1.79 EUR per month',
               checkoutToken: jwt.sign(
                 {
                   aud: 'checkout',
                   sub: req.userId,
+                  productName: 'VSH PRO - Monthly',
                   priceId: isProd()
-                    ? 'price_1Li1C4C3eSYquofekuqBmkqk'
-                    : 'price_1LgSpdC3eSYquofegmyiZdQv',
+                    ? 'pri_01jtxvmaxj28qyjwyfbz6qrby4'
+                    : 'pri_01jtwt8adq0rh6t605dc4b4avn',
                 },
                 process.env.HASH_SECRET,
                 { expiresIn: '30m' }
@@ -446,47 +511,80 @@ app.get(
   '/checkout',
   needsTokenForAudience('checkout'),
   async function (req: AuthenticatedRequest, res) {
-    const { stripeCustomerId, email } = await getUserRecord(req.userId)
-
-    //init Stripe checkout session and redirect to their checkout experience
-    const stripeSession = await stripe.checkout.sessions.create({
-      mode: 'subscription',
-      client_reference_id: req.userId,
-      ...(stripeCustomerId && { customer: stripeCustomerId }), //include customer property if stripeCustomerId is truthy
-      ...(!stripeCustomerId && { customer_email: email }), //include customer_email property if stripeCustomerId is falsy
-      line_items: [
-        {
-          price: req.jwt.priceId,
-          quantity: 1,
-        },
-      ],
-      allow_promotion_codes: true,
-      // {CHECKOUT_SESSION_ID} is a string literal; do not change it!
-      // the actual Session ID is returned in the query parameter when your customer
-      // is redirected to the success page.
-      success_url: `https://${req.hostname}/dev/stripe_redirect?session_id={CHECKOUT_SESSION_ID}`,
-      cancel_url: `https://${req.hostname}/dev/stripe_redirect?cancelled=true`,
-    })
+    // redirect to the checkout page that uses Paddle Billing
+    const { email } = await getUserRecord(req.userId)
+
+    const checkoutIntend = {
+      userId: req.userId,
+      email: email,
+      priceId: req.jwt.priceId,
+      jwt: req.query.token,
+      sandbox: !isProd(),
+      productName: req.jwt.productName,
+    }
 
-    // Redirect to the URL returned on the Checkout Session.
-    res.redirect(303, stripeSession.url)
+    res.redirect(
+      303,
+      'https://vsh.csuermann.de/checkout/?checkoutIntend=' +
+        encode(JSON.stringify(checkoutIntend))
+    )
+
+    // before 2025-05-10 we used Stripe
+    // const { stripeCustomerId, email } = await getUserRecord(req.userId)
+    // //init Stripe checkout session and redirect to their checkout experience
+    // const stripeSession = await stripe.checkout.sessions.create({
+    //   mode: 'subscription',
+    //   client_reference_id: req.userId,
+    //   ...(stripeCustomerId && { customer: stripeCustomerId }), //include customer property if stripeCustomerId is truthy
+    //   ...(!stripeCustomerId && { customer_email: email }), //include customer_email property if stripeCustomerId is falsy
+    //   line_items: [
+    //     {
+    //       price: req.jwt.priceId,
+    //       quantity: 1,
+    //     },
+    //   ],
+    //   allow_promotion_codes: true,
+    //   // {CHECKOUT_SESSION_ID} is a string literal; do not change it!
+    //   // the actual Session ID is returned in the query parameter when your customer
+    //   // is redirected to the success page.
+    //   success_url: `https://${req.hostname}/dev/stripe_redirect?session_id={CHECKOUT_SESSION_ID}`,
+    //   cancel_url: `https://${req.hostname}/dev/stripe_redirect?cancelled=true`,
+    // })
+
+    // // Redirect to the URL returned on the Checkout Session.
+    // res.redirect(303, stripeSession.url)
   }
 )
 
 app.get(
   '/subscription',
   needsTokenForAudience('subscription'),
   async function (req: AuthenticatedRequest, res) {
-    const { stripeCustomerId } = await getUserRecord(req.userId)
+    const { stripeCustomerId, paddleCustomerId } = await getUserRecord(
+      req.userId
+    )
 
-    //init Stripe customer portal session and redirect to there
-    const portalSession = await stripe.billingPortal.sessions.create({
-      customer: stripeCustomerId,
-      return_url: `https://${req.hostname}/dev/stripe_redirect`,
-    })
+    if (paddleCustomerId) {
+      const paddlePortalSession = await paddle.customerPortalSessions.create(
+        paddleCustomerId,
+        []
+      )
+
+      return res.redirect(303, paddlePortalSession.urls.general.overview)
+    }
+
+    if (stripeCustomerId) {
+      //init Stripe customer portal session and redirect to there
+      const portalSession = await stripe.billingPortal.sessions.create({
+        customer: stripeCustomerId,
+        return_url: `https://${req.hostname}/dev/stripe_redirect`,
+      })
+
+      // Redirect to the URL returned on the portal session.
+      return res.redirect(303, portalSession.url)
+    }
 
-    // Redirect to the URL returned on the portal session.
-    res.redirect(303, portalSession.url)
+    res.status(400).send({ error: 'no payment provider customer found' })
   }
 )
 

package.json

@@ -13,6 +13,7 @@
   },
   "dependencies": {
     "@gomomento/sdk": "^1.41.2",
+    "@paddle/paddle-node-sdk": "^2.7.1",
     "@types/semver": "^7.5.3",
     "ask-sdk": "^2.14.0",
     "aws-sdk": "^2.1472.0",