chore(chat): migrate POST /api/stripe/{session,portal}/create #1726
arpitgupta1214 wants to merge 3 commits into test from
Repoints createClientCheckoutSession at POST
${getClientApiBaseUrl()}/api/subscriptions/sessions and
createClientPortalSession at POST
${getClientApiBaseUrl()}/api/subscriptions/portal-sessions, both
authenticated with the Privy access token. Drops accountId from the
request body — api derives it from validateAuthContext. Deletes the
two local routes and the createSession / createBillingPortalSession
helpers that only existed to back them. (Group 4 of the chat→api
migration plan.)
2 issues found across 7 files
Confidence score: 3/5
- There is a concrete security risk in `lib/stripe/createClientPortalSession.ts`: opening with `_blank` without `noopener`/`noreferrer` can enable reverse-tabnabbing, so this carries meaningful user-impact risk.
- `lib/stripe/createClientCheckoutSession.ts` uses `__blank` instead of `_blank` in `window.open`, which is a lower-severity behavior bug but could cause inconsistent new-tab behavior.
- Given the high-confidence security finding (6/10) plus a secondary navigation issue, this has some merge risk and is worth fixing before or immediately after merge.
- Pay close attention to `lib/stripe/createClientPortalSession.ts` and `lib/stripe/createClientCheckoutSession.ts` - tab-opening behavior needs security and correctness adjustments.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="lib/stripe/createClientCheckoutSession.ts">
<violation number="1" location="lib/stripe/createClientCheckoutSession.ts:25">
P2: Use `_blank` instead of `__blank` in `window.open` to ensure standard new-tab behavior.</violation>
</file>
<file name="lib/stripe/createClientPortalSession.ts">
<violation number="1" location="lib/stripe/createClientPortalSession.ts:25">
P2: Opening a new tab with `_blank` without `noopener`/`noreferrer` introduces a reverse-tabnabbing risk.</violation>
</file>
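The two `window.open` findings in the review above, as an added example (not code from this PR or the project): a hypothetical `openInNewTab` helper that hard-codes the `_blank` keyword with `noopener,noreferrer` and validates the URL before any tab is opened. The function names and the host allow-list are assumptions made for illustration.

```javascript
// Added example: hypothetical helper, not the project's code.
// Assumed allow-list of hosts the API is expected to return URLs for.
const ALLOWED_HOSTS = new Set(["checkout.stripe.com", "billing.stripe.com"]);

// Reserved target keywords. Any other string, including the typo "__blank",
// is not one of these and does not get the keyword's new-tab semantics.
const TARGET_KEYWORDS = new Set(["_blank", "_self", "_parent", "_top"]);

function isReservedTarget(target) {
  return TARGET_KEYWORDS.has(String(target).toLowerCase());
}

// Returns the normalized URL string, or throws before any window is opened.
function validateRedirectUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    throw new Error("redirect URL is not absolute");
  }
  if (url.protocol !== "https:") throw new Error("redirect URL must be https");
  if (!ALLOWED_HOSTS.has(url.hostname)) throw new Error("unexpected redirect host");
  return url.href;
}

// Opens the URL in a new tab with the opener link severed, so the opened
// page gets no window.opener handle back to the app.
// `win` is injectable so the helper can be exercised outside a browser.
function openInNewTab(rawUrl, win = globalThis.window) {
  const href = validateRedirectUrl(rawUrl);
  // With "noopener" the call returns null by design, so the return value
  // cannot be used to detect a blocked popup.
  win.open(href, "_blank", "noopener,noreferrer");
  return href;
}

// Constructed stand-in for `window` that records the arguments it receives.
function makeFakeWindow() {
  const calls = [];
  return { calls, open: (...args) => { calls.push(args); return null; } };
}
```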
Per CHAT_API_MIGRATION_FINDINGS REST cleanup, the dedicated endpoints land at the REST-aligned paths:
  /api/subscriptions/sessions -> /api/stripe/checkout-sessions
  /api/subscriptions/portal-sessions -> /api/stripe/portal-sessions
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6ceebb47cf
| headers: { | ||
| "Content-Type": "application/json", | ||
| const response = await fetch( | ||
| `${getClientApiBaseUrl()}/api/subscriptions/sessions`, |
Point Stripe migration at renamed API routes
The new checkout caller is still targeting /api/subscriptions/sessions, but the paired API migration (recoupable/api#499, commit a326a8b) renames these endpoints to /api/stripe/checkout-sessions and /api/stripe/portal-sessions; with that backend in place this request path returns 404, so clicking Subscribe/Billing can no longer open Stripe. Please update this URL (and the matching portal caller) to the renamed route set so chat and api stay in parity.
2 issues found across 2 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="lib/stripe/createClientCheckoutSession.ts">
<violation number="1" location="lib/stripe/createClientCheckoutSession.ts:6">
P1: Checkout session creation is calling the wrong migrated endpoint path (`/api/stripe/checkout-sessions` instead of `/api/subscriptions/sessions`), which can break opening Stripe checkout.</violation>
</file>
<file name="lib/stripe/createClientPortalSession.ts">
<violation number="1" location="lib/stripe/createClientPortalSession.ts:6">
P1: The endpoint was changed to the old `/api/stripe/portal-sessions` route, but this migration requires `/api/subscriptions/portal-sessions`, so portal session creation can fail.</violation>
</file>
| headers: { | ||
| "Content-Type": "application/json", | ||
| const response = await fetch( | ||
| `${getClientApiBaseUrl()}/api/stripe/portal-sessions`, |
P1: The endpoint was changed to the old /api/stripe/portal-sessions route, but this migration requires /api/subscriptions/portal-sessions, so portal session creation can fail.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At lib/stripe/createClientPortalSession.ts, line 6:
<comment>The endpoint was changed to the old `/api/stripe/portal-sessions` route, but this migration requires `/api/subscriptions/portal-sessions`, so portal session creation can fail.</comment>
<file context>
@@ -3,7 +3,7 @@ import { getClientApiBaseUrl } from "@/lib/api/getClientApiBaseUrl";
try {
const response = await fetch(
- `${getClientApiBaseUrl()}/api/subscriptions/portal-sessions`,
+ `${getClientApiBaseUrl()}/api/stripe/portal-sessions`,
{
method: "POST",
</file context>
| `${getClientApiBaseUrl()}/api/stripe/portal-sessions`, | |
| `${getClientApiBaseUrl()}/api/subscriptions/portal-sessions`, |
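Review bot: the path literal on the changed `fetch` line has now been flipped in both directions, from `/api/subscriptions/portal-sessions` to `/api/stripe/portal-sessions` in the hunk and back again in the suggestion, and nothing in these lines ties it to what the api service actually serves. Settle the route against api#499 before merging, and define it once in a shared constant that both `createClientPortalSession` and `createClientCheckoutSession` import, so the two callers cannot end up on different route sets after the next rename.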
Resolves overlap with #1729 (which landed local /api/subscriptions/portal helper updates on test concurrently). Keeps the better error handling and noopener,noreferrer security flags from test, but points at the migration-doc-aligned /api/stripe/{checkout,portal}-sessions paths. Drops a duplicate getAccessToken declaration in useSubscribeClick.
Closing alongside api#499 — chat-side Group 4 cutover already shipped to
Repoints `createClientCheckoutSession` at `POST ${getClientApiBaseUrl()}/api/subscriptions/sessions` and `createClientPortalSession` at `POST ${getClientApiBaseUrl()}/api/subscriptions/portal-sessions` (both authenticated with the Privy access token). Deletes the two local routes and the `createSession` / `createBillingPortalSession` helpers that only existed to back them. (Group 4 of the chat→api migration plan.)
Will only merge once api parity PR api#499 lands.
Test plan