EverydayTech Platform - Developer Reference
Complete Source Code Documentation - All Applications
Loading...
Searching...
No Matches
public-invoice-payment.js
Go to the documentation of this file.
1/**
2 * @file routes/public-invoice-payment.js
3 * @module routes/public-invoice-payment
4 * @description Public invoice payment endpoints that don't require authentication.
5 * Allows customers to pay invoices via secure tokenized links sent by email.
6 *
7 * **Security:**
8 * - No authentication required (uses payment_token instead)
9 * - Tokens are cryptographically secure (64-char hex, 256-bit entropy)
10 * - One-time use recommended (can generate new token after payment)
11 * - Rate limiting should be applied at reverse proxy level
12 *
13 * **Payment Flow:**
14 * 1. Customer receives email with payment link: /pay/{token}
15 * 2. Frontend fetches invoice details via GET /api/public/pay/:token
16 * 3. Customer enters payment details (Stripe Elements)
17 * 4. Frontend creates payment intent via POST /api/public/pay/:token/create-payment
18 * 5. Stripe confirms payment
19 * 6. Frontend confirms payment via POST /api/public/pay/:token/confirm-payment
20 *
21 * @requires express
22 * @requires crypto
23 * @requires stripe
24 * @requires ../services/db
25 * @requires ../services/stripeService
26 */
27
28const express = require('express');
29const router = express.Router();
30const crypto = require('crypto');
31const pool = require('../services/db');
32
33// Initialize Stripe with correct key based on mode
34const stripeMode = process.env.STRIPE_MODE || 'test';
35const stripeSecretKey = stripeMode === 'live'
36 ? process.env.STRIPE_LIVE_SECRET_KEY
37 : process.env.STRIPE_TEST_SECRET_KEY;
38const stripe = require('stripe')(stripeSecretKey);
39
40console.log(`[Stripe] Public Invoice Payment initialized in ${stripeMode.toUpperCase()} mode`);
41
42/**
43 * @api {get} /public/pay/:token Get Invoice by Payment Token
44 * @apiName GetPublicInvoice
45 * @apiGroup PublicPayment
46 * @apiDescription Fetches invoice details using a secure payment token.
47 * No authentication required. Returns invoice data needed for payment page.
48 *
49 * @apiParam {string} token 64-character hex payment token from email link
50 *
51 * @apiSuccess {Object} invoice Invoice object
52 * @apiSuccess {number} invoice.invoice_id Invoice ID
53 * @apiSuccess {string} invoice.currency Currency code (AUD, USD, etc.)
54 * @apiSuccess {number} invoice.subtotal Subtotal amount (ex tax)
55 * @apiSuccess {number} invoice.tax_rate Tax rate percentage
56 * @apiSuccess {number} invoice.tax_amount Tax amount
57 * @apiSuccess {number} invoice.total Total amount (inc tax)
58 * @apiSuccess {string} invoice.payment_status Payment status (unpaid, paid, etc.)
59 * @apiSuccess {string} invoice.status Invoice status (draft, sent, paid, void)
60 * @apiSuccess {string} invoice.customer_name Customer name
61 * @apiSuccess {Object[]} invoice.items Line items array
62 * @apiSuccess {boolean} canPay Whether invoice can be paid (not void/paid)
63 *
64 * @apiError {Number} 404 Invoice not found or token invalid
65 * @apiError {Number} 400 Invoice already paid or voided
66 */
67router.get('/pay/:token', async (req, res) => {
68 const { token } = req.params;
69
70 try {
71 // Validate token format (64 hex chars)
72 if (!/^[0-9a-f]{64}$/i.test(token)) {
73 return res.status(400).json({ error: 'Invalid payment token format' });
74 }
75
76 // Fetch invoice by payment token
77 const result = await pool.query(`
78 SELECT
79 i.invoice_id,
80 i.customer_id,
81 i.currency,
82 i.subtotal,
83 i.tax_rate,
84 i.tax_amount,
85 i.total,
86 i.amount,
87 i.status,
88 i.payment_status,
89 i.issued_date,
90 i.due_date,
91 i.description,
92 i.created_at,
93 i.tenant_id,
94 c.name as customer_name,
95 c.email as customer_email,
96 c.phone as customer_phone,
97 c.billing_address as customer_address
98 FROM invoices i
99 LEFT JOIN customers c ON i.customer_id = c.customer_id
100 WHERE i.payment_token = $1
101 `, [token]);
102
103 if (result.rows.length === 0) {
104 return res.status(404).json({ error: 'Invoice not found' });
105 }
106
107 const invoice = result.rows[0];
108
109 // Check if invoice can be paid
110 if (invoice.status === 'void') {
111 return res.status(400).json({ error: 'This invoice has been voided and cannot be paid' });
112 }
113
114 if (invoice.payment_status === 'paid') {
115 return res.status(400).json({
116 error: 'This invoice has already been paid',
117 alreadyPaid: true
118 });
119 }
120
121 // Fetch line items
122 const itemsResult = await pool.query(
123 'SELECT * FROM invoice_items WHERE invoice_id = $1 ORDER BY item_id',
124 [invoice.invoice_id]
125 );
126
127 invoice.items = itemsResult.rows;
128 invoice.canPay = invoice.status !== 'void' && invoice.payment_status !== 'paid';
129
130 // Don't expose sensitive customer data beyond what's needed
131 const publicInvoice = {
132 invoice_id: invoice.invoice_id,
133 currency: invoice.currency,
134 subtotal: invoice.subtotal,
135 tax_rate: invoice.tax_rate,
136 tax_amount: invoice.tax_amount,
137 total: invoice.total,
138 amount: invoice.amount,
139 status: invoice.status,
140 payment_status: invoice.payment_status,
141 issued_date: invoice.issued_date,
142 due_date: invoice.due_date,
143 description: invoice.description,
144 customer_name: invoice.customer_name,
145 items: invoice.items,
146 canPay: invoice.canPay
147 };
148
149 res.json(publicInvoice);
150
151 } catch (error) {
152 console.error('Error fetching public invoice:', error);
153 res.status(500).json({ error: 'Server error', details: error.message });
154 }
155});
156
157/**
158 * @api {post} /public/pay/:token/create-payment Create Payment Intent (Public)
159 * @apiName CreatePublicPaymentIntent
160 * @apiGroup PublicPayment
161 * @apiDescription Creates a Stripe payment intent for public invoice payment.
162 * No authentication required - uses payment token for security.
163 */
164router.post('/pay/:token/create-payment', async (req, res) => {
165 const { token } = req.params;
166
167 try {
168 // Validate token format
169 if (!/^[0-9a-f]{64}$/i.test(token)) {
170 return res.status(400).json({ error: 'Invalid payment token format' });
171 }
172
173 // Fetch invoice
174 const result = await pool.query(`
175 SELECT
176 i.invoice_id,
177 i.customer_id,
178 i.tenant_id,
179 i.currency,
180 i.total,
181 i.amount,
182 i.status,
183 i.payment_status,
184 i.description,
185 c.name as customer_name,
186 sc.stripe_account_id
187 FROM invoices i
188 LEFT JOIN customers c ON i.customer_id = c.customer_id
189 LEFT JOIN stripe_config sc ON i.tenant_id = sc.tenant_id
190 WHERE i.payment_token = $1
191 `, [token]);
192
193 if (result.rows.length === 0) {
194 return res.status(404).json({ error: 'Invoice not found' });
195 }
196
197 const invoice = result.rows[0];
198
199 // Validate invoice can be paid
200 if (invoice.status === 'void') {
201 return res.status(400).json({ error: 'Invoice has been voided' });
202 }
203
204 if (invoice.payment_status === 'paid') {
205 return res.status(400).json({ error: 'Invoice already paid' });
206 }
207
208 // Get Stripe connected account
209 const stripeAccountId = invoice.stripe_account_id;
210 if (!stripeAccountId) {
211 return res.status(400).json({ error: 'Payment processing not configured for this invoice' });
212 }
213
214 // Calculate amount in cents
215 const amountInCents = Math.round(parseFloat(invoice.total || invoice.amount || 0) * 100);
216
217 if (amountInCents <= 0) {
218 return res.status(400).json({ error: 'Invalid invoice amount' });
219 }
220
221 // Create payment intent on connected account
222 const paymentIntent = await stripe.paymentIntents.create({
223 amount: amountInCents,
224 currency: (invoice.currency || 'AUD').toLowerCase(),
225 description: `Invoice #${invoice.invoice_id}${invoice.description ? ' - ' + invoice.description : ''}`,
226 metadata: {
227 invoice_id: invoice.invoice_id.toString(),
228 customer_id: invoice.customer_id?.toString() || '',
229 tenant_id: invoice.tenant_id,
230 customer_name: invoice.customer_name || '',
231 payment_type: 'public_invoice_payment'
232 },
233 application_fee_amount: Math.round(amountInCents * 0.03), // 3% platform fee
234 }, {
235 stripeAccount: stripeAccountId,
236 });
237
238 res.json({
239 clientSecret: paymentIntent.client_secret,
240 publishableKey: process.env.STRIPE_TEST_PUBLISHABLE_KEY,
241 stripeAccount: stripeAccountId,
242 amount: amountInCents,
243 currency: (invoice.currency || 'AUD').toLowerCase(),
244 });
245
246 } catch (error) {
247 console.error('Error creating public payment intent:', error);
248 res.status(500).json({ error: error.message || 'Failed to create payment intent' });
249 }
250});
251
252/**
253 * @api {post} /public/pay/:token/confirm-payment Confirm Payment (Public)
254 * @apiName ConfirmPublicPayment
255 * @apiGroup PublicPayment
256 * @apiDescription Confirms successful payment and updates invoice status.
257 * Called after Stripe payment succeeds on the frontend.
258 */
259router.post('/pay/:token/confirm-payment', async (req, res) => {
260 const { token } = req.params;
261 const { paymentIntentId } = req.body;
262
263 const client = await pool.connect();
264
265 try {
266 // Validate token
267 if (!/^[0-9a-f]{64}$/i.test(token)) {
268 return res.status(400).json({ error: 'Invalid payment token format' });
269 }
270
271 if (!paymentIntentId) {
272 return res.status(400).json({ error: 'Payment intent ID required' });
273 }
274
275 await client.query('BEGIN');
276
277 // Fetch invoice
278 const invoiceResult = await client.query(`
279 SELECT
280 i.invoice_id,
281 i.customer_id,
282 i.tenant_id,
283 i.total,
284 i.amount,
285 i.currency,
286 i.status,
287 i.payment_status,
288 sc.stripe_account_id
289 FROM invoices i
290 LEFT JOIN stripe_config sc ON i.tenant_id = sc.tenant_id
291 WHERE i.payment_token = $1
292 FOR UPDATE
293 `, [token]);
294
295 if (invoiceResult.rows.length === 0) {
296 await client.query('ROLLBACK');
297 return res.status(404).json({ error: 'Invoice not found' });
298 }
299
300 const invoice = invoiceResult.rows[0];
301
302 // Retrieve payment intent from Stripe
303 const paymentIntent = await stripe.paymentIntents.retrieve(
304 paymentIntentId,
305 { stripeAccount: invoice.stripe_account_id }
306 );
307
308 if (paymentIntent.status !== 'succeeded') {
309 await client.query('ROLLBACK');
310 return res.status(400).json({ error: 'Payment not completed' });
311 }
312
313 // Update invoice status
314 await client.query(`
315 UPDATE invoices
316 SET
317 status = 'paid',
318 payment_status = 'paid',
319 payment_date = CURRENT_TIMESTAMP,
320 updated_at = CURRENT_TIMESTAMP
321 WHERE invoice_id = $1
322 `, [invoice.invoice_id]);
323
324 // Record payment
325 await client.query(`
326 INSERT INTO payments (
327 invoice_id, customer_id, tenant_id,
328 amount, currency, status,
329 stripe_payment_intent_id, stripe_account_id,
330 payment_method_type, card_brand, card_last4,
331 application_fee_amount, net_amount,
332 created_at, updated_at
333 ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)
334 `, [
335 invoice.invoice_id,
336 invoice.customer_id,
337 invoice.tenant_id,
338 paymentIntent.amount,
339 paymentIntent.currency,
340 paymentIntent.status,
341 paymentIntent.id,
342 invoice.stripe_account_id,
343 paymentIntent.payment_method_types?.[0] || 'card',
344 paymentIntent.charges?.data?.[0]?.payment_method_details?.card?.brand || null,
345 paymentIntent.charges?.data?.[0]?.payment_method_details?.card?.last4 || null,
346 paymentIntent.application_fee_amount,
347 paymentIntent.amount - (paymentIntent.application_fee_amount || 0)
348 ]);
349
350 await client.query('COMMIT');
351
352 res.json({
353 success: true,
354 message: 'Payment confirmed',
355 invoice_id: invoice.invoice_id
356 });
357
358 } catch (error) {
359 await client.query('ROLLBACK');
360 console.error('Error confirming public payment:', error);
361 res.status(500).json({ error: error.message || 'Failed to confirm payment' });
362 } finally {
363 client.release();
364 }
365});
366
367module.exports = router;