feat(payments): support custom cancel path for Stripe top-up checkout

RSO · RSO · commit 3b4308a3fece · 2026-03-23T09:28:31.000+01:00
Add an optional cancel-path query param to the /payments/topup route,
validated with isValidReturnUrl to prevent open redirects. The claw
CreditsNudge now passes cancel-path=/claw so users return to the
onboarding page instead of /profile when they cancel checkout.
diff --git a/src/app/(app)/claw/components/CreditsNudge.tsx b/src/app/(app)/claw/components/CreditsNudge.tsx
@@ -62,7 +62,7 @@ export function CreditsNudge({
       {/* Hidden form for POST to /payments/topup */}
       <form
         ref={formRef}
-        action={`/payments/topup?amount=${selectedAmount}`}
+        action={`/payments/topup?amount=${selectedAmount}&cancel-path=${encodeURIComponent('/claw')}`}
         method="post"
         className="hidden"
       />
diff --git a/src/app/payments/topup/route.ts b/src/app/payments/topup/route.ts
@@ -3,6 +3,7 @@ import { NextResponse } from 'next/server';
 import { getUserFromAuth } from '@/lib/user.server';
 import { getStripeTopUpCheckoutUrl } from '@/lib/stripe';
 import { MAXIMUM_TOP_UP_AMOUNT, MINIMUM_TOP_UP_AMOUNT } from '@/lib/constants';
+import { isValidReturnUrl } from '@/lib/payment-return-url';
 import { captureException } from '@sentry/nextjs';
 import { getOrCreateStripeCustomerIdForOrganization } from '@/lib/organizations/organization-billing';
 
@@ -67,12 +68,16 @@ export async function POST(request: NextRequest): Promise<NextResponse<unknown>>
       await getOrCreateStripeCustomerIdForOrganization(organizationId)
     : currentUser.stripe_customer_id;
 
+  const cancelPathRaw = searchParams.get('cancel-path');
+  const cancelPath = cancelPathRaw && isValidReturnUrl(cancelPathRaw) ? cancelPathRaw : null;
+
   const url = await getStripeTopUpCheckoutUrl(
     currentUser.id,
     stripeCustomerId,
     validationResult.amount as number,
     origin,
-    organizationId
+    organizationId,
+    cancelPath
   );
 
   if (!url) {
diff --git a/src/lib/stripe.ts b/src/lib/stripe.ts
@@ -993,7 +993,9 @@ export async function getStripeTopUpCheckoutUrl(
   stripeCustomerId: User['stripe_customer_id'],
   amount: number,
   origin: string = 'web',
-  organizationId?: string | null
+  organizationId?: string | null,
+  /** Optional internal path to redirect to when the user cancels checkout. */
+  cancelPath?: string | null
 ): Promise<string | null> {
   const line_items = amount
     ? [
@@ -1016,9 +1018,13 @@ export async function getStripeTopUpCheckoutUrl(
       ];
 
   const isOrganizationTopUp = Boolean(organizationId);
-  let cancelUrl = `${APP_URL}/profile?payment_status=topup_cancelled&origin=${origin}`;
-  if (isOrganizationTopUp) {
+  let cancelUrl: string;
+  if (cancelPath) {
+    cancelUrl = `${APP_URL}${cancelPath}`;
+  } else if (isOrganizationTopUp) {
     cancelUrl = `${APP_URL}/organizations/${organizationId}?${TOPUP_CANCELED_QUERY_STRING_KEY}=true`;
+  } else {
+    cancelUrl = `${APP_URL}/profile?payment_status=topup_cancelled&origin=${origin}`;
   }
 
   const rewardfulReferral = await getRewardfulReferral();
