fix(billing): require org owner role for Stripe checkout URL creation

Previously getSubscriptionStripeUrl used baseProcedure and only enforced
ownership when existing subscriptions were found, allowing unauthenticated
Stripe customer creation for new orgs. Switch to organizationOwnerProcedure
to enforce ownership unconditionally.

Author: jeanduplessis

src/routers/organizations/organization-subscription-router.test.ts

@@ -57,6 +57,32 @@ describe('organizations subscription trpc router', () => {
     });
   });
 
+  describe('getSubscriptionStripeUrl procedure', () => {
+    it('should throw UNAUTHORIZED error for non-owner members', async () => {
+      const caller = await createCallerForUser(memberUser.id);
+
+      await expect(
+        caller.organizations.subscription.getSubscriptionStripeUrl({
+          organizationId: testOrganization.id,
+          seats: 1,
+          cancelUrl: 'https://example.com',
+        })
+      ).rejects.toThrow('You do not have the required organizational role to access this feature');
+    });
+
+    it('should throw UNAUTHORIZED error for non-member users', async () => {
+      const caller = await createCallerForUser(_nonMemberUser.id);
+
+      await expect(
+        caller.organizations.subscription.getSubscriptionStripeUrl({
+          organizationId: testOrganization.id,
+          seats: 1,
+          cancelUrl: 'https://example.com',
+        })
+      ).rejects.toThrow('You do not have access to this organization');
+    });
+  });
+
   describe('cancel procedure', () => {
     it('should throw UNAUTHORIZED error for non-owner users', async () => {
       const caller = await createCallerForUser(memberUser.id);

src/routers/organizations/organization-subscription-router.ts

@@ -15,7 +15,6 @@ import { baseProcedure, createTRPCRouter } from '@/lib/trpc/init';
 import {
   OrganizationIdInputSchema,
   organizationOwnerProcedure,
-  ensureOrganizationAccess,
   organizationMemberProcedure,
 } from '@/routers/organizations/utils';
 import { TRPCError } from '@trpc/server';
@@ -117,7 +116,7 @@ export const organizationsSubscriptionRouter = createTRPCRouter({
       return { status: paymentStatus };
     }),
 
-  getSubscriptionStripeUrl: baseProcedure
+  getSubscriptionStripeUrl: organizationOwnerProcedure
     .input(SubscriptionRequestSchema)
     .mutation(async ({ input, ctx }) => {
       const { user } = ctx;
@@ -132,20 +131,13 @@ export const organizationsSubscriptionRouter = createTRPCRouter({
       const customerId = await getOrCreateStripeCustomerIdForOrganization(org.id);
       const subscriptions = await getSubscriptionsForStripeCustomerId(customerId);
 
-      // if any subscriptions are not ended, throw bad request error
       if (subscriptions.find(sub => sub.ended_at == null)) {
         throw new TRPCError({
           code: 'BAD_REQUEST',
           message: 'Organization has active subscription(s)',
         });
       }
 
-      // if any subscriptions exist we need to enforce security
-      // otherwise, we can't enforce ownership as the org is still not finished being set up
-      if (subscriptions.length) {
-        await ensureOrganizationAccess(ctx, organizationId, ['owner', 'billing_manager']);
-      }
-
       const result = await getStripeSeatsCheckoutUrl({
         kiloUserId: user.id,
         stripeCustomerId: customerId,