Partner account verification via Veriff (dubinc#3614)

Author: devkiran

apps/web/.env.example

@@ -188,4 +188,8 @@ HUBSPOT_CLIENT_SECRET=
 # E2E Playwright Tests
 PLAYWRIGHT_BASE_URL=http://partners.localhost:8888
 E2E_PARTNER_EMAIL=
-E2E_PARTNER_PASSWORD=
+E2E_PARTNER_PASSWORD=
+
+# Veriff (Identity Verification)
+VERIFF_API_KEY=
+VERIFF_SHARED_SECRET=

apps/web/app/(ee)/api/cron/partners/verify-country-change/route.ts

@@ -0,0 +1,150 @@
+import { withCron } from "@/lib/cron/with-cron";
+import { fetchVeriffSessionDecision } from "@/lib/veriff/fetch-veriff-session-decision";
+import {
+  mergeVeriffMetadata,
+  parseVeriffMetadata,
+} from "@/lib/veriff/veriff-metadata";
+import { sendEmail } from "@dub/email";
+import PartnerIdentityVerificationFailed from "@dub/email/templates/partner-identity-verification-failed";
+import PartnerIdentityVerified from "@dub/email/templates/partner-identity-verified";
+import { prisma } from "@dub/prisma";
+import { logAndRespond } from "app/(ee)/api/cron/utils";
+import * as z from "zod/v4";
+
+export const dynamic = "force-dynamic";
+
+const schema = z.object({
+  partnerId: z.string(),
+});
+
+// POST /api/cron/partners/verify-country-change
+export const POST = withCron(async ({ rawBody }) => {
+  const { partnerId } = schema.parse(JSON.parse(rawBody));
+
+  const partner = await prisma.partner.findUnique({
+    where: {
+      id: partnerId,
+    },
+    select: {
+      id: true,
+      name: true,
+      email: true,
+      country: true,
+      identityVerificationStatus: true,
+      identityVerifiedAt: true,
+      veriffSessionId: true,
+      veriffMetadata: true,
+    },
+  });
+
+  if (!partner) {
+    return logAndRespond("Partner not found.");
+  }
+
+  if (!partner.veriffSessionId) {
+    return logAndRespond("No Veriff session ID found. Skipping.");
+  }
+
+  if (!partner.country) {
+    return logAndRespond("Partner has no country set. Skipping.");
+  }
+
+  // Fetch the original Veriff decision to get the document country
+  let documentCountry: string | null = null;
+
+  try {
+    const { verification } = await fetchVeriffSessionDecision(
+      partner.veriffSessionId,
+    );
+
+    documentCountry =
+      (verification.document?.country || verification.person?.nationality) ??
+      null;
+  } catch (error) {
+    console.error(
+      `Failed to fetch Veriff decision for partner ${partnerId}:`,
+      error,
+    );
+
+    // Don't revoke on uncertainty — QStash will retry
+    throw error;
+  }
+
+  if (!documentCountry) {
+    return logAndRespond(
+      "Could not determine document country from Veriff decision. Skipping.",
+    );
+  }
+
+  // Compare partner's current country with the verified document country
+  if (partner.country.toLowerCase() === documentCountry.toLowerCase()) {
+    if (partner.identityVerifiedAt) {
+      return logAndRespond(
+        "Country matches and partner is already verified. No action needed.",
+      );
+    }
+    await prisma.partner.update({
+      where: {
+        id: partner.id,
+      },
+      data: {
+        identityVerifiedAt: new Date(),
+      },
+    });
+    if (partner.email) {
+      await sendEmail({
+        to: partner.email,
+        subject: "Your identity has been verified",
+        react: PartnerIdentityVerified({
+          partner: {
+            name: partner.name,
+            email: partner.email,
+          },
+        }),
+      });
+    }
+    return logAndRespond("Country matches, verified partner.");
+  } else {
+    // Mismatch — reset identity verification, but preserve attemptCount
+    const declineReason =
+      "Your account country no longer matches your verified identity document country. Please re-verify.";
+
+    const { attemptCount } = parseVeriffMetadata(partner.veriffMetadata);
+
+    await prisma.partner.update({
+      where: {
+        id: partner.id,
+      },
+      data: {
+        identityVerificationStatus: null,
+        identityVerifiedAt: null,
+        veriffSessionId: null,
+        veriffMetadata: mergeVeriffMetadata(partner.veriffMetadata, {
+          sessionUrl: null,
+          sessionExpiresAt: null,
+          declineReason,
+          attemptCount,
+        }),
+      },
+    });
+
+    if (partner.email) {
+      await sendEmail({
+        to: partner.email,
+        subject: "Identity re-verification required",
+        react: PartnerIdentityVerificationFailed({
+          failureType: "countryChange",
+          failureReasonText: declineReason,
+          partner: {
+            name: partner.name,
+            email: partner.email,
+          },
+        }),
+      });
+    }
+
+    return logAndRespond(
+      `Country mismatch detected for partner ${partnerId}. Verification reset and email sent.`,
+    );
+  }
+});

apps/web/app/(ee)/api/network/partners/route.ts

@@ -83,6 +83,11 @@ export const GET = withWorkspace(
           starredAt: partner.starredAt ? new Date(partner.starredAt) : null,
           ignoredAt: partner.ignoredAt ? new Date(partner.ignoredAt) : null,
           invitedAt: partner.invitedAt ? new Date(partner.invitedAt) : null,
+          identityVerificationStatus:
+            partner.identityVerificationStatus ?? null,
+          identityVerifiedAt: partner.identityVerifiedAt
+            ? new Date(partner.identityVerifiedAt)
+            : null,
           categories: partner.categories
             ? partner.categories.split(",").map((c: string) => c.trim())
             : [],

apps/web/app/(ee)/partners.dub.co/(dashboard)/profile/identity-verification-section.tsx

@@ -0,0 +1,201 @@
+"use client";
+
+import { parseActionError } from "@/lib/actions/parse-action-errors";
+import { startIdentityVerificationAction } from "@/lib/actions/partners/start-identity-verification";
+import { hasPermission } from "@/lib/auth/partner-users/partner-user-permissions";
+import usePartnerProfile from "@/lib/swr/use-partner-profile";
+import { PartnerProps } from "@/lib/types";
+import { MAX_PARTNER_IDENTITY_VERIFICATION_ATTEMPTS } from "@/lib/zod/schemas/partners";
+import { Button, StatusBadge } from "@dub/ui";
+import {
+  ShieldCheck,
+  TriangleWarning,
+  Veriff,
+  VerifiedBadge,
+} from "@dub/ui/icons";
+import { cn } from "@dub/utils";
+import { useAction } from "next-safe-action/hooks";
+import { toast } from "sonner";
+
+export function IdentityVerificationSection({
+  partner,
+}: {
+  partner?: PartnerProps;
+}) {
+  const { mutate } = usePartnerProfile();
+
+  const { executeAsync, isPending } = useAction(
+    startIdentityVerificationAction,
+    {
+      onError: ({ error }) => {
+        toast.error(
+          parseActionError(error, "Failed to start identity verification."),
+        );
+      },
+      onSuccess: async ({ data }) => {
+        const { createVeriffFrame, MESSAGES } = await import(
+          "@veriff/incontext-sdk"
+        );
+
+        createVeriffFrame({
+          url: data.sessionUrl,
+          onEvent: (msg) => {
+            if (msg === MESSAGES.FINISHED) {
+              toast.success(
+                "Verification submitted. We'll update your status shortly.",
+              );
+              mutate();
+            }
+          },
+        });
+
+        mutate();
+      },
+    },
+  );
+
+  if (!partner) {
+    return null;
+  }
+
+  const {
+    identityVerificationStatus,
+    identityVerificationDeclineReason,
+    identityVerificationAttemptCount,
+  } = partner;
+
+  const cannotUpdateProfile = !hasPermission(
+    partner.role,
+    "partner_profile.update",
+  );
+
+  const isPendingReview =
+    identityVerificationStatus === "submitted" ||
+    identityVerificationStatus === "review";
+
+  const isMaxAttemptsReached =
+    identityVerificationAttemptCount >=
+      MAX_PARTNER_IDENTITY_VERIFICATION_ATTEMPTS &&
+    identityVerificationStatus !== "approved" &&
+    !isPendingReview;
+
+  const isFailed = [
+    "declined",
+    "resubmissionRequested",
+    "expired",
+    "abandoned",
+  ].includes(identityVerificationStatus || "");
+
+  let buttonText = "Start verification";
+  let failedReason = identityVerificationDeclineReason || null;
+
+  // If the verification failed and no reason is provided, set the reason based on the status
+  if (isFailed && failedReason === null) {
+    switch (identityVerificationStatus) {
+      case "declined":
+        failedReason =
+          "We couldn't verify your identity. Please check your information or documents and try again.";
+        break;
+      case "resubmissionRequested":
+        failedReason =
+          "Verification couldn't be completed. Please check your information and resubmit.";
+        break;
+      case "expired":
+        failedReason =
+          "Verification attempt expired. Please start a new verification";
+        break;
+      case "abandoned":
+        failedReason =
+          "Verification attempt abandoned. Please start a new verification";
+        break;
+    }
+  }
+
+  switch (identityVerificationStatus) {
+    case "started":
+      buttonText = "Complete verification";
+      break;
+    case "declined":
+    case "resubmissionRequested":
+      buttonText = "Resubmit verification";
+      break;
+  }
+
+  return (
+    <div
+      id="identity-verification"
+      className={cn(
+        failedReason && "overflow-hidden rounded-lg bg-amber-100 p-1",
+      )}
+    >
+      {failedReason && (
+        <div className="flex items-center gap-2 px-2 py-2">
+          <TriangleWarning className="size-3.5 shrink-0 text-amber-500" />
+          <p className="leading-0 text-sm font-medium text-amber-900">
+            <span className="font-semibold">Verification failed:</span>{" "}
+            {failedReason}
+          </p>
+        </div>
+      )}
+
+      <div className="border-border-subtle relative overflow-hidden rounded-lg border bg-neutral-50">
+        <div
+          className="pointer-events-none absolute inset-0 opacity-[0.4] [-webkit-mask-image:radial-gradient(ellipse_95%_85%_at_50%_42%,#000_0%,transparent_68%)] [background-image:radial-gradient(rgb(163_163_163)_1px,transparent_1px)] [background-size:4px_4px] [mask-image:radial-gradient(ellipse_95%_85%_at_50%_42%,#000_0%,transparent_68%)]"
+          aria-hidden
+        />
+        <div className="relative flex flex-col items-center gap-3 px-6 py-3">
+          {identityVerificationStatus === "approved" ? (
+            <VerifiedBadge className="size-6" />
+          ) : (
+            <ShieldCheck className="size-6 text-neutral-400" />
+          )}
+
+          {identityVerificationStatus === "approved" && (
+            <StatusBadge
+              variant="success"
+              className="rounded-lg font-semibold"
+              icon={null}
+            >
+              Identity verified
+            </StatusBadge>
+          )}
+
+          {isPendingReview && (
+            <StatusBadge
+              variant="pending"
+              className="rounded-lg font-semibold"
+              icon={null}
+            >
+              Pending review
+            </StatusBadge>
+          )}
+
+          {identityVerificationStatus !== "approved" &&
+            !isPendingReview &&
+            buttonText && (
+              <Button
+                text={buttonText}
+                variant="secondary"
+                disabled={isMaxAttemptsReached || cannotUpdateProfile}
+                disabledTooltip={
+                  cannotUpdateProfile
+                    ? "You don't have permission to update this field"
+                    : isMaxAttemptsReached
+                      ? "You have reached the maximum number of verification attempts. Please contact support if you need help."
+                      : undefined
+                }
+                onClick={() => executeAsync()}
+                loading={isPending}
+                className="h-10 w-fit rounded-lg px-4 py-1.5"
+              />
+            )}
+
+          <div className="flex items-center gap-1 text-xs font-medium text-neutral-400">
+            <span>Powered by</span>
+            <Veriff className="w-auto" />
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}

apps/web/app/(ee)/partners.dub.co/(dashboard)/profile/page-client.tsx

@@ -4,6 +4,7 @@ import { hasPermission } from "@/lib/auth/partner-users/partner-user-permissions
 import usePartnerProfile from "@/lib/swr/use-partner-profile";
 import { PageContent } from "@/ui/layout/page-content";
 import { PageWidthWrapper } from "@/ui/layout/page-width-wrapper";
+
 import { useMergePartnerAccountsModal } from "@/ui/partners/merge-accounts/merge-partner-accounts-modal";
 import { ThreeDots } from "@/ui/shared/icons";
 import { Button, Popover, Users2 } from "@dub/ui";