feat: extract product ids to helper, sanitize dates returned from stripe for subscription

stripe mock gives us invalifd subscription dates which means we dont get the item. so we sanitize it to make it a valid range. In prod, this is unlikely to happen but it will serve as a guard.

Author: nams1570

apps/backend/prisma/seed.ts

@@ -11,6 +11,7 @@ import { getPrismaClientForTenancy, globalPrismaClient, PrismaClientTransaction
 import { ALL_APPS } from '@stackframe/stack-shared/dist/apps/apps-config';
 import { DEFAULT_EMAIL_THEME_ID } from '@stackframe/stack-shared/dist/helpers/emails';
 import { AdminUserProjectsCrud, ProjectsCrud } from '@stackframe/stack-shared/dist/interface/crud/projects';
+import { ITEM_IDS, PLAN_LIMITS } from '@stackframe/stack-shared/dist/plans';
 import { DayInterval } from '@stackframe/stack-shared/dist/utils/dates';
 import { throwErr } from '@stackframe/stack-shared/dist/utils/errors';
 import { typedEntries, typedFromEntries } from '@stackframe/stack-shared/dist/utils/objects';
@@ -119,26 +120,41 @@ export async function seed() {
           },
         },
         products: {
-          team_plans: {
+          free: {
+            productLineId: "plans",
+            displayName: "Free",
+            customerType: "team",
+            serverOnly: false,
+            stackable: false,
+            prices: "include-by-default",
+            includedItems: {
+              [ITEM_IDS.seats]: { quantity: PLAN_LIMITS.free.seats, repeat: "never" as const, expires: "when-purchase-expires" as const },
+              [ITEM_IDS.authUsers]: { quantity: PLAN_LIMITS.free.authUsers, repeat: "never" as const, expires: "when-purchase-expires" as const },
+              [ITEM_IDS.emailsPerMonth]: { quantity: PLAN_LIMITS.free.emailsPerMonth, repeat: "never" as const, expires: "when-purchase-expires" as const },
+              [ITEM_IDS.analyticsTimeoutSeconds]: { quantity: PLAN_LIMITS.free.analyticsTimeoutSeconds, repeat: "never" as const, expires: "when-purchase-expires" as const },
+              [ITEM_IDS.analyticsEvents]: { quantity: PLAN_LIMITS.free.analyticsEvents, repeat: "never" as const, expires: "when-purchase-expires" as const },
+            },
+          },
+          team: {
             productLineId: "plans",
-            displayName: "Team Plans",
+            displayName: "Team",
             customerType: "team",
             serverOnly: false,
             stackable: false,
             prices: {
               monthly: {
                 USD: "49",
                 interval: [1, "month"] as any,
-                serverOnly: false
-              }
+                serverOnly: false,
+              },
             },
             includedItems: {
-              dashboard_admins: {
-                quantity: 3,
-                repeat: "never",
-                expires: "when-purchase-expires"
-              }
-            }
+              [ITEM_IDS.seats]: { quantity: PLAN_LIMITS.team.seats, repeat: "never" as const, expires: "when-purchase-expires" as const },
+              [ITEM_IDS.authUsers]: { quantity: PLAN_LIMITS.team.authUsers, repeat: "never" as const, expires: "when-purchase-expires" as const },
+              [ITEM_IDS.emailsPerMonth]: { quantity: PLAN_LIMITS.team.emailsPerMonth, repeat: "never" as const, expires: "when-purchase-expires" as const },
+              [ITEM_IDS.analyticsTimeoutSeconds]: { quantity: PLAN_LIMITS.team.analyticsTimeoutSeconds, repeat: "never" as const, expires: "when-purchase-expires" as const },
+              [ITEM_IDS.analyticsEvents]: { quantity: PLAN_LIMITS.team.analyticsEvents, repeat: "never" as const, expires: "when-purchase-expires" as const },
+            },
           },
           growth: {
             productLineId: "plans",
@@ -150,63 +166,45 @@ export async function seed() {
               monthly: {
                 USD: "299",
                 interval: [1, "month"] as any,
-                serverOnly: false
-              }
+                serverOnly: false,
+              },
             },
             includedItems: {
-              dashboard_admins: {
-                quantity: 5,
-                repeat: "never",
-                expires: "when-purchase-expires"
-              }
-            }
-          },
-          free: {
-            productLineId: "plans",
-            displayName: "Free",
-            customerType: "team",
-            serverOnly: false,
-            stackable: false,
-            prices: "include-by-default",
-            includedItems: {
-              dashboard_admins: {
-                quantity: 1,
-                repeat: "never",
-                expires: "when-purchase-expires"
-              }
-            }
+              [ITEM_IDS.seats]: { quantity: PLAN_LIMITS.growth.seats, repeat: "never" as const, expires: "when-purchase-expires" as const },
+              [ITEM_IDS.authUsers]: { quantity: PLAN_LIMITS.growth.authUsers, repeat: "never" as const, expires: "when-purchase-expires" as const },
+              [ITEM_IDS.emailsPerMonth]: { quantity: PLAN_LIMITS.growth.emailsPerMonth, repeat: "never" as const, expires: "when-purchase-expires" as const },
+              [ITEM_IDS.analyticsTimeoutSeconds]: { quantity: PLAN_LIMITS.growth.analyticsTimeoutSeconds, repeat: "never" as const, expires: "when-purchase-expires" as const },
+              [ITEM_IDS.analyticsEvents]: { quantity: PLAN_LIMITS.growth.analyticsEvents, repeat: "never" as const, expires: "when-purchase-expires" as const },
+            },
           },
-          "extra-admins": {
+          "extra-seats": {
             productLineId: "plans",
-            displayName: "Extra Admins",
+            displayName: "Extra Seats",
             customerType: "team",
             serverOnly: false,
             stackable: true,
             prices: {
               monthly: {
-                USD: "49",
+                USD: "29",
                 interval: [1, "month"] as any,
-                serverOnly: false
-              }
+                serverOnly: false,
+              },
             },
             includedItems: {
-              dashboard_admins: {
-                quantity: 1,
-                repeat: "never",
-                expires: "when-purchase-expires"
-              }
+              [ITEM_IDS.seats]: { quantity: 1, repeat: "never" as const, expires: "when-purchase-expires" as const },
             },
             isAddOnTo: {
               team: true,
               growth: true,
-            }
-          }
+            },
+          },
         },
         items: {
-          dashboard_admins: {
-            displayName: "Dashboard Admins",
-            customerType: "team"
-          }
+          [ITEM_IDS.seats]: { displayName: "Dashboard Admins", customerType: "team" as const },
+          [ITEM_IDS.authUsers]: { displayName: "Auth Users", customerType: "team" as const },
+          [ITEM_IDS.emailsPerMonth]: { displayName: "Emails per Month", customerType: "team" as const },
+          [ITEM_IDS.analyticsTimeoutSeconds]: { displayName: "Analytics Timeout (seconds)", customerType: "team" as const },
+          [ITEM_IDS.analyticsEvents]: { displayName: "Analytics Events", customerType: "team" as const },
         },
       },
       apps: {

apps/backend/src/app/api/latest/payments/products/[customer_type]/[customer_id]/switch/route.ts

@@ -1,14 +1,13 @@
+import { SubscriptionStatus } from "@/generated/prisma/client";
 import { ensureClientCanAccessCustomer, getCustomerPurchaseContext, getDefaultCardPaymentMethodSummary, getStripeCustomerForCustomerOrNull } from "@/lib/payments";
-import { ensureUserTeamPermissionExists } from "@/lib/request-checks";
-import { getStripeForAccount } from "@/lib/stripe";
+import { getStripeForAccount, sanitizeStripePeriodDates } from "@/lib/stripe";
 import { getPrismaClientForTenancy } from "@/prisma-client";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { KnownErrors } from "@stackframe/stack-shared";
 import { adaptSchema, clientOrHigherAuthTypeSchema, yupBoolean, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
 import { StackAssertionError, StatusError } from "@stackframe/stack-shared/dist/utils/errors";
 import { getOrUndefined, typedEntries, typedKeys } from "@stackframe/stack-shared/dist/utils/objects";
 import { typedToUppercase } from "@stackframe/stack-shared/dist/utils/strings";
-import { SubscriptionStatus } from "@/generated/prisma/client";
 import Stripe from "stripe";
 
 
@@ -200,6 +199,7 @@ export const POST = createSmartRouteHandler({
         },
       });
       const updatedSubscription = updated as Stripe.Subscription;
+      const sanitizedUpdateDates = sanitizeStripePeriodDates(existingItem.current_period_start, existingItem.current_period_end);
 
       await prisma.subscription.update({
         where: {
@@ -214,8 +214,8 @@ export const POST = createSmartRouteHandler({
           priceId: selectedPriceId,
           quantity,
           status: updatedSubscription.status,
-          currentPeriodStart: new Date(existingItem.current_period_start * 1000),
-          currentPeriodEnd: new Date(existingItem.current_period_end * 1000),
+          currentPeriodStart: sanitizedUpdateDates.start,
+          currentPeriodEnd: sanitizedUpdateDates.end,
           cancelAtPeriodEnd: updatedSubscription.cancel_at_period_end,
         },
       });
@@ -248,6 +248,7 @@ export const POST = createSmartRouteHandler({
         throw new StackAssertionError("Stripe subscription has no items", { stripeSubscriptionId: createdSubscription.id });
       }
       const createdItem = createdSubscription.items.data[0];
+      const sanitizedCreateDates = sanitizeStripePeriodDates(createdItem.current_period_start, createdItem.current_period_end);
 
       await prisma.subscription.create({
         data: {
@@ -260,8 +261,8 @@ export const POST = createSmartRouteHandler({
           quantity,
           stripeSubscriptionId: createdSubscription.id,
           status: createdSubscription.status,
-          currentPeriodStart: new Date(createdItem.current_period_start * 1000),
-          currentPeriodEnd: new Date(createdItem.current_period_end * 1000),
+          currentPeriodStart: sanitizedCreateDates.start,
+          currentPeriodEnd: sanitizedCreateDates.end,
           cancelAtPeriodEnd: createdSubscription.cancel_at_period_end,
           creationSource: "PURCHASE_PAGE",
         },

apps/backend/src/lib/stripe.tsx

@@ -1,12 +1,12 @@
+import { CustomerType } from "@/generated/prisma/client";
 import { getTenancy, Tenancy } from "@/lib/tenancies";
 import { getPrismaClientForTenancy, globalPrismaClient } from "@/prisma-client";
-import { CustomerType } from "@/generated/prisma/client";
+import { InputJsonValue } from "@prisma/client/runtime/client";
 import { typedIncludes } from "@stackframe/stack-shared/dist/utils/arrays";
 import { getEnvVariable, getNodeEnvironment } from "@stackframe/stack-shared/dist/utils/env";
 import { StackAssertionError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
 import Stripe from "stripe";
 import { createStripeProxy, type StripeOverridesMap } from "./stripe-proxy";
-import { InputJsonValue } from "@prisma/client/runtime/client";
 
 const stripeSecretKey = getEnvVariable("STACK_STRIPE_SECRET_KEY", "");
 const useStripeMock = stripeSecretKey === "sk_test_mockstripekey" && ["development", "test"].includes(getNodeEnvironment());
@@ -17,6 +17,43 @@ const stripeConfig: Stripe.StripeConfig = useStripeMock ? {
   port: Number(`${stackPortPrefix}23`),
 } : {};
 
+/**
+ * Sanitizes subscription period dates from Stripe.
+ *
+ * The Stripe mock returns hardcoded fixture dates that are invalid (e.g., start in 2030, end in 2000).
+ * This function detects invalid dates and replaces them with sensible defaults.
+ *
+ * @param startTimestamp - Unix timestamp in seconds for period start
+ * @param endTimestamp - Unix timestamp in seconds for period end
+ * @param intervalMonths - Billing interval in months (default: 1)
+ * @returns Sanitized Date objects for start and end
+ */
+export function sanitizeStripePeriodDates(
+  startTimestamp: number,
+  endTimestamp: number,
+  intervalMonths: number = 1
+): { start: Date, end: Date } {
+  const now = new Date();
+  const startDate = new Date(startTimestamp * 1000);
+  const endDate = new Date(endTimestamp * 1000);
+
+  const tenYearsMs = 10 * 365 * 24 * 60 * 60 * 1000;
+  const isStartValid = startDate.getTime() > 0 && Math.abs(startDate.getTime() - now.getTime()) < tenYearsMs;
+  const isEndValid = endDate.getTime() > 0 && Math.abs(endDate.getTime() - now.getTime()) < tenYearsMs;
+  const isOrderValid = startDate < endDate;
+
+  if (isStartValid && isEndValid && isOrderValid) {
+    return { start: startDate, end: endDate };
+  }
+
+  // Dates are invalid (likely from Stripe mock), use sensible defaults
+  const defaultStart = now;
+  const defaultEnd = new Date(now);
+  defaultEnd.setMonth(defaultEnd.getMonth() + intervalMonths);
+
+  return { start: defaultStart, end: defaultEnd };
+}
+
 export const getStackStripe = (overrides?: StripeOverridesMap) => {
   if (!stripeSecretKey) {
     throw new StackAssertionError("STACK_STRIPE_SECRET_KEY environment variable is not set");
@@ -92,6 +129,7 @@ export async function syncStripeSubscriptions(stripe: Stripe, stripeAccountId: s
       continue;
     }
     const item = subscription.items.data[0];
+    const sanitizedDates = sanitizeStripePeriodDates(item.current_period_start, item.current_period_end);
     const priceId = subscription.metadata.priceId as string | undefined;
     // old subscriptions were created with offer metadata instead of product metadata
     const productString = subscription.metadata.product as string | undefined ?? subscription.metadata.offer as string | undefined;
@@ -116,8 +154,8 @@ export async function syncStripeSubscriptions(stripe: Stripe, stripeAccountId: s
         status: subscription.status,
         product: productJson,
         quantity: item.quantity ?? 1,
-        currentPeriodEnd: new Date(item.current_period_end * 1000),
-        currentPeriodStart: new Date(item.current_period_start * 1000),
+        currentPeriodEnd: sanitizedDates.end,
+        currentPeriodStart: sanitizedDates.start,
         cancelAtPeriodEnd: subscription.cancel_at_period_end,
         priceId: priceId ?? null,
       },
@@ -131,8 +169,8 @@ export async function syncStripeSubscriptions(stripe: Stripe, stripeAccountId: s
         quantity: item.quantity ?? 1,
         stripeSubscriptionId: subscription.id,
         status: subscription.status,
-        currentPeriodEnd: new Date(item.current_period_end * 1000),
-        currentPeriodStart: new Date(item.current_period_start * 1000),
+        currentPeriodEnd: sanitizedDates.end,
+        currentPeriodStart: sanitizedDates.start,
         cancelAtPeriodEnd: subscription.cancel_at_period_end,
         creationSource: "PURCHASE_PAGE"
       },

packages/stack-shared/src/plans.ts

@@ -0,0 +1,65 @@
+/**
+ * Plan configuration for Stack Auth pricing tiers.
+ *
+ * This file defines the limits for each plan and the item IDs used to track them.
+ * Import these constants in seed.ts and backend code for limit enforcement.
+ */
+
+export const UNLIMITED = 1_000_000_000;
+
+/**
+ * Item IDs used across the codebase for tracking plan limits.
+ */
+export const ITEM_IDS = {
+  seats: "dashboard_admins",
+  authUsers: "auth_users",
+  emailsPerMonth: "emails_per_month",
+  analyticsTimeoutSeconds: "analytics_timeout_seconds",
+  analyticsEvents: "analytics_events",
+} as const;
+
+export type ItemId = typeof ITEM_IDS[keyof typeof ITEM_IDS];
+
+/**
+ * The offerings/limits included in a plan.
+ */
+export type PlanProductOfferings = {
+  seats: number,
+  authUsers: number,
+  emailsPerMonth: number,
+  analyticsTimeoutSeconds: number,
+  analyticsEvents: number,
+};
+
+/**
+ * Plan limits by plan ID.
+ */
+export const PLAN_LIMITS: {
+  free: PlanProductOfferings,
+  team: PlanProductOfferings,
+  growth: PlanProductOfferings,
+} = {
+  free: {
+    seats: 1,
+    authUsers: 10_000,
+    emailsPerMonth: 1_000,
+    analyticsTimeoutSeconds: 10,
+    analyticsEvents: 100_000,
+  },
+  team: {
+    seats: 4,
+    authUsers: 50_000,
+    emailsPerMonth: 25_000,
+    analyticsTimeoutSeconds: 60,
+    analyticsEvents: 500_000,
+  },
+  growth: {
+    seats: UNLIMITED,
+    authUsers: UNLIMITED,
+    emailsPerMonth: 25_000,
+    analyticsTimeoutSeconds: 300,
+    analyticsEvents: 1_000_000,
+  },
+};
+
+export type PlanId = keyof typeof PLAN_LIMITS;