merge dev

Author: BilalG1

AGENTS.md

@@ -92,6 +92,7 @@ To see all development ports, refer to the index.html of `apps/dev-launchpad/pub
 - IMPORTANT: Any assumption you make should either be validated through type system (preferred), assertions, or tests. Optimally, two out of three.
 - If there is an external browser tool connected, use it to test changes you make to the frontend when possible.
 - Whenever you update an SDK implementation in `sdks/implementations`, make sure to update the specs accordingly in `sdks/specs` such that if you reimplemented the entire SDK from the specs again, you would get the same implementation. (For example, if the specs are not precise enough to describe a change you made, make the specs more precise.)
+- When building internal tools for Stack Auth developers (eg. internal interfaces like the WAL info log etc.): Make the interfaces look very concise, assume the user is a pro-user. This only applies to internal tools that are used primarily by Stack Auth developers.
 
 ### Code-related
 - Use ES6 maps instead of records wherever you can.

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 ---
 
+## 2026.01.23
+
+### Payments
+Introduced a redesigned payments onboarding flow
+
 ## 2026.01.21
 
 ### Payments

apps/backend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stackframe/stack-backend",
-  "version": "2.8.60",
+  "version": "2.8.61",
   "repository": "https://github.com/stack-auth/stack-auth",
   "private": true,
   "type": "module",
@@ -89,7 +89,7 @@
     "freestyle-sandboxes": "^0.1.6",
     "jose": "^6.1.3",
     "json-diff": "^1.0.6",
-    "next": "16.1.1",
+    "next": "16.1.5",
     "nodemailer": "^6.9.10",
     "oidc-provider": "^8.5.1",
     "openid-client": "5.6.4",

apps/backend/prisma/seed.ts

@@ -3,7 +3,7 @@ import { teamMembershipsCrudHandlers } from '@/app/api/latest/team-memberships/c
 import { teamsCrudHandlers } from '@/app/api/latest/teams/crud';
 import { usersCrudHandlers } from '@/app/api/latest/users/crud';
 import { CustomerType, EmailOutboxCreatedWith, Prisma, PurchaseCreationSource, SubscriptionStatus } from '@/generated/prisma/client';
-import { overrideEnvironmentConfigOverride, setBranchConfigOverrideSource } from '@/lib/config';
+import { overrideBranchConfigOverride, overrideEnvironmentConfigOverride, setBranchConfigOverrideSource } from '@/lib/config';
 import { ensurePermissionDefinition, grantTeamPermission } from '@/lib/permissions';
 import { createOrUpdateProjectWithLegacyConfig, getProject } from '@/lib/projects';
 import { DEFAULT_BRANCH_ID, getSoleTenancyFromProjectBranch, type Tenancy } from '@/lib/tenancies';
@@ -96,10 +96,10 @@ export async function seed() {
     },
   });
 
-  await overrideEnvironmentConfigOverride({
+  await overrideBranchConfigOverride({
     projectId: 'internal',
     branchId: DEFAULT_BRANCH_ID,
-    environmentConfigOverrideOverride: {
+    branchConfigOverrideOverride: {
       // Disable email verification for internal project - dashboard admins shouldn't need to verify their email
       onboarding: {
         requireEmailVerification: false,
@@ -547,7 +547,8 @@ type SeedDummyUsersOptions = {
 
 type PaymentsSetup = {
   paymentsProducts: Record<string, unknown>,
-  paymentsOverride: Record<string, unknown>,
+  paymentsBranchOverride: Record<string, unknown>,
+  paymentsEnvironmentOverride: Record<string, unknown>,
 };
 
 async function seedDummyTeams(options: SeedDummyTeamsOptions): Promise<Map<string, string>> {
@@ -904,8 +905,8 @@ function buildDummyPaymentsSetup(): PaymentsSetup {
     },
   };
 
-  const paymentsOverride = {
-    testMode: true,
+  // Branch config - products, items, productLines
+  const paymentsBranchOverride = {
     productLines: {
       workspace: {
         displayName: 'Workspace Plans',
@@ -937,9 +938,15 @@ function buildDummyPaymentsSetup(): PaymentsSetup {
     products: paymentsProducts,
   };
 
+  // Environment config - only testMode
+  const paymentsEnvironmentOverride = {
+    testMode: true,
+  };
+
   return {
     paymentsProducts,
-    paymentsOverride,
+    paymentsBranchOverride,
+    paymentsEnvironmentOverride,
   };
 }
 
@@ -1003,19 +1010,29 @@ async function seedDummyProject(options: DummyProjectSeedOptions) {
     tenancy: dummyTenancy,
     teamNameToId,
   });
-  const { paymentsProducts, paymentsOverride } = buildDummyPaymentsSetup();
+  const { paymentsProducts, paymentsBranchOverride, paymentsEnvironmentOverride } = buildDummyPaymentsSetup();
 
-  await overrideEnvironmentConfigOverride({
+  // Set branch-level config (products, items, productLines, apps)
+  await overrideBranchConfigOverride({
     projectId: DUMMY_PROJECT_ID,
     branchId: DEFAULT_BRANCH_ID,
-    environmentConfigOverrideOverride: {
-      payments: paymentsOverride as any,
+    branchConfigOverrideOverride: {
+      payments: paymentsBranchOverride as any,
       apps: {
         installed: typedFromEntries(typedEntries(ALL_APPS).map(([key]) => [key, { enabled: true }])),
       },
     },
   });
 
+  // Set environment-level config (testMode)
+  await overrideEnvironmentConfigOverride({
+    projectId: DUMMY_PROJECT_ID,
+    branchId: DEFAULT_BRANCH_ID,
+    environmentConfigOverrideOverride: {
+      payments: paymentsEnvironmentOverride as any,
+    },
+  });
+
   // Set the dummy project's branch config source to pushed-from-github with dummy values
   await setBranchConfigOverrideSource({
     projectId: DUMMY_PROJECT_ID,

apps/backend/src/app/api/latest/payments/items/[customer_type]/[customer_id]/[item_id]/route.ts

@@ -1,4 +1,4 @@
-import { ensureCustomerExists, getItemQuantityForCustomer } from "@/lib/payments";
+import { ensureClientCanAccessCustomer, ensureCustomerExists, getItemQuantityForCustomer } from "@/lib/payments";
 import { getPrismaClientForTenancy } from "@/prisma-client";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { KnownErrors } from "@stackframe/stack-shared";
@@ -64,7 +64,16 @@ export const GET = createSmartRouteHandler({
       }),
     }).defined(),
   }),
-  handler: async (req) => {
+  handler: async (req, fullReq) => {
+    if (req.auth.type === "client") {
+      await ensureClientCanAccessCustomer({
+        customerType: req.params.customer_type,
+        customerId: req.params.customer_id,
+        user: fullReq.auth?.user,
+        tenancy: req.auth.tenancy,
+        forbiddenMessage: "Clients can only access their own user or team items.",
+      });
+    }
     const { tenancy } = req.auth;
     const paymentsConfig = tenancy.config.payments;
 
@@ -100,5 +109,3 @@ export const GET = createSmartRouteHandler({
     };
   },
 });
-
-

apps/backend/src/app/api/latest/payments/products/[customer_type]/[customer_id]/route.ts

@@ -1,4 +1,4 @@
-import { ensureProductIdOrInlineProduct, getOwnedProductsForCustomer, grantProductToCustomer, productToInlineProduct } from "@/lib/payments";
+import { ensureClientCanAccessCustomer, ensureProductIdOrInlineProduct, getOwnedProductsForCustomer, grantProductToCustomer, productToInlineProduct } from "@/lib/payments";
 import { getPrismaClientForTenancy } from "@/prisma-client";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { adaptSchema, clientOrHigherAuthTypeSchema, inlineProductSchema, serverOrHigherAuthTypeSchema, yupBoolean, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
@@ -32,7 +32,16 @@ export const GET = createSmartRouteHandler({
     bodyType: yupString().oneOf(["json"]).defined(),
     body: customerProductsListResponseSchema,
   }),
-  handler: async ({ auth, params, query }) => {
+  handler: async ({ auth, params, query }, fullReq) => {
+    if (auth.type === "client") {
+      await ensureClientCanAccessCustomer({
+        customerType: params.customer_type,
+        customerId: params.customer_id,
+        user: fullReq.auth?.user,
+        tenancy: auth.tenancy,
+        forbiddenMessage: "Clients can only access their own user or team products.",
+      });
+    }
     const prisma = await getPrismaClientForTenancy(auth.tenancy);
     const ownedProducts = await getOwnedProductsForCustomer({
       prisma,
@@ -191,4 +200,3 @@ export const POST = createSmartRouteHandler({
     };
   },
 });
-

apps/backend/src/app/api/latest/payments/purchases/create-purchase-url/route.ts

@@ -1,4 +1,4 @@
-import { ensureProductIdOrInlineProduct, getCustomerPurchaseContext } from "@/lib/payments";
+import { ensureClientCanAccessCustomer, ensureProductIdOrInlineProduct, getCustomerPurchaseContext } from "@/lib/payments";
 import { validateRedirectUrl } from "@/lib/redirect-urls";
 import { getStackStripe, getStripeForAccount } from "@/lib/stripe";
 import { getPrismaClientForTenancy, globalPrismaClient } from "@/prisma-client";
@@ -66,11 +66,22 @@ export const POST = createSmartRouteHandler({
       }),
     }).defined(),
   }),
-  handler: async (req) => {
+  handler: async (req, fullReq) => {
     const { tenancy } = req.auth;
     if (tenancy.config.payments.blockNewPurchases) {
       throw new KnownErrors.NewPurchasesBlocked();
     }
+
+    if (req.auth.type === "client") {
+      await ensureClientCanAccessCustomer({
+        customerType: req.body.customer_type,
+        customerId: req.body.customer_id,
+        user: fullReq.auth?.user,
+        tenancy,
+        forbiddenMessage: "Clients can only create purchase URLs for their own user or teams they have admin access to.",
+      });
+    }
+
     const stripe = await getStripeForAccount({ tenancy });
     const productConfig = await ensureProductIdOrInlineProduct(tenancy, req.auth.type, req.body.product_id, req.body.product_inline);
     const customerType = productConfig.customerType;

apps/backend/src/lib/email-queue-step.tsx

@@ -619,6 +619,23 @@ async function processSingleEmail(context: TenancyProcessingContext, row: EmailO
       }
     }
 
+    const BLOCKED_PROJECT_ID = "2397ef60-a33e-4efb-ad9b-300da67ee29e";
+    const BLOCKED_DOMAIN = "gsmoal.com";
+    if (context.tenancy.project.id === BLOCKED_PROJECT_ID) {
+      for (const email of resolution.emails) {
+        const emailDomain = email.split("@")[1]?.toLowerCase();
+        if (emailDomain === BLOCKED_DOMAIN || emailDomain.endsWith(`.${BLOCKED_DOMAIN}`)) {
+          console.warn(`[email-queue] Blocked email to ${email} from project ${BLOCKED_PROJECT_ID} — domain @${BLOCKED_DOMAIN} (or subdomain) is blocked for this project`);
+          await markSkipped(row, EmailOutboxSkippedReason.LIKELY_NOT_DELIVERABLE, {
+            reason: "domain_blocked_for_project",
+            blockedDomain: BLOCKED_DOMAIN,
+            email,
+          });
+          return;
+        }
+      }
+    }
+
     const result = getEnvBoolean("STACK_EMAIL_BRANCHING_DISABLE_QUEUE_SENDING")
       ? Result.error({ errorType: "email-sending-disabled", canRetry: false, message: "Email sending is disabled", rawError: new Error("Email sending is disabled") })
       : await lowLevelSendEmailDirectViaProvider({

apps/backend/src/lib/payments.tsx

@@ -26,7 +26,7 @@ type ProductWithMetadata = yup.InferType<typeof productSchemaWithMetadata>;
 type SelectedPrice = Exclude<Product["prices"], "include-by-default">[string];
 
 export async function ensureClientCanAccessCustomer(options: {
-  customerType: "user" | "team",
+  customerType: "user" | "team" | "custom",
   customerId: string,
   user: UsersCrud["Admin"]["Read"] | undefined,
   tenancy: Tenancy,
@@ -36,6 +36,9 @@ export async function ensureClientCanAccessCustomer(options: {
   if (!currentUser) {
     throw new KnownErrors.UserAuthenticationRequired();
   }
+  if (options.customerType === "custom") {
+    throw new StatusError(StatusError.Forbidden, options.forbiddenMessage);
+  }
   if (options.customerType === "user") {
     if (options.customerId !== currentUser.id) {
       throw new StatusError(StatusError.Forbidden, options.forbiddenMessage);

apps/dashboard/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stackframe/stack-dashboard",
-  "version": "2.8.60",
+  "version": "2.8.61",
   "repository": "https://github.com/stack-auth/stack-auth",
   "private": true,
   "scripts": {
@@ -79,7 +79,7 @@
     "input-otp": "^1.4.1",
     "jose": "^6.1.3",
     "lodash": "^4.17.21",
-    "next": "16.1.1",
+    "next": "16.1.5",
     "next-themes": "^0.2.1",
     "posthog-js": "^1.235.0",
     "react": "19.2.3",