Add plan to tenant to avoid exposing subscription entity to non-owners

tjementum · tjementum · commit d340d87d6fc6 · 2026-03-16T09:56:12.000+01:00
diff --git a/application/account/Core/Database/Migrations/20260303023200_Initial.cs b/application/account/Core/Database/Migrations/20260303023200_Initial.cs
@@ -19,9 +19,10 @@ protected override void Up(MigrationBuilder migrationBuilder)
                 deleted_at = table.Column<DateTimeOffset>("timestamptz", nullable: true),
                 name = table.Column<string>("text", nullable: false),
                 state = table.Column<string>("text", nullable: false),
-                logo = table.Column<string>("jsonb", nullable: false, defaultValue: "{}"),
+                plan = table.Column<string>("text", nullable: false, defaultValue: "Basis"),
                 suspension_reason = table.Column<string>("text", nullable: true),
-                suspended_at = table.Column<DateTimeOffset>("timestamptz", nullable: true)
+                suspended_at = table.Column<DateTimeOffset>("timestamptz", nullable: true),
+                logo = table.Column<string>("jsonb", nullable: false, defaultValue: "{}")
             },
             constraints: table => { table.PrimaryKey("pk_tenants", x => x.id); }
         );
diff --git a/application/account/Core/Features/Billing/Queries/GetPaymentHistory.cs b/application/account/Core/Features/Billing/Queries/GetPaymentHistory.cs
@@ -1,6 +1,8 @@
 using Account.Features.Subscriptions.Domain;
+using Account.Features.Users.Domain;
 using JetBrains.Annotations;
 using SharedKernel.Cqrs;
+using SharedKernel.ExecutionContext;
 
 namespace Account.Features.Billing.Queries;
 
@@ -21,11 +23,16 @@ public sealed record PaymentTransactionResponse(
     string? CreditNoteUrl
 );
 
-public sealed class GetPaymentHistoryHandler(ISubscriptionRepository subscriptionRepository)
+public sealed class GetPaymentHistoryHandler(ISubscriptionRepository subscriptionRepository, IExecutionContext executionContext)
     : IRequestHandler<GetPaymentHistoryQuery, Result<PaymentHistoryResponse>>
 {
     public async Task<Result<PaymentHistoryResponse>> Handle(GetPaymentHistoryQuery query, CancellationToken cancellationToken)
     {
+        if (executionContext.UserInfo.Role != nameof(UserRole.Owner))
+        {
+            return Result<PaymentHistoryResponse>.Forbidden("Only owners can view payment history.");
+        }
+
         var subscription = await subscriptionRepository.GetCurrentAsync(cancellationToken);
 
         var allTransactions = subscription.PaymentTransactions
diff --git a/application/account/Core/Features/Subscriptions/Shared/ProcessPendingStripeEvents.cs b/application/account/Core/Features/Subscriptions/Shared/ProcessPendingStripeEvents.cs
@@ -77,6 +77,7 @@ private async Task SyncStateFromStripe(Tenant tenant, Subscription subscription,
         if (customerResult.IsCustomerDeleted)
         {
             subscription.ResetToFreePlan();
+            tenant.UpdatePlan(SubscriptionPlan.Basis);
             tenant.Suspend(SuspensionReason.CustomerDeleted, timeProvider.GetUtcNow());
             tenantRepository.Update(tenant);
             subscriptionRepository.Update(subscription);
@@ -112,6 +113,7 @@ private async Task SyncStateFromStripe(Tenant tenant, Subscription subscription,
         if (stripeState is not null)
         {
             subscription.SetStripeSubscription(stripeState.StripeSubscriptionId, stripeState.Plan, stripeState.CurrentPriceAmount, stripeState.CurrentPriceCurrency, stripeState.CurrentPeriodEnd, stripeState.PaymentMethod);
+            tenant.UpdatePlan(stripeState.Plan);
         }
 
         // Always sync payment transactions from Stripe (via subscription when active, via invoices when cancelled)
@@ -201,18 +203,21 @@ private async Task SyncStateFromStripe(Tenant tenant, Subscription subscription,
         if (subscriptionExpired)
         {
             subscription.ResetToFreePlan();
+            tenant.UpdatePlan(SubscriptionPlan.Basis);
             events.CollectEvent(new SubscriptionExpired(subscription.Id, previousPlan, daysOnCurrentPlan, previousPriceAmount!.Value, -previousPriceAmount.Value, previousPriceCurrency!));
         }
 
         if (subscriptionImmediatelyCancelled)
         {
             subscription.ResetToFreePlan();
+            tenant.UpdatePlan(SubscriptionPlan.Basis);
             events.CollectEvent(new SubscriptionCancelled(subscription.Id, previousPlan, CancellationReason.CancelledByAdmin, 0, daysOnCurrentPlan, previousPriceAmount!.Value, -previousPriceAmount.Value, previousPriceCurrency!));
         }
 
         if (subscriptionSuspended)
         {
             subscription.ResetToFreePlan();
+            tenant.UpdatePlan(SubscriptionPlan.Basis);
             tenant.Suspend(SuspensionReason.PaymentFailed, timeProvider.GetUtcNow());
             events.CollectEvent(new SubscriptionSuspended(subscription.Id, previousPlan, SuspensionReason.PaymentFailed, previousPriceAmount!.Value, -previousPriceAmount.Value, previousPriceCurrency!));
         }
@@ -240,7 +245,8 @@ private async Task SyncStateFromStripe(Tenant tenant, Subscription subscription,
         }
 
         // Persist all aggregate mutations and mark pending events as processed
-        if (subscriptionCreated || subscriptionSuspended)
+        var tenantChanged = stripeState is not null || subscriptionCreated || subscriptionExpired || subscriptionImmediatelyCancelled || subscriptionSuspended;
+        if (tenantChanged)
         {
             tenantRepository.Update(tenant);
         }
diff --git a/application/account/Core/Features/Tenants/Domain/Tenant.cs b/application/account/Core/Features/Tenants/Domain/Tenant.cs
@@ -1,3 +1,4 @@
+using Account.Features.Subscriptions.Domain;
 using SharedKernel.Domain;
 
 namespace Account.Features.Tenants.Domain;
@@ -7,13 +8,16 @@ public sealed class Tenant : SoftDeletableAggregateRoot<TenantId>
     private Tenant() : base(TenantId.NewId())
     {
         State = TenantState.Active;
+        Plan = SubscriptionPlan.Basis;
         Logo = new Logo();
     }
 
     public string Name { get; private set; } = string.Empty;
 
     public TenantState State { get; private set; }
 
+    public SubscriptionPlan Plan { get; private set; }
+
     public SuspensionReason? SuspensionReason { get; private set; }
 
     public DateTimeOffset? SuspendedAt { get; private set; }
@@ -55,6 +59,11 @@ public void RemoveLogo()
     {
         Logo = new Logo(Version: Logo.Version);
     }
+
+    public void UpdatePlan(SubscriptionPlan plan)
+    {
+        Plan = plan;
+    }
 }
 
 public sealed record Logo(string? Url = null, int Version = 0);
diff --git a/application/account/Tests/Authentication/GetUserSessionsTests.cs b/application/account/Tests/Authentication/GetUserSessionsTests.cs
@@ -2,6 +2,7 @@
 using Account.Database;
 using Account.Features.Authentication.Domain;
 using Account.Features.Authentication.Queries;
+using Account.Features.Subscriptions.Domain;
 using FluentAssertions;
 using SharedKernel.Authentication.TokenGeneration;
 using SharedKernel.Domain;
@@ -134,7 +135,8 @@ private long InsertTenant(string name)
                 ("ModifiedAt", null),
                 ("Name", name),
                 ("State", "Active"),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
diff --git a/application/account/Tests/Authentication/SwitchTenantTests.cs b/application/account/Tests/Authentication/SwitchTenantTests.cs
@@ -30,7 +30,8 @@ public async Task SwitchTenant_WhenUserExistsInTargetTenant_ShouldSwitchSuccessf
                 ("ModifiedAt", null),
                 ("Name", tenant2Name),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
@@ -110,7 +111,8 @@ public async Task SwitchTenant_WhenUserDoesNotExistInTargetTenant_ShouldReturnFo
                 ("ModifiedAt", null),
                 ("Name", Faker.Company.CompanyName()),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
@@ -170,7 +172,8 @@ public async Task SwitchTenant_WhenUserEmailNotConfirmed_ShouldConfirmEmail()
                 ("ModifiedAt", null),
                 ("Name", tenant2Name),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
@@ -240,7 +243,8 @@ public async Task SwitchTenant_WhenAcceptingInvite_ShouldCopyProfileData()
                 ("ModifiedAt", null),
                 ("Name", tenant2Name),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
@@ -318,7 +322,8 @@ public async Task SwitchTenant_WhenSessionAlreadyRevoked_ShouldReturnUnauthorize
                 ("ModifiedAt", null),
                 ("Name", Faker.Company.CompanyName()),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
diff --git a/application/account/Tests/Billing/GetPaymentHistoryTests.cs b/application/account/Tests/Billing/GetPaymentHistoryTests.cs
@@ -1,3 +1,4 @@
+using System.Net;
 using System.Net.Http.Json;
 using Account.Database;
 using Account.Features.Billing.Queries;
@@ -38,4 +39,14 @@ public async Task GetPaymentHistory_WhenTransactionsExist_ShouldReturnPaginatedH
         result.Transactions[0].Currency.Should().Be("usd");
         result.Transactions[0].Status.Should().Be(PaymentTransactionStatus.Succeeded);
     }
+
+    [Fact]
+    public async Task GetPaymentHistory_WhenNotOwner_ShouldReturnForbidden()
+    {
+        // Act
+        var response = await AuthenticatedMemberHttpClient.GetAsync("/api/account/billing/payment-history");
+
+        // Assert
+        response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+    }
 }
diff --git a/application/account/Tests/EmailAuthentication/CompleteEmailLoginTests.cs b/application/account/Tests/EmailAuthentication/CompleteEmailLoginTests.cs
@@ -218,7 +218,8 @@ public async Task CompleteEmailLogin_WithValidPreferredTenant_ShouldLoginToPrefe
                 ("ModifiedAt", null),
                 ("Name", Faker.Company.CompanyName()),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
@@ -316,7 +317,8 @@ public async Task CompleteEmailLogin_WithPreferredTenantUserDoesNotHaveAccess_Sh
                 ("ModifiedAt", null),
                 ("Name", Faker.Company.CompanyName()),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
diff --git a/application/account/Tests/ExternalAuthentication/CompleteExternalLoginTests.cs b/application/account/Tests/ExternalAuthentication/CompleteExternalLoginTests.cs
@@ -407,7 +407,8 @@ public async Task CompleteExternalLogin_WithValidPreferredTenant_ShouldLoginToPr
                 ("ModifiedAt", null),
                 ("Name", Faker.Company.CompanyName()),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
@@ -584,7 +585,8 @@ public async Task CompleteExternalLogin_WithPreferredTenantUserDoesNotHaveAccess
                 ("ModifiedAt", null),
                 ("Name", Faker.Company.CompanyName()),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
diff --git a/application/account/Tests/Tenants/GetTenantsForUserTests.cs b/application/account/Tests/Tenants/GetTenantsForUserTests.cs
@@ -2,6 +2,7 @@
 using System.Net.Http.Json;
 using System.Text.Json;
 using Account.Database;
+using Account.Features.Subscriptions.Domain;
 using Account.Features.Tenants.Domain;
 using Account.Features.Tenants.Queries;
 using Account.Features.Users.Domain;
@@ -29,7 +30,8 @@ public async Task GetTenants_UserWithMultipleTenants_ReturnsAllTenants()
                 ("ModifiedAt", null),
                 ("Name", tenant2Name),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
@@ -103,7 +105,8 @@ public async Task GetTenants_CurrentTenantIncluded_VerifyCurrentTenantInResponse
                 ("ModifiedAt", null),
                 ("Name", "Other Tenant"),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
@@ -148,7 +151,8 @@ public async Task GetTenants_UsersOnlySeeTheirOwnTenants_DoesNotReturnOtherUsers
                 ("ModifiedAt", null),
                 ("Name", "Other User Tenant"),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
@@ -194,7 +198,8 @@ public async Task GetTenants_UserWithUnconfirmedEmail_ShowsAsNewTenant()
                 ("ModifiedAt", null),
                 ("Name", tenant2Name),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
diff --git a/application/account/Tests/Users/DeclineInvitationTests.cs b/application/account/Tests/Users/DeclineInvitationTests.cs
@@ -2,6 +2,7 @@
 using System.Net.Http.Json;
 using System.Text.Json;
 using Account.Database;
+using Account.Features.Subscriptions.Domain;
 using Account.Features.Tenants.Domain;
 using Account.Features.Users.Commands;
 using Account.Features.Users.Domain;
@@ -28,7 +29,8 @@ public async Task DeclineInvitation_WhenValidInviteExists_ShouldDeleteUserAndCol
                 ("ModifiedAt", null),
                 ("Name", Faker.Company.CompanyName()),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
@@ -100,7 +102,8 @@ public async Task DeclineInvitation_WhenMultipleInvitesExist_ShouldDeclineSpecif
                 ("ModifiedAt", null),
                 ("Name", Faker.Company.CompanyName()),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 
@@ -110,7 +113,8 @@ public async Task DeclineInvitation_WhenMultipleInvitesExist_ShouldDeclineSpecif
                 ("ModifiedAt", null),
                 ("Name", Faker.Company.CompanyName()),
                 ("State", nameof(TenantState.Active)),
-                ("Logo", """{"Url":null,"Version":0}""")
+                ("Logo", """{"Url":null,"Version":0}"""),
+                ("Plan", nameof(SubscriptionPlan.Basis))
             ]
         );
 

Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,7 @@ private async Task SyncStateFromStripe(Tenant tenant, Subscription subscription,`
`77`	`77`	`if (customerResult.IsCustomerDeleted)`
`78`	`78`	`{`
`79`	`79`	`subscription.ResetToFreePlan();`
	`80`	`+ tenant.UpdatePlan(SubscriptionPlan.Basis);`
`80`	`81`	`tenant.Suspend(SuspensionReason.CustomerDeleted, timeProvider.GetUtcNow());`
`81`	`82`	`tenantRepository.Update(tenant);`
`82`	`83`	`subscriptionRepository.Update(subscription);`
`@@ -112,6 +113,7 @@ private async Task SyncStateFromStripe(Tenant tenant, Subscription subscription,`
`112`	`113`	`if (stripeState is not null)`
`113`	`114`	`{`
`114`	`115`	`subscription.SetStripeSubscription(stripeState.StripeSubscriptionId, stripeState.Plan, stripeState.CurrentPriceAmount, stripeState.CurrentPriceCurrency, stripeState.CurrentPeriodEnd, stripeState.PaymentMethod);`
	`116`	`+ tenant.UpdatePlan(stripeState.Plan);`
`115`	`117`	`}`
`116`	`118`
`117`	`119`	`// Always sync payment transactions from Stripe (via subscription when active, via invoices when cancelled)`
`@@ -201,18 +203,21 @@ private async Task SyncStateFromStripe(Tenant tenant, Subscription subscription,`
`201`	`203`	`if (subscriptionExpired)`
`202`	`204`	`{`
`203`	`205`	`subscription.ResetToFreePlan();`
	`206`	`+ tenant.UpdatePlan(SubscriptionPlan.Basis);`
`204`	`207`	`events.CollectEvent(new SubscriptionExpired(subscription.Id, previousPlan, daysOnCurrentPlan, previousPriceAmount!.Value, -previousPriceAmount.Value, previousPriceCurrency!));`
`205`	`208`	`}`
`206`	`209`
`207`	`210`	`if (subscriptionImmediatelyCancelled)`
`208`	`211`	`{`
`209`	`212`	`subscription.ResetToFreePlan();`
	`213`	`+ tenant.UpdatePlan(SubscriptionPlan.Basis);`
`210`	`214`	`events.CollectEvent(new SubscriptionCancelled(subscription.Id, previousPlan, CancellationReason.CancelledByAdmin, 0, daysOnCurrentPlan, previousPriceAmount!.Value, -previousPriceAmount.Value, previousPriceCurrency!));`
`211`	`215`	`}`
`212`	`216`
`213`	`217`	`if (subscriptionSuspended)`
`214`	`218`	`{`
`215`	`219`	`subscription.ResetToFreePlan();`
	`220`	`+ tenant.UpdatePlan(SubscriptionPlan.Basis);`
`216`	`221`	`tenant.Suspend(SuspensionReason.PaymentFailed, timeProvider.GetUtcNow());`
`217`	`222`	`events.CollectEvent(new SubscriptionSuspended(subscription.Id, previousPlan, SuspensionReason.PaymentFailed, previousPriceAmount!.Value, -previousPriceAmount.Value, previousPriceCurrency!));`
`218`	`223`	`}`
`@@ -240,7 +245,8 @@ private async Task SyncStateFromStripe(Tenant tenant, Subscription subscription,`
`240`	`245`	`}`
`241`	`246`
`242`	`247`	`// Persist all aggregate mutations and mark pending events as processed`
`243`		`- if (subscriptionCreated \|\| subscriptionSuspended)`
	`248`	`+ var tenantChanged = stripeState is not null \|\| subscriptionCreated \|\| subscriptionExpired \|\| subscriptionImmediatelyCancelled \|\| subscriptionSuspended;`
	`249`	`+ if (tenantChanged)`
`244`	`250`	`{`
`245`	`251`	`tenantRepository.Update(tenant);`
`246`	`252`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+using Account.Features.Subscriptions.Domain;`
`1`	`2`	`using SharedKernel.Domain;`
`2`	`3`
`3`	`4`	`namespace Account.Features.Tenants.Domain;`
`@@ -7,13 +8,16 @@ public sealed class Tenant : SoftDeletableAggregateRoot<TenantId>`
`7`	`8`	`private Tenant() : base(TenantId.NewId())`
`8`	`9`	`{`
`9`	`10`	`State = TenantState.Active;`
	`11`	`+ Plan = SubscriptionPlan.Basis;`
`10`	`12`	`Logo = new Logo();`
`11`	`13`	`}`
`12`	`14`
`13`	`15`	`public string Name { get; private set; } = string.Empty;`
`14`	`16`
`15`	`17`	`public TenantState State { get; private set; }`
`16`	`18`
	`19`	`+ public SubscriptionPlan Plan { get; private set; }`
	`20`	`+`
`17`	`21`	`public SuspensionReason? SuspensionReason { get; private set; }`
`18`	`22`
`19`	`23`	`public DateTimeOffset? SuspendedAt { get; private set; }`
`@@ -55,6 +59,11 @@ public void RemoveLogo()`
`55`	`59`	`{`
`56`	`60`	`Logo = new Logo(Version: Logo.Version);`
`57`	`61`	`}`
	`62`	`+`
	`63`	`+ public void UpdatePlan(SubscriptionPlan plan)`
	`64`	`+ {`
	`65`	`+ Plan = plan;`
	`66`	`+ }`
`58`	`67`	`}`
`59`	`68`
`60`	`69`	`public sealed record Logo(string? Url = null, int Version = 0);`