improve upsell behaviour during onboarding

Author: brendan-kellam

packages/web/src/__mocks__/prisma.ts

@@ -40,6 +40,7 @@ export const MOCK_USER_WITH_ACCOUNTS: User & { accounts: Account[] } = {
     updatedAt: new Date(),
     hashedPassword: null,
     emailVerified: null,
+    lastActiveAt: null,
     image: null,
     sessionVersion: 0,
     accounts: [],

packages/web/src/app/onboard/components/trialStep.tsx

@@ -1,9 +1,7 @@
 "use client";
 
 import { useCallback, useEffect, useRef, useState } from "react";
-import { useRouter } from "next/navigation";
-import { Loader2 } from "lucide-react";
-import { Button } from "@/components/ui/button";
+import { useRouter, useSearchParams } from "next/navigation";
 import { LoadingButton } from "@/components/ui/loading-button";
 import { Skeleton } from "@/components/ui/skeleton";
 import { completeOnboarding } from "@/actions";
@@ -66,28 +64,64 @@ export function TrialStepSubtitle() {
 
 interface TrialStepProps {
     memberCount: number;
+    stepIndex: number;
 }
 
-export function TrialStep({ memberCount }: TrialStepProps) {
+export function TrialStep({ memberCount, stepIndex }: TrialStepProps) {
     const { data: offers, isPending, isError } = useOffers();
     const { toast } = useToast();
     const router = useRouter();
+    const searchParams = useSearchParams();
     const captureEvent = useCaptureEvent();
     const [billingInterval, setBillingInterval] = useState<BillingInterval>("year");
     const [isPrimaryLoading, setIsPrimaryLoading] = useState(false);
     const [isSkipLoading, setIsSkipLoading] = useState(false);
 
+    const [isReturningFromCheckoutSuccess, setIsReturningFromCheckoutSuccess] = useState(searchParams.get('checkout') === 'success');
+
     // Fire-once when offers resolve, so isTrialEligible is reliable and react-query
     // refetches don't cause duplicate views.
     const hasCapturedViewRef = useRef(false);
     useEffect(() => {
+        if (isReturningFromCheckoutSuccess) {
+            return;
+        }
         if (offers && !hasCapturedViewRef.current) {
             hasCapturedViewRef.current = true;
             captureEvent('wa_onboard_trial_step_viewed', {
                 isTrialEligible: offers.trial.eligible,
             });
         }
-    }, [offers, captureEvent]);
+    }, [offers, captureEvent, isReturningFromCheckoutSuccess]);
+
+    // Post-checkout: complete onboarding, then forward `session_id` to `/` so
+    // CheckoutReturnHandler (mounted in the (app) layout) can fire the activation
+    // dialog. We defer completeOnboarding until after Stripe actually returns
+    // success — abandoning checkout leaves the user on /onboard to retry.
+    const hasHandledReturnRef = useRef(false);
+    useEffect(() => {
+        if (!isReturningFromCheckoutSuccess || hasHandledReturnRef.current) {
+            return;
+        }
+        hasHandledReturnRef.current = true;
+
+        const sessionId = searchParams.get('session_id');
+        void (async () => {
+            const result = await completeOnboarding();
+            if (isServiceError(result)) {
+                toast({
+                    description: `Failed to complete onboarding: ${result.message}`,
+                    variant: "destructive",
+                });
+                setIsReturningFromCheckoutSuccess(false);
+                return;
+            }
+            const dest = sessionId
+                ? `/?session_id=${encodeURIComponent(sessionId)}`
+                : "/";
+            router.push(dest);
+        })();
+    }, [isReturningFromCheckoutSuccess, searchParams, router, toast]);
 
     const onSkipCheckout = useCallback(async () => {
         setIsSkipLoading(true);
@@ -106,39 +140,24 @@ export function TrialStep({ memberCount }: TrialStepProps) {
     const onCheckout = useCallback(async (requestTrial: boolean) => {
         setIsPrimaryLoading(true);
 
-        // Mark onboarding complete first so the post-checkout return lands inside
-        // the (app) layout where CheckoutReturnHandler can fire. Otherwise the
-        // layout's !isOnboarded guard would bounce them back to /onboard.
-        const completeResult = await completeOnboarding();
-        if (isServiceError(completeResult)) {
-            toast({
-                description: `Failed to complete onboarding: ${completeResult.message}`,
-                variant: "destructive",
-            });
-            setIsPrimaryLoading(false);
-            return;
-        }
-
         const checkoutResult = await createCheckoutSession({
             source: "onboard",
             requestTrial,
             interval: billingInterval,
-            returnPath: "/",
+            returnPath: `/onboard?step=${stepIndex}`,
         });
 
         if (isServiceError(checkoutResult)) {
             toast({
                 description: `Failed to start checkout: ${checkoutResult.message}`,
                 variant: "destructive",
             });
-            // Onboarding is already marked complete — send them to the app where
-            // they can retry the upgrade from /settings/license.
-            router.push("/");
+            setIsPrimaryLoading(false);
             return;
         }
 
         window.location.assign(checkoutResult.url);
-    }, [billingInterval, router, toast]);
+    }, [billingInterval, stepIndex, toast]);
 
     if (isPending) {
         return (
@@ -180,27 +199,27 @@ export function TrialStep({ memberCount }: TrialStepProps) {
             <div className="space-y-2">
                 <LoadingButton
                     onClick={() => onCheckout(isTrialEligible)}
-                    loading={isPrimaryLoading}
+                    loading={isPrimaryLoading || isReturningFromCheckoutSuccess}
                     disabled={isSkipLoading}
                     className="w-full"
                 >
                     {primaryButtonText}
                 </LoadingButton>
-                <Button
+                <LoadingButton
                     variant="ghost"
                     onClick={() => {
                         captureEvent('wa_onboard_trial_step_skipped', { isTrialEligible });
                         onSkipCheckout();
                     }}
-                    disabled={isPrimaryLoading || isSkipLoading}
+                    loading={isSkipLoading}
+                    disabled={
+                        isPrimaryLoading ||
+                        isReturningFromCheckoutSuccess
+                    }
                     className="w-full text-muted-foreground hover:text-foreground"
                 >
-                    {isSkipLoading ? (
-                        <Loader2 className="h-4 w-4 animate-spin" />
-                    ) : (
-                        "Skip for now"
-                    )}
-                </Button>
+                    Skip for now
+                </LoadingButton>
             </div>
 
             {memberCount > 1 && (

packages/web/src/app/onboard/page.tsx

@@ -77,83 +77,87 @@ export default async function Onboarding(props: OnboardingProps) {
         where: { orgId: org.id },
     });
 
-    const steps: OnboardingStep[] = [
-        {
-            id: "welcome",
-            title: "Welcome to Sourcebot",
-            subtitle: "This onboarding flow will guide you through creating your owner account and configuring your organization.",
-            component: (
-                <div className="space-y-6">
-                    <Button asChild className="w-full">
-                        <Link href="/onboard?step=1">Get Started →</Link>
-                    </Button>
-                </div>
-            ),
-        },
-        {
-            id: "owner-signup",
-            title: "Create Owner Account",
-            subtitle: (
-                <>
-                    Use your preferred authentication method to create your owner account. To set up additional authentication providers, check out our{" "}
-                    <a
-                        href="https://docs.sourcebot.dev/docs/configuration/auth/overview"
-                        target="_blank"
-                        rel="noopener"
-                        className="underline text-primary hover:text-primary/80 transition-colors"
-                    >
-                        documentation
-                    </a>.
-                </>
-            ),
-            component: (
-                <div className="space-y-6">
-                    <AuthMethodSelector
-                        callbackUrl="/onboard"
-                        context="signup"
-                        securityNoticeClosable={false}
-                    />
-                </div>
-            ),
-        },
-        {
-            id: "configure-org",
-            title: "Configure Access Settings",
-            subtitle: (
-                <>
-                    Set up your organization&apos;s access settings.{" "}
-                    <a
-                        href="https://docs.sourcebot.dev/docs/configuration/auth/access-settings"
-                        target="_blank"
-                        rel="noopener"
-                        className="underline text-primary hover:text-primary/80 transition-colors"
-                    >
-                        Learn more
-                    </a>
-                </>
-            ),
-            component: (
-                <div className="space-y-6">
-                    <OrganizationAccessSettings />
-                    <Button asChild className="w-full">
-                        <Link href="/onboard?step=3">Continue →</Link>
-                    </Button>
-                </div>
-            ),
-        },
-        isLicensed ? {
-            id: "complete",
-            title: "You're all set",
-            subtitle: "Your Sourcebot deployment is ready to go.",
-            component: <AlreadyLicensedStep />,
-        } : {
-            id: "trial",
-            title: "Try Sourcebot Pro",
-            headerTitle: <TrialStepTitle />,
-            subtitle: <TrialStepSubtitle />,
-            component: <TrialStep memberCount={memberCount} />,
-        },
-    ]
+    const steps: OnboardingStep[] = [];
+
+    steps.push({
+        id: "welcome",
+        title: "Welcome to Sourcebot",
+        subtitle: "This onboarding flow will guide you through creating your owner account and configuring your organization.",
+        component: (
+            <div className="space-y-6">
+                <Button asChild className="w-full">
+                    <Link href={`/onboard?step=${steps.length + 1}`}>Get Started →</Link>
+                </Button>
+            </div>
+        ),
+    });
+
+    steps.push({
+        id: "owner-signup",
+        title: "Create Owner Account",
+        subtitle: (
+            <>
+                Use your preferred authentication method to create your owner account. To set up additional authentication providers, check out our{" "}
+                <a
+                    href="https://docs.sourcebot.dev/docs/configuration/auth/overview"
+                    target="_blank"
+                    rel="noopener"
+                    className="underline text-primary hover:text-primary/80 transition-colors"
+                >
+                    documentation
+                </a>.
+            </>
+        ),
+        component: (
+            <div className="space-y-6">
+                <AuthMethodSelector
+                    callbackUrl={`/onboard?step=${steps.length + 1}`}
+                    context="signup"
+                    securityNoticeClosable={false}
+                />
+            </div>
+        ),
+    });
+
+    steps.push({
+        id: "configure-org",
+        title: "Configure Access Settings",
+        subtitle: (
+            <>
+                Set up your organization&apos;s access settings.{" "}
+                <a
+                    href="https://docs.sourcebot.dev/docs/configuration/auth/access-settings"
+                    target="_blank"
+                    rel="noopener"
+                    className="underline text-primary hover:text-primary/80 transition-colors"
+                >
+                    Learn more
+                </a>
+            </>
+        ),
+        component: (
+            <div className="space-y-6">
+                <OrganizationAccessSettings />
+                <Button asChild className="w-full">
+                    <Link href={`/onboard?step=${steps.length + 1}`}>Continue →</Link>
+                </Button>
+            </div>
+        ),
+    });
+
+    const finalStepIndex = steps.length;
+    steps.push(isLicensed ? {
+        id: "complete",
+        title: "You're all set",
+        subtitle: "Your Sourcebot deployment is ready to go.",
+        component: <AlreadyLicensedStep />,
+    } : {
+        id: "trial",
+        title: "Try Sourcebot Pro",
+        headerTitle: <TrialStepTitle />,
+        subtitle: <TrialStepSubtitle />,
+        component: <TrialStep memberCount={memberCount} stepIndex={finalStepIndex} />,
+    });
 
     const currentStepData = steps[currentStep]
 

packages/web/src/ee/features/lighthouse/actions.ts

@@ -142,18 +142,26 @@ export const createCheckoutSession = async ({
             // Resolve the candidate against AUTH_URL so absolute paths, protocol-
             // relative paths (`//evil.com`), and bare relative paths all get
             // normalized through the URL parser. Reject anything that lands off-
-            // origin or carries its own query / fragment — we own those.
-            let returnPath: string;
+            // origin, carries a fragment, or already uses the reserved query keys
+            // we append below.
+            let returnPathname: string;
+            let returnSearch: string;
             try {
                 const candidate = new URL(_returnPath, env.AUTH_URL);
                 const authOrigin = new URL(env.AUTH_URL).origin;
                 if (candidate.origin !== authOrigin) {
                     throw new Error('returnPath escapes AUTH_URL origin');
                 }
-                if (candidate.search || candidate.hash) {
-                    throw new Error('returnPath must not include query string or fragment');
+                if (candidate.hash) {
+                    throw new Error('returnPath must not include a fragment');
                 }
-                returnPath = candidate.pathname;
+                for (const reservedKey of ['checkout', 'session_id']) {
+                    if (candidate.searchParams.has(reservedKey)) {
+                        throw new Error(`returnPath must not include reserved query parameter: ${reservedKey}`);
+                    }
+                }
+                returnPathname = candidate.pathname;
+                returnSearch = candidate.search;
             } catch {
                 return {
                     statusCode: StatusCodes.BAD_REQUEST,
@@ -166,20 +174,24 @@ export const createCheckoutSession = async ({
                 source,
                 requestTrial,
                 interval,
-                returnPath,
+                returnPath: `${returnPathname}${returnSearch}`,
                 quantity,
             });
 
+            // Build success/cancel URLs as raw strings so Stripe's literal
+            // `{CHECKOUT_SESSION_ID}` placeholder isn't URL-encoded by URL/
+            // URLSearchParams (Stripe substitutes the raw token, not %7B...%7D).
+            const stripeSuccessQuery = 'checkout=success&session_id={CHECKOUT_SESSION_ID}';
+            const successQuerySeparator = returnSearch ? '&' : '?';
+
             const result = await client.checkout({
                 email: user.email,
                 installId: env.SOURCEBOT_INSTALL_ID,
                 quantity,
                 requestTrial,
                 interval,
-                // `{CHECKOUT_SESSION_ID}` is substituted server-side by Stripe at
-                // redirect time with the real session ID.
-                successUrl: `${env.AUTH_URL}${returnPath}?checkout=success&session_id={CHECKOUT_SESSION_ID}`,
-                cancelUrl: `${env.AUTH_URL}${returnPath}`,
+                successUrl: `${env.AUTH_URL}${returnPathname}${returnSearch}${successQuerySeparator}${stripeSuccessQuery}`,
+                cancelUrl: `${env.AUTH_URL}${returnPathname}${returnSearch}`,
             });
 
             if (isServiceError(result)) {