Merge pull request #2756 from trycompai/fix/move-stripe-auto-approve-to-api

refactor(stripe): move upgrade-page auto-approval into API

Author: tofikwest

apps/api/src/app.module.ts

@@ -14,6 +14,7 @@ import { awsConfig } from './config/aws.config';
 import { betterAuthConfig } from './config/better-auth.config';
 import { HealthModule } from './health/health.module';
 import { OrganizationModule } from './organization/organization.module';
+import { OrganizationAccessModule } from './organization-access/organization-access.module';
 import { PoliciesModule } from './policies/policies.module';
 import { RisksModule } from './risks/risks.module';
 import { TasksModule } from './tasks/tasks.module';
@@ -74,6 +75,7 @@ import { BillingModule } from './billing/billing.module';
     ]),
     AuthModule,
     OrganizationModule,
+    OrganizationAccessModule,
     PeopleModule,
     RisksModule,
     VendorsModule,

apps/api/src/organization-access/organization-access.controller.ts

@@ -0,0 +1,44 @@
+import {
+  Controller,
+  HttpCode,
+  HttpStatus,
+  Post,
+  UseGuards,
+} from '@nestjs/common';
+import { ApiOperation, ApiTags } from '@nestjs/swagger';
+import { AuthContext, OrganizationId } from '../auth/auth-context.decorator';
+import { HybridAuthGuard } from '../auth/hybrid-auth.guard';
+import { PermissionGuard } from '../auth/permission.guard';
+import { RequirePermission } from '../auth/require-permission.decorator';
+import type { AuthContext as AuthContextType } from '../auth/types';
+import {
+  AutoApproveResult,
+  OrganizationAccessService,
+} from './organization-access.service';
+
+@ApiTags('Organization')
+@Controller({ path: 'organization-access', version: '1' })
+@UseGuards(HybridAuthGuard, PermissionGuard)
+export class OrganizationAccessController {
+  constructor(
+    private readonly organizationAccessService: OrganizationAccessService,
+  ) {}
+
+  @Post('auto-approve')
+  @HttpCode(HttpStatus.OK)
+  @RequirePermission('organization', 'update')
+  @ApiOperation({
+    summary: 'Auto-approve organization access via domain or self-hosted check',
+    description:
+      'Grants hasAccess on the active organization if the requesting user is an internal trycomp.ai user, the deployment is self-hosted, or the user email domain matches the organization website domain and is an active Stripe customer.',
+  })
+  async autoApprove(
+    @OrganizationId() organizationId: string,
+    @AuthContext() authContext: AuthContextType,
+  ): Promise<AutoApproveResult> {
+    return this.organizationAccessService.autoApproveAccess({
+      organizationId,
+      userEmail: authContext.userEmail,
+    });
+  }
+}

apps/api/src/organization-access/organization-access.module.ts

@@ -0,0 +1,11 @@
+import { Module } from '@nestjs/common';
+import { AuthModule } from '../auth/auth.module';
+import { OrganizationAccessController } from './organization-access.controller';
+import { OrganizationAccessService } from './organization-access.service';
+
+@Module({
+  imports: [AuthModule],
+  controllers: [OrganizationAccessController],
+  providers: [OrganizationAccessService],
+})
+export class OrganizationAccessModule {}

apps/api/src/organization-access/organization-access.service.spec.ts

@@ -0,0 +1,239 @@
+import { NotFoundException } from '@nestjs/common';
+import { db } from '@db';
+import { OrganizationAccessService } from './organization-access.service';
+
+jest.mock('@db', () => ({
+  db: {
+    organization: {
+      findUnique: jest.fn(),
+      update: jest.fn(),
+    },
+  },
+}));
+
+const mockedDb = db as unknown as {
+  organization: {
+    findUnique: jest.Mock;
+    update: jest.Mock;
+  };
+};
+
+const buildService = (
+  overrides: Partial<{ isDomainActiveCustomer: jest.Mock }> = {},
+) => {
+  const isDomainActiveCustomer =
+    overrides.isDomainActiveCustomer ?? jest.fn().mockResolvedValue(false);
+  const stripeService = { isDomainActiveCustomer } as never;
+  return {
+    service: new OrganizationAccessService(stripeService),
+    isDomainActiveCustomer,
+  };
+};
+
+describe('OrganizationAccessService', () => {
+  const ORIGINAL_SELF_HOSTED = process.env.SELF_HOSTED;
+  const ORIGINAL_NEXT_SELF_HOSTED = process.env.NEXT_PUBLIC_SELF_HOSTED;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    delete process.env.SELF_HOSTED;
+    delete process.env.NEXT_PUBLIC_SELF_HOSTED;
+    mockedDb.organization.update.mockResolvedValue({});
+  });
+
+  afterAll(() => {
+    if (ORIGINAL_SELF_HOSTED === undefined) {
+      delete process.env.SELF_HOSTED;
+    } else {
+      process.env.SELF_HOSTED = ORIGINAL_SELF_HOSTED;
+    }
+    if (ORIGINAL_NEXT_SELF_HOSTED === undefined) {
+      delete process.env.NEXT_PUBLIC_SELF_HOSTED;
+    } else {
+      process.env.NEXT_PUBLIC_SELF_HOSTED = ORIGINAL_NEXT_SELF_HOSTED;
+    }
+  });
+
+  it('throws NotFoundException when org does not exist', async () => {
+    mockedDb.organization.findUnique.mockResolvedValue(null);
+    const { service } = buildService();
+
+    await expect(
+      service.autoApproveAccess({
+        organizationId: 'org_x',
+        userEmail: 'a@b.com',
+      }),
+    ).rejects.toBeInstanceOf(NotFoundException);
+  });
+
+  it('returns already-has-access without writing when org has access', async () => {
+    mockedDb.organization.findUnique.mockResolvedValue({
+      id: 'org_1',
+      hasAccess: true,
+      website: 'acme.com',
+    });
+    const { service } = buildService();
+
+    const result = await service.autoApproveAccess({
+      organizationId: 'org_1',
+      userEmail: 'user@acme.com',
+    });
+
+    expect(result).toEqual({
+      hasAccess: true,
+      autoApproved: false,
+      reason: 'already-has-access',
+    });
+    expect(mockedDb.organization.update).not.toHaveBeenCalled();
+  });
+
+  it('grants on self-hosted via SELF_HOSTED env', async () => {
+    process.env.SELF_HOSTED = 'true';
+    mockedDb.organization.findUnique.mockResolvedValue({
+      id: 'org_1',
+      hasAccess: false,
+      website: null,
+    });
+    const { service, isDomainActiveCustomer } = buildService();
+
+    const result = await service.autoApproveAccess({
+      organizationId: 'org_1',
+      userEmail: 'user@gmail.com',
+    });
+
+    expect(result).toEqual({
+      hasAccess: true,
+      autoApproved: true,
+      reason: 'self-hosted',
+    });
+    expect(mockedDb.organization.update).toHaveBeenCalledWith({
+      where: { id: 'org_1' },
+      data: { hasAccess: true },
+    });
+    expect(isDomainActiveCustomer).not.toHaveBeenCalled();
+  });
+
+  it('grants on @trycomp.ai email without consulting Stripe', async () => {
+    mockedDb.organization.findUnique.mockResolvedValue({
+      id: 'org_1',
+      hasAccess: false,
+      website: 'acme.com',
+    });
+    const { service, isDomainActiveCustomer } = buildService();
+
+    const result = await service.autoApproveAccess({
+      organizationId: 'org_1',
+      userEmail: 'tofik@trycomp.ai',
+    });
+
+    expect(result).toEqual({
+      hasAccess: true,
+      autoApproved: true,
+      reason: 'trycomp-email',
+    });
+    expect(isDomainActiveCustomer).not.toHaveBeenCalled();
+    expect(mockedDb.organization.update).toHaveBeenCalled();
+  });
+
+  it('grants when user email domain matches org website AND is an active Stripe customer', async () => {
+    mockedDb.organization.findUnique.mockResolvedValue({
+      id: 'org_1',
+      hasAccess: false,
+      website: 'https://acme.com',
+    });
+    const { service, isDomainActiveCustomer } = buildService({
+      isDomainActiveCustomer: jest.fn().mockResolvedValue(true),
+    });
+
+    const result = await service.autoApproveAccess({
+      organizationId: 'org_1',
+      userEmail: 'cfo@acme.com',
+    });
+
+    expect(result).toEqual({
+      hasAccess: true,
+      autoApproved: true,
+      reason: 'stripe-customer',
+    });
+    expect(isDomainActiveCustomer).toHaveBeenCalledWith('acme.com');
+    expect(mockedDb.organization.update).toHaveBeenCalled();
+  });
+
+  it('does not grant when domain matches but Stripe says not an active customer', async () => {
+    mockedDb.organization.findUnique.mockResolvedValue({
+      id: 'org_1',
+      hasAccess: false,
+      website: 'acme.com',
+    });
+    const { service } = buildService({
+      isDomainActiveCustomer: jest.fn().mockResolvedValue(false),
+    });
+
+    const result = await service.autoApproveAccess({
+      organizationId: 'org_1',
+      userEmail: 'cfo@acme.com',
+    });
+
+    expect(result).toEqual({
+      hasAccess: false,
+      autoApproved: false,
+      reason: 'not-eligible',
+    });
+    expect(mockedDb.organization.update).not.toHaveBeenCalled();
+  });
+
+  it('does not grant when user email domain mismatches org website', async () => {
+    mockedDb.organization.findUnique.mockResolvedValue({
+      id: 'org_1',
+      hasAccess: false,
+      website: 'acme.com',
+    });
+    const { service, isDomainActiveCustomer } = buildService();
+
+    const result = await service.autoApproveAccess({
+      organizationId: 'org_1',
+      userEmail: 'cfo@example.com',
+    });
+
+    expect(result.autoApproved).toBe(false);
+    expect(result.reason).toBe('not-eligible');
+    expect(isDomainActiveCustomer).not.toHaveBeenCalled();
+  });
+
+  it('does not grant when user domain is a public mailbox provider', async () => {
+    mockedDb.organization.findUnique.mockResolvedValue({
+      id: 'org_1',
+      hasAccess: false,
+      website: 'gmail.com', // pathological — even if website "matches", we refuse
+    });
+    const { service, isDomainActiveCustomer } = buildService();
+
+    const result = await service.autoApproveAccess({
+      organizationId: 'org_1',
+      userEmail: 'someone@gmail.com',
+    });
+
+    expect(result.autoApproved).toBe(false);
+    expect(isDomainActiveCustomer).not.toHaveBeenCalled();
+  });
+
+  it('does not grant when user email is missing', async () => {
+    mockedDb.organization.findUnique.mockResolvedValue({
+      id: 'org_1',
+      hasAccess: false,
+      website: 'acme.com',
+    });
+    const { service } = buildService();
+
+    const result = await service.autoApproveAccess({
+      organizationId: 'org_1',
+      userEmail: undefined,
+    });
+
+    expect(result).toEqual({
+      hasAccess: false,
+      autoApproved: false,
+      reason: 'not-eligible',
+    });
+  });
+});