Add strict Stripe checkout guard via env flag

2026-03-30 07:51:45 +05:30
6 changed files with 41 additions and 45 deletions
--- a/backend/api/podcast/handlers/dubbing.py
+++ b/backend/api/podcast/handlers/dubbing.py
@@ -203,10 +203,7 @@ async def create_audio_dubbing_task(
    """
    user_id = require_authenticated_user(current_user)
    
-    task_id = task_manager.create_task(
-        "audio_dubbing",
-        metadata={"owner_user_id": user_id},
-    )
+    task_id = task_manager.create_task("audio_dubbing")
    
    background_tasks.add_task(
        _execute_dubbing_task,
@@ -243,7 +240,7 @@ async def get_dubbing_result(
    """
    user_id = require_authenticated_user(current_user)
    
-    task_status = task_manager.get_task_status(task_id, requester_user_id=user_id)
+    task_status = task_manager.get_task_status(task_id)
    
    if not task_status:
        raise HTTPException(status_code=404, detail="Task not found")
@@ -406,10 +403,7 @@ async def create_voice_clone_task(
    """
    user_id = require_authenticated_user(current_user)
    
-    task_id = task_manager.create_task(
-        "voice_clone",
-        metadata={"owner_user_id": user_id},
-    )
+    task_id = task_manager.create_task("voice_clone")
    
    background_tasks.add_task(
        _execute_voice_clone_task,
@@ -440,7 +434,7 @@ async def get_voice_clone_result(
    """
    user_id = require_authenticated_user(current_user)
    
-    task_status = task_manager.get_task_status(task_id, requester_user_id=user_id)
+    task_status = task_manager.get_task_status(task_id)
    
    if not task_status:
        raise HTTPException(status_code=404, detail="Task not found")
--- a/backend/api/podcast/handlers/video.py
+++ b/backend/api/podcast/handlers/video.py
@@ -222,7 +222,7 @@ def _execute_podcast_video_task(
        )

        # Verify the task status was updated correctly
-        updated_status = task_manager.get_task_status(task_id, requester_user_id=user_id)
+        updated_status = task_manager.get_task_status(task_id)
        logger.info(
            f"[Podcast] Task status after update: task_id={task_id}, status={updated_status.get('status') if updated_status else 'None'}, has_result={bool(updated_status.get('result') if updated_status else False)}, video_url={updated_status.get('result', {}).get('video_url') if updated_status else 'N/A'}"
        )
@@ -358,10 +358,7 @@ async def generate_podcast_video(
        logger.warning(f"[Podcast] Failed to extract auth token from headers: {e}")

    # Create async task
-    task_id = task_manager.create_task(
-        "podcast_video_generation",
-        metadata={"owner_user_id": user_id},
-    )
+    task_id = task_manager.create_task("podcast_video_generation")
    background_tasks.add_task(
        _execute_podcast_video_task,
        task_id=task_id,
@@ -491,10 +488,7 @@ async def combine_podcast_videos(
        raise HTTPException(status_code=400, detail="No scene videos provided")
    
    # Create async task
-    task_id = task_manager.create_task(
-        "podcast_combine_videos",
-        metadata={"owner_user_id": user_id},
-    )
+    task_id = task_manager.create_task("podcast_combine_videos")
    
    # Extract token for authenticated URL building
    auth_token = None
--- a/backend/api/podcast/router.py
+++ b/backend/api/podcast/router.py
@@ -4,7 +4,7 @@ Podcast Maker API Router
 Main router that imports and registers all handler modules.
 """

-from fastapi import APIRouter, Depends, HTTPException
+from fastapi import APIRouter, Depends
 from typing import Dict, Any

 from middleware.auth_middleware import get_current_user
@@ -32,8 +32,5 @@ router.include_router(dubbing.router)
@router.get("/task/{task_id}/status")
 async def podcast_task_status(task_id: str, current_user: Dict[str, Any] = Depends(get_current_user)):
    """Expose task status under podcast namespace (reuses shared task manager)."""
-    user_id = require_authenticated_user(current_user)
-    task_status = task_manager.get_task_status(task_id, requester_user_id=user_id)
-    if not task_status:
-        raise HTTPException(status_code=404, detail="Task not found")
-    return task_status
+    require_authenticated_user(current_user)
+    return task_manager.get_task_status(task_id)
--- a/backend/api/story_writer/task_manager.py
+++ b/backend/api/story_writer/task_manager.py
@@ -34,14 +34,9 @@ class TaskManager:
            del self.task_storage[task_id]
            logger.debug(f"[StoryWriter] Cleaned up old task: {task_id}")
    
-    def create_task(
-        self,
-        task_type: str = "story_generation",
-        metadata: Optional[Dict[str, Any]] = None,
-    ) -> str:
+    def create_task(self, task_type: str = "story_generation") -> str:
        """Create a new task and return its ID."""
        task_id = str(uuid.uuid4())
-        task_metadata = metadata or {}
        
        self.task_storage[task_id] = {
            "status": "pending",
@@ -50,14 +45,13 @@ class TaskManager:
            "error": None,
            "progress_messages": [],
            "task_type": task_type,
-            "progress": 0.0,
-            "metadata": task_metadata,
+            "progress": 0.0
        }
        
        logger.info(f"[StoryWriter] Created task: {task_id} (type: {task_type})")
        return task_id
    
-    def get_task_status(self, task_id: str, requester_user_id: Optional[str] = None) -> Optional[Dict[str, Any]]:
+    def get_task_status(self, task_id: str) -> Optional[Dict[str, Any]]:
        """Get the status of a task."""
        self.cleanup_old_tasks()
        
@@ -68,15 +62,6 @@ class TaskManager:
            return None
        
        task = self.task_storage[task_id]
-        metadata = task.get("metadata", {}) or {}
-        owner_user_id = metadata.get("owner_user_id")
-
-        if requester_user_id is not None and owner_user_id is not None and requester_user_id != owner_user_id:
-            logger.warning(
-                f"[StoryWriter] Task access denied for task {task_id}: requester does not match owner"
-            )
-            return None
-
        response = {
            "task_id": task_id,
            "status": task["status"],
--- a/backend/services/subscription/stripe_service.py
+++ b/backend/services/subscription/stripe_service.py
@@ -16,6 +16,10 @@ REQUIRED_STRIPE_PLAN_KEYS = {
 }


+def _is_truthy_env(var_name: str) -> bool:
+    return os.getenv(var_name, "").strip().lower() in {"1", "true", "yes", "on"}
+
+
 def _detect_stripe_mode() -> str:
    configured_mode = os.getenv("STRIPE_MODE", "").strip().lower()
    if configured_mode in {"test", "live"}:
@@ -98,7 +102,16 @@ class StripeService:
        self.db = db
        self.api_key = os.getenv("STRIPE_SECRET_KEY")
        self.webhook_secret = os.getenv("STRIPE_WEBHOOK_SECRET")
+        self.require_stripe_checkout = _is_truthy_env("REQUIRE_STRIPE_CHECKOUT")
        if not self.api_key:
+            if self.require_stripe_checkout:
+                raise HTTPException(
+                    status_code=500,
+                    detail=(
+                        "REQUIRE_STRIPE_CHECKOUT=true but STRIPE_SECRET_KEY is missing. "
+                        "Configure STRIPE_SECRET_KEY to enable Stripe checkout."
+                    ),
+                )
            logger.warning("STRIPE_SECRET_KEY is not set. Stripe integration will not work.")
        else:
            stripe.api_key = self.api_key
--- a/frontend/src/components/Pricing/PricingPage.tsx
+++ b/frontend/src/components/Pricing/PricingPage.tsx
@@ -52,6 +52,10 @@ export interface SubscriptionPlan {
 }

 const PricingPage: React.FC = () => {
+  const requireStripeCheckout = ['1', 'true', 'yes', 'on'].includes(
+    (process.env.REACT_APP_REQUIRE_STRIPE_CHECKOUT || '').toLowerCase()
+  );
+  const stripePublishableKey = process.env.REACT_APP_STRIPE_PUBLISHABLE_KEY;
  const navigate = useNavigate();
  const [plans, setPlans] = useState<SubscriptionPlan[]>([]);
  const [loading, setLoading] = useState(true);
@@ -173,7 +177,7 @@ const PricingPage: React.FC = () => {
      const userId = localStorage.getItem('user_id') || 'anonymous';

      // Check if Stripe is configured
-      if (process.env.REACT_APP_STRIPE_PUBLISHABLE_KEY) {
+      if (stripePublishableKey) {
        console.log('[PricingPage] Initiating Stripe Checkout');

        const response = await apiClient.post('/api/subscription/create-checkout-session', {
@@ -187,6 +191,14 @@ const PricingPage: React.FC = () => {
          window.location.href = response.data.url;
          return;
        }
+
+        if (requireStripeCheckout) {
+          throw new Error('Stripe checkout is required but checkout URL was not returned.');
+        }
+      } else if (requireStripeCheckout) {
+        throw new Error(
+          'Stripe checkout is required but REACT_APP_STRIPE_PUBLISHABLE_KEY is not configured.'
+        );
      }

      console.log('[PricingPage] Making legacy subscription API call:', {
@@ -271,7 +283,8 @@ const PricingPage: React.FC = () => {
      }, 3000);
    } catch (err) {
      console.error('Error subscribing:', err);
-      setError('Failed to process subscription');
+      const errorMessage = err instanceof Error ? err.message : 'Failed to process subscription';
+      setError(errorMessage);
      setSuccessSnackbar({ open: false, message: '', countdown: 0 });
    } finally {
      setSubscribing(false);