Create stripe customer IDs for users when syncing identity (#348)

devksingh4 · coderabbitai[bot] · web-flow · commit cfe9bb8d4dab · 2025-10-26T22:24:22.000-05:00
&lt;!-- This is an auto-generated comment: release notes by coderabbit.ai
--&gt;

## Summary by CodeRabbit

* **New Features**
* Added customer profile integration with Stripe checkout for improved
payment session management.

* **Bug Fixes**
* Enhanced profile synchronization to reliably maintain customer data
during checkout operations.

* **Improvements**
* Refined checkout flow to leverage user customer profiles for more
consistent transaction handling.

&lt;!-- end of auto-generated comment: release notes by coderabbit.ai --&gt;

---------

Co-authored-by: coderabbitai[bot] &lt;136622811+coderabbitai[bot]@users.noreply.github.com&gt;
diff --git a/src/api/functions/identity.ts b/src/api/functions/identity.ts
@@ -0,0 +1,49 @@
+import { DynamoDBClient, GetItemCommand } from "@aws-sdk/client-dynamodb";
+import { unmarshall } from "@aws-sdk/util-dynamodb";
+import { ValidLoggers } from "api/types.js";
+import { genericConfig } from "common/config.js";
+
+export interface UserIdentity {
+  id: string;
+  uinHash?: string;
+  netId?: string;
+  firstName?: string;
+  lastName?: string;
+  stripeCustomerId?: string;
+  updatedAt?: string;
+}
+
+export interface GetUserIdentityInputs {
+  netId: string;
+  dynamoClient: DynamoDBClient;
+  logger: ValidLoggers;
+}
+
+export async function getUserIdentity({
+  netId,
+  dynamoClient,
+  logger,
+}: GetUserIdentityInputs): Promise<UserIdentity | null> {
+  const userId = `${netId}@illinois.edu`;
+
+  try {
+    const result = await dynamoClient.send(
+      new GetItemCommand({
+        TableName: genericConfig.UserInfoTable,
+        Key: {
+          id: { S: userId },
+        },
+        ConsistentRead: true,
+      }),
+    );
+
+    if (!result.Item) {
+      logger.info(`No user found for netId: ${netId}`);
+      return null;
+    }
+    return unmarshall(result.Item) as UserIdentity;
+  } catch (error) {
+    logger.error(`Error fetching user identity for ${netId}: ${error}`);
+    throw error;
+  }
+}
diff --git a/src/api/functions/stripe.ts b/src/api/functions/stripe.ts
@@ -1,3 +1,4 @@
+import { isProd } from "api/utils.js";
 import { InternalServerError, ValidationError } from "common/errors/index.js";
 import { capitalizeFirstLetter } from "common/types/roomRequest.js";
 import Stripe from "stripe";
@@ -23,6 +24,18 @@ export type StripeCheckoutSessionCreateParams = {
   customFields?: Stripe.Checkout.SessionCreateParams.CustomField[];
 };
 
+export type StripeCheckoutSessionCreateWithCustomerParams = {
+  successUrl?: string;
+  returnUrl?: string;
+  customerId: string;
+  stripeApiKey: string;
+  items: { price: string; quantity: number }[];
+  initiator: string;
+  metadata?: Record<string, string>;
+  allowPromotionCodes: boolean;
+  customFields?: Stripe.Checkout.SessionCreateParams.CustomField[];
+};
+
 /**
  * Create a Stripe payment link for an invoice. Note that invoiceAmountUsd MUST IN CENTS!!
  * @param {StripeLinkCreateParams} options
@@ -107,6 +120,44 @@ export const createCheckoutSession = async ({
   return session.url;
 };
 
+export const createCheckoutSessionWithCustomer = async ({
+  successUrl,
+  returnUrl,
+  stripeApiKey,
+  customerId,
+  items,
+  initiator,
+  allowPromotionCodes,
+  customFields,
+  metadata,
+}: StripeCheckoutSessionCreateWithCustomerParams): Promise<string> => {
+  const stripe = new Stripe(stripeApiKey);
+  const payload: Stripe.Checkout.SessionCreateParams = {
+    success_url: successUrl || "",
+    cancel_url: returnUrl || "",
+    payment_method_types: ["card"],
+    line_items: items.map((item) => ({
+      price: item.price,
+      quantity: item.quantity,
+    })),
+    mode: "payment",
+    customer: customerId,
+    metadata: {
+      ...(metadata || {}),
+      initiator,
+    },
+    allow_promotion_codes: allowPromotionCodes,
+    custom_fields: customFields,
+  };
+  const session = await stripe.checkout.sessions.create(payload);
+  if (!session.url) {
+    throw new InternalServerError({
+      message: "Could not create Stripe checkout session.",
+    });
+  }
+  return session.url;
+};
+
 export const deactivateStripeLink = async ({
   linkId,
   stripeApiKey,
@@ -244,3 +295,33 @@ export const getPaymentMethodDescriptionString = ({
       return `${friendlyName} (${cardBrandMap[cardPresentData.brand || "unknown"]} ending in ${cardPresentData.last4})`;
   }
 };
+
+export type StripeCustomerCreateParams = {
+  email: string;
+  name: string;
+  stripeApiKey: string;
+  metadata?: Record<string, string>;
+  idempotencyKey?: string;
+};
+
+export const createStripeCustomer = async ({
+  email,
+  name,
+  stripeApiKey,
+  metadata,
+  idempotencyKey,
+}: StripeCustomerCreateParams): Promise<string> => {
+  const stripe = new Stripe(stripeApiKey, { maxNetworkRetries: 2 });
+  const customer = await stripe.customers.create(
+    {
+      email,
+      name,
+      metadata: {
+        ...(metadata ?? {}),
+        ...(isProd ? {} : { environment: process.env.RunEnvironment }),
+      },
+    },
+    idempotencyKey ? { idempotencyKey } : undefined,
+  );
+  return customer.id;
+};
diff --git a/src/api/functions/sync.ts b/src/api/functions/sync.ts
@@ -2,14 +2,22 @@ import {
   UpdateItemCommand,
   type DynamoDBClient,
 } from "@aws-sdk/client-dynamodb";
+import { Redis, ValidLoggers } from "api/types.js";
 import { genericConfig } from "common/config.js";
+import { createLock, IoredisAdapter } from "redlock-universal";
+import { createStripeCustomer } from "./stripe.js";
+import { InternalServerError } from "common/errors/index.js";
+import { unmarshall } from "@aws-sdk/util-dynamodb";
 
 export interface SyncFullProfileInputs {
   uinHash: string;
   netId: string;
   firstName: string;
   lastName: string;
   dynamoClient: DynamoDBClient;
+  redisClient: Redis;
+  stripeApiKey: string;
+  logger: ValidLoggers;
 }
 
 export async function syncFullProfile({
@@ -18,29 +26,85 @@ export async function syncFullProfile({
   firstName,
   lastName,
   dynamoClient,
+  redisClient,
+  stripeApiKey,
+  logger,
 }: SyncFullProfileInputs) {
-  return dynamoClient.send(
-    new UpdateItemCommand({
-      TableName: genericConfig.UserInfoTable,
-      Key: {
-        id: { S: `${netId}@illinois.edu` },
-      },
-      UpdateExpression:
-        "SET #uinHash = :uinHash, #netId = :netId, #updatedAt = :updatedAt, #firstName = :firstName, #lastName = :lastName",
-      ExpressionAttributeNames: {
-        "#uinHash": "uinHash",
-        "#netId": "netId",
-        "#updatedAt": "updatedAt",
-        "#firstName": "firstName",
-        "#lastName": "lastName",
-      },
-      ExpressionAttributeValues: {
-        ":uinHash": { S: uinHash },
-        ":netId": { S: netId },
-        ":firstName": { S: firstName },
-        ":lastName": { S: lastName },
-        ":updatedAt": { S: new Date().toISOString() },
-      },
-    }),
-  );
+  const lock = createLock({
+    adapter: new IoredisAdapter(redisClient),
+    key: `userSync:${netId}`,
+    retryAttempts: 5,
+    retryDelay: 300,
+  });
+
+  return await lock.using(async (signal) => {
+    const userId = `${netId}@illinois.edu`;
+    const updateResult = await dynamoClient.send(
+      new UpdateItemCommand({
+        TableName: genericConfig.UserInfoTable,
+        Key: {
+          id: { S: userId },
+        },
+        UpdateExpression:
+          "SET #uinHash = :uinHash, #netId = :netId, #updatedAt = :updatedAt, #firstName = :firstName, #lastName = :lastName",
+        ExpressionAttributeNames: {
+          "#uinHash": "uinHash",
+          "#netId": "netId",
+          "#updatedAt": "updatedAt",
+          "#firstName": "firstName",
+          "#lastName": "lastName",
+        },
+        ExpressionAttributeValues: {
+          ":uinHash": { S: uinHash },
+          ":netId": { S: netId },
+          ":firstName": { S: firstName },
+          ":lastName": { S: lastName },
+          ":updatedAt": { S: new Date().toISOString() },
+        },
+        ReturnValues: "ALL_NEW",
+      }),
+    );
+
+    const stripeCustomerId = updateResult.Attributes?.stripeCustomerId?.S;
+
+    if (!stripeCustomerId) {
+      if (signal.aborted) {
+        throw new InternalServerError({
+          message:
+            "Checked on lock before creating Stripe customer, we've lost the lock!",
+        });
+      }
+      const newStripeCustomerId = await createStripeCustomer({
+        email: userId,
+        name: `${firstName} ${lastName}`,
+        stripeApiKey,
+      });
+      logger.info(`Created new Stripe customer for ${userId}.`);
+      const newInfo = await dynamoClient.send(
+        new UpdateItemCommand({
+          TableName: genericConfig.UserInfoTable,
+          Key: {
+            id: { S: userId },
+          },
+          UpdateExpression: "SET #stripeCustomerId = :stripeCustomerId",
+          ExpressionAttributeNames: {
+            "#stripeCustomerId": "stripeCustomerId",
+          },
+          ExpressionAttributeValues: {
+            ":stripeCustomerId": { S: newStripeCustomerId },
+          },
+          ReturnValues: "ALL_NEW",
+        }),
+      );
+      return newInfo && newInfo.Attributes
+        ? unmarshall(newInfo.Attributes)
+        : updateResult && updateResult.Attributes
+          ? unmarshall(updateResult.Attributes)
+          : undefined;
+    }
+
+    return updateResult && updateResult.Attributes
+      ? unmarshall(updateResult.Attributes)
+      : undefined;
+  });
 }
diff --git a/src/api/routes/syncIdentity.ts b/src/api/routes/syncIdentity.ts
@@ -19,6 +19,7 @@ import {
   resolveEmailToOid,
 } from "api/functions/entraId.js";
 import { syncFullProfile } from "api/functions/sync.js";
+import { getUserIdentity, UserIdentity } from "api/functions/identity.js";
 
 const syncIdentityPlugin: FastifyPluginAsync = async (fastify, _options) => {
   const getAuthorizedClients = async () => {
@@ -109,6 +110,9 @@ const syncIdentityPlugin: FastifyPluginAsync = async (fastify, _options) => {
           lastName: surname,
           netId,
           dynamoClient: fastify.dynamoClient,
+          redisClient: fastify.redisClient,
+          stripeApiKey: fastify.secretConfig.stripe_secret_key,
+          logger: request.log,
         });
         let isPaidMember = await checkPaidMembershipFromRedis(
           netId,
@@ -123,7 +127,7 @@ const syncIdentityPlugin: FastifyPluginAsync = async (fastify, _options) => {
         }
         if (isPaidMember) {
           const username = `${netId}@illinois.edu`;
-          request.log.info("User is paid member, syncing profile!");
+          request.log.info("User is paid member, syncing Entra user!");
           const entraIdToken = await getEntraIdToken({
             clients: await getAuthorizedClients(),
             clientId: fastify.environmentConfig.AadValidClientId,
@@ -141,6 +145,66 @@ const syncIdentityPlugin: FastifyPluginAsync = async (fastify, _options) => {
         return reply.status(201).send();
       },
     );
+    fastify.withTypeProvider<FastifyZodOpenApiTypeProvider>().get(
+      "/isRequired",
+      {
+        schema: withTags(["Generic"], {
+          headers: z.object({
+            "x-uiuc-token": z.jwt().min(1).meta({
+              description:
+                "An access token for the user in the UIUC Entra ID tenant.",
+            }),
+          }),
+          summary: "Check if a user needs a full user identity sync.",
+          response: {
+            200: {
+              description: "The status was retrieved.",
+              content: {
+                "application/json": {
+                  schema: z.object({
+                    syncRequired: z.boolean().default(false),
+                  }),
+                },
+              },
+            },
+            403: notAuthenticatedError,
+          },
+        }),
+      },
+      async (request, reply) => {
+        const accessToken = request.headers["x-uiuc-token"];
+        const verifiedData = await verifyUiucAccessToken({
+          accessToken,
+          logger: request.log,
+        });
+        const { userPrincipalName: upn, givenName, surname } = verifiedData;
+        const netId = upn.replace("@illinois.edu", "");
+        if (netId.includes("@")) {
+          request.log.error(
+            `Found UPN ${upn} which cannot be turned into NetID via simple replacement.`,
+          );
+          throw new ValidationError({
+            message: "ID token could not be parsed.",
+          });
+        }
+        const userIdentity = await getUserIdentity({
+          netId,
+          dynamoClient: fastify.dynamoClient,
+          logger: request.log,
+        });
+
+        const requiredFields: (keyof UserIdentity)[] = [
+          "uinHash",
+          "firstName",
+          "lastName",
+          "stripeCustomerId",
+        ];
+
+        const syncRequired =
+          !userIdentity || requiredFields.some((field) => !userIdentity[field]);
+        return reply.send({ syncRequired });
+      },
+    );
   };
   fastify.register(limitedRoutes);
 };
diff --git a/src/api/routes/v2/membership.ts b/src/api/routes/v2/membership.ts
diff --git a/src/api/utils.ts b/src/api/utils.ts
