pieced/pieced-portal
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Phase7: Void/Refund logic
Some checks failed
Build and Push / build (push) Failing after 52s
Details

Browse Source
This commit is contained in:
admin
2026-05-25 21:54:51 +02:00
parent 9cd9879a18
commit e15a668f8e
19 changed files with 2679 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

368
src/lib/billing.ts
View File

@@ -30,6 +30,7 @@
*/
import type {
CreditNote,
Invoice,
InvoiceBillingSnapshot,
InvoiceDraft,
@@ -44,6 +45,8 @@ import type {
TenantSuspensionEvent,
} from "@/types";
import {
attachCreditNotePdf,
createCreditNote,
createInvoice,
getInvoiceById,
getOrgBilling,
@@ -53,6 +56,8 @@ import {
listSkillEventsForTenant,
listSkillPricing,
listSuspensionEventsForTenant,
markInvoiceVoided,
recordInvoiceRefund,
tenantHasSetupFeeBilled,
tenantSkillHasBeenBilled,
updateInvoicePdf,
@@ -61,7 +66,9 @@ import { listTenants } from "./k8s";
import { getTeamSpendLogsV2 } from "./litellm";
import { getUsage as getThreemaUsage } from "./threema-relay";
import { renderInvoicePdf } from "./billing-pdf";
import { sendInvoiceIssuedEmail } from "./email";
import { renderCreditNotePdf } from "./credit-note-pdf";
import { sendCreditNoteEmail, sendInvoiceIssuedEmail } from "./email";
import { createInvoiceRefund } from "./stripe";
import { formatLineDescription } from "./billing-i18n";
// ---------------------------------------------------------------------------
@@ -836,3 +843,362 @@ export async function generateInvoice(opts: {
);
}
}
// ---------------------------------------------------------------------------
// Phase 7 — void and refund orchestration
// ---------------------------------------------------------------------------
export class VoidNotAllowedError extends Error {
constructor(message: string, public readonly currentStatus: string) {
super(message);
this.name = "VoidNotAllowedError";
}
}
export class RefundNotAllowedError extends Error {
constructor(message: string, public readonly currentStatus: string) {
super(message);
this.name = "RefundNotAllowedError";
}
}
/**
* Sanitize a locale string to the supported four. Used when picking
* which translation block to render emails/PDFs with. We never
* fall back to admin's locale here — the credit note inherits the
* invoice's locale so both documents read consistently to the
* customer.
*/
function pickSupportedLocale(
locale: string | null | undefined
): "de" | "en" | "fr" | "it" {
const supported = ["de", "en", "fr", "it"] as const;
return (supported as readonly string[]).includes(locale ?? "")
? (locale as "de" | "en" | "fr" | "it")
: "de";
}
/**
* Round a CHF amount to 2 decimal places. Used when proportionally
* splitting VAT between subtotal and refund amount — avoids
* accumulating fractional rappen across operations.
*/
function roundChf(amount: number): number {
return Math.round(amount * 100) / 100;
}
/**
* Void an unpaid invoice. State transition: open/overdue → void.
*
* Side effects, in order:
* 1. Mark the invoice voided (status, void_reason, voided_at, voided_by)
* 2. Insert credit_notes row (kind='void', amount=full invoice total)
* 3. Render the credit-note PDF and attach it to the row
* 4. Best-effort email to the billing contact
*
* Not allowed:
* - status='paid' (use refundInvoice instead — voiding paid
* invoices would create a record mismatch with the payment
* processor)
* - status='void' (already voided)
* - status='draft' (drafts aren't issued; nothing to void)
* - status='partially_refunded' / 'fully_refunded' (use refund
* for the remaining amount instead)
*
* Throws VoidNotAllowedError if the invoice is in a non-voidable
* state. Caller surfaces this as 409 Conflict to the admin.
*/
export async function voidInvoice(params: {
invoiceId: string;
reason: string;
voidedBy: string;
}): Promise<CreditNote> {
const invoice = await getInvoiceById(params.invoiceId);
if (!invoice) {
throw new Error(`Invoice not found: ${params.invoiceId}`);
}
// Only unpaid invoices can be voided. The state machine puts
// paid invoices on the refund path; voiding them would skip the
// payment reversal and leave the customer's money in our account
// with no obligation showing in the portal.
if (!["open", "overdue"].includes(invoice.status)) {
throw new VoidNotAllowedError(
`Cannot void invoice in status '${invoice.status}'. Voids are allowed only for open or overdue invoices; paid invoices must be refunded.`,
invoice.status
);
}
const locale = pickSupportedLocale(invoice.locale);
// The credit note matches the invoice 1:1 in amount and VAT.
// We carry the same VAT breakdown so the PDF can render
// "subtotal + VAT" the same way the original invoice did.
const creditNote = await createCreditNote({
invoiceId: invoice.id,
zitadelOrgId: invoice.zitadelOrgId,
kind: "void",
amountChf: invoice.totalChf,
vatAmountChf: invoice.vatAmountChf,
reason: params.reason || null,
issuedBy: params.voidedBy,
locale,
billingSnapshot: invoice.billingSnapshot,
});
// Mark invoice voided AFTER the credit note row exists, so the
// status change has a credit note to point at. If anything below
// here fails (PDF render, email), the invoice is still correctly
// voided and the credit note row exists — just without a PDF
// until manually re-rendered.
await markInvoiceVoided({
invoiceId: invoice.id,
reason: params.reason,
voidedBy: params.voidedBy,
});
// Render PDF + attach. PDF failure here doesn't undo the void —
// the customer can be told their invoice is voided and the PDF
// can be re-issued later. We surface the error in the response
// so admin knows to retry, but the void itself stands.
try {
const pdfBuffer = await renderCreditNotePdf(creditNote, invoice);
const filename = `${creditNote.creditNoteNumber}.pdf`;
await attachCreditNotePdf(creditNote.id, pdfBuffer, filename);
} catch (e) {
console.error(
`Credit note ${creditNote.creditNoteNumber} created but PDF render failed; re-render manually.`,
e
);
}
// Best-effort email. Same fail-soft pattern as invoice issuance.
try {
const snap = invoice.billingSnapshot;
if (snap.billingEmail) {
await sendCreditNoteEmail({
to: snap.billingEmail,
contactName: snap.contactName || snap.companyName,
companyName: snap.companyName,
creditNoteNumber: creditNote.creditNoteNumber,
invoiceNumber: invoice.invoiceNumber,
amountChf: creditNote.amountChf,
currency: "CHF",
kind: "void",
reason: params.reason || null,
locale,
});
}
} catch (e) {
console.error(
`Credit note ${creditNote.creditNoteNumber} issued; email send failed.`,
e
);
}
return creditNote;
}
/**
* Refund a paid invoice (in part or in full). State transition:
* paid → partially_refunded (if amount < remaining)
* paid → fully_refunded (if amount >= remaining)
* partially_refunded → fully_refunded (if cumulative >= total)
*
* Side effects, in order:
* 1. If the invoice was Stripe-paid (payment_method='card' with a
* stripe_payment_intent_id) AND no `existingStripeRefund` was
* passed, call Stripe to issue the refund. Stripe is the source
* of truth for actual money movement; we mirror its outcome
* locally.
* 2. Insert credit_notes row (kind='refund', amount=refund amount,
* VAT proportional)
* 3. Insert invoice_refunds row, linking to the credit note and to
* the Stripe refund (if any). recordInvoiceRefund updates the
* invoice's status atomically based on the new running total.
* 4. Render PDF + attach
* 5. Best-effort email
*
* `existingStripeRefund` is for the webhook path: when Stripe fires
* `charge.refunded` for a refund that was initiated directly in the
* Stripe Dashboard (not via this portal), the webhook needs to
* mirror the refund into the DB and issue a credit note WITHOUT
* calling Stripe again. Pass the refund id and status to skip the
* Stripe call.
*
* Not allowed:
* - status not in {paid, partially_refunded} — full refunds are
* only meaningful against actual payment
* - amount <= 0 or > remaining refundable
*
* For invoice-paid (non-Stripe) customers the Stripe step is
* skipped; refund settlement happens out-of-band (bank transfer)
* and admin records the action in the portal.
*/
export async function refundInvoice(params: {
invoiceId: string;
amountChf: number;
reason: string;
refundedBy: string;
/**
* Webhook path: a Stripe refund that has already been created
* (in the Stripe Dashboard or via a prior API call) and now needs
* to be mirrored into the portal. When set, the Stripe API call
* is skipped and the provided id/status are recorded as-is.
*/
existingStripeRefund?: {
id: string;
status: "pending" | "succeeded" | "failed" | "canceled";
};
}): Promise<CreditNote> {
const invoice = await getInvoiceById(params.invoiceId);
if (!invoice) {
throw new Error(`Invoice not found: ${params.invoiceId}`);
}
if (!["paid", "partially_refunded"].includes(invoice.status)) {
throw new RefundNotAllowedError(
`Cannot refund invoice in status '${invoice.status}'. Refunds are allowed only for paid invoices.`,
invoice.status
);
}
if (params.amountChf <= 0) {
throw new RefundNotAllowedError(
"Refund amount must be greater than zero.",
invoice.status
);
}
const remaining = roundChf(invoice.totalChf - invoice.refundedTotalChf);
if (params.amountChf - remaining > 0.005) {
// Allow a 0.005 tolerance to account for floating-point dust;
// anything genuinely larger is a real over-refund attempt.
throw new RefundNotAllowedError(
`Refund amount CHF ${params.amountChf.toFixed(2)} exceeds remaining refundable CHF ${remaining.toFixed(2)}.`,
invoice.status
);
}
const locale = pickSupportedLocale(invoice.locale);
// Proportional VAT split: refunded VAT / total VAT = refunded
// amount / total amount. Keep the proportion explicit so the
// credit note's "subtotal + VAT" lines reconcile to the same
// VAT rate as the original invoice.
const vatPortion =
invoice.totalChf > 0
? roundChf((params.amountChf * invoice.vatAmountChf) / invoice.totalChf)
: 0;
// Step 1: Stripe (only for card-paid invoices, and only when the
// caller hasn't already created the refund). We do this BEFORE
// any local DB writes for refund tracking — Stripe is the source
// of truth for money movement, and if the Stripe call fails we
// must NOT have recorded the refund locally (the customer would
// see a credit note for money they never received).
//
// The charge.refunded webhook will also fire later, but we record
// the refund here too so the admin gets immediate confirmation
// and the credit note can be issued without waiting for the
// webhook round-trip. The webhook is idempotent (dedups by
// stripe_refund_id) so it's safe to do both.
let stripeRefundId: string | null = null;
let stripeStatus: "pending" | "succeeded" | "failed" | "canceled" =
"succeeded";
const isStripePaid =
invoice.paymentMethod === "card" && !!invoice.stripePaymentIntentId;
if (params.existingStripeRefund) {
// Webhook path: don't call Stripe again; trust the provided id.
stripeRefundId = params.existingStripeRefund.id;
stripeStatus = params.existingStripeRefund.status;
} else if (isStripePaid) {
try {
const refund = await createInvoiceRefund({
paymentIntentId: invoice.stripePaymentIntentId!,
amountChf: params.amountChf,
reason: "requested_by_customer",
metadata: {
invoice_number: invoice.invoiceNumber,
refunded_by: params.refundedBy,
},
});
stripeRefundId = refund.id;
// Map Stripe statuses to our enum. Anything other than
// 'succeeded' or 'pending' is treated as a failure — we
// don't record the credit note in that case (see below).
if (refund.status === "succeeded") stripeStatus = "succeeded";
else if (refund.status === "pending") stripeStatus = "pending";
else if (refund.status === "canceled") stripeStatus = "canceled";
else stripeStatus = "failed";
} catch (e) {
throw new Error(
`Stripe refund failed: ${e instanceof Error ? e.message : String(e)}`
);
}
if (stripeStatus === "failed" || stripeStatus === "canceled") {
throw new Error(
`Stripe refund returned non-success status: ${stripeStatus}`
);
}
}
// Step 2: insert credit note (PDF still null at this point).
const creditNote = await createCreditNote({
invoiceId: invoice.id,
zitadelOrgId: invoice.zitadelOrgId,
kind: "refund",
amountChf: params.amountChf,
vatAmountChf: vatPortion,
reason: params.reason || null,
issuedBy: params.refundedBy,
locale,
billingSnapshot: invoice.billingSnapshot,
});
// Step 3: record the refund event and bump invoice status.
// recordInvoiceRefund handles status transitions and idempotency.
await recordInvoiceRefund({
invoiceId: invoice.id,
stripeRefundId,
amountChf: params.amountChf,
reason: params.reason || null,
refundedBy: params.refundedBy,
creditNoteId: creditNote.id,
status: stripeStatus,
});
// Step 4: render + attach PDF. As with voidInvoice, a PDF failure
// here doesn't undo the refund — the refund happened (in Stripe
// and the DB), only the document is missing. Admin can re-render.
try {
const pdfBuffer = await renderCreditNotePdf(creditNote, invoice);
const filename = `${creditNote.creditNoteNumber}.pdf`;
await attachCreditNotePdf(creditNote.id, pdfBuffer, filename);
} catch (e) {
console.error(
`Credit note ${creditNote.creditNoteNumber} created but PDF render failed; re-render manually.`,
e
);
}
// Step 5: best-effort email.
try {
const snap = invoice.billingSnapshot;
if (snap.billingEmail) {
await sendCreditNoteEmail({
to: snap.billingEmail,
contactName: snap.contactName || snap.companyName,
companyName: snap.companyName,
creditNoteNumber: creditNote.creditNoteNumber,
invoiceNumber: invoice.invoiceNumber,
amountChf: creditNote.amountChf,
currency: "CHF",
kind: "refund",
reason: params.reason || null,
locale,
});
}
} catch (e) {
console.error(
`Credit note ${creditNote.creditNoteNumber} issued; email send failed.`,
e
);
}
return creditNote;
}