feat: Stripe Tax, Vercel Preview Protection, Supabase PITR Runbook, GitHub OAuth Scope Validation#700
Merged
Conversation
…ithub oauth scope validation ## StellerCraft#655 – Stripe Tax Rate Configuration for Regional Pricing Compliance - Added `apps/backend/src/lib/stripe/tax.ts` with `getTaxConfiguration`, `buildCheckoutTaxParams`, `buildTaxExemptUpdate`, and `isTaxExempt` helpers. - Integrated automatic Stripe Tax into `PaymentService.createCheckoutSession` via the new `buildCheckoutTaxParams` helper — tax collection is gated on the `STRIPE_TAX_ENABLED=true` env var so non-tax environments are unaffected. - Added optional `tax_id_collection` for checkout sessions when `STRIPE_TAX_COLLECT_ID=true`. - Added `PaymentService.updateTaxExemptStatus` to set a customer's `tax_exempt` field (`none` | `exempt` | `reverse`) on their Stripe Customer record, supporting non-profit, government, and B2B VAT reverse-charge cases. ## StellerCraft#656 – Vercel Deployment Protection Rules for Preview Access Control - Updated `vercel.json` with `deploymentProtection` config scoped to the `preview` environment — standard protection enabled with bypass token support. - Added `apps/backend/src/lib/vercel/preview-protection.ts` with `issueBypassToken` and `validateBypassToken` using HMAC-SHA256 signatures scoped to a single deployment ID with a 1-hour TTL. - Added `apps/backend/src/app/api/preview/access/route.ts` (`POST /api/preview/access`) — authenticated endpoint to issue a bypass token for a given deployment ID; returns the token, expiry, and ready-to-use preview URL with the query parameter appended. ## StellerCraft#657 – Supabase Database Backup Strategy with Point-in-Time Recovery - Created `docs/backup-recovery-runbook.md` — full PITR operational runbook covering backup configuration, step-by-step restore procedures, post-restore verification checklist, sensitive-column checks, RTO/RPO targets, and escalation guidance. Referenced by the existing test suite in `supabase/tests/backup/recovery.test.ts`. - Updated `docs/migration-procedures.md` with a new "Database Backup and Point-in-Time Recovery" section documenting pre-migration PITR checkpoints, recovery-point identification after a failed migration, idempotency requirements, and an RTO/RPO reference table. ## StellerCraft#658 – GitHub OAuth Scope Validation for Required Repository Permissions - Added `apps/backend/src/lib/github/scope-validator.ts` with `fetchAndValidateScopes`, `validateScopes`, `parseGrantedScopes`, and `buildMissingScopeMessage`. Validates `repo` and `read:user` scopes using the `X-OAuth-Scopes` response header; handles scope hierarchy so that a parent scope (e.g. `user`) satisfies narrower children (e.g. `read:user`). - Updated `apps/backend/src/app/api/auth/github/callback/route.ts` to run scope validation immediately after the token exchange (step 4 of the OAuth flow). Tokens with missing scopes redirect to `/app?github=error&reason=insufficient_scopes&missing=<scopes>` with a clear list of missing scopes, prompting the user to re-authorize rather than failing mid-deployment. Closes StellerCraft#655 Closes StellerCraft#656 Closes StellerCraft#657 Closes StellerCraft#658
|
@Emmyt24 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR implements four platform improvements spanning payments compliance, preview security, database resilience, and OAuth hardening.
#655 – Stripe Tax Rate Configuration for Regional Pricing Compliance
New files:
apps/backend/src/lib/stripe/tax.ts— tax configuration helpers (getTaxConfiguration,buildCheckoutTaxParams,buildTaxExemptUpdate,isTaxExempt)Modified files:
apps/backend/src/services/payment.service.ts— integratesautomatic_taxandtax_id_collectionintocreateCheckoutSession; addsupdateTaxExemptStatusfor managing per-customer exemption (none|exempt|reverse)Tax collection is gated on
STRIPE_TAX_ENABLED=trueso existing environments are unaffected. Tax-exempt customers (non-profits, B2B VAT reverse charge) are handled via the Stripe Customertax_exemptfield.#656 – Vercel Deployment Protection Rules for Preview Access Control
New files:
apps/backend/src/lib/vercel/preview-protection.ts— HMAC-SHA256 bypass token issuance and validation (scoped to deployment ID, 1-hour TTL)apps/backend/src/app/api/preview/access/route.ts— authenticatedPOST /api/preview/accessendpoint; issues a token and returns a ready-to-use preview URLModified files:
vercel.json— addsdeploymentProtectionwith standard protection for thepreviewenvironment and bypass token support enabledPreview environments are protected by default. Unauthorized users receive a 401 from Vercel; authorised users access previews via a signed, time-limited bypass token.
#657 – Supabase Database Backup Strategy with Point-in-Time Recovery
New files:
docs/backup-recovery-runbook.md— full operational runbook: PITR configuration, step-by-step restore procedures, post-restore verification checklist, sensitive-column checks, RTO (< 30 min) / RPO (< 1 min) targets, and escalation guidanceModified files:
docs/migration-procedures.md— new "Database Backup and Point-in-Time Recovery" section with pre-migration PITR checkpoints, recovery-point identification after a failed migration, idempotency requirements, and an RTO/RPO reference tableThe runbook is referenced by the automated schema verification tests in
supabase/tests/backup/recovery.test.ts.#658 – GitHub OAuth Scope Validation for Required Repository Permissions
New files:
apps/backend/src/lib/github/scope-validator.ts—fetchAndValidateScopes,validateScopes,parseGrantedScopes,buildMissingScopeMessage; handles GitHub's scope hierarchy (parent scope satisfies children)Modified files:
apps/backend/src/app/api/auth/github/callback/route.ts— scope validation runs immediately after token exchange (step 4); tokens missingrepoorread:userredirect to/app?github=error&reason=insufficient_scopes&missing=<scopes>to prompt re-authorization before any deployment work beginsRequired scopes:
reporead:userTest plan
STRIPE_TAX_ENABLED=true, create a checkout session, confirmautomatic_tax.enabledin Stripe dashboardupdateTaxExemptStatus(userId, 'exempt'), verify customertax_exemptfield in StripePOST /api/preview/accesswith a deployment ID, confirm token is returned and bypass URL is validrepo, confirm redirect toinsufficient_scopesconnectedredirectdocs/backup-recovery-runbook.mdrestore checklist against a test Supabase projectCloses #655
Closes #656
Closes #657
Closes #658