soroushdes/flatrender
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: complete node-agent pipeline, TLS proxy, billing cancel, password reset

Browse Source 
Node-agent — full render pipeline (items 1-3):
- render-svc: ClaimedJob now includes aep_download_url (presigned MinIO GET,
  2h TTL, path=templates/{original_project_id}/template.aep)
- render-svc: POST /v1/internal/render/jobs/:id/output-upload-url
  allocates Export row + returns presigned MinIO PUT URL + export_id
- render-svc: db.CreateExportForJob() inserts export row with 30-day retention
- render-svc: InternalHandler now owns minio client (templatesBucket + exportsBucket)
  MINIO_TEMPLATES_BUCKET env var (default flatrender-templates)
- node-agent: runner/download.go — DownloadFile() + UploadFile() (stdlib only)
- node-agent: client.GetOutputUploadURL() + ClaimedJob.AEPDownloadURL field
- node-agent: runJob() full flow: download AEP → render → get upload URL →
  PUT output to MinIO → Complete(export_id)
  All steps are non-fatal with fallback (AEP miss → mock, upload fail → no export)

TLS reverse proxy (item 15):
- Caddyfile: three virtual hosts (DOMAIN, API_DOMAIN, STORAGE_DOMAIN)
  auto-TLS via Let's Encrypt; security headers; 512MB upload limit on API
- docker-compose.v2.yml: caddy:2-alpine service, ports 80/443/443udp,
  caddy_data + caddy_config volumes; env vars DOMAIN/API_DOMAIN/STORAGE_DOMAIN/ACME_EMAIL
- .env.v2.example: new Caddy + MINIO_TEMPLATES_BUCKET entries

Billing portal (item 5):
- Identity: POST /v1/users/me/plan/cancel — sets cancelled_at, auto_renew=false
  (access continues to expiry); 404 when no active plan
- POST /api/billing/cancel — frontend proxy, validates auth
- GET /api/billing/portal — redirects to /dashboard/settings?tab=billing
- SettingsBilling: "Cancel plan" button with confirm dialog + optimistic UI,
  "Change plan" button; becomes "use client" component

Password reset UI (item 7):
- POST /api/auth/password-reset — proxies /v1/auth/password/reset/request
  (always 200, anti-enumeration)
- POST /api/auth/password-reset-confirm — proxies /v1/auth/password/reset/confirm
- AuthPageContent: "Forgot password?" link on sign-in tab opens 2-step reset flow
  (email → OTP+new-password) without leaving the auth page

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
soroush.asadi
2026-06-01 16:41:13 +03:30
parent 12773e125a
commit bcc69f0a2e
19 changed files with 767 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.env.v2.example
+12
View File
@@ -56,3 +56,15 @@ TARA_CALLBACK_URL=https://yourdomain.com/v1/payments/callback/tara
# Get keys from https://dashboard.stripe.com/apikeys
STRIPE_SECRET_KEY=sk_test_...
STRIPE_PUBLISHABLE_KEY=pk_test_...
# ── Caddy TLS reverse proxy ───────────────────────────────────────────────────
# Public-facing domains (Let's Encrypt will provision certs automatically).
# Leave as localhost for local dev (Caddy uses self-signed cert).
DOMAIN=flatrender.io
API_DOMAIN=api.flatrender.io
STORAGE_DOMAIN=storage.flatrender.io
ACME_EMAIL=admin@flatrender.io
# ── MinIO templates bucket ────────────────────────────────────────────────────
# Bucket where .aep template files are stored (uploaded via admin panel).
MINIO_TEMPLATES_BUCKET=flatrender-templates
Caddyfile
+57
View File
@@ -0,0 +1,57 @@
# FlatRender V2 — Caddy reverse proxy
#
# Domains are injected via environment variables so this file is environment-agnostic.
# Set in .env.v2:
# DOMAIN e.g. flatrender.io (→ https://flatrender.io)
# API_DOMAIN e.g. api.flatrender.io (→ https://api.flatrender.io)
# STORAGE_DOMAIN e.g. storage.flatrender.io (→ https://storage.flatrender.io)
#
# Caddy auto-provisions Let's Encrypt TLS for all three. For local dev without
# real domains, replace with http:// blocks and remove the ACME config.
{env.DOMAIN} {
# Frontend (Next.js standalone, port 3000 inside Docker)
reverse_proxy frontend:3000
# Security headers
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
Referrer-Policy "strict-origin-when-cross-origin"
-Server
}
encode gzip
}
{env.API_DOMAIN} {
# V2 API gateway (port 8080 inside Docker)
reverse_proxy gateway:8080
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
X-Content-Type-Options "nosniff"
-Server
}
# Allow large body for file uploads routed through the gateway
request_body {
max_size 512MB
}
}
{env.STORAGE_DOMAIN} {
# MinIO S3 API (port 9000 inside Docker) — used for presigned URL downloads
reverse_proxy minio:9000
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
X-Content-Type-Options "nosniff"
-Server
}
# Pre-flight (CORS) passthrough — MinIO handles its own CORS headers
@options method OPTIONS
respond @options 204
}
docker-compose.v2.yml
+35
View File
@@ -296,6 +296,41 @@ services:
retries: 3
start_period: 30s
# ── Caddy (TLS reverse proxy) ───────────────────────────────────────────────
# Handles Let's Encrypt certificates and terminates HTTPS for all three
# public domains: frontend, API gateway, and MinIO storage.
#
# Required .env.v2 vars: DOMAIN, API_DOMAIN, STORAGE_DOMAIN
# Set ACME_EMAIL to a real address so Let's Encrypt can contact you.
#
# For local dev (no real domain), comment out this block and access
# services directly on their host ports (:3000, :8088, :9000).
caddy:
image: caddy:2-alpine
container_name: fr2-caddy
restart: unless-stopped
ports:
- "80:80"
- "443:443"
- "443:443/udp" # HTTP/3 QUIC
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro
- caddy_data:/data
- caddy_config:/config
environment:
DOMAIN: "${DOMAIN:-localhost}"
API_DOMAIN: "${API_DOMAIN:-api.localhost}"
STORAGE_DOMAIN: "${STORAGE_DOMAIN:-storage.localhost}"
ACME_EMAIL: "${ACME_EMAIL:-admin@example.com}"
depends_on:
- frontend
- gateway
- minio
networks:
- default
volumes:
pgdata:
caddy_data:
caddy_config:
miniodata:
services/identity/FlatRender.IdentitySvc/Application/Services/Interfaces/IPlanService.cs
+3
View File
@@ -9,4 +9,7 @@ public interface IPlanService
Task<PlanResponse> GetByIdAsync(Guid planId);
Task<UserPlanResponse?> GetCurrentPlanAsync(Guid userId);
Task<PurchasePlanResponse> PurchasePlanAsync(Guid userId, Guid tenantId, PurchasePlanRequest request);
/// <summary>Cancel the current active plan. The subscription is marked cancelled
/// and will not auto-renew. Access continues until the expiry date.</summary>
Task CancelPlanAsync(Guid userId);
}
services/identity/FlatRender.IdentitySvc/Application/Services/PlanService.cs
+13
View File
@@ -161,6 +161,19 @@ public class PlanService(IdentityDbContext db) : IPlanService
await Task.CompletedTask; // placeholder for future async work
}
public async Task CancelPlanAsync(Guid userId)
{
var userPlan = await db.UserPlans
.Where(up => up.UserId == userId && up.CancelledAt == null && up.ExpiresAt > DateTime.UtcNow)
.OrderByDescending(up => up.StartsAt)
.FirstOrDefaultAsync()
?? throw new KeyNotFoundException("No active plan to cancel");
userPlan.CancelledAt = DateTime.UtcNow;
userPlan.AutoRenew = false;
await db.SaveChangesAsync();
}
private static PlanResponse MapPlanResponse(Plan p) => new(
p.Id, p.Code, p.Name, p.Description,
p.PriceMinor, p.BeforePriceMinor, p.Currency, p.BillingPeriod.ToString(),
services/identity/FlatRender.IdentitySvc/Controllers/PlansController.cs
+20
View File
@@ -39,6 +39,26 @@ public class PlansController(IPlanService planService) : ControllerBase
return Ok(result);
}
/// <summary>
/// Cancel the current active subscription. The plan stays active until its
/// expiry date but will not auto-renew. Returns 404 when no active plan exists.
/// </summary>
[HttpPost("users/me/plan/cancel")]
[ProducesResponseType(204)]
[ProducesResponseType(404)]
public async Task<IActionResult> Cancel()
{
try
{
await planService.CancelPlanAsync(GetUserId());
return NoContent();
}
catch (KeyNotFoundException ex)
{
return NotFound(new { error = ex.Message });
}
}
private Guid GetUserId() => Guid.Parse(User.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value
?? User.FindFirst("sub")?.Value ?? throw new UnauthorizedAccessException());
services/node-agent/cmd/agent/main.go
+40 -14
View File
@@ -28,6 +28,7 @@ import (
"net/http"
"os"
"os/signal"
"path/filepath"
"runtime"
"sync"
"syscall"
@@ -227,12 +228,20 @@ func (a *Agent) tryClaimAndRun(ctx context.Context) {
func (a *Agent) runJob(ctx context.Context, job *client.ClaimedJob) {
log.Printf("[job %s] starting render", job.JobID)
// In a full implementation, the agent would:
// 1. Fetch the saved project from the studio service
// 2. Download the .aep template from MinIO
// 3. Inject user customisations into the composition via JSXB/AE scripting
// Then call runner.Run().
// For the skeleton we pass an empty AEPFilePath, which triggers mock mode.
// ── Step 1: Download .aep template ───────────────────────────────────────
aepPath := ""
if job.AEPDownloadURL != "" && a.cfg.AEPath != "" {
localAEP := filepath.Join(a.cfg.WorkDir, "templates", job.JobID, "template.aep")
dlCtx, dlCancel := context.WithTimeout(ctx, 10*time.Minute)
n, dlErr := runner.DownloadFile(dlCtx, job.AEPDownloadURL, localAEP)
dlCancel()
if dlErr != nil {
log.Printf("[job %s] AEP download failed (%v) — falling back to mock", job.JobID, dlErr)
} else {
log.Printf("[job %s] AEP downloaded (%d bytes) → %s", job.JobID, n, localAEP)
aepPath = localAEP
}
}
rJob := &runner.Job{
JobID: job.JobID,
@@ -242,7 +251,7 @@ func (a *Agent) runJob(ctx context.Context, job *client.ClaimedJob) {
FrameRate: job.FrameRate,
HasMusic: job.HasMusic,
HasVoiceover: job.HasVoiceover,
AEPFilePath: "", // TODO: download from MinIO
AEPFilePath: aepPath,
}
onProgress := func(ctx context.Context, pct int, msg string) error {
@@ -259,6 +268,7 @@ func (a *Agent) runJob(ctx context.Context, job *client.ClaimedJob) {
return nil
}
// ── Step 2: Render ───────────────────────────────────────────────────────
outputPath, err := runner.Run(ctx, a.cfg.AEPath, a.cfg.WorkDir, rJob, onProgress, onPreview)
if err != nil {
if ctx.Err() != nil {
@@ -273,17 +283,33 @@ func (a *Agent) runJob(ctx context.Context, job *client.ClaimedJob) {
}
return
}
log.Printf("[job %s] render done → %s", job.JobID, outputPath)
// In full production: upload outputPath to MinIO, create an Export record,
// pass the export UUID to Complete(). Skeleton passes nil (no export yet).
completeCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
if err := a.orch.Complete(completeCtx, job.JobID, nil); err != nil {
// ── Step 3: Get presigned upload URL + upload output to MinIO ─────────────
var exportID *string
uploadCtx, uploadCancel := context.WithTimeout(context.Background(), 5*time.Minute)
defer uploadCancel()
uploadInfo, urlErr := a.orch.GetOutputUploadURL(uploadCtx, job.JobID)
if urlErr != nil {
log.Printf("[job %s] get upload URL failed: %v — completing without export", job.JobID, urlErr)
} else {
log.Printf("[job %s] uploading output to %s", job.JobID, uploadInfo.ObjectKey)
if _, upErr := runner.UploadFile(uploadCtx, uploadInfo.UploadURL, outputPath); upErr != nil {
log.Printf("[job %s] upload failed: %v — completing without export", job.JobID, upErr)
} else {
log.Printf("[job %s] upload complete (export %s)", job.JobID, uploadInfo.ExportID)
exportID = &uploadInfo.ExportID
}
}
// ── Step 4: Report complete ───────────────────────────────────────────────
completeCtx, completeCancel := context.WithTimeout(context.Background(), 10*time.Second)
defer completeCancel()
if err := a.orch.Complete(completeCtx, job.JobID, exportID); err != nil {
log.Printf("[job %s] complete report error: %v", job.JobID, err)
} else {
log.Printf("[job %s] reported as completed", job.JobID)
log.Printf("[job %s] reported as completed (export=%v)", job.JobID, exportID)
}
}
services/node-agent/internal/client/client.go
+29
View File
@@ -106,6 +106,16 @@ type ClaimedJob struct {
FrameRate int `json:"frame_rate"`
HasMusic bool `json:"has_music"`
HasVoiceover bool `json:"has_voiceover"`
// AEPDownloadURL is a presigned MinIO GET URL for the .aep template file.
// Empty when the template has not been uploaded yet — triggers mock render.
AEPDownloadURL string `json:"aep_download_url,omitempty"`
}
// OutputUploadURLResponse is returned by GetOutputUploadURL.
type OutputUploadURLResponse struct {
ExportID string `json:"export_id"`
UploadURL string `json:"upload_url"`
ObjectKey string `json:"object_key"`
}
// ProgressRequest reports render progress (frame-level) for a job.
@@ -204,6 +214,25 @@ func (c *Client) UpdatePreview(ctx context.Context, jobID, imageB64 string) erro
return nil
}
// GetOutputUploadURL asks the orchestrator to allocate an Export row and
// return a presigned MinIO PUT URL for the rendered output file.
func (c *Client) GetOutputUploadURL(ctx context.Context, jobID string) (*OutputUploadURLResponse, error) {
resp, err := c.do(ctx, http.MethodPost,
fmt.Sprintf("/v1/internal/render/jobs/%s/output-upload-url", jobID), nil)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode >= 300 {
return nil, fmt.Errorf("output-upload-url: HTTP %d", resp.StatusCode)
}
var out OutputUploadURLResponse
if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
return nil, fmt.Errorf("decode: %w", err)
}
return &out, nil
}
// Complete marks a render job as Done.
func (c *Client) Complete(ctx context.Context, jobID string, exportID *string) error {
resp, err := c.do(ctx, http.MethodPost,
services/node-agent/internal/runner/download.go
+82
View File
@@ -0,0 +1,82 @@
// download.go fetches a remote file (presigned MinIO URL or any HTTP URL) and
// saves it to a local path. Uses stdlib only — no external HTTP client needed.
package runner
import (
"context"
"fmt"
"io"
"net/http"
"os"
"path/filepath"
)
// DownloadFile fetches the resource at rawURL and writes it to destPath,
// creating parent directories as needed. Returns the number of bytes written.
func DownloadFile(ctx context.Context, rawURL, destPath string) (int64, error) {
if err := os.MkdirAll(filepath.Dir(destPath), 0o755); err != nil {
return 0, fmt.Errorf("mkdir: %w", err)
}
req, err := http.NewRequestWithContext(ctx, http.MethodGet, rawURL, nil)
if err != nil {
return 0, fmt.Errorf("new request: %w", err)
}
resp, err := http.DefaultClient.Do(req)
if err != nil {
return 0, fmt.Errorf("GET: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return 0, fmt.Errorf("server returned %d", resp.StatusCode)
}
f, err := os.Create(destPath)
if err != nil {
return 0, fmt.Errorf("create file: %w", err)
}
defer f.Close()
n, err := io.Copy(f, resp.Body)
if err != nil {
return 0, fmt.Errorf("write: %w", err)
}
return n, nil
}
// UploadFile PUTs a local file to a presigned MinIO/S3 URL.
// MinIO presigned PUT expects the raw bytes in the request body with
// Content-Type application/octet-stream.
func UploadFile(ctx context.Context, rawURL, filePath string) (int64, error) {
f, err := os.Open(filePath)
if err != nil {
return 0, fmt.Errorf("open: %w", err)
}
defer f.Close()
stat, err := f.Stat()
if err != nil {
return 0, fmt.Errorf("stat: %w", err)
}
req, err := http.NewRequestWithContext(ctx, http.MethodPut, rawURL, f)
if err != nil {
return 0, fmt.Errorf("new request: %w", err)
}
req.ContentLength = stat.Size()
req.Header.Set("Content-Type", "application/octet-stream")
resp, err := http.DefaultClient.Do(req)
if err != nil {
return 0, fmt.Errorf("PUT: %w", err)
}
defer resp.Body.Close()
// MinIO returns 200 on successful PUT of presigned objects
if resp.StatusCode >= 300 {
return 0, fmt.Errorf("upload server returned %d", resp.StatusCode)
}
return stat.Size(), nil
}
services/render/cmd/server/main.go
+4 -2
View File
@@ -32,7 +32,8 @@ func main() {
minioAccessKey := getEnv("MINIO_ACCESS_KEY", "minioadmin")
minioSecretKey := getEnv("MINIO_SECRET_KEY", "minioadmin")
minioUseSSL := getEnv("MINIO_USE_SSL", "false") == "true"
minioBucket := getEnv("MINIO_BUCKET", "flatrender-exports")
minioBucket := getEnv("MINIO_BUCKET", "flatrender-exports")
minioTemplatesBucket := getEnv("MINIO_TEMPLATES_BUCKET", "flatrender-templates")
notificationURL := getEnv("NOTIFICATION_URL", "http://localhost:8080")
serviceToken := getEnv("SERVICE_TOKEN", "internal-service-secret")
port := getEnv("PORT", "8080")
@@ -63,7 +64,7 @@ func main() {
snapH := handlers.NewSnapshotHandler(store)
exportH := handlers.NewExportHandler(store, mc, minioBucket)
nodeH := handlers.NewNodeHandler(store)
internalH := handlers.NewInternalHandler(store, notifyClient)
internalH := handlers.NewInternalHandler(store, notifyClient, mc, minioTemplatesBucket, minioBucket)
// ── Router ────────────────────────────────────────────────────────────────
r := gin.Default()
@@ -138,6 +139,7 @@ func main() {
internal.POST("/nodes/:node_id/cache-update", internalH.CacheUpdate)
internal.POST("/render/jobs/claim", internalH.Claim)
internal.POST("/render/jobs/:job_id/preview", internalH.Preview)
internal.POST("/render/jobs/:job_id/output-upload-url", internalH.OutputUploadURL)
internal.POST("/render/jobs/:job_id/frames", internalH.FrameProgress)
internal.POST("/render/jobs/:job_id/complete", internalH.Complete)
internal.POST("/render/jobs/:job_id/fail", internalH.Fail)
services/render/internal/db/db.go
+51
View File
@@ -519,6 +519,57 @@ func (s *Store) ClaimJob(ctx context.Context, nodeID uuid.UUID, region string) (
return s.getJobByIDInternal(ctx, jobID)
}
// CreateExportForJob allocates a new Export row for a completed render job.
// The export starts with a placeholder path `exports/{export_id}/output.mp4`.
// The node agent uploads the MP4 to that MinIO path, then calls CompleteJob
// with the returned export_id.
func (s *Store) CreateExportForJob(ctx context.Context, jobID uuid.UUID) (*models.Export, error) {
// Look up the job to get tenant/user/project context
job, err := s.getJobByIDInternal(ctx, jobID)
if err != nil {
return nil, fmt.Errorf("job not found: %w", err)
}
exportID := uuid.New()
path := fmt.Sprintf("exports/%s/output.mp4", exportID)
now := time.Now()
autoDelete := now.AddDate(0, 0, 30) // 30-day retention
_, err = s.pool.Exec(ctx, `
INSERT INTO render.exports
(id, tenant_id, user_id, saved_project_id, original_project_id,
render_job_id, path, file_extension, file_type, render_quality,
create_type, size_bytes, produce_date, auto_delete_date,
delete_notified, created_at)
VALUES
($1, $2, $3, $4, $5,
$6, $7, 'mp4', 'video', $8,
'render', 0, $9, $10,
false, $9)`,
exportID, job.TenantID, job.UserID, job.SavedProjectID, job.OriginalProjectID,
job.ID, path, job.Quality,
now, autoDelete,
)
if err != nil {
return nil, fmt.Errorf("create export: %w", err)
}
return &models.Export{
ID: exportID,
TenantID: job.TenantID,
UserID: job.UserID,
SavedProjectID: job.SavedProjectID,
Path: path,
FileExtension: "mp4",
FileType: "video",
RenderQuality: job.Quality,
CreateType: "render",
ProduceDate: now,
AutoDeleteDate: autoDelete,
CreatedAt: now,
}, nil
}
// UpdateJobPreview stores a base64-encoded preview frame for a running job.
// Called by the node agent every N frames to power the live preview UI.
func (s *Store) UpdateJobPreview(ctx context.Context, jobID uuid.UUID, imageB64 string) error {
services/render/internal/handlers/internal.go
+69 -4
View File
@@ -1,22 +1,35 @@
package handlers
import (
"context"
"fmt"
"net/http"
"time"
"github.com/flatrender/render-svc/internal/db"
"github.com/flatrender/render-svc/internal/models"
"github.com/flatrender/render-svc/internal/notifier"
"github.com/gin-gonic/gin"
"github.com/google/uuid"
"github.com/minio/minio-go/v7"
)
type InternalHandler struct {
store *db.Store
notifier *notifier.Client // may be nil — notifications are best-effort
store *db.Store
notifier *notifier.Client // may be nil — notifications are best-effort
minio *minio.Client
templatesBucket string // bucket that holds .aep project files
exportsBucket string // bucket that receives rendered MP4 outputs
}
func NewInternalHandler(store *db.Store, n *notifier.Client) *InternalHandler {
return &InternalHandler{store: store, notifier: n}
func NewInternalHandler(store *db.Store, n *notifier.Client, mc *minio.Client, templatesBucket, exportsBucket string) *InternalHandler {
return &InternalHandler{
store: store,
notifier: n,
minio: mc,
templatesBucket: templatesBucket,
exportsBucket: exportsBucket,
}
}
// completeRequest is the body for POST .../complete
@@ -241,6 +254,21 @@ func (h *InternalHandler) Claim(c *gin.Context) {
return
}
// Generate presigned AEP download URL. AEP files are stored at
// templates/{original_project_id}/template.aep in the templates bucket.
// Errors are non-fatal — node agent falls back to mock render when URL is empty.
aepURL := ""
if h.minio != nil {
objectKey := fmt.Sprintf("templates/%s/template.aep", job.OriginalProjectID)
purl, perr := h.minio.PresignedGetObject(
context.Background(), h.templatesBucket, objectKey,
2*time.Hour, nil,
)
if perr == nil {
aepURL = purl.String()
}
}
c.JSON(http.StatusOK, models.ClaimedJob{
JobID: job.ID,
SavedProjectID: job.SavedProjectID,
@@ -249,6 +277,43 @@ func (h *InternalHandler) Claim(c *gin.Context) {
FrameRate: job.FrameRate,
HasMusic: job.HasMusic,
HasVoiceover: job.HasVoiceover,
AEPDownloadURL: aepURL,
})
}
// POST /v1/internal/render/jobs/:job_id/output-upload-url
// Node agent calls this after rendering to get a presigned MinIO PUT URL.
// Creates an Export record in the DB and returns the export_id + upload URL.
func (h *InternalHandler) OutputUploadURL(c *gin.Context) {
jobID, err := uuid.Parse(c.Param("job_id"))
if err != nil {
c.JSON(http.StatusBadRequest, models.APIError{Code: "bad_request", Message: "invalid job_id"})
return
}
export, err := h.store.CreateExportForJob(c.Request.Context(), jobID)
if err != nil {
c.JSON(http.StatusInternalServerError, models.APIError{Code: "internal_error", Message: err.Error()})
return
}
expiry := 2 * time.Hour
purl, err := h.minio.PresignedPutObject(
context.Background(), h.exportsBucket, export.Path, expiry,
)
if err != nil {
c.JSON(http.StatusInternalServerError, models.APIError{
Code: "presign_error",
Message: "could not generate upload URL",
})
return
}
c.JSON(http.StatusOK, models.OutputUploadURLResponse{
ExportID: export.ID,
UploadURL: purl.String(),
ObjectKey: export.Path,
ExpiresAt: time.Now().Add(expiry),
})
}
services/render/internal/models/models.go
+11
View File
@@ -415,6 +415,17 @@ type ClaimedJob struct {
FrameRate int `json:"frame_rate"`
HasMusic bool `json:"has_music"`
HasVoiceover bool `json:"has_voiceover"`
// AEPDownloadURL is a presigned MinIO GET URL for the .aep project file.
// Valid for 2 hours. Empty when the template is not yet uploaded.
AEPDownloadURL string `json:"aep_download_url,omitempty"`
}
// OutputUploadURLResponse is returned by POST .../output-upload-url.
type OutputUploadURLResponse struct {
ExportID uuid.UUID `json:"export_id"`
UploadURL string `json:"upload_url"`
ObjectKey string `json:"object_key"`
ExpiresAt time.Time `json:"expires_at"`
}
type CacheUpdateRequest struct {
src/app/api/auth/password-reset-confirm/route.ts
+29
View File
@@ -0,0 +1,29 @@
import { NextResponse } from "next/server";
import { gatewayFetch } from "@/lib/api/gateway";
export const dynamic = "force-dynamic";
/** POST /api/auth/password-reset-confirm — confirm reset with OTP + new password */
export async function POST(request: Request) {
let body: unknown;
try { body = await request.json(); } catch {
return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
}
const { email, otp, new_password } = body as { email?: string; otp?: string; new_password?: string };
if (!email || !otp || !new_password) {
return NextResponse.json({ error: "email, otp, and new_password are required" }, { status: 400 });
}
const res = await gatewayFetch("/v1/auth/password/reset/confirm", {
method: "POST",
body: JSON.stringify({ email, otp, new_password }),
});
const data = await res.json().catch(() => null) as { message?: string } | null;
if (!res.ok) {
return NextResponse.json(
{ error: data?.message ?? "Invalid or expired code" },
{ status: res.status }
);
}
return NextResponse.json({ ok: true });
}
src/app/api/auth/password-reset/route.ts
+24
View File
@@ -0,0 +1,24 @@
import { NextResponse } from "next/server";
import { gatewayFetch } from "@/lib/api/gateway";
export const dynamic = "force-dynamic";
/** POST /api/auth/password-reset — request a password reset OTP email */
export async function POST(request: Request) {
let body: unknown;
try { body = await request.json(); } catch {
return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
}
const { email } = body as { email?: string };
if (!email) return NextResponse.json({ error: "email required" }, { status: 400 });
const res = await gatewayFetch("/v1/auth/password/reset/request", {
method: "POST",
body: JSON.stringify({ email }),
});
// Always return 200 to avoid user enumeration
if (!res.ok && res.status !== 404) {
return NextResponse.json({ error: "Request failed" }, { status: 500 });
}
return NextResponse.json({ ok: true });
}
src/app/api/billing/cancel/route.ts
+32
View File
@@ -0,0 +1,32 @@
import { NextResponse } from "next/server";
import { gatewayUrl } from "@/lib/api/gateway";
import { getAccessToken } from "@/lib/auth/session";
export const runtime = "nodejs";
/** POST /api/billing/cancel — cancel the current active plan. */
export async function POST() {
const token = await getAccessToken();
if (!token) {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
const res = await fetch(gatewayUrl("/v1/users/me/plan/cancel"), {
method: "POST",
cache: "no-store",
headers: {
Accept: "application/json",
Authorization: `Bearer ${token}`,
},
});
if (!res.ok) {
const err = (await res.json().catch(() => null)) as { error?: string } | null;
return NextResponse.json(
{ error: err?.error ?? "Failed to cancel plan" },
{ status: res.status }
);
}
return NextResponse.json({ ok: true });
}
src/app/api/billing/portal/route.ts
+14
View File
@@ -0,0 +1,14 @@
import { redirect } from "next/navigation";
export const runtime = "nodejs";
/**
* GET /api/billing/portal
*
* In the Stripe era this redirected to a Stripe-hosted portal.
* With V2 (ZarinPal / SnapPay) the portal is in-app — redirect to the
* billing tab in settings.
*/
export async function GET() {
redirect("/dashboard/settings?tab=billing");
}
src/components/auth/AuthPageContent.tsx
+179 -40
View File
@@ -13,6 +13,7 @@ import { Button } from "@/components/ui/button";
import { cn } from "@/lib/utils";
type AuthTab = "sign-in" | "sign-up";
type AuthView = "main" | "forgot-password" | "reset-confirm";
/** Only allow same-origin relative redirects to avoid open-redirect issues. */
function safeNext(next: string | null): string {
@@ -29,11 +30,17 @@ export function AuthPageContent() {
searchParams.get("tab") === "sign-up" ? "sign-up" : "sign-in";
const [activeTab, setActiveTab] = useState<AuthTab>(initialTab);
const [view, setView] = useState<AuthView>("main");
const [authLoading, setAuthLoading] = useState(true);
const [submitting, setSubmitting] = useState(false);
const [formError, setFormError] = useState<string | null>(null);
const [formMessage, setFormMessage] = useState<string | null>(null);
// Forgot-password state
const [resetEmail, setResetEmail] = useState("");
const [resetOtp, setResetOtp] = useState("");
const [resetNewPassword, setResetNewPassword] = useState("");
const {
register,
handleSubmit,
@@ -64,9 +71,7 @@ export function AuthPageContent() {
checkSession().then((redirected) => {
if (mounted && !redirected) setAuthLoading(false);
});
return () => {
mounted = false;
};
return () => { mounted = false; };
}, [checkSession]);
const handleTabChange = (tab: AuthTab) => {
@@ -76,13 +81,22 @@ export function AuthPageContent() {
reset();
};
const goBack = () => {
setView("main");
setFormError(null);
setFormMessage(null);
setResetEmail("");
setResetOtp("");
setResetNewPassword("");
};
// ── Main sign-in / sign-up submit ──────────────────────────────────────────
const onSubmit = async (values: AuthFormValues) => {
setSubmitting(true);
setFormError(null);
setFormMessage(null);
const endpoint =
activeTab === "sign-in" ? "/api/auth/login" : "/api/auth/register";
const endpoint = activeTab === "sign-in" ? "/api/auth/login" : "/api/auth/register";
try {
const res = await fetch(endpoint, {
@@ -98,7 +112,6 @@ export function AuthPageContent() {
return;
}
// Registered but not auto-logged-in (verification gate) — prompt sign-in.
if (data?.registered && !data?.user) {
setFormMessage(
data.verificationRequired
@@ -111,7 +124,6 @@ export function AuthPageContent() {
return;
}
// Logged in — cookies are set; refresh server components and go.
router.replace(nextPath);
router.refresh();
} catch {
@@ -120,6 +132,54 @@ export function AuthPageContent() {
}
};
// ── Forgot password — step 1: request OTP ─────────────────────────────────
const handleForgotRequest = async (e: React.FormEvent) => {
e.preventDefault();
if (!resetEmail) return;
setSubmitting(true);
setFormError(null);
try {
await fetch("/api/auth/password-reset", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ email: resetEmail }),
});
// Always succeed (anti-enumeration)
setView("reset-confirm");
setFormMessage("If that email is registered, we sent a reset code.");
} catch {
setFormError("Network error. Please try again.");
} finally {
setSubmitting(false);
}
};
// ── Forgot password — step 2: confirm OTP + new password ──────────────────
const handleResetConfirm = async (e: React.FormEvent) => {
e.preventDefault();
if (!resetOtp || !resetNewPassword) return;
setSubmitting(true);
setFormError(null);
try {
const res = await fetch("/api/auth/password-reset-confirm", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ email: resetEmail, otp: resetOtp, new_password: resetNewPassword }),
});
const data = await res.json().catch(() => null) as { error?: string } | null;
if (!res.ok) {
setFormError(data?.error ?? "Invalid or expired code.");
} else {
setFormMessage("Password updated. You can now sign in.");
goBack();
}
} catch {
setFormError("Network error. Please try again.");
} finally {
setSubmitting(false);
}
};
if (authLoading) {
return (
<div className="flex min-h-[calc(100vh-4rem)] items-center justify-center py-20">
@@ -128,6 +188,96 @@ export function AuthPageContent() {
);
}
// ── Forgot password views ──────────────────────────────────────────────────
if (view === "forgot-password" || view === "reset-confirm") {
return (
<div className="mx-auto w-full max-w-md px-4 py-12 sm:py-16">
<div className="text-center">
<h1 className="font-heading text-2xl font-bold text-neutral-900">
{view === "forgot-password" ? "Reset your password" : "Enter reset code"}
</h1>
<p className="mt-2 text-sm text-neutral-600">
{view === "forgot-password"
? "We'll send a one-time code to your email."
: `Check your email for the code sent to ${resetEmail}`}
</p>
</div>
<div className="mt-8 rounded-xl border border-gray-100 bg-white p-6 shadow-sm">
{view === "forgot-password" ? (
<form onSubmit={handleForgotRequest} className="space-y-4" noValidate>
<div>
<label htmlFor="reset-email" className="block text-sm font-medium text-neutral-700">
Email address
</label>
<input
id="reset-email"
type="email"
value={resetEmail}
onChange={(e) => setResetEmail(e.target.value)}
disabled={submitting}
required
className="mt-1.5 w-full rounded-lg border border-gray-100 bg-white px-3 py-2.5 text-sm text-neutral-900 shadow-sm focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-primary-600 disabled:opacity-50"
/>
</div>
{formError && <p className="rounded-lg bg-red-50 px-3 py-2 text-sm text-red-700">{formError}</p>}
<Button type="submit" className="w-full" disabled={submitting || !resetEmail}>
{submitting && <Loader2 className="h-4 w-4 animate-spin" />}
Send reset code
</Button>
</form>
) : (
<form onSubmit={handleResetConfirm} className="space-y-4" noValidate>
<div>
<label htmlFor="reset-otp" className="block text-sm font-medium text-neutral-700">
Reset code
</label>
<input
id="reset-otp"
type="text"
inputMode="numeric"
value={resetOtp}
onChange={(e) => setResetOtp(e.target.value)}
disabled={submitting}
required
placeholder="6-digit code"
className="mt-1.5 w-full rounded-lg border border-gray-100 bg-white px-3 py-2.5 text-sm text-neutral-900 shadow-sm focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-primary-600 disabled:opacity-50"
/>
</div>
<div>
<label htmlFor="new-password" className="block text-sm font-medium text-neutral-700">
New password
</label>
<input
id="new-password"
type="password"
autoComplete="new-password"
value={resetNewPassword}
onChange={(e) => setResetNewPassword(e.target.value)}
disabled={submitting}
required
minLength={8}
className="mt-1.5 w-full rounded-lg border border-gray-100 bg-white px-3 py-2.5 text-sm text-neutral-900 shadow-sm focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-primary-600 disabled:opacity-50"
/>
</div>
{formError && <p className="rounded-lg bg-red-50 px-3 py-2 text-sm text-red-700">{formError}</p>}
{formMessage && <p className="rounded-lg bg-primary-50 px-3 py-2 text-sm text-primary-700">{formMessage}</p>}
<Button type="submit" className="w-full" disabled={submitting || !resetOtp || !resetNewPassword}>
{submitting && <Loader2 className="h-4 w-4 animate-spin" />}
Set new password
</Button>
</form>
)}
</div>
<button type="button" onClick={goBack} className="mt-4 block w-full text-center text-sm text-neutral-500 hover:text-neutral-700 transition-colors">
Back to sign in
</button>
</div>
);
}
// ── Main sign-in / sign-up view ────────────────────────────────────────────
return (
<div className="mx-auto w-full max-w-md px-4 py-12 sm:py-16">
<div className="text-center">
@@ -162,10 +312,7 @@ export function AuthPageContent() {
<div className="mt-6 rounded-xl border border-gray-100 bg-white p-6 shadow-sm">
<form onSubmit={handleSubmit(onSubmit)} className="space-y-4" noValidate>
<div>
<label
htmlFor="email"
className="block text-sm font-medium text-neutral-700"
>
<label htmlFor="email" className="block text-sm font-medium text-neutral-700">
Email
</label>
<input
@@ -185,18 +332,24 @@ export function AuthPageContent() {
</div>
<div>
<label
htmlFor="password"
className="block text-sm font-medium text-neutral-700"
>
Password
</label>
<div className="flex items-center justify-between">
<label htmlFor="password" className="block text-sm font-medium text-neutral-700">
Password
</label>
{activeTab === "sign-in" && (
<button
type="button"
onClick={() => { setView("forgot-password"); setFormError(null); setFormMessage(null); }}
className="text-xs text-primary-600 hover:underline focus-visible:outline-none"
>
Forgot password?
</button>
)}
</div>
<input
id="password"
type="password"
autoComplete={
activeTab === "sign-in" ? "current-password" : "new-password"
}
autoComplete={activeTab === "sign-in" ? "current-password" : "new-password"}
disabled={submitting}
className={cn(
"mt-1.5 w-full rounded-lg border bg-white px-3 py-2.5 text-sm text-neutral-900 shadow-sm focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-primary-600 focus-visible:ring-offset-2 disabled:opacity-50",
@@ -205,28 +358,19 @@ export function AuthPageContent() {
{...register("password")}
/>
{errors.password && (
<p className="mt-1.5 text-xs text-red-600">
{errors.password.message}
</p>
<p className="mt-1.5 text-xs text-red-600">{errors.password.message}</p>
)}
</div>
{formError && (
<p className="rounded-lg bg-red-50 px-3 py-2 text-sm text-red-700">
{formError}
</p>
<p className="rounded-lg bg-red-50 px-3 py-2 text-sm text-red-700">{formError}</p>
)}
{formMessage && (
<p className="rounded-lg bg-primary-50 px-3 py-2 text-sm text-primary-700">
{formMessage}
</p>
<p className="rounded-lg bg-primary-50 px-3 py-2 text-sm text-primary-700">{formMessage}</p>
)}
<Button type="submit" className="w-full" disabled={submitting}>
{submitting ? (
<Loader2 className="h-4 w-4 animate-spin" aria-hidden />
) : null}
{submitting ? <Loader2 className="h-4 w-4 animate-spin" aria-hidden /> : null}
{activeTab === "sign-in" ? "Sign In" : "Create Account"}
</Button>
</form>
@@ -234,14 +378,9 @@ export function AuthPageContent() {
<p className="mt-6 text-center text-xs text-neutral-500">
By continuing, you agree to our{" "}
<Link href="/terms" className="text-primary-600 hover:underline">
Terms
</Link>{" "}
<Link href="/terms" className="text-primary-600 hover:underline">Terms</Link>{" "}
and{" "}
<Link href="/privacy" className="text-primary-600 hover:underline">
Privacy Policy
</Link>
.
<Link href="/privacy" className="text-primary-600 hover:underline">Privacy Policy</Link>.
</p>
</div>
);
src/components/dashboard/settings/SettingsBilling.tsx
+63 -12
View File
@@ -1,5 +1,9 @@
import { CreditCard, ExternalLink, Zap } from "lucide-react";
"use client";
import { useState } from "react";
import { CreditCard, Loader2, Zap } from "lucide-react";
import { apiFetch } from "@/lib/api/fetch";
import type { PlanId } from "@/lib/plans";
interface SettingsBillingProps {
@@ -26,6 +30,28 @@ const PLAN_FEATURES: Record<PlanId, string[]> = {
export function SettingsBilling({ plan }: SettingsBillingProps) {
const isPaid = plan !== "free";
const [cancelling, setCancelling] = useState(false);
const [cancelled, setCancelled] = useState(false);
const [cancelError, setCancelError] = useState<string | null>(null);
const handleCancel = async () => {
if (!confirm("Cancel your plan? You'll keep access until the current period ends.")) return;
setCancelling(true);
setCancelError(null);
try {
const res = await apiFetch("/api/billing/cancel", { method: "POST" });
if (!res.ok) {
const data = (await res.json().catch(() => null)) as { error?: string } | null;
setCancelError(data?.error ?? "Failed to cancel plan. Please try again.");
} else {
setCancelled(true);
}
} catch {
setCancelError("Network error. Please try again.");
} finally {
setCancelling(false);
}
};
return (
<div className="rounded-xl border border-gray-100 bg-white p-6">
@@ -44,21 +70,12 @@ export function SettingsBilling({ plan }: SettingsBillingProps) {
<div className="flex items-center gap-2">
<p className="font-heading text-lg font-bold text-neutral-900">{PLAN_LABELS[plan]}</p>
<span className={`rounded-full px-2 py-0.5 text-xs font-semibold ${PLAN_COLORS[plan]}`}>
{isPaid ? "Active" : "Free tier"}
{cancelled ? "Cancels at period end" : isPaid ? "Active" : "Free tier"}
</span>
</div>
</div>
</div>
{isPaid ? (
<a
href="/api/billing/portal"
className="inline-flex items-center gap-1.5 rounded-lg border border-gray-200 bg-white px-3 py-1.5 text-sm font-medium text-neutral-700 transition-colors hover:bg-neutral-50 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-primary-500"
>
<CreditCard className="h-4 w-4" aria-hidden />
Manage billing
<ExternalLink className="h-3 w-3" aria-hidden />
</a>
) : (
{!isPaid && (
<a
href="/#pricing"
className="inline-flex items-center gap-1.5 rounded-lg bg-primary-600 px-3 py-1.5 text-sm font-semibold text-white transition-colors hover:bg-primary-700 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-primary-500"
@@ -80,6 +97,40 @@ export function SettingsBilling({ plan }: SettingsBillingProps) {
</ul>
</div>
{/* Paid plan actions */}
{isPaid && !cancelled && (
<div className="mt-4 flex items-center gap-3">
<a
href="/#pricing"
className="inline-flex items-center gap-1.5 rounded-lg border border-gray-200 bg-white px-3 py-1.5 text-sm font-medium text-neutral-700 transition-colors hover:bg-neutral-50"
>
<CreditCard className="h-4 w-4" aria-hidden />
Change plan
</a>
<button
type="button"
onClick={handleCancel}
disabled={cancelling}
className="inline-flex items-center gap-1.5 rounded-lg border border-red-200 px-3 py-1.5 text-sm font-medium text-red-600 transition-colors hover:bg-red-50 disabled:opacity-50 disabled:cursor-not-allowed"
>
{cancelling ? <Loader2 className="h-4 w-4 animate-spin" /> : null}
{cancelling ? "Cancelling…" : "Cancel plan"}
</button>
</div>
)}
{cancelError && (
<p className="mt-3 rounded-lg border border-red-200 bg-red-50 px-3 py-2 text-sm text-red-600">
{cancelError}
</p>
)}
{cancelled && (
<p className="mt-3 rounded-lg border border-amber-200 bg-amber-50 px-3 py-2 text-sm text-amber-700">
Your plan has been cancelled. You&apos;ll keep access until the end of your billing period.
</p>
)}
{!isPaid && (
<p className="mt-4 text-xs text-neutral-400">
Upgrade to unlock unlimited projects, 4K export, and premium templates.