feat(payment): standalone ZarinPal broker on pay.flatrender.ir
A generic multi-client payment gateway so FlatRender, meezi.ir and bargevasat.ir can all pay through ZarinPal's single verified callback domain (pay.flatrender.ir). New Go service services/payment (clones the notification skeleton + vendored deps): - migration 31_payment_broker.sql — `payment` schema: client_apps, transactions, webhook_deliveries. - ZarinPal v4 client ported from the proven identity PaymentService (request.json -> StartPay -> verify.json; codes 100/101). - client API: POST /v1/pay/request + /v1/pay/inquiry, authed by X-Api-Key + HMAC body signature; GET /callback/zarinpal (the single verified endpoint) verifies, then 302s the user back to the site's return_url (signed) and fires a signed, retried webhook. - per-client ZarinPal merchant override (default = shared merchant); amount stored canonically in Rial, unit to ZarinPal env-configurable. - admin API /v1/admin/* (FlatRender admin JWT): client-app CRUD + key issue/rotate + transactions list. Deploy wiring: payment-svc in docker-compose.v2.yml (host port 1607), pay.flatrender.ir server block in mirror-nginx conf, ENV_FILE + README updates (cert SAN + manual migration note). Admin UI: src/components/admin/PaymentsAdmin.tsx (client apps with one-time key reveal + rotate, transactions table) + /admin/payments page + nav link + fa/en strings; pay-admin proxy route to payment-svc. Docs/SDK: deploy/PAYMENTS.md (integration contract) + deploy/sdk/flatpay.js (zero-dep Node client + webhook verifier) for meezi/any site. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
soroush.asadi
@@ -59,6 +59,7 @@ export default async function AdminLayout({
|
||||
{ href: "/admin/users", label: t("users") },
|
||||
{ href: "/admin/plans", label: t("plans") },
|
||||
{ href: "/admin/discounts", label: t("discounts") },
|
||||
{ href: "/admin/payments", label: t("payments") },
|
||||
],
|
||||
},
|
||||
{
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
"use client";
|
||||
|
||||
import { PaymentsAdmin } from "@/components/admin/PaymentsAdmin";
|
||||
|
||||
export default function Page() {
|
||||
return <PaymentsAdmin />;
|
||||
}
|
||||
@@ -0,0 +1,89 @@
|
||||
import { type NextRequest, NextResponse } from "next/server";
|
||||
|
||||
import { getAccessToken } from "@/lib/auth/session";
|
||||
import { decodeJwt } from "@/lib/auth/jwt";
|
||||
|
||||
export const dynamic = "force-dynamic";
|
||||
export const runtime = "nodejs";
|
||||
|
||||
/**
|
||||
* Admin proxy for the standalone payment broker (pay.flatrender.ir / payment-svc).
|
||||
* Forwards to ${PAYMENT_SVC_URL}/v1/admin/<path> with the admin bearer. The broker
|
||||
* is NOT behind the API gateway, so this proxy targets it directly.
|
||||
*
|
||||
* /api/admin/pay/clients → {PAYMENT_SVC_URL}/v1/admin/clients
|
||||
* /api/admin/pay/clients/<id> → .../v1/admin/clients/<id>
|
||||
* /api/admin/pay/transactions?... → .../v1/admin/transactions?...
|
||||
*/
|
||||
function paymentBase(): string {
|
||||
return (process.env.PAYMENT_SVC_URL || "http://localhost:8090").replace(/\/+$/, "");
|
||||
}
|
||||
|
||||
async function forward(
|
||||
req: NextRequest,
|
||||
path: string[],
|
||||
method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE"
|
||||
): Promise<NextResponse> {
|
||||
const token = await getAccessToken();
|
||||
if (!token) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
|
||||
|
||||
const claims = decodeJwt(token);
|
||||
const isAdmin =
|
||||
String(claims?.is_admin) === "true" ||
|
||||
claims?.is_admin === true ||
|
||||
String(claims?.is_tenant_admin) === "true";
|
||||
if (!isAdmin) return NextResponse.json({ error: "Forbidden" }, { status: 403 });
|
||||
|
||||
const search = req.nextUrl.search ?? "";
|
||||
const url = `${paymentBase()}/v1/admin/${path.join("/")}${search}`;
|
||||
|
||||
let body: string | undefined;
|
||||
if (method === "POST" || method === "PUT" || method === "PATCH") {
|
||||
const json = await req.json().catch(() => ({}));
|
||||
body = JSON.stringify(json);
|
||||
}
|
||||
|
||||
const res = await fetch(url, {
|
||||
method,
|
||||
cache: "no-store",
|
||||
headers: {
|
||||
Accept: "application/json",
|
||||
"Content-Type": "application/json",
|
||||
Authorization: `Bearer ${token}`,
|
||||
},
|
||||
body,
|
||||
});
|
||||
|
||||
if (res.status === 204) return new NextResponse(null, { status: 204 });
|
||||
|
||||
const text = await res.text();
|
||||
const data = text ? safeJson(text) : null;
|
||||
if (!res.ok) {
|
||||
const message =
|
||||
(data && (data.message || (typeof data.error === "string" ? data.error : undefined))) ||
|
||||
"Payment service error";
|
||||
return NextResponse.json({ error: message }, { status: res.status });
|
||||
}
|
||||
return NextResponse.json(data ?? {}, { status: 200 });
|
||||
}
|
||||
|
||||
function safeJson(t: string): { message?: string; error?: unknown; [k: string]: unknown } | null {
|
||||
try {
|
||||
return JSON.parse(t);
|
||||
} catch {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
export async function GET(req: NextRequest, ctx: { params: { path: string[] } }) {
|
||||
return forward(req, ctx.params.path, "GET");
|
||||
}
|
||||
export async function POST(req: NextRequest, ctx: { params: { path: string[] } }) {
|
||||
return forward(req, ctx.params.path, "POST");
|
||||
}
|
||||
export async function PUT(req: NextRequest, ctx: { params: { path: string[] } }) {
|
||||
return forward(req, ctx.params.path, "PUT");
|
||||
}
|
||||
export async function DELETE(req: NextRequest, ctx: { params: { path: string[] } }) {
|
||||
return forward(req, ctx.params.path, "DELETE");
|
||||
}
|
||||
Reference in New Issue
Block a user