php-commerce/routes/api.php

<?php

declare(strict_types=1);

use Illuminate\Support\Facades\Route;
use Core\Mod\Commerce\Controllers\Api\CommerceController;
use Core\Mod\Commerce\Controllers\Webhooks\BTCPayWebhookController;
use Core\Mod\Commerce\Controllers\Webhooks\StripeWebhookController;

/*
|--------------------------------------------------------------------------
| Commerce API Routes
|--------------------------------------------------------------------------
|
| API routes for the Commerce module including payment webhooks,
| billing management, and provisioning endpoints.
|
*/

// ─────────────────────────────────────────────────────────────────────────────
// Payment Webhooks (no auth - uses signature verification + IP-based rate limiting)
// ─────────────────────────────────────────────────────────────────────────────

Route::prefix('webhooks')->group(function () {
    // Rate limiting is handled per-IP in the controllers via WebhookRateLimiter
    // This provides better protection than global throttle middleware:
    // - Per-IP limits (60/min default, 300/min for trusted gateway IPs)
    // - Different limits per gateway
    // - Proper 429 responses with Retry-After headers
    Route::post('/btcpay', [BTCPayWebhookController::class, 'handle'])
        ->name('api.webhook.btcpay');
    Route::post('/stripe', [StripeWebhookController::class, 'handle'])
        ->name('api.webhook.stripe');
});

// ─────────────────────────────────────────────────────────────────────────────
// Commerce Provisioning API (Bearer token auth)
// TODO: Create ProductApiController and EntitlementApiController in
//       Mod\Commerce\Controllers\Api\ for provisioning endpoints
// ─────────────────────────────────────────────────────────────────────────────

// Route::middleware('commerce.api')->prefix('provisioning')->group(function () {
//     Route::get('/ping', [ProductApiController::class, 'ping'])->name('api.commerce.ping');
//     Route::get('/products', [ProductApiController::class, 'index'])->name('api.commerce.products');
//     Route::get('/products/{code}', [ProductApiController::class, 'show'])->name('api.commerce.products.show');
//     Route::post('/entitlements', [EntitlementApiController::class, 'store'])->name('api.commerce.entitlements.store');
//     Route::get('/entitlements/{id}', [EntitlementApiController::class, 'show'])->name('api.commerce.entitlements.show');
//     Route::post('/entitlements/{id}/suspend', [EntitlementApiController::class, 'suspend'])->name('api.commerce.entitlements.suspend');
//     Route::post('/entitlements/{id}/unsuspend', [EntitlementApiController::class, 'unsuspend'])->name('api.commerce.entitlements.unsuspend');
//     Route::post('/entitlements/{id}/cancel', [EntitlementApiController::class, 'cancel'])->name('api.commerce.entitlements.cancel');
//     Route::post('/entitlements/{id}/renew', [EntitlementApiController::class, 'renew'])->name('api.commerce.entitlements.renew');
// });

// ─────────────────────────────────────────────────────────────────────────────
// Commerce Billing API (authenticated)
// ─────────────────────────────────────────────────────────────────────────────

Route::middleware('auth')->prefix('commerce')->group(function () {
    // Billing overview
    Route::get('/billing', [CommerceController::class, 'billing'])
        ->name('api.commerce.billing');

    // Orders
    Route::get('/orders', [CommerceController::class, 'orders'])
        ->name('api.commerce.orders.index');
    Route::get('/orders/{order}', [CommerceController::class, 'showOrder'])
        ->name('api.commerce.orders.show');

    // Invoices
    Route::get('/invoices', [CommerceController::class, 'invoices'])
        ->name('api.commerce.invoices.index');
    Route::get('/invoices/{invoice}', [CommerceController::class, 'showInvoice'])
        ->name('api.commerce.invoices.show');
    Route::get('/invoices/{invoice}/download', [CommerceController::class, 'downloadInvoice'])
        ->name('api.commerce.invoices.download');

    // Subscription
    Route::get('/subscription', [CommerceController::class, 'subscription'])
        ->name('api.commerce.subscription');
    Route::post('/cancel', [CommerceController::class, 'cancelSubscription'])
        ->name('api.commerce.cancel');
    Route::post('/resume', [CommerceController::class, 'resumeSubscription'])
        ->name('api.commerce.resume');

    // Usage
    Route::get('/usage', [CommerceController::class, 'usage'])
        ->name('api.commerce.usage');

    // Plan changes
    Route::post('/upgrade/preview', [CommerceController::class, 'previewUpgrade'])
        ->name('api.commerce.upgrade.preview');
    Route::post('/upgrade', [CommerceController::class, 'executeUpgrade'])
        ->name('api.commerce.upgrade');
});
Initial commit 2026-01-26 23:18:22 +00:00			`<?php`

monorepo sepration 2026-01-27 00:24:22 +00:00			`declare(strict_types=1);`

Initial commit 2026-01-26 23:18:22 +00:00			`use Illuminate\Support\Facades\Route;`
refactor: migrate namespace from Core\Commerce to Core\Mod\Commerce Align commerce module with the monorepo module structure by updating all namespaces to use the Core\Mod\Commerce convention. This change supports the recent monorepo separation and ensures consistency with other modules. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-27 16:23:12 +00:00			`use Core\Mod\Commerce\Controllers\Api\CommerceController;`
			`use Core\Mod\Commerce\Controllers\Webhooks\BTCPayWebhookController;`
			`use Core\Mod\Commerce\Controllers\Webhooks\StripeWebhookController;`
monorepo sepration 2026-01-27 00:24:22 +00:00
			`/*`
			`\|--------------------------------------------------------------------------`
			`\| Commerce API Routes`
			`\|--------------------------------------------------------------------------`
			`\|`
			`\| API routes for the Commerce module including payment webhooks,`
			`\| billing management, and provisioning endpoints.`
			`\|`
			`*/`

			`// ─────────────────────────────────────────────────────────────────────────────`
security(webhooks): add per-IP rate limiting for webhook endpoints (P2-075) Add WebhookRateLimiter service with IP-based rate limiting for webhook endpoints to prevent rate limit exhaustion attacks against legitimate payment webhooks. Changes: - Add WebhookRateLimiter service with per-IP tracking - Default: 60 req/min for unknown IPs, 300 req/min for trusted gateway IPs - Support CIDR ranges for IP allowlisting - Configure via commerce.webhooks.rate_limits and trusted_ips - Update BTCPayWebhookController and StripeWebhookController - Return proper 429 responses with Retry-After headers - Replace global throttle:120,1 middleware with granular controls - Add comprehensive tests for rate limiting behaviour Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 18:11:02 +00:00			`// Payment Webhooks (no auth - uses signature verification + IP-based rate limiting)`
monorepo sepration 2026-01-27 00:24:22 +00:00			`// ─────────────────────────────────────────────────────────────────────────────`

security(webhooks): add per-IP rate limiting for webhook endpoints (P2-075) Add WebhookRateLimiter service with IP-based rate limiting for webhook endpoints to prevent rate limit exhaustion attacks against legitimate payment webhooks. Changes: - Add WebhookRateLimiter service with per-IP tracking - Default: 60 req/min for unknown IPs, 300 req/min for trusted gateway IPs - Support CIDR ranges for IP allowlisting - Configure via commerce.webhooks.rate_limits and trusted_ips - Update BTCPayWebhookController and StripeWebhookController - Return proper 429 responses with Retry-After headers - Replace global throttle:120,1 middleware with granular controls - Add comprehensive tests for rate limiting behaviour Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 18:11:02 +00:00			`Route::prefix('webhooks')->group(function () {`
			`// Rate limiting is handled per-IP in the controllers via WebhookRateLimiter`
			`// This provides better protection than global throttle middleware:`
			`// - Per-IP limits (60/min default, 300/min for trusted gateway IPs)`
			`// - Different limits per gateway`
			`// - Proper 429 responses with Retry-After headers`
monorepo sepration 2026-01-27 00:24:22 +00:00			`Route::post('/btcpay', [BTCPayWebhookController::class, 'handle'])`
			`->name('api.webhook.btcpay');`
			`Route::post('/stripe', [StripeWebhookController::class, 'handle'])`
			`->name('api.webhook.stripe');`
			`});`

			`// ─────────────────────────────────────────────────────────────────────────────`
			`// Commerce Provisioning API (Bearer token auth)`
			`// TODO: Create ProductApiController and EntitlementApiController in`
			`// Mod\Commerce\Controllers\Api\ for provisioning endpoints`
			`// ─────────────────────────────────────────────────────────────────────────────`

			`// Route::middleware('commerce.api')->prefix('provisioning')->group(function () {`
			`// Route::get('/ping', [ProductApiController::class, 'ping'])->name('api.commerce.ping');`
			`// Route::get('/products', [ProductApiController::class, 'index'])->name('api.commerce.products');`
			`// Route::get('/products/{code}', [ProductApiController::class, 'show'])->name('api.commerce.products.show');`
			`// Route::post('/entitlements', [EntitlementApiController::class, 'store'])->name('api.commerce.entitlements.store');`
			`// Route::get('/entitlements/{id}', [EntitlementApiController::class, 'show'])->name('api.commerce.entitlements.show');`
			`// Route::post('/entitlements/{id}/suspend', [EntitlementApiController::class, 'suspend'])->name('api.commerce.entitlements.suspend');`
			`// Route::post('/entitlements/{id}/unsuspend', [EntitlementApiController::class, 'unsuspend'])->name('api.commerce.entitlements.unsuspend');`
			`// Route::post('/entitlements/{id}/cancel', [EntitlementApiController::class, 'cancel'])->name('api.commerce.entitlements.cancel');`
			`// Route::post('/entitlements/{id}/renew', [EntitlementApiController::class, 'renew'])->name('api.commerce.entitlements.renew');`
			`// });`

			`// ─────────────────────────────────────────────────────────────────────────────`
			`// Commerce Billing API (authenticated)`
			`// ─────────────────────────────────────────────────────────────────────────────`

			`Route::middleware('auth')->prefix('commerce')->group(function () {`
			`// Billing overview`
			`Route::get('/billing', [CommerceController::class, 'billing'])`
			`->name('api.commerce.billing');`

			`// Orders`
			`Route::get('/orders', [CommerceController::class, 'orders'])`
			`->name('api.commerce.orders.index');`
			`Route::get('/orders/{order}', [CommerceController::class, 'showOrder'])`
			`->name('api.commerce.orders.show');`

			`// Invoices`
			`Route::get('/invoices', [CommerceController::class, 'invoices'])`
			`->name('api.commerce.invoices.index');`
			`Route::get('/invoices/{invoice}', [CommerceController::class, 'showInvoice'])`
			`->name('api.commerce.invoices.show');`
			`Route::get('/invoices/{invoice}/download', [CommerceController::class, 'downloadInvoice'])`
			`->name('api.commerce.invoices.download');`

			`// Subscription`
			`Route::get('/subscription', [CommerceController::class, 'subscription'])`
			`->name('api.commerce.subscription');`
			`Route::post('/cancel', [CommerceController::class, 'cancelSubscription'])`
			`->name('api.commerce.cancel');`
			`Route::post('/resume', [CommerceController::class, 'resumeSubscription'])`
			`->name('api.commerce.resume');`

			`// Usage`
			`Route::get('/usage', [CommerceController::class, 'usage'])`
			`->name('api.commerce.usage');`
Initial commit 2026-01-26 23:18:22 +00:00
monorepo sepration 2026-01-27 00:24:22 +00:00			`// Plan changes`
			`Route::post('/upgrade/preview', [CommerceController::class, 'previewUpgrade'])`
			`->name('api.commerce.upgrade.preview');`
			`Route::post('/upgrade', [CommerceController::class, 'executeUpgrade'])`
			`->name('api.commerce.upgrade');`
			`});`