core/php-commerce
8
0
Fork 0
Code Issues 16 Pull requests 11 Projects Releases Packages Wiki Activity Actions
43 commits 13 branches 3 tags 753 KiB
Commit graph

5 commits

Author SHA1 Message Date
Snider
4e4337e412 feat(commerce): implement RFC.md — billing, subscriptions, Stripe + BTCPay, Commerce Matrix (#845) 
Extends prior #860 DunningService with the full RFC.md surface.

Lands across 44 modified/new files:
* Contracts/PaymentGatewayContract.php — implemented by both
  Services/StripeGateway.php and Services/BTCPayGateway.php
* Boot.php — provider bindings + route groups + Commerce Matrix training
  mode middleware
* Services/WebhookService.php — DB::transaction wrapping + ProcessWebhookEvent
  job dispatched ->afterCommit; idempotency via webhook_events unique
  (gateway, event_id) — duplicates rejected silently
* Jobs/ProcessWebhookEvent.php
* DTOs/ — readonly PHP 8.2+ classes per RFC.dto.md
* Services/SubscriptionStateMachine.php — active → suspended (failed
  payment) → cancelled → expired transitions
* Services/ProrationService.php — credit unused old plan time, charge
  new plan remainder, applied via CreditNote + Invoice
* DunningService extended — 1d/3d/7d/14d retry config + cancel
* Migrations — guarded migrations for missing short-name billing tables
  (orders/payments/invoices) + RFC compatibility columns
* routes/api.php — /v1/* endpoints
* Checkout success/cancel routes
* Commerce Matrix training-mode endpoint + record-permissions logic
* Console/Commands — RFC.commands.md signatures
* Events per RFC.events.md
* Models extended

php -l clean. composer validate passes. pest unrunnable in sandbox.

Co-authored-by: Codex <noreply@openai.com>
Closes tasks.lthn.sh/view.php?id=845
 2026-04-25 22:55:51 +01:00
Snider
df167eb423 fix(dx): add declare(strict_types=1) and fix PSR-12 compliance
Some checks failed
CI / PHP 8.3 (pull_request) Failing after 3s
Details
CI / PHP 8.4 (pull_request) Failing after 3s
Details 
Added missing strict_types declarations to 65 PHP files and ran
Laravel Pint to fix PSR-12 violations (ordered imports, unary
operator spacing, brace positioning, fully qualified strict types).

Co-Authored-By: Virgil <virgil@lethean.io>
 2026-03-17 09:08:03 +00:00
Snider
c169f4161f security(webhooks): add per-IP rate limiting for webhook endpoints (P2-075) 
Add WebhookRateLimiter service with IP-based rate limiting for webhook
endpoints to prevent rate limit exhaustion attacks against legitimate
payment webhooks.

Changes:
- Add WebhookRateLimiter service with per-IP tracking
- Default: 60 req/min for unknown IPs, 300 req/min for trusted gateway IPs
- Support CIDR ranges for IP allowlisting
- Configure via commerce.webhooks.rate_limits and trusted_ips
- Update BTCPayWebhookController and StripeWebhookController
- Return proper 429 responses with Retry-After headers
- Replace global throttle:120,1 middleware with granular controls
- Add comprehensive tests for rate limiting behaviour

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-29 18:11:02 +00:00
Snider
2e5cd499b9 security: complete rate limiting and fraud service implementation (P1-040) 
Add missing files from P1-040/P1-041 implementation:
- CheckoutRateLimitException for 429 responses when rate limit exceeded
- FraudAssessment data object for fraud scoring results
- FraudService for velocity checks and Stripe Radar integration
- Register services in Boot.php
- Add fraud detection configuration in config.php
- Add CouponServiceTest for input sanitisation

The CheckoutRateLimiter (already tracked) is now properly integrated with
the exception handling, and the FraudService provides defence-in-depth
with velocity-based and geo-anomaly detection.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-29 16:09:29 +00:00
Snider
a74a02f406 monorepo sepration 2026-01-27 00:24:22 +00:00