Update app.js

app.js

@@ -1,10 +1,11 @@
 // paystack-webhook.js
 // Node >= 14, install dependencies:
-// npm install express firebase-admin
+// npm install express firebase-admin axios
 
 const express = require('express');
 const crypto = require('crypto');
 const admin = require('firebase-admin');
+const axios = require('axios');
 
 const app = express();
 
@@ -12,7 +13,8 @@ const app = express();
 // Environment variables (set these in your env/secrets)
 // -------------------------------------------------
 // - FIREBASE_CREDENTIALS: stringified JSON service account
-// - PAYSTACK_SECRET: your Paystack webhook secret
+// - PAYSTACK_DEMO_SECRET
+// - PAYSTACK_LIVE_SECRET
 // - PORT (optional)
 // -------------------------------------------------
 
@@ -20,13 +22,14 @@ const {
   FIREBASE_CREDENTIALS,
   PAYSTACK_DEMO_SECRET,
   PAYSTACK_LIVE_SECRET,
-  PORT, 
+  PORT = 3000,
 } = process.env;
 
-const PAYSTACK_SECRET = PAYSTACK_DEMO_SECRET; // PAYSTACK_LIVE_SECRET
+// choose which secret to use (dev/demo by default)
+const PAYSTACK_SECRET = PAYSTACK_DEMO_SECRET || PAYSTACK_LIVE_SECRET;
 
 if (!PAYSTACK_SECRET) {
-  console.warn('WARNING: PAYSTACK_SECRET is not set. Webhook signature verification will fail.');
+  console.warn('WARNING: PAYSTACK_SECRET is not set. Outgoing Paystack calls and webhook verification will fail.');
 }
 
 // Initialize Firebase Admin using credentials read from env
@@ -45,8 +48,9 @@ if (FIREBASE_CREDENTIALS) {
   console.warn('FIREBASE_CREDENTIALS not provided. Firebase admin not initialized.');
 }
 
-// Important: use raw body parser to verify Paystack signature.
-// Paystack signs the raw request body (HMAC SHA512) and puts signature in header `x-paystack-signature`
+// -------------------------------------------------
+// Webhook raw parser (required to verify Paystack signature)
+// -------------------------------------------------
 app.use(
   express.raw({
     type: 'application/json',
@@ -60,8 +64,11 @@ function verifyPaystackSignature(rawBodyBuffer, signatureHeader) {
   const hmac = crypto.createHmac('sha512', PAYSTACK_SECRET);
   hmac.update(rawBodyBuffer);
   const expected = hmac.digest('hex');
-  // Paystack header is hex string; compare in constant-time
-  return crypto.timingSafeEqual(Buffer.from(expected, 'utf8'), Buffer.from(signatureHeader || '', 'utf8'));
+  try {
+    return crypto.timingSafeEqual(Buffer.from(expected, 'utf8'), Buffer.from(signatureHeader || '', 'utf8'));
+  } catch (e) {
+    return false;
+  }
 }
 
 // Helper: safe JSON parse
@@ -73,7 +80,9 @@ function safeParseJSON(raw) {
   }
 }
 
-// Webhook endpoint
+// ------------------------
+// Existing webhook endpoint
+// ------------------------
 app.post('/webhook/paystack', (req, res) => {
   const raw = req.body; // Buffer because we used express.raw
   const signature = req.get('x-paystack-signature') || req.get('X-Paystack-Signature');
@@ -81,7 +90,6 @@ app.post('/webhook/paystack', (req, res) => {
   // Verify signature
   if (!signature || !verifyPaystackSignature(raw, signature)) {
     console.warn('Paystack webhook signature verification failed. Signature header:', signature);
-    // Respond 400 to indicate invalid signature
     return res.status(400).json({ ok: false, message: 'Invalid signature' });
   }
 
@@ -94,44 +102,96 @@ app.post('/webhook/paystack', (req, res) => {
     return res.status(400).json({ ok: false, message: 'Invalid JSON' });
   }
 
-  // Paystack typically uses an "event" field: e.g. "charge.success", "refund.create", ...
   const event = (payload.event || payload.type || '').toString();
-
-  // Identify refund events and payment events (first-time or recurring)
-  const isRefund = /refund/i.test(event); // matches refund.* etc.
-  const isChargeSuccess = /charge\.success/i.test(event); // common payment event
-  // add some broad matches for invoice/subscription events that might indicate recurring payments
+  const isRefund = /refund/i.test(event);
+  const isChargeSuccess = /charge\.success/i.test(event);
   const isInvoiceOrSubscription = /invoice\.(payment_succeeded|paid)|subscription\./i.test(event);
-
   const isPayment = isChargeSuccess || isInvoiceOrSubscription;
 
-  // Only interested in refunds and payments
   if (isRefund || isPayment) {
     console.log('--- PAYSTACK WEBHOOK (INTERESTING EVENT) ---');
     console.log('event:', event);
     console.log('payload:', JSON.stringify(payload, null, 2));
 
-    // TODO: add your business logic here:
-    // - update Firestore / user subscription state
-    // - create refund records, notify user, retry flows, etc.
-    // Example (pseudo):
+    // Example: persist webhook to Firestore (uncomment if you want)
     // const db = admin.firestore();
-    // await db.collection('paystack-webhooks').add({ receivedAt: admin.firestore.FieldValue.serverTimestamp(), event, payload });
-
-    // If you want to persist the webhook to Firestore for auditing, uncomment above and ensure Firebase is initialized
+    // db.collection('paystack-webhooks').add({
+    //   event,
+    //   payload,
+    //   receivedAt: admin.firestore.FieldValue.serverTimestamp(),
+    // });
   } else {
-    // For debugging, you can log minimal info for non-interesting events
     console.log(`Received Paystack webhook for event "${event}" — ignored (not refund/payment).`);
   }
 
-  // Acknowledge the webhook promptly with 200 OK so Paystack stops retrying
   return res.status(200).json({ ok: true });
 });
 
+// ------------------------
+// New: Create Payment Page (link) for a plan
+// ------------------------
+// This endpoint expects JSON body, so we attach express.json() for this route.
+// Required fields in body: planId, userId, name (friendly page name) optionally: amount, redirect_url, collect_phone, fixed_amount
+app.post('/create-payment-link', express.json(), async (req, res) => {
+  const { planId, userId, name, amount, redirect_url, collect_phone = false, fixed_amount = false } = req.body || {};
+
+  if (!planId) return res.status(400).json({ ok: false, message: 'planId is required' });
+  if (!userId) return res.status(400).json({ ok: false, message: 'userId is required' });
+  if (!name) return res.status(400).json({ ok: false, message: 'name is required (page title)' });
+
+  // Build the body per Paystack's Payment Pages API.
+  // We'll set type to "subscription" (so it links to a plan) and pass metadata.userId
+  // Also add a custom_fields array so the dashboard shows the user id if you open the transaction.
+  // See: Paystack Payment Pages and Metadata docs. 1
+  const payload = {
+    name,
+    type: 'subscription',
+    plan: planId,
+    metadata: {
+      userId,
+    },
+    custom_fields: [
+      {
+        display_name: 'User ID',
+        variable_name: 'user_id',
+        value: userId,
+      },
+    ],
+    // optional properties
+    collect_phone,
+    fixed_amount,
+  };
+
+  if (amount) payload.amount = amount; // amount is optional (in kobo/cents)
+  if (redirect_url) payload.redirect_url = redirect_url;
+
+  try {
+    const response = await axios.post('https://api.paystack.co/page', payload, {
+      headers: {
+        Authorization: `Bearer ${PAYSTACK_SECRET}`,
+        'Content-Type': 'application/json',
+      },
+      timeout: 10_000,
+    });
+
+    // Paystack returns a response with data object. Return minimal info to caller.
+    const pageData = response.data && response.data.data ? response.data.data : response.data;
+
+    // The created page usually has a slug; you can build public url with https://paystack.com/pay/[slug]
+    // Return the page data so caller can redirect or store details.
+    return res.status(201).json({ ok: true, page: pageData });
+  } catch (err) {
+    console.error('Error creating Paystack payment page:', err?.response?.data || err.message || err);
+    const errorDetail = err?.response?.data || { message: err.message };
+    return res.status(500).json({ ok: false, error: errorDetail });
+  }
+});
+
 // Simple health check
 app.get('/health', (_req, res) => res.json({ ok: true }));
 
 app.listen(PORT, () => {
   console.log(`Paystack webhook server listening on port ${PORT}`);
   console.log('POST /webhook/paystack to receive Paystack callbacks');
+  console.log('POST /create-payment-link to create a subscription payment page (expects JSON body).');
 });