238 lines
8.2 KiB
PHP
238 lines
8.2 KiB
PHP
<?php
|
|
declare(strict_types=1);
|
|
|
|
/**
|
|
* Thin Stripe API wrapper — no SDK, pure curl + HMAC.
|
|
*
|
|
* Configuration is loaded from /etc/bnl/stripe.php (production) or env vars (local).
|
|
* Required keys:
|
|
* STRIPE_SECRET_KEY sk_live_... or sk_test_...
|
|
* STRIPE_PUBLISHABLE_KEY pk_live_... or pk_test_...
|
|
* STRIPE_WEBHOOK_SECRET whsec_...
|
|
* STRIPE_PRICE_TOPUP_S / _M / _L
|
|
* STRIPE_PRICE_PLUS_NOK / STRIPE_PRICE_PRO_NOK
|
|
*/
|
|
final class StripeClient
|
|
{
|
|
private const API_BASE = 'https://api.stripe.com/v1';
|
|
private const TIMEOUT = 30;
|
|
|
|
private string $secretKey;
|
|
|
|
public function __construct(?string $secretKey = null)
|
|
{
|
|
$this->secretKey = $secretKey ?? self::config('STRIPE_SECRET_KEY');
|
|
if ($this->secretKey === '') {
|
|
throw new RuntimeException('StripeClient: STRIPE_SECRET_KEY not configured.');
|
|
}
|
|
}
|
|
|
|
/** Load a Stripe config value from /etc/bnl/stripe.php OR env. */
|
|
public static function config(string $key): string
|
|
{
|
|
static $fileConfig = null;
|
|
if ($fileConfig === null) {
|
|
$path = '/etc/bnl/stripe.php';
|
|
$fileConfig = is_readable($path) ? (require $path) : [];
|
|
if (!is_array($fileConfig)) {
|
|
$fileConfig = [];
|
|
}
|
|
}
|
|
|
|
$envValue = getenv($key);
|
|
if ($envValue !== false && $envValue !== '') {
|
|
return $envValue;
|
|
}
|
|
return (string)($fileConfig[$key] ?? '');
|
|
}
|
|
|
|
/** Map an internal SKU to a Stripe price ID. */
|
|
public static function priceId(string $sku): string
|
|
{
|
|
static $map = null;
|
|
if ($map === null) {
|
|
$map = [
|
|
'topup_s' => self::config('STRIPE_PRICE_TOPUP_S'),
|
|
'topup_m' => self::config('STRIPE_PRICE_TOPUP_M'),
|
|
'topup_l' => self::config('STRIPE_PRICE_TOPUP_L'),
|
|
'plus' => self::config('STRIPE_PRICE_PLUS_NOK'),
|
|
'pro' => self::config('STRIPE_PRICE_PRO_NOK'),
|
|
];
|
|
}
|
|
$id = $map[$sku] ?? '';
|
|
if ($id === '') {
|
|
throw new InvalidArgumentException("Unknown Stripe SKU: {$sku}");
|
|
}
|
|
return $id;
|
|
}
|
|
|
|
/** Topup credit grants — must match values shown on pricing.php. */
|
|
public static function topupCredits(string $sku): int
|
|
{
|
|
return match ($sku) {
|
|
'topup_s' => 30,
|
|
'topup_m' => 100,
|
|
'topup_l' => 300,
|
|
default => 0,
|
|
};
|
|
}
|
|
|
|
/** Map a Stripe price ID back to the internal subscription tier (plus/pro). */
|
|
public static function tierForPrice(string $priceId): ?string
|
|
{
|
|
$map = [
|
|
'plus' => self::config('STRIPE_PRICE_PLUS_NOK'),
|
|
'pro' => self::config('STRIPE_PRICE_PRO_NOK'),
|
|
];
|
|
foreach ($map as $tier => $configuredPriceId) {
|
|
if ($configuredPriceId !== '' && hash_equals($configuredPriceId, $priceId)) {
|
|
return (string)$tier;
|
|
}
|
|
}
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* Create a Checkout Session.
|
|
*
|
|
* @param array $params Stripe parameters (flat form-encoded — see request() docs).
|
|
*/
|
|
public function createCheckoutSession(array $params): array
|
|
{
|
|
return $this->request('POST', '/checkout/sessions', $params);
|
|
}
|
|
|
|
/** Create a Customer Portal session for self-serve subscription management. */
|
|
public function createPortalSession(string $customerId, string $returnUrl): array
|
|
{
|
|
return $this->request('POST', '/billing_portal/sessions', [
|
|
'customer' => $customerId,
|
|
'return_url' => $returnUrl,
|
|
]);
|
|
}
|
|
|
|
/** Retrieve a subscription. */
|
|
public function getSubscription(string $subscriptionId): array
|
|
{
|
|
return $this->request('GET', '/subscriptions/' . urlencode($subscriptionId));
|
|
}
|
|
|
|
/** Find-or-create a Stripe customer for a given email. */
|
|
public function ensureCustomer(string $email, ?int $userId = null): string
|
|
{
|
|
$found = $this->request('GET', '/customers', ['email' => $email, 'limit' => 1]);
|
|
if (!empty($found['data'][0]['id'])) {
|
|
return (string)$found['data'][0]['id'];
|
|
}
|
|
$params = ['email' => $email];
|
|
if ($userId !== null) {
|
|
$params['metadata'] = ['user_id' => (string)$userId];
|
|
}
|
|
$created = $this->request('POST', '/customers', $params);
|
|
return (string)($created['id'] ?? '');
|
|
}
|
|
|
|
/**
|
|
* Verify a Stripe webhook signature.
|
|
* Stripe-Signature header format: t=<timestamp>,v1=<signature>[,v1=<signature>...]
|
|
*/
|
|
public static function verifyWebhookSignature(string $payload, string $sigHeader, string $secret, int $toleranceSeconds = 300): bool
|
|
{
|
|
if ($secret === '' || $sigHeader === '') {
|
|
return false;
|
|
}
|
|
$parts = [];
|
|
foreach (explode(',', $sigHeader) as $pair) {
|
|
$kv = explode('=', $pair, 2);
|
|
if (count($kv) === 2) {
|
|
$parts[trim($kv[0])][] = trim($kv[1]);
|
|
}
|
|
}
|
|
$timestamp = isset($parts['t'][0]) ? (int)$parts['t'][0] : 0;
|
|
$sigs = $parts['v1'] ?? [];
|
|
if ($timestamp === 0 || empty($sigs)) {
|
|
return false;
|
|
}
|
|
if (abs(time() - $timestamp) > $toleranceSeconds) {
|
|
return false;
|
|
}
|
|
$signedPayload = $timestamp . '.' . $payload;
|
|
$expected = hash_hmac('sha256', $signedPayload, $secret);
|
|
foreach ($sigs as $sig) {
|
|
if (hash_equals($expected, $sig)) {
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Low-level HTTP request to Stripe API. Returns decoded JSON or throws on error.
|
|
* Stripe uses form-encoded bodies even for nested params (foo[bar]=baz).
|
|
*/
|
|
public function request(string $method, string $path, array $params = []): array
|
|
{
|
|
$url = self::API_BASE . $path;
|
|
$method = strtoupper($method);
|
|
$headers = [
|
|
'Authorization: Bearer ' . $this->secretKey,
|
|
'Stripe-Version: 2026-02-25.clover',
|
|
];
|
|
|
|
$ch = curl_init();
|
|
$body = '';
|
|
if ($method === 'GET' && !empty($params)) {
|
|
$url .= '?' . self::flattenFormParams($params);
|
|
} elseif (!empty($params)) {
|
|
$body = self::flattenFormParams($params);
|
|
$headers[] = 'Content-Type: application/x-www-form-urlencoded';
|
|
}
|
|
|
|
curl_setopt($ch, CURLOPT_URL, $url);
|
|
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
|
|
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
|
|
curl_setopt($ch, CURLOPT_TIMEOUT, self::TIMEOUT);
|
|
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
|
|
if ($body !== '') {
|
|
curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
|
|
}
|
|
|
|
$raw = curl_exec($ch);
|
|
$errno = curl_errno($ch);
|
|
$status = (int)curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
|
|
curl_close($ch);
|
|
|
|
if ($errno !== 0 || $raw === false) {
|
|
throw new RuntimeException('Stripe curl error: ' . curl_strerror($errno));
|
|
}
|
|
|
|
$decoded = json_decode((string)$raw, true);
|
|
if (!is_array($decoded)) {
|
|
throw new RuntimeException('Stripe response was not JSON: ' . substr((string)$raw, 0, 200));
|
|
}
|
|
if ($status >= 400) {
|
|
$msg = $decoded['error']['message'] ?? 'Unknown Stripe error';
|
|
$code = $decoded['error']['code'] ?? 'unknown';
|
|
throw new RuntimeException("Stripe API error ({$status}/{$code}): {$msg}");
|
|
}
|
|
return $decoded;
|
|
}
|
|
|
|
/** Flatten nested arrays into Stripe's form-encoding scheme (foo[bar]=baz). */
|
|
private static function flattenFormParams(array $params, string $prefix = ''): string
|
|
{
|
|
$pairs = [];
|
|
foreach ($params as $key => $value) {
|
|
$name = $prefix === '' ? (string)$key : $prefix . '[' . $key . ']';
|
|
if (is_array($value)) {
|
|
$pairs[] = self::flattenFormParams($value, $name);
|
|
} elseif (is_bool($value)) {
|
|
$pairs[] = rawurlencode($name) . '=' . ($value ? 'true' : 'false');
|
|
} elseif ($value !== null) {
|
|
$pairs[] = rawurlencode($name) . '=' . rawurlencode((string)$value);
|
|
}
|
|
}
|
|
return implode('&', $pairs);
|
|
}
|
|
}
|