Add monthly subscriptions

.kamal/secrets.beta

@@ -1,4 +1,4 @@
-SECRETS=$(kamal secrets fetch --adapter 1password --account basecamp --from Deploy/Fizzy Deployments/BASECAMP_REGISTRY_PASSWORD Deployments/DASH_BASIC_AUTH_SECRET Beta/RAILS_MASTER_KEY Beta/MYSQL_ALTER_PASSWORD Beta/MYSQL_ALTER_USER Beta/MYSQL_APP_PASSWORD Beta/MYSQL_APP_USER Beta/MYSQL_READONLY_PASSWORD Beta/MYSQL_READONLY_USER Beta/SECRET_KEY_BASE Beta/VAPID_PUBLIC_KEY Beta/VAPID_PRIVATE_KEY Beta/ACTIVE_STORAGE_ACCESS_KEY_ID Beta/ACTIVE_STORAGE_SECRET_ACCESS_KEY Beta/QUEENBEE_API_TOKEN Beta/SIGNAL_ID_SECRET Beta/SENTRY_DSN Beta/ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY Beta/ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY Beta/ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT)
+SECRETS=$(kamal secrets fetch --adapter 1password --account basecamp --from Deploy/Fizzy Deployments/BASECAMP_REGISTRY_PASSWORD Deployments/DASH_BASIC_AUTH_SECRET Beta/RAILS_MASTER_KEY Beta/MYSQL_ALTER_PASSWORD Beta/MYSQL_ALTER_USER Beta/MYSQL_APP_PASSWORD Beta/MYSQL_APP_USER Beta/MYSQL_READONLY_PASSWORD Beta/MYSQL_READONLY_USER Beta/SECRET_KEY_BASE Beta/VAPID_PUBLIC_KEY Beta/VAPID_PRIVATE_KEY Beta/ACTIVE_STORAGE_ACCESS_KEY_ID Beta/ACTIVE_STORAGE_SECRET_ACCESS_KEY Beta/QUEENBEE_API_TOKEN Beta/SIGNAL_ID_SECRET Beta/SENTRY_DSN Beta/ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY Beta/ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY Beta/ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT Beta/STRIPE_MONTHLY_V1_PRICE_ID Beta/STRIPE_SECRET_KEY Beta/STRIPE_WEBHOOK_SECRET)
 
 GITHUB_TOKEN=$(gh config get -h github.com oauth_token)
 BASECAMP_REGISTRY_PASSWORD=$(kamal secrets extract BASECAMP_REGISTRY_PASSWORD $SECRETS)
@@ -21,3 +21,6 @@ SENTRY_DSN=$(kamal secrets extract SENTRY_DSN $SECRETS)
 ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=$(kamal secrets extract ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY $SECRETS)
 ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=$(kamal secrets extract ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY $SECRETS)
 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=$(kamal secrets extract ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT $SECRETS)
+STRIPE_MONTHLY_V1_PRICE_ID=$(kamal secrets extract STRIPE_MONTHLY_V1_PRICE_ID $SECRETS)
+STRIPE_SECRET_KEY=$(kamal secrets extract STRIPE_SECRET_KEY $SECRETS)
+STRIPE_WEBHOOK_SECRET=$(kamal secrets extract STRIPE_WEBHOOK_SECRET $SECRETS)

.kamal/secrets.production

@@ -1,4 +1,4 @@
-SECRETS=$(kamal secrets fetch --adapter 1password --account basecamp --from Deploy/Fizzy Deployments/BASECAMP_REGISTRY_PASSWORD Deployments/DASH_BASIC_AUTH_SECRET Production/RAILS_MASTER_KEY Production/MYSQL_ALTER_PASSWORD Production/MYSQL_ALTER_USER Production/MYSQL_APP_PASSWORD Production/MYSQL_APP_USER Production/MYSQL_READONLY_PASSWORD Production/MYSQL_READONLY_USER Production/SECRET_KEY_BASE Production/VAPID_PUBLIC_KEY Production/VAPID_PRIVATE_KEY Production/ACTIVE_STORAGE_ACCESS_KEY_ID Production/ACTIVE_STORAGE_SECRET_ACCESS_KEY Production/QUEENBEE_API_TOKEN Production/SIGNAL_ID_SECRET Production/SENTRY_DSN Production/ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY Production/ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY Production/ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT)
+SECRETS=$(kamal secrets fetch --adapter 1password --account basecamp --from Deploy/Fizzy Deployments/BASECAMP_REGISTRY_PASSWORD Deployments/DASH_BASIC_AUTH_SECRET Production/RAILS_MASTER_KEY Production/MYSQL_ALTER_PASSWORD Production/MYSQL_ALTER_USER Production/MYSQL_APP_PASSWORD Production/MYSQL_APP_USER Production/MYSQL_READONLY_PASSWORD Production/MYSQL_READONLY_USER Production/SECRET_KEY_BASE Production/VAPID_PUBLIC_KEY Production/VAPID_PRIVATE_KEY Production/ACTIVE_STORAGE_ACCESS_KEY_ID Production/ACTIVE_STORAGE_SECRET_ACCESS_KEY Production/QUEENBEE_API_TOKEN Production/SIGNAL_ID_SECRET Production/SENTRY_DSN Production/ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY Production/ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY Production/ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT Production/STRIPE_MONTHLY_V1_PRICE_ID Production/STRIPE_SECRET_KEY Production/STRIPE_WEBHOOK_SECRET)
 
 GITHUB_TOKEN=$(gh config get -h github.com oauth_token)
 BASECAMP_REGISTRY_PASSWORD=$(kamal secrets extract BASECAMP_REGISTRY_PASSWORD $SECRETS)
@@ -21,3 +21,6 @@ SENTRY_DSN=$(kamal secrets extract SENTRY_DSN $SECRETS)
 ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=$(kamal secrets extract ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY $SECRETS)
 ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=$(kamal secrets extract ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY $SECRETS)
 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=$(kamal secrets extract ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT $SECRETS)
+STRIPE_MONTHLY_V1_PRICE_ID=$(kamal secrets extract STRIPE_MONTHLY_V1_PRICE_ID $SECRETS)
+STRIPE_SECRET_KEY=$(kamal secrets extract STRIPE_SECRET_KEY $SECRETS)
+STRIPE_WEBHOOK_SECRET=$(kamal secrets extract STRIPE_WEBHOOK_SECRET $SECRETS)

.kamal/secrets.staging

@@ -1,4 +1,4 @@
-SECRETS=$(kamal secrets fetch --adapter 1password --account basecamp --from Deploy/Fizzy Deployments/BASECAMP_REGISTRY_PASSWORD Deployments/DASH_BASIC_AUTH_SECRET Staging/RAILS_MASTER_KEY Staging/MYSQL_ALTER_PASSWORD Staging/MYSQL_ALTER_USER Staging/MYSQL_APP_PASSWORD Staging/MYSQL_APP_USER Staging/MYSQL_READONLY_PASSWORD Staging/MYSQL_READONLY_USER Staging/SECRET_KEY_BASE Staging/VAPID_PUBLIC_KEY Staging/VAPID_PRIVATE_KEY Staging/ACTIVE_STORAGE_ACCESS_KEY_ID Staging/ACTIVE_STORAGE_SECRET_ACCESS_KEY Staging/QUEENBEE_API_TOKEN Staging/SIGNAL_ID_SECRET Staging/SENTRY_DSN Staging/ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY Staging/ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY Staging/ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT)
+SECRETS=$(kamal secrets fetch --adapter 1password --account basecamp --from Deploy/Fizzy Deployments/BASECAMP_REGISTRY_PASSWORD Deployments/DASH_BASIC_AUTH_SECRET Staging/RAILS_MASTER_KEY Staging/MYSQL_ALTER_PASSWORD Staging/MYSQL_ALTER_USER Staging/MYSQL_APP_PASSWORD Staging/MYSQL_APP_USER Staging/MYSQL_READONLY_PASSWORD Staging/MYSQL_READONLY_USER Staging/SECRET_KEY_BASE Staging/VAPID_PUBLIC_KEY Staging/VAPID_PRIVATE_KEY Staging/ACTIVE_STORAGE_ACCESS_KEY_ID Staging/ACTIVE_STORAGE_SECRET_ACCESS_KEY Staging/QUEENBEE_API_TOKEN Staging/SIGNAL_ID_SECRET Staging/SENTRY_DSN Staging/ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY Staging/ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY Staging/ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT Staging/STRIPE_MONTHLY_V1_PRICE_ID Staging/STRIPE_SECRET_KEY Staging/STRIPE_WEBHOOK_SECRET)
 
 GITHUB_TOKEN=$(gh config get -h github.com oauth_token)
 BASECAMP_REGISTRY_PASSWORD=$(kamal secrets extract BASECAMP_REGISTRY_PASSWORD $SECRETS)
@@ -21,3 +21,6 @@ SENTRY_DSN=$(kamal secrets extract SENTRY_DSN $SECRETS)
 ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=$(kamal secrets extract ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY $SECRETS)
 ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=$(kamal secrets extract ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY $SECRETS)
 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=$(kamal secrets extract ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT $SECRETS)
+STRIPE_MONTHLY_V1_PRICE_ID=$(kamal secrets extract STRIPE_MONTHLY_V1_PRICE_ID $SECRETS)
+STRIPE_SECRET_KEY=$(kamal secrets extract STRIPE_SECRET_KEY $SECRETS)
+STRIPE_WEBHOOK_SECRET=$(kamal secrets extract STRIPE_WEBHOOK_SECRET $SECRETS)

README.md

@@ -24,6 +24,28 @@ After making changes to this gem, you need to update Fizzy to pick up the change
 BUNDLE_GEMFILE=Gemfile.saas bundle update --conservative fizzy-saas
 ```
 
+## Working with Stripe
+
+The first time, you need to:
+
+1. Install Stripe CLI: https://stripe.com/docs/stripe-cli
+2. Run `stripe login` and authorize the environment `37signals Development`
+
+Then, for working on the Stripe integration locally, you need to run this script to start the tunneling and set the environment variables:
+
+```sh
+eval "$(BUNDLE_GEMFILE=Gemfile.saas bundle exec stripe-dev)"
+bin/dev # You need to start the dev server in the same terminal session
+```
+
+This will ask for your 1password authorization to read and set the environment variables that Stripe needs.
+
+### Stripe environments
+
+* [Development](https://dashboard.stripe.com/acct_1SdTFtRus34tgjsJ/test/dashboard)
+* [Staging](https://dashboard.stripe.com/acct_1SdTbuRvb8txnPBR/test/dashboard)
+* [Production](https://dashboard.stripe.com/acct_1SNy97RwChFE4it8/dashboard)
+
 ## Environments
 
 Fizzy is deployed with [Kamal](https://kamal-deploy.org/). You'll need to have the 1Password CLI set up in order to access the secrets that are used when deploying. Provided you have that, it should be as simple as `bin/kamal deploy` to the correct environment.

app/assets/stylesheets/fizzy/saas.css

@@ -0,0 +1,64 @@
+/* Subscriptions
+/* ------------------------------------------------------------------------ */
+:root {
+  --settings-subscription-background: linear-gradient(to bottom, var(--color-canvas), oklch(var(--lch-violet-lighter)));
+  --settings-subscription-color: oklch(var(--lch-violet-medium));
+  --settings-subscription-text-color: oklch(var(--lch-violet-dark));
+
+  .settings-subscription__button {
+    --btn-background: var(--settings-subscription-color);
+    --btn-border-color: var(--color-canvas);
+    --btn-color: var(--color-canvas);
+    --focus-ring-color: var(--color-ink);
+  }
+
+  .settings-subscription__divider {
+    --divider-color: currentColor;
+
+    color: var(--settings-subscription-color);
+    margin-block-start: calc(var(--block-space-half) * -1);
+  }
+
+  .settings-subscription__footer {
+    color: var(--settings-subscription-text-color);
+
+    &::before {
+      content: "————";
+      display: block;
+      margin: auto;
+      text-align: center;
+    }
+  }
+
+  .settings-subscription__notch {
+    animation: wiggle 500ms ease;
+    background: var(--settings-subscription-background);
+    box-shadow: 0 0 0.3em 0.2em var(--settings-subscription-color);
+    border-radius: 3em;
+    color: var(--settings-subscription-text-color);
+    margin-inline: auto;
+    padding: 0 0.3em 0 1.2em;
+    transform: rotate(-1deg);
+
+    @media (max-width: 640px) {
+      padding-block: 0.6em;
+      padding-inline-start: 0.3em;
+    }
+
+    .btn {
+      margin-block: 0.3em;
+    }
+  }
+
+  .settings-subscription__panel {
+    background: var(--settings-subscription-background);
+  }
+
+  .settings_subscription__warning {
+    color: var(--settings-subscription-text-color);
+
+    a {
+      color: var(--settings-subscription-text-color);
+    }
+  }
+}

app/controllers/account/billing_portals_controller.rb

@@ -0,0 +1,19 @@
+class Account::BillingPortalsController < ApplicationController
+  before_action :ensure_admin
+  before_action :ensure_subscribed_account
+
+  def show
+    redirect_to create_stripe_billing_portal_session.url, allow_other_host: true
+  end
+
+  private
+    def ensure_subscribed_account
+      unless Current.account.subscribed?
+        redirect_to account_subscription_path, alert: "No billing information found"
+      end
+    end
+
+    def create_stripe_billing_portal_session
+      Stripe::BillingPortal::Session.create(customer: Current.account.subscription.stripe_customer_id, return_url: account_settings_url)
+    end
+end

app/controllers/account/subscriptions_controller.rb

@@ -0,0 +1,42 @@
+class Account::SubscriptionsController < ApplicationController
+  before_action :ensure_admin
+  before_action :set_stripe_session, only: :show
+
+  def show
+  end
+
+  def create
+    session = Stripe::Checkout::Session.create \
+      customer: find_or_create_stripe_customer,
+      mode: "subscription",
+      line_items: [ { price: Plan.paid.stripe_price_id, quantity: 1 } ],
+      success_url: account_subscription_url + "?session_id={CHECKOUT_SESSION_ID}",
+      cancel_url: account_subscription_url,
+      metadata: { account_id: Current.account.id, plan_key: Plan.paid.key },
+      automatic_tax: { enabled: true },
+      tax_id_collection: { enabled: true },
+      billing_address_collection: "required",
+      customer_update: { address: "auto", name: "auto" }
+
+    redirect_to session.url, allow_other_host: true
+  end
+
+  private
+    def set_stripe_session
+      @stripe_session = Stripe::Checkout::Session.retrieve(params[:session_id]) if params[:session_id]
+    end
+
+    def find_or_create_stripe_customer
+      find_stripe_customer || create_stripe_customer
+    end
+
+    def find_stripe_customer
+      Stripe::Customer.retrieve(Current.account.subscription.stripe_customer_id) if Current.account.subscription&.stripe_customer_id
+    end
+
+    def create_stripe_customer
+      Stripe::Customer.create(email: Current.user.identity.email_address, name: Current.account.name, metadata: { account_id: Current.account.id }).tap do |customer|
+        Current.account.create_subscription!(stripe_customer_id: customer.id, plan_key: Plan.paid.key, status: "incomplete")
+      end
+    end
+end

app/controllers/admin/account_searches_controller.rb

@@ -0,0 +1,5 @@
+class Admin::AccountSearchesController < AdminController
+  def create
+    redirect_to saas.edit_admin_account_path(params[:q])
+  end
+end

app/controllers/admin/accounts_controller.rb

@@ -0,0 +1,27 @@
+class Admin::AccountsController < AdminController
+  include Admin::AccountScoped
+
+  layout "public"
+
+  before_action :set_account, only: %i[ edit update ]
+
+  def index
+  end
+
+  def edit
+  end
+
+  def update
+    @account.override_limits(card_count: overridden_card_count_param)
+    redirect_to saas.edit_admin_account_path(@account.external_account_id), notice: "Account limits updated"
+  end
+
+  private
+    def set_account
+      @account = Account.find_by!(external_account_id: params[:id])
+    end
+
+    def overridden_card_count_param
+      params[:account][:overridden_card_count].to_i
+    end
+end

app/controllers/admin/billing_waivers_controller.rb

@@ -0,0 +1,13 @@
+class Admin::BillingWaiversController < AdminController
+  include Admin::AccountScoped
+
+  def create
+    @account.comp
+    redirect_to saas.edit_admin_account_path(@account.external_account_id), notice: "Account comped"
+  end
+
+  def destroy
+    @account.uncomp
+    redirect_to saas.edit_admin_account_path(@account.external_account_id), notice: "Account uncomped"
+  end
+end

app/controllers/admin/overridden_limits_controller.rb

@@ -0,0 +1,8 @@
+class Admin::OverriddenLimitsController < AdminController
+  include Admin::AccountScoped
+
+  def destroy
+    @account.reset_overridden_limits
+    redirect_to saas.edit_admin_account_path(@account.external_account_id), notice: "Limits reset"
+  end
+end

app/controllers/admin/stats_controller.rb

@@ -0,0 +1,20 @@
+class Admin::StatsController < AdminController
+  layout "public"
+
+  def show
+    @accounts_total = Account.count
+    @accounts_last_7_days = Account.where(created_at: 7.days.ago..).count
+    @accounts_last_24_hours = Account.where(created_at: 24.hours.ago..).count
+
+    @identities_total = Identity.count
+    @identities_last_7_days = Identity.where(created_at: 7.days.ago..).count
+    @identities_last_24_hours = Identity.where(created_at: 24.hours.ago..).count
+
+    @top_accounts = Account
+      .where("cards_count > 0")
+      .order(cards_count: :desc)
+      .limit(20)
+
+    @recent_accounts = Account.order(created_at: :desc).limit(10)
+  end
+end

app/controllers/concerns/admin/account_scoped.rb

@@ -0,0 +1,12 @@
+module Admin::AccountScoped
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :set_account
+  end
+
+  private
+    def set_account
+      @account = Account.find_by!(external_account_id: params[:account_id] || params[:id])
+    end
+end

app/controllers/concerns/card/limited_creation.rb

@@ -0,0 +1,14 @@
+module Card::LimitedCreation
+  extend ActiveSupport::Concern
+
+  included do
+    # Only limit API requests. We let you create drafts in the app to actually show the banner, no matter the card count.
+    # We limit card publications separately. See +Card::LimitedPublishing+.
+    before_action :ensure_can_create_cards, only: %i[ create ], if: -> { request.format.json? }
+  end
+
+  private
+    def ensure_can_create_cards
+      head :forbidden if Current.account.exceeding_card_limit?
+    end
+end

app/controllers/concerns/card/limited_publishing.rb

@@ -0,0 +1,12 @@
+module Card::LimitedPublishing
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :ensure_can_publish_cards, only: %i[ create ]
+  end
+
+  private
+    def ensure_can_publish_cards
+      head :forbidden if Current.account.exceeding_card_limit?
+    end
+end