Skip to content

feat(billing): audit customer portal session creation#1714

Merged
rohilsurana merged 1 commit into
mainfrom
feat/audit-billing-portal-session
Jun 30, 2026
Merged

feat(billing): audit customer portal session creation#1714
rohilsurana merged 1 commit into
mainfrom
feat/audit-billing-portal-session

Conversation

@rohilsurana

Copy link
Copy Markdown
Member

What

Emit an audit record whenever a Stripe customer portal session is created via FrontierService/CreateCheckout (setupBody.customerPortal = true).

The portal is how billing details (address, tax IDs, etc.) get updated. Recording every session creation lets us trace who opened the portal to update — or attempt to update — billing details, including whether the actor was a platform super-user.

How

  • New event billing_customer.portal_session_created in pkg/auditrecord/consts.go.
  • In the CreateCheckout handler's customer-portal branch, emit an audit record after the session is created successfully:
    • Resource = organization, Target = billing customer, with checkout_id in metadata.
    • Actor and the is_super_user flag are auto-enriched from request context (same mechanism as role/PAT audit records).
  • Emission is non-fatal: a failure is logged and does not fail the portal request.

This covers both the client app flow and the upcoming admin-app super-user flow, since both go through the same RPC.

Notes

  • No authz or KYC changes. Super-users already pass CreateCheckout authz via the platform->superuser schema cascade, and the service has no KYC gate.

Test plan

  • New focused test TestConnectHandler_CreateCheckout_CustomerPortalAuditRecord asserts the record is emitted with the correct event, org, and billing-customer target.
  • Existing CreateCheckout table tests updated to allow the emission.
  • go test ./internal/api/v1beta1connect/... and golangci-lint pass.

@vercel

vercel Bot commented Jun 30, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
frontier Ready Ready Preview, Comment Jun 30, 2026 9:51am

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@rohilsurana, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 29 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b13b3674-311a-45f5-8de3-8bd0be406dc8

📥 Commits

Reviewing files that changed from the base of the PR and between 4406e27 and 760a54c.

📒 Files selected for processing (3)
  • internal/api/v1beta1connect/billing_checkout.go
  • internal/api/v1beta1connect/billing_checkout_test.go
  • pkg/auditrecord/consts.go
📝 Walkthrough

Walkthrough

A new audit event constant BillingCustomerPortalSessionCreatedEvent (billing_customer.portal_session_created) is added to pkg/auditrecord/consts.go. The CreateCheckout handler in billing_checkout.go gains imports for time, auditrecord, and metadata, and after a successful customer-portal session creation, calls auditRecordService.Create with event/org/resource/target fields and checkout_id metadata. Audit failures are logged rather than returned. Tests are updated to wire in an AuditRecordService mock and a dedicated test verifies the audit record fields.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely summarizes the main change: adding audit logging for customer portal checkout creation.
Description check ✅ Passed The PR includes the key summary, change details, context, and test plan, covering the template's required information.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coveralls

coveralls commented Jun 30, 2026

Copy link
Copy Markdown

Coverage Report for CI Build 28435609189

Coverage increased (+0.03%) to 43.819%

Details

  • Coverage increased (+0.03%) from the base build.
  • Patch coverage: 3 uncovered changes across 1 file (22 of 25 lines covered, 88.0%).
  • No coverage regressions found.

Uncovered Changes

File Changed Covered %
internal/api/v1beta1connect/billing_checkout.go 25 22 88.0%

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 37096
Covered Lines: 16255
Line Coverage: 43.82%
Coverage Strength: 12.38 hits per line

💛 - Coveralls

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
internal/api/v1beta1connect/billing_checkout_test.go (1)

378-414: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add coverage for the non-fatal audit-failure path.

The PR's key behavioral guarantee is that a failing audit emission is logged but does not fail the portal request. None of the tests exercise auditRecordService.Create returning an error. Consider a case where Create returns an error and assert CreateCheckout still returns the session with NoError.

💚 Suggested test
func TestConnectHandler_CreateCheckout_CustomerPortalAuditFailureNonFatal(t *testing.T) {
	mockCheckoutSvc := mocks.NewCheckoutService(t)
	mockCustomerSvc := mocks.NewCustomerService(t)
	mockAuditSvc := mocks.NewAuditRecordService(t)

	mockCustomerSvc.EXPECT().GetByOrgID(mock.Anything, "org-123").
		Return(customer.Customer{ID: "customer-123", OrgID: "org-123"}, nil)
	mockCheckoutSvc.EXPECT().CreateSessionForCustomerPortal(mock.Anything, mock.Anything).
		Return(testCheckout, nil)
	mockAuditSvc.EXPECT().Create(mock.Anything, mock.Anything).
		Return(auditrecord.AuditRecord{}, false, errors.New("audit error"))

	h := &ConnectHandler{
		checkoutService:    mockCheckoutSvc,
		customerService:    mockCustomerSvc,
		auditRecordService: mockAuditSvc,
	}

	got, err := h.CreateCheckout(context.Background(), connect.NewRequest(&frontierv1beta1.CreateCheckoutRequest{
		OrgId:      "org-123",
		SuccessUrl: "https://example.com/success",
		CancelUrl:  "https://example.com/cancel",
		SetupBody:  &frontierv1beta1.CheckoutSetupBody{CustomerPortal: true},
	}))

	assert.NoError(t, err)
	assert.Equal(t, testCheckoutID, got.Msg.GetCheckoutSession().GetId())
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/api/v1beta1connect/billing_checkout_test.go` around lines 378 - 414,
Add a test for the non-fatal audit failure path in CreateCheckout: in the
CustomerPortal flow, make auditRecordService.Create return an error and verify
ConnectHandler.CreateCheckout still succeeds with NoError and returns the
checkout session. Reuse the existing
TestConnectHandler_CreateCheckout_CustomerPortalAuditRecord setup and the same
symbols (ConnectHandler, CreateCheckout, auditRecordService.Create) to locate
the behavior, but change the assertion to confirm the audit error is swallowed
rather than bubbling up.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@internal/api/v1beta1connect/billing_checkout_test.go`:
- Around line 378-414: Add a test for the non-fatal audit failure path in
CreateCheckout: in the CustomerPortal flow, make auditRecordService.Create
return an error and verify ConnectHandler.CreateCheckout still succeeds with
NoError and returns the checkout session. Reuse the existing
TestConnectHandler_CreateCheckout_CustomerPortalAuditRecord setup and the same
symbols (ConnectHandler, CreateCheckout, auditRecordService.Create) to locate
the behavior, but change the assertion to confirm the audit error is swallowed
rather than bubbling up.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1a4f0fdc-290a-4a56-94ce-d451a16bc4ce

📥 Commits

Reviewing files that changed from the base of the PR and between 6dc16f9 and 4406e27.

📒 Files selected for processing (3)
  • internal/api/v1beta1connect/billing_checkout.go
  • internal/api/v1beta1connect/billing_checkout_test.go
  • pkg/auditrecord/consts.go

@rohilsurana rohilsurana merged commit 989719a into main Jun 30, 2026
8 checks passed
@rohilsurana rohilsurana deleted the feat/audit-billing-portal-session branch June 30, 2026 10:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants