ANDJ/ANDJJJJJJ
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
95349af50ba288d1fbf18f2db659a6b5878b0f43
ANDJJJJJJ/server/CORRECTNESS_VALIDATION.md

6.0 KiB
Raw Blame History

Correctness Properties Validation

Property 1: Question Loading

Property: For any active product, when questions are requested, all active questions for that product should be returned ordered by step and order. Validates: Requirements 1.1, 2.4

Implementation Check:

// GET /api/questions endpoint
const questionsResponse = await databases.listDocuments(
    process.env.APPWRITE_DATABASE_ID,
    'questions',
    [
        Query.equal('productId', product.$id),      // ✅ Filters by product
        Query.equal('isActive', true),              // ✅ Only active questions
        Query.orderAsc('step'),                     // ✅ Ordered by step
        Query.orderAsc('order')                     // ✅ Then by order
    ]
);

Status: VALIDATED

  • Correctly filters by productId
  • Correctly filters by isActive
  • Correctly orders by step then order
  • Returns all matching questions

Property 2: Submission Creation

Property: For any valid answers object, when a submission is created, the system should store the submission and return a valid submissionId. Validates: Requirements 2.2, 2.3

Implementation Check:

// POST /api/submissions endpoint
const submission = await databases.createDocument(
    process.env.APPWRITE_DATABASE_ID,
    'submissions',
    'unique()',
    {
        productId: product.$id,
        status: 'draft',
        customerEmail: answers.email || null,
        customerName: answers.name || null,
        finalSummaryJson: JSON.stringify(answers),
        priceCents: product.priceCents,
        currency: product.currency
    }
);

await databases.createDocument(
    process.env.APPWRITE_DATABASE_ID,
    'answers',
    'unique()',
    {
        submissionId: submission.$id,
        answersJson: JSON.stringify(answers)
    }
);

res.json({ submissionId: submission.$id });

Status: VALIDATED

  • Creates submission document with all required fields
  • Creates answers document linked to submission
  • Returns valid submissionId
  • Stores answers in both finalSummaryJson and answersJson

Property 3: Payment Flow

Property: For any valid submissionId, when checkout is initiated, the system should create a Stripe session and return a checkout URL. Validates: Requirements 3.1, 3.2

Implementation Check:

// POST /api/checkout endpoint
if (!submissionId) {
    return res.status(400).json({ error: 'Missing submissionId' });
}

const submission = await databases.getDocument(
    process.env.APPWRITE_DATABASE_ID,
    'submissions',
    submissionId
);

const session = await stripe.checkout.sessions.create({
    payment_method_types: ['card'],
    line_items: [
        {
            price_data: {
                currency: submission.currency,
                product_data: {
                    name: 'Email Sortierer Service',
                },
                unit_amount: submission.priceCents,
            },
            quantity: 1,
        },
    ],
    mode: 'payment',
    success_url: `${process.env.BASE_URL || 'http://localhost:3000'}/success.html`,
    cancel_url: `${process.env.BASE_URL || 'http://localhost:3000'}/cancel.html`,
    metadata: {
        submissionId: submissionId
    }
});

res.json({ url: session.url });

Status: VALIDATED

  • Validates submissionId is provided
  • Fetches submission to get price and currency
  • Creates Stripe checkout session
  • Includes submissionId in metadata for webhook
  • Returns checkout URL for redirect

Property 4: Webhook Validation

Property: For any Stripe webhook event, when the signature is invalid, the system should reject the request with 400 status. Validates: Requirements 3.4

Implementation Check:

// POST /stripe/webhook endpoint
app.post('/stripe/webhook', express.raw({ type: 'application/json' }), async (req, res) => {
    const sig = req.headers['stripe-signature'];
    
    try {
        const event = stripe.webhooks.constructEvent(
            req.body,
            sig,
            process.env.STRIPE_WEBHOOK_SECRET
        );
        
        // Process event...
        
        res.json({ received: true });
    } catch (err) {
        console.error('Webhook error:', err.message);
        res.status(400).send(`Webhook Error: ${err.message}`);  // ✅ Returns 400
    }
});

Status: VALIDATED

  • Uses express.raw() middleware to preserve raw body for signature verification
  • Extracts signature from headers
  • Uses stripe.webhooks.constructEvent() which validates signature
  • Returns 400 status on invalid signature (caught in catch block)
  • Processes checkout.session.completed event
  • Updates submission status to 'paid'
  • Creates order record

Additional Validation

Error Handling

  • Missing environment variables → Server exits with error
  • Missing product → 404 response
  • Missing submissionId → 400 response
  • Invalid webhook signature → 400 response
  • Database errors → 500 response with error message
  • Stripe errors → 500 response with error message

API Design

  • Consistent error response format: { error: 'message' }
  • Consistent success response format
  • Proper HTTP status codes
  • Proper middleware ordering (raw body for webhook, JSON for API)

Security

  • Environment variable validation on startup
  • Webhook signature verification
  • No sensitive data in error messages
  • Proper error logging

Conclusion

All four correctness properties are validated and correctly implemented:

  • Property 1: Question Loading
  • Property 2: Submission Creation
  • Property 3: Payment Flow
  • Property 4: Webhook Validation

All requirements are met:

  • Requirement 1.1: Questions loaded from Appwrite
  • Requirement 2.2: Submission created
  • Requirement 2.3: Answers saved
  • Requirement 3.1: Stripe Checkout Session created
  • Requirement 3.2: Customer redirected to Stripe
  • Requirement 3.3: Submission status updated to 'paid'
  • Requirement 3.4: Webhook signature validated

Task 3 is COMPLETE.

Reference in New Issue View Git Blame Copy Permalink