
@bajrangCoder
Member

@bajrangCoder bajrangCoder commented Jan 2, 2026

ENV to be Updated before Merger.

  • PG_KEY_ID
  • PG_KEY_SECRET
  • PG_WEBHOOK_SECRET

@gemini-code-assist

Summary of Changes

Hello @bajrangCoder, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the platform's monetization capabilities by integrating Razorpay as a new payment gateway for web-based plugin purchases. It provides a complete end-to-end solution, from a user-friendly "Buy" button on the client-side to robust server-side APIs for secure transaction processing, payment verification, and webhook handling. The underlying database schema has been extended to support user-specific purchase records across different payment providers, ensuring that once a plugin is bought, it's permanently linked to the user's account for seamless access and download.

Highlights

  • Razorpay Integration: Introduced a new payment gateway for web-based plugin purchases.
  • Client-Side Purchase UI: Added a "BuyButton" component and logic to display purchase status (owned, buy, login) on plugin pages.
  • Server-Side Payment APIs: Implemented API endpoints for creating Razorpay orders, verifying payments, checking plugin ownership, and handling webhooks.
  • Database Enhancements: Updated the purchase_order schema to link purchases to user accounts and support multiple payment providers (Google Play, Razorpay).
  • Dynamic Plugin Download: Modified the plugin download API to recognize user-linked purchases from any provider, allowing access to paid plugins.

@bajrangCoder bajrangCoder requested review from a team and deadlyjack January 2, 2026 13:40
gemini-code-assist[bot]

This comment was marked as resolved.

gemini-code-assist[bot]

This comment was marked as resolved.

@bajrangCoder
Member Author

@greptileai

@greptile-apps

greptile-apps bot commented Jan 11, 2026

Greptile Overview

Greptile Summary

This PR adds Razorpay payment gateway integration to enable web-based plugin purchases, complementing the existing Google Play integration for mobile.

Key Changes

Backend (Server)

  • New /api/razorpay routes for order creation, payment verification, webhook handling, and purchase queries
  • Extended purchase_order table with user_id and provider columns to support multiple payment providers
  • Modified plugin download endpoint to check user-linked purchases (Razorpay) before falling back to token-based validation (Google Play)
  • Migration script to add new database columns

Frontend (Client)

  • New Razorpay checkout component with dynamic script loading and payment modal integration
  • Updated plugin page to display purchase UI (buy button, ownership badge, or login prompt) for paid plugins
  • Added styles for purchase buttons and badges

Configuration

  • Added Razorpay npm package (v2.9.6)
  • Configured express.raw() middleware for webhook endpoint signature verification
  • Minor formatting changes across several client pages (whitespace only)

Critical Issues Found

  1. Type mismatch in state comparisons (lines 294, 352 in razorpay.js): SQLite returns state as string but code compares against number, causing logic errors
  2. Timing attack vulnerability (line 271): Webhook signature verification uses non-constant-time comparison
  3. Inadequate error handling in client payment verification (line 100 in razorpayCheckout/index.js)
  4. Potential race condition in order verification between webhook and client callback
  5. Missing input validation for webhook payment notes

Architecture

The implementation follows a dual-verification pattern: client-side payment verification for immediate user feedback, with webhook handlers providing redundancy and handling edge cases where the client callback fails. This is a sound approach for payment systems.

Confidence Score: 2/5

  • This PR has critical bugs that will cause payment processing failures in production
  • Score of 2 reflects multiple critical bugs that will break core functionality: (1) State comparison type mismatch will cause webhook updates to fail or execute incorrectly, (2) Timing attack vulnerability in webhook signature verification poses security risk, (3) Race condition between webhook and client callback could cause order insertion failures. While the overall architecture is sound, these bugs must be fixed before deployment to production
  • Pay critical attention to server/apis/razorpay.js (lines 271, 294, 307, 352) and client/components/razorpayCheckout/index.js (line 100) - these contain bugs that will break payment processing

Important Files Changed

File Analysis

Filename | Score | Overview
server/apis/razorpay.js | 2/5 | New Razorpay payment integration with critical bugs: state comparison type mismatch (lines 294, 352), timing attack vulnerability in webhook signature verification (line 271), missing input validation in webhook handler, and potential race condition in order verification
client/components/razorpayCheckout/index.js | 3/5 | New Razorpay checkout component with inadequate error handling in payment verification handler (line 100) - could leave users in uncertain state if verification request fails
server/entities/purchaseOrder.js | 4/5 | Added user_id and provider columns with proper constants and foreign keys. Schema changes are appropriate for multi-provider payment support
server/migrations/add_purchase_order_columns.js | 4/5 | Migration script to add new columns - handles duplicate column errors gracefully but doesn't close database connection properly before exit
server/main.js | 4/5 | Correctly configured express.raw() middleware for webhook endpoint before express.json() - order is critical for signature verification
server/apis/plugin.js | 4/5 | Added user-based purchase verification for web downloads, falling back to token-based for mobile. Refactored download recording into helper function. Changes integrate well with existing Google Play flow
client/pages/plugin/index.js | 4/5 | Added purchase UI for web users with ownership checking and buy button integration. Clean separation of purchased/not-logged-in/logged-in states

Sequence Diagram

sequenceDiagram
    participant User
    participant Browser
    participant Server
    participant Razorpay
    participant Database

    Note over User,Database: Payment Flow for Web Purchase

    User->>Browser: Click "Buy" button
    Browser->>Server: POST /api/razorpay/create-order
    Server->>Database: Check user already owns plugin
    Database-->>Server: No existing purchase
    Server->>Razorpay: Create order (amount, receipt, notes)
    Razorpay-->>Server: Order details (orderId, amount)
    Server-->>Browser: Order data + keyId
    
    Browser->>Razorpay: Open checkout modal
    User->>Razorpay: Complete payment
    Razorpay->>Razorpay: Process payment
    
    alt Payment Success
        Razorpay-->>Browser: Payment response (orderId, paymentId, signature)
        Browser->>Server: POST /api/razorpay/verify
        Server->>Server: Verify signature (HMAC-SHA256)
        Server->>Database: Check order doesn't exist
        Server->>Database: Insert purchase order
        Database-->>Server: Success
        Server-->>Browser: Payment verified
        Browser-->>User: Show success message
        
        Note over Razorpay,Server: Webhook (async, for redundancy)
        Razorpay->>Server: POST /api/razorpay/webhook (payment.captured)
        Server->>Server: Verify webhook signature
        Server->>Database: Check/update order state
        Server-->>Razorpay: 200 OK
    else Payment Failed
        Razorpay-->>Browser: Payment failed event
        Browser-->>User: Show error message
        Razorpay->>Server: POST /api/razorpay/webhook (payment.failed)
        Server->>Database: Update order state to CANCELED
        Server-->>Razorpay: 200 OK
    end

    Note over User,Database: Download Flow

    User->>Browser: Request plugin download
    Browser->>Server: GET /api/plugin/download/:id
    Server->>Database: Get user's orders
    Database-->>Server: Purchase order found
    Server-->>Browser: Plugin ZIP file
    Browser-->>User: Download starts

greptile-apps[bot]

This comment was marked as resolved.
