feat: handle Stripe refunds via webhook and admin UI (#62)

* feat: handle Stripe refunds via webhook and admin UI

Add full refund handling for both Stripe Dashboard-initiated refunds
(charge.refunded webhook) and admin-initiated refunds (POST endpoint).
When a refund occurs: Stripe subscription is canceled, membership is
deactivated, Hugo profile is drafted, and newsletter is unsubscribed.
Uses state-based idempotency to prevent double-processing.

Manual step required: add charge.refunded to Stripe webhook events.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: improve error handling for Stripe refund processing

cancelStripeSubscription now throws on failure instead of returning false,
preventing billing integrity issues where a member could be deactivated
while their Stripe subscription remains active. processRefundActions now
throws on critical Firestore deactivation failure so Stripe retries the
webhook. Added Firestore error handling to findMemberByStripeCustomer,
fixed misleading docstring about pre-marking, and added missing HttpError
test coverage for the webhook refund path.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add missing processChargeRefunded mock to handler integration test

The handler.test.ts mock was missing the processChargeRefunded method
added to StripeWebhookService, causing typecheck:tests to fail in CI.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: markgoho

functions/src/admin-members-api/plugins/admin-members-plugin.ts

@@ -1,6 +1,7 @@
 import { Elysia } from "elysia";
 import { logger as firebaseLogger } from "firebase-functions/v2";
 import { AuthService } from "../../shared-api/services/auth/index.js";
+import { EmailService } from "../../shared-api/services/email/index.js";
 import { adminDerive } from "../../shared-api/utils/admin-derive.js";
 import { adminGuard } from "../../shared-api/utils/admin-guard.js";
 import { getAdminUid } from "../../shared-api/utils/get-admin-uid.js";
@@ -11,6 +12,7 @@ import {
   extendMembershipLogic,
   getMemberLogic,
   listMembersLogic,
+  refundMembershipLogic,
   updateClaimsLogic,
   updateMemberLogic,
 } from "../routes/index.js";
@@ -24,6 +26,8 @@ import {
   GetMemberApiResponseSchema,
   ListMembersApiResponseSchema,
   MemberIdParameterSchema,
+  RefundMembershipApiResponseSchema,
+  RefundMembershipBodySchema,
   UpdateClaimsApiResponseSchema,
   UpdateClaimsBodySchema,
   UpdateMemberApiResponseSchema,
@@ -55,6 +59,10 @@ export function createAdminMembersPlugin(services?: PartialServices) {
         services?.memberAdminService ?? MemberAdminService,
       )
       .decorate(SERVICE_KEYS.AUTH_SERVICE, services?.authService ?? AuthService)
+      .decorate(
+        SERVICE_KEYS.EMAIL_SERVICE,
+        services?.emailService ?? EmailService,
+      )
       .decorate(SERVICE_KEYS.LOGGER, services?.logger ?? firebaseLogger)
       .derive(adminDerive)
       .onBeforeHandle({ as: "local" }, adminGuard)
@@ -214,6 +222,36 @@ export function createAdminMembersPlugin(services?: PartialServices) {
                   body: ExtendMembershipBodySchema,
                   response: ExtendMembershipApiResponseSchema,
                 },
+              )
+              // POST /:memberId/membership/refund (served at /api/admin/members/:memberId/membership/refund)
+              .post(
+                "/refund",
+                async ({
+                  params,
+                  body,
+                  adminToken,
+                  memberAdminService,
+                  emailService,
+                  logger,
+                  set,
+                }) => {
+                  const typedBody = body as { reason?: string } | undefined;
+                  return refundMembershipLogic({
+                    memberId: params.memberId,
+                    ...(typedBody?.reason !== undefined && {
+                      reason: typedBody.reason,
+                    }),
+                    adminUid: getAdminUid(adminToken, logger),
+                    memberAdminService,
+                    emailService,
+                    logger,
+                    set,
+                  });
+                },
+                {
+                  body: RefundMembershipBodySchema,
+                  response: RefundMembershipApiResponseSchema,
+                },
               ),
           )
           // PATCH /:memberId/claims - Update custom claims (served at /api/admin/members/:memberId/claims)

functions/src/admin-members-api/routes/index.ts

@@ -4,5 +4,6 @@ export { deleteUserLogic } from "./delete-user.js";
 export { extendMembershipLogic } from "./extend-membership.js";
 export { getMemberLogic } from "./get-member.js";
 export { listMembersLogic } from "./list-members.js";
+export { refundMembershipLogic } from "./refund-membership.js";
 export { updateClaimsLogic } from "./update-claims.js";
 export { updateMemberLogic } from "./update-member.js";

functions/src/admin-members-api/routes/refund-membership.test.ts

@@ -0,0 +1,214 @@
+import { describe, expect, it, mock } from "bun:test";
+import { Timestamp } from "firebase-admin/firestore";
+import {
+  NotFoundError,
+  ValidationError,
+} from "../../shared-api/errors/http-error.js";
+import { handleRequest } from "../../test-utils/handle-request.js";
+import type { MemberDocument } from "../../types/member-document.js";
+import type { RefundMembershipResult } from "../services/refund-membership.js";
+import { createAdminTestPlugin } from "../test-utils/create-admin-test-plugin.js";
+
+/**
+ * Tests for POST /:memberId/membership/refund.
+ *
+ * Uses createAdminTestPlugin() factory with mocked services.
+ */
+describe("POST /:memberId/membership/refund", () => {
+  interface SetupOptions {
+    // Request parameters
+    memberId?: string;
+    authToken?: string | null;
+    body?: Record<string, unknown>;
+
+    // Scenario flags
+    memberNotFound?: boolean;
+    noStripeData?: boolean;
+    stripeApiError?: boolean;
+    refundResult?: RefundMembershipResult;
+  }
+
+  function setup({
+    memberId = "test-id",
+    authToken = "admin-token",
+    body = {},
+    memberNotFound = false,
+    noStripeData = false,
+    stripeApiError = false,
+    refundResult,
+  }: SetupOptions = {}) {
+    const defaultMember: MemberDocument = {
+      uid: "test-id",
+      email: "test@example.com",
+      createdAt: Timestamp.now(),
+      membershipActive: false,
+      subscriptionStatus: "refunded",
+      stripeCustomerId: "cus_test",
+      stripeSubscriptionId: "sub_test",
+      refundedAt: Timestamp.now(),
+    };
+
+    const defaultResult: RefundMembershipResult = {
+      member: defaultMember,
+      stripeRefundCreated: true,
+      subscriptionCanceled: true,
+      refundActions: {
+        memberDeactivated: true,
+      },
+    };
+
+    const mockRefundMembership = mock((): Promise<RefundMembershipResult> => {
+      if (memberNotFound) {
+        return Promise.reject(new NotFoundError("Member not found"));
+      }
+      if (noStripeData) {
+        return Promise.reject(
+          new ValidationError(
+            "Member does not have Stripe subscription data. Use manual deactivation instead.",
+          ),
+        );
+      }
+      if (stripeApiError) {
+        return Promise.reject(new Error("Stripe API error"));
+      }
+      return Promise.resolve(refundResult ?? defaultResult);
+    });
+
+    const testApp = createAdminTestPlugin({
+      memberAdminService: {
+        refundMembership: mockRefundMembership,
+      },
+    });
+
+    // Build request from parameters
+    const headers: Record<string, string> = {
+      "Content-Type": "application/json",
+    };
+    if (authToken) {
+      headers["Authorization"] = `Bearer ${authToken}`;
+    }
+
+    const request = new Request(
+      `http://localhost/${memberId}/membership/refund`,
+      {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body),
+      },
+    );
+
+    return { testApp, request };
+  }
+
+  describe("Authentication", () => {
+    it("should return 401 when no authorization header is provided", async () => {
+      const { testApp, request } = setup({ authToken: null });
+
+      const response = await handleRequest(testApp, request);
+
+      expect(response.status).toBe(401);
+    });
+
+    it("should return 403 when non-admin tries to refund", async () => {
+      const { testApp, request } = setup({ authToken: "non-admin-token" });
+
+      const response = await handleRequest(testApp, request);
+
+      expect(response.status).toBe(403);
+    });
+  });
+
+  describe("Successful refund", () => {
+    it("should refund membership successfully", async () => {
+      const { testApp, request } = setup();
+
+      const response = await handleRequest(testApp, request);
+
+      expect(response.status).toBe(200);
+      const responseBody = (await response.json()) as {
+        success?: boolean;
+        refundResult?: {
+          stripeRefundCreated?: boolean;
+          subscriptionCanceled?: boolean;
+          memberDeactivated?: boolean;
+        };
+      };
+      expect(responseBody.success).toBe(true);
+      expect(responseBody.refundResult?.stripeRefundCreated).toBe(true);
+      expect(responseBody.refundResult?.subscriptionCanceled).toBe(true);
+      expect(responseBody.refundResult?.memberDeactivated).toBe(true);
+    });
+
+    it("should accept optional reason in body", async () => {
+      const { testApp, request } = setup({
+        body: { reason: "Customer requested refund" },
+      });
+
+      const response = await handleRequest(testApp, request);
+
+      expect(response.status).toBe(200);
+    });
+
+    it("should include warning when non-critical actions fail", async () => {
+      const { testApp, request } = setup({
+        refundResult: {
+          member: {
+            uid: "test-id",
+            email: "test@example.com",
+            createdAt: Timestamp.now(),
+            membershipActive: false,
+            subscriptionStatus: "refunded",
+            refundedAt: Timestamp.now(),
+          },
+          stripeRefundCreated: true,
+          subscriptionCanceled: true,
+          refundActions: {
+            memberDeactivated: true,
+            profileDrafted: false,
+            warning: "Non-critical actions failed: Draft profile failed",
+          },
+        },
+      });
+
+      const response = await handleRequest(testApp, request);
+
+      expect(response.status).toBe(200);
+      const responseBody = (await response.json()) as {
+        success?: boolean;
+        refundResult?: { warning?: string };
+      };
+      expect(responseBody.success).toBe(true);
+      expect(responseBody.refundResult?.warning).toContain(
+        "Non-critical actions failed",
+      );
+    });
+  });
+
+  describe("Error handling", () => {
+    it("should return 404 for non-existent member", async () => {
+      const { testApp, request } = setup({ memberNotFound: true });
+
+      const response = await handleRequest(testApp, request);
+
+      expect(response.status).toBe(404);
+    });
+
+    it("should return 400 when member has no Stripe data", async () => {
+      const { testApp, request } = setup({ noStripeData: true });
+
+      const response = await handleRequest(testApp, request);
+
+      expect(response.status).toBe(400);
+      const responseBody = (await response.json()) as { error?: string };
+      expect(responseBody.error).toContain("Stripe subscription data");
+    });
+
+    it("should return 500 for Stripe API errors", async () => {
+      const { testApp, request } = setup({ stripeApiError: true });
+
+      const response = await handleRequest(testApp, request);
+
+      expect(response.status).toBe(500);
+    });
+  });
+});

functions/src/admin-members-api/routes/refund-membership.ts

@@ -0,0 +1,77 @@
+import { ERROR_IDS } from "../../constants/error-ids.js";
+import type { EmailServiceInterface } from "../../shared-api/services/email/index.js";
+import type { Logger } from "../../shared-api/types/logger.js";
+import { handleRouteError } from "../../shared-api/utils/route-error-handler.js";
+import type { RefundMembershipApiResponse } from "../schemas/member-schemas.js";
+import { toMemberResponse } from "../schemas/member-schemas.js";
+import type { MemberAdminService } from "../services/interface.js";
+
+/**
+ * Route handler for POST /:memberId/membership/refund.
+ *
+ * Custom handler (not factory) since refund returns a richer result
+ * than just a MemberDocument wrapped in MemberSuccessResponse.
+ */
+export async function refundMembershipLogic({
+  memberId,
+  reason,
+  adminUid,
+  memberAdminService,
+  emailService,
+  logger,
+  set,
+}: {
+  memberId: string;
+  reason?: string;
+  adminUid: string;
+  memberAdminService: MemberAdminService;
+  emailService?: EmailServiceInterface;
+  logger: Logger;
+  set: { status?: number | string };
+}): Promise<RefundMembershipApiResponse> {
+  try {
+    const result = await memberAdminService.refundMembership({
+      memberId,
+      ...(reason !== undefined && { reason }),
+      ...(emailService !== undefined && { emailService }),
+    });
+
+    logger.info("Admin refunded membership", {
+      adminUid,
+      targetMemberId: memberId,
+      stripeRefundCreated: result.stripeRefundCreated,
+      subscriptionCanceled: result.subscriptionCanceled,
+      memberDeactivated: result.refundActions.memberDeactivated,
+    });
+
+    const isAdmin = await memberAdminService.isAdmin(memberId, logger);
+
+    return {
+      success: true,
+      member: toMemberResponse(result.member, isAdmin),
+      refundResult: {
+        stripeRefundCreated: result.stripeRefundCreated,
+        subscriptionCanceled: result.subscriptionCanceled,
+        memberDeactivated: result.refundActions.memberDeactivated,
+        ...(result.refundActions.profileDrafted !== undefined && {
+          profileDrafted: result.refundActions.profileDrafted,
+        }),
+        ...(result.refundActions.newsletterUnsubscribed !== undefined && {
+          newsletterUnsubscribed: result.refundActions.newsletterUnsubscribed,
+        }),
+        ...(result.refundActions.warning !== undefined && {
+          warning: result.refundActions.warning,
+        }),
+      },
+    };
+  } catch (error) {
+    return handleRouteError({
+      error,
+      operation: "refund membership",
+      errorId: ERROR_IDS.API_ADMIN_REFUND_MEMBERSHIP_FAILED,
+      logger,
+      set,
+      context: { memberId, adminUid },
+    });
+  }
+}