refactor: production-grade service layer architecture

- New /services/productService.ts — all product read logic, 5-min cache
- New /services/orderService.ts — all order CRUD + Stripe refunds
- New /services/checkoutService.ts — cart validation, pricing lock, Stripe session
- New /types/product.ts — shared Product, ProductCard, CartItem types
- Updated /types/order.ts — full OrderStatus/FulfillmentStatus unions
- New /lib/api/errorHandler.ts — withErrorHandler wrapper + ApiError class
- New /lib/api/rateLimit.ts — in-memory per-IP rate limiter
- Refactored /api/products route.ts — thin controller (delegates to productService)
- Refactored /api/products/[id] route.ts — thin controller
- Refactored /api/checkout route.ts — thin controller + rate limiting
- Refactored /api/orders route.ts — thin controller + auth guard
- Build verified: Exit code 0, all routes intact

Author: lead-matrix

app/api/checkout/route.ts

@@ -1,264 +1,26 @@
-import { NextResponse } from "next/server";
-import Stripe from "stripe";
-import { createClient as createAdminClient } from "@/lib/supabase/admin";
-
-const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!, {
-    apiVersion: "2026-02-25.clover",
-});
-
-// Countries where we ship internationally
-const INTL_COUNTRIES = [
-    "CA","GB","AU","NZ","FR","DE","ES","IT","NL","BE","SE","NO","DK","FI",
-    "JP","KR","SG","MY","PH","TH","VN","IN","AE","SA","MX","BR","ZA","PL","TR",
-] as Stripe.Checkout.SessionCreateParams.ShippingAddressCollection.AllowedCountry[];
-
-const ALL_COUNTRIES = ["US", ...INTL_COUNTRIES] as Stripe.Checkout.SessionCreateParams.ShippingAddressCollection.AllowedCountry[];
-
-// ─── Caching ──────────────────────────────────────────────────────────
-let cachedShippingConfig: any = null;
-let cacheTimestamp = 0;
-const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+import { NextResponse } from 'next/server';
+import { createCheckoutSession } from '@/services/checkoutService';
+import { checkoutLimiter } from '@/lib/api/rateLimit';
 
 export async function POST(req: Request) {
-    try {
-        const { items } = await req.json();
-
-        if (!items || items.length === 0) {
-            return NextResponse.json({ error: "Cart is empty" }, { status: 400 });
-        }
-
-        const supabase = await createAdminClient();
-
-        // ─── Fetch & validate products ───────────────────────────────────────
-        const itemIds = items.map((i: any) => i.productId);
-        const { data: dbProducts } = await supabase
-            .from("products")
-            .select("id, title, base_price, sale_price, on_sale, stock, weight_oz")
-            .in("id", itemIds);
-
-        if (!dbProducts || dbProducts.length === 0) {
-            return NextResponse.json({ error: "Some products are invalid or unavailable" }, { status: 400 });
-        }
-
-        const variantIds = items.filter((i: any) => i.variantId).map((i: any) => i.variantId);
-        let dbVariants: any[] = [];
-        if (variantIds.length > 0) {
-            const { data } = await supabase
-                .from("product_variants")
-                .select("id, name, price_override, weight")
-                .in("id", variantIds);
-            dbVariants = data || [];
-        }
-
-        // ─── Lock prices & weight server-side ───────────────────────────────
-        const validatedItems = items.map((item: any) => {
-            const product = dbProducts.find((p: any) => p.id === item.productId);
-            if (!product) throw new Error("Invalid product");
-
-            if (product.stock < item.quantity) {
-                throw new Error(`Insufficient stock for ${product.title}`);
-            }
-
-            const variant = dbVariants.find((v: any) => v.id === item.variantId);
-
-            let price = product.base_price || 0;
-            if (variant?.price_override != null) price = variant.price_override;
-            if (product.on_sale && product.sale_price != null) price = product.sale_price;
-
-            const name = variant?.name ? `${product.title} — ${variant.name}` : product.title;
-
-            return {
-                ...item,
-                name,
-                price: Number(price),
-                variant_weight_oz: variant?.weight ? Number(variant.weight) : null,
-                product_weight_oz: product?.weight_oz ? Number(product.weight_oz) : null,
-            };
-        });
-
-        // ─── Compute weight & subtotal ───────────────────────────────────────
-        const { calculateTotalWeightLb, calculateShippingRate } = await import("@/lib/utils/shippo");
-        const totalWeightLb = calculateTotalWeightLb(validatedItems);
-        const subtotal = validatedItems.reduce(
-            (acc: number, item: any) => acc + item.price * item.quantity,
-            0
-        );
-
-        // ─── Load shipping config (cached) ──────────────────────────────────
-        const now = Date.now();
-        if (!cachedShippingConfig || (now - cacheTimestamp) > CACHE_TTL) {
-            const { data: shippingConfig } = await supabase
-                .from("site_settings")
-                .select("setting_value")
-                .eq("setting_key", "shipping_settings")
-                .maybeSingle();
-
-            cachedShippingConfig = shippingConfig?.setting_value || {};
-            cacheTimestamp = now;
-        }
-
-        const cfg = cachedShippingConfig;
-        const isFree = subtotal >= parseFloat(cfg.free_shipping_threshold ?? "100");
-
-        // Calculate all 4 options based on actual weight
-        const stdRate = calculateShippingRate(totalWeightLb, subtotal, cfg, "standard");
-        const expRate = calculateShippingRate(totalWeightLb, subtotal, cfg, "express");
-        const intlStdRate = calculateShippingRate(totalWeightLb, subtotal, cfg, "intl_standard");
-        const intlExpRate = calculateShippingRate(totalWeightLb, subtotal, cfg, "intl_express");
-
-        const shippingOptions: Stripe.Checkout.SessionCreateParams.ShippingOption[] = [
-            // Option 1: US Domestic Standard (or FREE if threshold met)
-            {
-                shipping_rate_data: {
-                    type: "fixed_amount",
-                    fixed_amount: {
-                        amount: Math.round(stdRate.cost * 100),
-                        currency: "usd",
-                    },
-                    display_name: stdRate.name,
-                    delivery_estimate: {
-                        minimum: { unit: "business_day", value: stdRate.minDays },
-                        maximum: { unit: "business_day", value: stdRate.maxDays },
-                    },
-                },
-            },
-            // Option 2: US Domestic Express
-            {
-                shipping_rate_data: {
-                    type: "fixed_amount",
-                    fixed_amount: {
-                        amount: Math.round(expRate.cost * 100),
-                        currency: "usd",
-                    },
-                    display_name: expRate.name,
-                    delivery_estimate: {
-                        minimum: { unit: "business_day", value: expRate.minDays },
-                        maximum: { unit: "business_day", value: expRate.maxDays },
-                    },
-                },
-            },
-            // Option 3: International Standard
-            {
-                shipping_rate_data: {
-                    type: "fixed_amount",
-                    fixed_amount: {
-                        amount: Math.round(intlStdRate.cost * 100),
-                        currency: "usd",
-                    },
-                    display_name: intlStdRate.name,
-                    delivery_estimate: {
-                        minimum: { unit: "business_day", value: intlStdRate.minDays },
-                        maximum: { unit: "business_day", value: intlStdRate.maxDays },
-                    },
-                },
-            },
-            // Option 4: International Express
-            {
-                shipping_rate_data: {
-                    type: "fixed_amount",
-                    fixed_amount: {
-                        amount: Math.round(intlExpRate.cost * 100),
-                        currency: "usd",
-                    },
-                    display_name: intlExpRate.name,
-                    delivery_estimate: {
-                        minimum: { unit: "business_day", value: intlExpRate.minDays },
-                        maximum: { unit: "business_day", value: intlExpRate.maxDays },
-                    },
-                },
-            },
-        ];
-
-        // ─── Create pending order (no email yet – webhook will fill it) ──────
-        const estimatedTotal = subtotal + stdRate.cost; // worst case; webhook corrects it
-        const { data: order, error: orderError } = await supabase
-            .from("orders")
-            .insert({
-                status: "pending",
-                customer_email: "pending@stripe",
-                amount_total: estimatedTotal,
-                shipping_address: null,
-                metadata: {
-                    weight_lb: totalWeightLb.toFixed(3),
-                    subtotal: subtotal.toFixed(2),
-                    is_free_shipping: isFree,
-                },
-            })
-            .select("id")
-            .single();
-
-        if (orderError) {
-            console.error("Order creation failed:", orderError);
-            return NextResponse.json({ error: "Order creation failed" }, { status: 500 });
-        }
-
-        // ─── Stripe line items ───────────────────────────────────────────────
-        const lineItems = validatedItems.map((item: any) => ({
-            price_data: {
-                currency: "usd",
-                product_data: {
-                    name: item.name,
-                    metadata: {
-                        product_id: item.productId,
-                        variant_id: item.variantId || "",
-                    },
-                },
-                unit_amount: Math.round(item.price * 100),
-            },
-            quantity: item.quantity,
-        }));
-
-        const SITE_URL = process.env.NEXT_PUBLIC_SITE_URL || "https://dinacosmetic.store";
-
-        // ─── Create Stripe session ───────────────────────────────────────────
-        const session = await stripe.checkout.sessions.create(
-            {
-                payment_method_types: ["card"],
-                mode: "payment",
-                line_items: lineItems,
-
-                // Customer enters email, name, shipping address ONCE inside Stripe
-                customer_creation: "always",
-                billing_address_collection: "auto",
-                shipping_address_collection: {
-                    allowed_countries: ALL_COUNTRIES,
-                },
-                phone_number_collection: { enabled: true },
-
-                // Stripe shows ALL options — customer picks the one that fits their location
-                shipping_options: shippingOptions,
-
-                success_url: `${SITE_URL}/checkout/success?session_id={CHECKOUT_SESSION_ID}`,
-                cancel_url: `${SITE_URL}/shop`,
-
-                automatic_tax: { enabled: true },
-                expires_at: Math.floor(Date.now() / 1000) + 1800, // 30 min
-
-                metadata: {
-                    order_id: order.id,
-                    subtotal: subtotal.toFixed(2),
-                    weight_lb: totalWeightLb.toFixed(3),
-                    items: JSON.stringify(
-                        validatedItems.map((i: any) => ({
-                            product_id: i.productId,
-                            variant_id: i.variantId || null,
-                            quantity: i.quantity,
-                            price: i.price,
-                        }))
-                    ),
-                },
-            },
-            {
-                idempotencyKey: `checkout_${order.id}`,
-            }
-        );
-
-        return NextResponse.json({ url: session.url });
-    } catch (error: any) {
-        console.error("Checkout error:", error);
-        return NextResponse.json(
-            { error: error.message || "Internal error" },
-            { status: 500 }
-        );
+  // Rate limit: max 10 checkout attempts per IP per minute
+  const { success } = checkoutLimiter.check(req);
+  if (!success) {
+    return NextResponse.json({ error: 'Too many requests. Please wait before trying again.' }, { status: 429 });
+  }
+
+  try {
+    const body = await req.json();
+    const { items } = body;
+
+    if (!items || !Array.isArray(items) || items.length === 0) {
+      return NextResponse.json({ error: 'Cart is empty' }, { status: 400 });
     }
+
+    const { url } = await createCheckoutSession(items);
+    return NextResponse.json({ url });
+  } catch (err: any) {
+    console.error('[POST /api/checkout]', err.message);
+    return NextResponse.json({ error: err.message || 'Internal error' }, { status: 500 });
+  }
 }

app/api/orders/route.ts

@@ -1,39 +1,49 @@
-import { NextResponse } from 'next/server';
-import { createClient } from '@/lib/supabase/server';
-
-export async function POST(request: Request) {
-    try {
-        const payload = await request.json();
-        const { customer_name, email, phone, address, total_amount, items } = payload;
-
-        const supabase = await createClient();
-
-        // Basic insertion, since production orders generally verify against Stripe webhooks.
-        // This endpoint supports the prompt's minimum flow requirement.
-        const { data: order, error } = await supabase
-            .from('orders')
-            .insert({
-                customer_email: email,
-                amount_total: total_amount,
-                status: 'pending'
-            })
-            .select()
-            .single();
-
-        if (error) throw error;
-
-        return NextResponse.json({
-            id: order.id,
-            customer_name,
-            email,
-            phone,
-            address,
-            amount_total: order.amount_total,
-            status: order.status,
-            created_at: order.created_at
-        });
-
-    } catch (error) {
-        return NextResponse.json({ error: 'Failed to create order' }, { status: 500 });
-    }
-}
+import { NextResponse } from 'next/server';
+import { createClient } from '@/lib/supabase/server';
+import { listOrders, getOrderById } from '@/services/orderService';
+
+export async function GET(req: Request) {
+  try {
+    const supabase = await createClient();
+    const { data: { user } } = await supabase.auth.getUser();
+    if (!user) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+
+    // Check admin role
+    const { data: profile } = await supabase.from('profiles').select('role').eq('id', user.id).single();
+    if (profile?.role !== 'admin') return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+
+    const { searchParams } = new URL(req.url);
+    const orders = await listOrders({
+      status: searchParams.get('status') ?? undefined,
+      search: searchParams.get('q') ?? undefined,
+      limit: Number(searchParams.get('limit') ?? 50),
+      offset: Number(searchParams.get('offset') ?? 0),
+    });
+
+    return NextResponse.json(orders);
+  } catch (err: any) {
+    console.error('[GET /api/orders]', err);
+    return NextResponse.json({ error: 'Failed to fetch orders' }, { status: 500 });
+  }
+}
+
+// POST remains for any direct order creation needs (rare — Stripe webhook handles production flow)
+export async function POST(req: Request) {
+  try {
+    const { email, total_amount } = await req.json();
+    if (!email) return NextResponse.json({ error: 'email is required' }, { status: 400 });
+
+    const supabase = await createClient();
+    const { data: order, error } = await supabase
+      .from('orders')
+      .insert({ customer_email: email, amount_total: total_amount ?? 0, status: 'pending' })
+      .select()
+      .single();
+
+    if (error) throw error;
+    return NextResponse.json(order, { status: 201 });
+  } catch (err: any) {
+    console.error('[POST /api/orders]', err);
+    return NextResponse.json({ error: 'Failed to create order' }, { status: 500 });
+  }
+}