feat(PayPal): CRON to check enabled APIs

Benjamin Piouffle · Benjamin Piouffle · commit 41094c670f5e · 2026-03-12T17:40:33.000+01:00
diff --git a/cron/daily/53-check-paypal-enabled-apis.ts b/cron/daily/53-check-paypal-enabled-apis.ts
@@ -0,0 +1,112 @@
+/**
+ * Daily CRON job to verify that the PayPal API scopes configured on host ConnectedAccounts
+ * are consistent with the PayPal features they have enabled (paypalPayouts, paypalDonations).
+ *
+ * If any mismatches are found, a report is posted to the engineering-alerts Slack channel.
+ * See: https://github.com/opencollective/opencollective/issues/8381
+ */
+
+import '../../server/env';
+
+import config from 'config';
+
+import FEATURE from '../../server/constants/feature';
+import { hasFeature } from '../../server/lib/allowed-features';
+import logger from '../../server/lib/logger';
+import { getHostsWithPayPalConnected } from '../../server/lib/paypal';
+import { reportErrorToSentry, HandlerType } from '../../server/lib/sentry';
+import slackLib, { OPEN_COLLECTIVE_SLACK_CHANNEL } from '../../server/lib/slack';
+import { checkPaypalScopes, retrieveGrantedScopes } from '../../server/paymentProviders/paypal/api';
+import { runCronJob } from '../utils';
+
+const DRY_RUN = process.env.DRY_RUN === 'true';
+
+interface ScopeIssue {
+  hostSlug: string;
+  feature: FEATURE;
+  missingScopes: string[];
+}
+
+const run = async () => {
+  const hosts = await getHostsWithPayPalConnected();
+  logger.info(`Checking PayPal API scopes for ${hosts.length} host(s)...`);
+
+  const allIssues: ScopeIssue[] = [];
+  const errors: string[] = [];
+
+  for (const host of hosts) {
+    try {
+      const [connectedAccount] = await host.getConnectedAccounts({
+        where: { service: 'paypal' },
+        order: [['createdAt', 'DESC']],
+        limit: 1,
+      });
+
+      if (!connectedAccount?.clientId || !connectedAccount?.token) {
+        continue;
+      }
+
+      const grantedScopes = await retrieveGrantedScopes(connectedAccount.clientId, connectedAccount.token);
+
+      const enabledFeatures = [FEATURE.PAYPAL_PAYOUTS, FEATURE.PAYPAL_DONATIONS].filter(f => hasFeature(host, f));
+
+      const issues = checkPaypalScopes(grantedScopes, enabledFeatures);
+      for (const issue of issues) {
+        allIssues.push({ hostSlug: host.slug, ...issue });
+        logger.warn(
+          `[${host.slug}] PayPal feature "${issue.feature}" is enabled but missing scopes: ${issue.missingScopes.join(', ')}`,
+        );
+      }
+    } catch (err) {
+      const msg = `Failed to check PayPal scopes for host "${host.slug}": ${err.message}`;
+      logger.error(msg);
+      errors.push(msg);
+      reportErrorToSentry(err, { handler: HandlerType.CRON, extra: { hostSlug: host.slug } });
+    }
+  }
+
+  if (allIssues.length === 0 && errors.length === 0) {
+    logger.info('All PayPal host accounts have the required API scopes configured correctly.');
+    return;
+  }
+
+  const lines: string[] = ['*PayPal API Scope Check — Daily Report*'];
+
+  if (allIssues.length > 0) {
+    lines.push('');
+    lines.push(`*Scope Mismatches (${allIssues.length}):*`);
+    for (const issue of allIssues) {
+      lines.push(
+        `• \`${issue.hostSlug}\` | Feature: \`${issue.feature}\` | Missing: ${issue.missingScopes.join(', ')}`,
+      );
+    }
+    lines.push('');
+    lines.push(
+      'These hosts have PayPal features enabled that require additional API scopes. Please verify their PayPal application settings at https://developer.paypal.com/developer/applications.',
+    );
+  }
+
+  if (errors.length > 0) {
+    lines.push('');
+    lines.push(`*Errors during check (${errors.length}):*`);
+    for (const err of errors) {
+      lines.push(`• ${err}`);
+    }
+  }
+
+  const message = lines.join('\n');
+  logger.info(message);
+
+  if (!DRY_RUN && config.slack?.webhooks?.engineeringAlerts) {
+    try {
+      await slackLib.postMessageToOpenCollectiveSlack(message, OPEN_COLLECTIVE_SLACK_CHANNEL.ENGINEERING_ALERTS);
+    } catch (slackError) {
+      logger.error('Failed to post PayPal scope check report to Slack', slackError);
+      reportErrorToSentry(slackError, { handler: HandlerType.CRON });
+    }
+  }
+};
+
+if (require.main === module) {
+  runCronJob('check-paypal-enabled-apis', run, 24 * 60 * 60);
+}
diff --git a/server/paymentProviders/paypal/api.ts b/server/paymentProviders/paypal/api.ts
@@ -1,11 +1,20 @@
 import config from 'config';
 import fetch, { Response } from 'node-fetch';
 
+import FEATURE from '../../constants/feature';
 import logger from '../../lib/logger';
 import { getHostPaypalAccount } from '../../lib/paypal';
 import { reportMessageToSentry } from '../../lib/sentry';
 import { Collective } from '../../models';
 
+import { PaypalUserInfo } from './types';
+
+/** PayPal scopes required by each platform feature */
+export const PAYPAL_SCOPE_REQUIREMENTS: Partial<Record<FEATURE, string[]>> = {
+  [FEATURE.PAYPAL_PAYOUTS]: ['https://uri.paypal.com/services/payouts'],
+  [FEATURE.PAYPAL_DONATIONS]: ['https://uri.paypal.com/services/payments/payment/authcapture'],
+};
+
 /** Build an URL for the PayPal API */
 export function paypalUrl(path: string, version = 'v1'): string {
   if (path.startsWith('/')) {
@@ -19,6 +28,13 @@ export function paypalUrl(path: string, version = 'v1'): string {
   return new URL(baseUrl + path).toString();
 }
 
+/** Build the PayPal authorization URL for "Log in with PayPal" */
+export function paypalConnectAuthorizeUrl(): string {
+  return config.paypal.payment.environment === 'sandbox'
+    ? 'https://www.sandbox.paypal.com/connect/'
+    : 'https://www.paypal.com/connect/';
+}
+
 /** Exchange clientid and secretid by an auth token with PayPal API */
 export async function retrieveOAuthToken({ clientId, clientSecret }): Promise<string> {
   const url = paypalUrl('oauth2/token');
@@ -33,6 +49,123 @@ export async function retrieveOAuthToken({ clientId, clientSecret }): Promise<st
   return jsonOutput.access_token;
 }
 
+/**
+ * Exchange an authorization code for a user access + refresh token using the platform PayPal Connect app.
+ * Used in the "Log in with PayPal" flow.
+ */
+export async function exchangeAuthCodeForToken(code: string): Promise<{
+  access_token: string;
+  refresh_token: string;
+  token_type: string;
+  expires_in: number;
+  scope: string;
+  nonce: string;
+  state: string;
+}> {
+  const url = paypalUrl('oauth2/token');
+  const authStr = `${config.paypal.connect.clientId}:${config.paypal.connect.clientSecret}`;
+  const basicAuth = Buffer.from(authStr).toString('base64');
+  const headers = { Authorization: `Basic ${basicAuth}`, 'Content-Type': 'application/x-www-form-urlencoded' };
+  const body = new URLSearchParams();
+  body.set('grant_type', 'authorization_code');
+  body.set('code', code);
+  body.set('redirect_uri', config.paypal.connect.redirectUri); // TODO: Should be auto-generated if missing
+
+  const response = await fetch(url, { method: 'post', body, headers });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({}));
+    throw new Error(
+      `PayPal token exchange failed (${response.status}): ${(error as any).error_description || response.statusText}`,
+    );
+  }
+
+  return response.json();
+}
+
+/**
+ * Refresh a user's PayPal access token using their stored refresh token.
+ */
+export async function refreshPaypalUserToken(
+  refreshToken: string,
+): Promise<{ access_token: string; refresh_token: string; expires_in: number }> {
+  const url = paypalUrl('oauth2/token');
+  const authStr = `${config.paypal.connect.clientId}:${config.paypal.connect.clientSecret}`;
+  const basicAuth = Buffer.from(authStr).toString('base64');
+  const headers = { Authorization: `Basic ${basicAuth}`, 'Content-Type': 'application/x-www-form-urlencoded' };
+  const body = new URLSearchParams();
+  body.set('grant_type', 'refresh_token');
+  body.set('refresh_token', refreshToken);
+
+  const response = await fetch(url, { method: 'post', body, headers });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({}));
+    throw new Error(
+      `PayPal token refresh failed (${response.status}): ${(error as any).error_description || response.statusText}`,
+    );
+  }
+  return response.json();
+}
+
+/**
+ * Retrieve the authenticated user's PayPal identity information using their access token.
+ * Requires the `openid`, `email`, and `https://uri.paypal.com/services/paypalattributes` scopes.
+ */
+export async function retrievePaypalUserInfo(accessToken: string): Promise<PaypalUserInfo> {
+  const url = `${paypalUrl('identity/oauth2/userinfo')}?schema=paypalv1.1`;
+  const headers = { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json' };
+  const response = await fetch(url, { method: 'get', headers });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({}));
+    throw new Error(
+      `PayPal userinfo request failed (${response.status}): ${(error as any).message || response.statusText}`,
+    );
+  }
+  return response.json();
+}
+
+/**
+ * Retrieve the list of scopes granted to a host's PayPal application credentials.
+ * Used to verify that required APIs are enabled on the PayPal account.
+ */
+export async function retrieveGrantedScopes(clientId: string, clientSecret: string): Promise<string[]> {
+  const url = paypalUrl('oauth2/token');
+  const body = 'grant_type=client_credentials';
+  const authStr = `${clientId}:${clientSecret}`;
+  const basicAuth = Buffer.from(authStr).toString('base64');
+  const headers = { Authorization: `Basic ${basicAuth}`, 'Content-Type': 'application/x-www-form-urlencoded' };
+  const response = await fetch(url, { method: 'post', body, headers });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({}));
+    throw new Error(
+      `PayPal credentials check failed (${response.status}): ${(error as any).error_description || response.statusText}`,
+    );
+  }
+  const result = (await response.json()) as { scope?: string };
+  return result.scope ? result.scope.split(' ') : [];
+}
+
+/**
+ * Check whether the granted scopes satisfy the requirements for the given set of enabled features.
+ * Returns a list of missing scope descriptions for any unsatisfied features.
+ */
+export function checkPaypalScopes(
+  grantedScopes: string[],
+  enabledFeatures: FEATURE[],
+): { feature: FEATURE; missingScopes: string[] }[] {
+  const issues: { feature: FEATURE; missingScopes: string[] }[] = [];
+  for (const feature of enabledFeatures) {
+    const required = PAYPAL_SCOPE_REQUIREMENTS[feature];
+    if (!required) {
+      continue;
+    }
+    const missing = required.filter(scope => !grantedScopes.includes(scope));
+    if (missing.length > 0) {
+      issues.push({ feature, missingScopes: missing });
+    }
+  }
+  return issues;
+}
+
 const parsePaypalError = async (
   response: Response,
   defaultMessage = 'PayPal request failed',
