fix: omit payment_url from admin payments list response

Use a list-specific DTO so GET /api/v1/admin/payments no longer exposes checkout URLs while get-by-id is unchanged. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-09 04:33:14 -07:00 · 2026-06-09 04:33:14 -07:00 · ad4c739722
commit ad4c739722
parent 8dd1d40a16
1 changed files with 64 additions and 6 deletions
--- a/internal/web_server/handlers/payments_admin.go
+++ b/internal/web_server/handlers/payments_admin.go
@ -37,11 +37,34 @@ type adminPaymentRes struct {
 	UpdatedAt      *string `json:"updated_at,omitempty"`
 }

+type adminPaymentListItemRes struct {
+	ID             int64   `json:"id"`
+	UserID         int64   `json:"user_id"`
+	PlanID         *int64  `json:"plan_id,omitempty"`
+	SubscriptionID *int64  `json:"subscription_id,omitempty"`
+	SessionID      *string `json:"session_id,omitempty"`
+	TransactionID  *string `json:"transaction_id,omitempty"`
+	Nonce          string  `json:"nonce"`
+	Amount         float64 `json:"amount"`
+	Currency       string  `json:"currency"`
+	PaymentMethod  *string `json:"payment_method,omitempty"`
+	Status         string  `json:"status"`
+	PlanName       *string `json:"plan_name,omitempty"`
+	PlanCategory   *string `json:"plan_category,omitempty"`
+	UserEmail      *string `json:"user_email,omitempty"`
+	UserFirstName  *string `json:"user_first_name,omitempty"`
+	UserLastName   *string `json:"user_last_name,omitempty"`
+	PaidAt         *string `json:"paid_at,omitempty"`
+	ExpiresAt      *string `json:"expires_at,omitempty"`
+	CreatedAt      string  `json:"created_at"`
+	UpdatedAt      *string `json:"updated_at,omitempty"`
+}
+
 type listAdminPaymentsRes struct {
-	Payments   []adminPaymentRes `json:"payments"`
-	TotalCount int64             `json:"total_count"`
-	Limit      int32             `json:"limit"`
-	Offset     int32             `json:"offset"`
+	Payments   []adminPaymentListItemRes `json:"payments"`
+	TotalCount int64                     `json:"total_count"`
+	Limit      int32                     `json:"limit"`
+	Offset     int32                     `json:"offset"`
 }

 // ListAdminPayments godoc
@ -86,9 +109,9 @@ func (h *Handler) ListAdminPayments(c *fiber.Ctx) error {
 		})
 	}

-	out := make([]adminPaymentRes, len(page.Items))
+	out := make([]adminPaymentListItemRes, len(page.Items))
 	for i := range page.Items {
-		out[i] = adminPaymentToRes(&page.Items[i])
+		out[i] = adminPaymentListToRes(&page.Items[i])
 	}

 	return c.JSON(domain.Response{
@ -270,6 +293,41 @@ func parseQueryTime(raw string) (time.Time, error) {
 	return time.Time{}, fmt.Errorf("unsupported time format")
 }

+func adminPaymentListToRes(p *domain.Payment) adminPaymentListItemRes {
+	res := adminPaymentListItemRes{
+		ID:             p.ID,
+		UserID:         p.UserID,
+		PlanID:         p.PlanID,
+		SubscriptionID: p.SubscriptionID,
+		SessionID:      p.SessionID,
+		TransactionID:  p.TransactionID,
+		Nonce:          p.Nonce,
+		Amount:         p.Amount,
+		Currency:       p.Currency,
+		PaymentMethod:  p.PaymentMethod,
+		Status:         p.Status,
+		PlanName:       p.PlanName,
+		PlanCategory:   p.PlanCategory,
+		UserEmail:      p.UserEmail,
+		UserFirstName:  p.UserFirstName,
+		UserLastName:   p.UserLastName,
+		CreatedAt:      p.CreatedAt.Format(time.RFC3339),
+	}
+	if p.PaidAt != nil {
+		t := p.PaidAt.Format(time.RFC3339)
+		res.PaidAt = &t
+	}
+	if p.ExpiresAt != nil {
+		t := p.ExpiresAt.Format(time.RFC3339)
+		res.ExpiresAt = &t
+	}
+	if p.UpdatedAt != nil {
+		t := p.UpdatedAt.Format(time.RFC3339)
+		res.UpdatedAt = &t
+	}
+	return res
+}
+
 func adminPaymentToRes(p *domain.Payment) adminPaymentRes {
 	res := adminPaymentRes{
 		ID:             p.ID,