[PM-32216] Create Stripe Checkout Session Endpoint

[sbrown-livefront]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-32216

📔 Objective

This pull request introduces a new API endpoint to enable users to initiate a Stripe Checkout Session for purchasing a premium subscription via mobile platforms (iOS/Android). It adds the necessary request/response models, command, and service integration with Stripe, along with platform and app version tracking for analytics.

New Premium Checkout Session Flow:

• Added a new POST endpoint /premium/checkout in AccountBillingVNextController for creating a Stripe Checkout Session, requiring the Bitwarden-Client-Version header and a platform (iOS/Android).
• Introduced the CreatePremiumCheckoutSessionRequest model with validation to ensure only supported platforms are accepted.
• Implemented ICreatePremiumCheckoutSessionCommand and its handler to orchestrate the creation of a Stripe Checkout Session, including customer creation if needed, and returning the session URL.
• Added PremiumCheckoutSessionResponseModel to encapsulate the session URL response.

📸 Screenshots

CheckoutSession-Recording.mp4

[claude]

Claude finished @sbrown-livefront's task in 1m 57s —— View job

---

Code Review: PM-32216 Create Stripe Checkout Session Endpoint

• Gather context and read changed files
• Analyze code for security, correctness, and best practices
• Post review findings

---

Review Summary

No issues found — this PR is clean and well-implemented.

The implementation adds a Stripe Checkout Session endpoint for mobile premium purchases with solid patterns throughout:

• Controller (AccountBillingVNextController.cs): Follows existing endpoint patterns with proper auth, user injection, header validation, and feature flag gating.
• Command (CreatePremiumCheckoutSessionCommand.cs): Uses BaseBillingCommand for consistent error handling, properly separates customer creation from session creation, and stores originating platform/version metadata on the Stripe subscription.
• Request Model (CreatePremiumCheckoutSessionRequest.cs): Validates that only supported platforms (iOS/Android) are accepted.
• Stripe Integration (StripeAdapter.cs, StripeConstants.cs): Clean additions for checkout session creation and well-organized constant definitions for metadata keys, price IDs, and checkout modes.
• Settings (GlobalSettings.cs, IGlobalSettings.cs): Success/cancel URL settings added cleanly.
• Tests: Comprehensive coverage across both controller and command tests — success paths, validation failures, existing vs. new customer scenarios, and error propagation are all covered.

No security, correctness, performance, or breaking change concerns were identified. The Checkmarx CSRF finding is a false positive — the endpoint is protected by bearer token authentication ([Authorize]), which is not vulnerable to CSRF.

[github-actions]

Checkmarx One – Scan Summary & Details – b66c56ce-8aca-4734-9fe4-96d7ee84d01e

---

New Issues (1)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 49	details Method at line 49 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This pa... Attack Vector

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

❌ Patch coverage is 88.88889% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.71%. Comparing base (753c8c8) to head (0692d6c).

Files with missing lines	Patch %	Lines
...sts/Premium/CreatePremiumCheckoutSessionRequest.cs	10.00%	9 Missing ⚠️
.../Billing/Services/Implementations/StripeAdapter.cs	33.33%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7246      +/-   ##
==========================================
+ Coverage   57.68%   57.71%   +0.03%     
==========================================
  Files        2035     2038       +3     
  Lines       89645    89743      +98     
  Branches     7993     7995       +2     
==========================================
+ Hits        51709    51797      +88     
- Misses      36072    36082      +10     
  Partials     1864     1864              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.