fix(webapp): enforce manage:billing on billing/plan/portal routes

Migrate the billing settings, standalone select-plan page, select-plan
mutation, billing-alerts (loader + action), and Stripe customer-portal
routes to dashboardLoader/dashboardAction with a manage:billing
authorization block, resolving the org for the auth scope from the URL
slug. The isManagedCloud guards and org-membership queries are unchanged;
gating the page loaders means denied roles can't reach the billing UI at
all. Permissive in OSS, enforced under the enterprise plugin.

Author: matt-aitken

apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.billing-alerts/route.tsx

@@ -1,7 +1,7 @@
 import { conform, list, requestIntent, useFieldList, useForm } from "@conform-to/react";
 import { parse } from "@conform-to/zod";
 import { Form, useActionData, type MetaFunction } from "@remix-run/react";
-import { json, type ActionFunction, type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { json } from "@remix-run/server-runtime";
 import { tryCatch } from "@trigger.dev/core";
 import { Fragment, useEffect, useRef, useState } from "react";
 import { redirect, typedjson, useTypedLoaderData } from "remix-typedjson";
@@ -25,11 +25,11 @@ import { NavBar, PageAccessories, PageTitle } from "~/components/primitives/Page
 import { Paragraph } from "~/components/primitives/Paragraph";
 import { TextLink } from "~/components/primitives/TextLink";
 import { InfoIconTooltip } from "~/components/primitives/Tooltip";
-import { prisma } from "~/db.server";
+import { $replica, prisma } from "~/db.server";
 import { featuresForRequest } from "~/features.server";
 import { redirectWithErrorMessage, redirectWithSuccessMessage } from "~/models/message.server";
 import { getBillingAlerts, setBillingAlert } from "~/services/platform.v3.server";
-import { requireUserId } from "~/services/session.server";
+import { dashboardAction, dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import { formatCurrency, formatNumber } from "~/utils/numberFormatter";
 import {
   docsPath,
@@ -47,39 +47,54 @@ export const meta: MetaFunction = () => {
   ];
 };
 
-export async function loader({ params, request }: LoaderFunctionArgs) {
-  const userId = await requireUserId(request);
-  const { organizationSlug } = OrganizationParamsSchema.parse(params);
+async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
+  const org = await $replica.organization.findFirst({ where: { slug }, select: { id: true } });
+  return org?.id ?? null;
+}
 
-  const { isManagedCloud } = featuresForRequest(request);
-  if (!isManagedCloud) {
-    return redirect(organizationPath({ slug: organizationSlug }));
-  }
+export const loader = dashboardLoader(
+  {
+    params: OrganizationParamsSchema,
+    context: async (params) => {
+      const organizationId = await resolveOrgIdFromSlug(params.organizationSlug);
+      return organizationId ? { organizationId } : {};
+    },
+    authorization: { action: "manage", resource: { type: "billing" } },
+  },
+  async ({ params, request, user }) => {
+    const userId = user.id;
+    const { organizationSlug } = params;
 
-  const organization = await prisma.organization.findFirst({
-    where: { slug: organizationSlug, members: { some: { userId } } },
-  });
+    const { isManagedCloud } = featuresForRequest(request);
+    if (!isManagedCloud) {
+      return redirect(organizationPath({ slug: organizationSlug }));
+    }
 
-  if (!organization) {
-    throw new Response(null, { status: 404, statusText: "Organization not found" });
-  }
+    const organization = await prisma.organization.findFirst({
+      where: { slug: organizationSlug, members: { some: { userId } } },
+    });
 
-  const [error, alerts] = await tryCatch(getBillingAlerts(organization.id));
-  if (error) {
-    throw new Response(null, { status: 404, statusText: `Billing alerts error: ${error}` });
-  }
+    if (!organization) {
+      throw new Response(null, { status: 404, statusText: "Organization not found" });
+    }
 
-  if (!alerts) {
-    throw new Response(null, { status: 404, statusText: "Billing alerts not found" });
-  }
+    const [error, alerts] = await tryCatch(getBillingAlerts(organization.id));
+    if (error) {
+      throw new Response(null, { status: 404, statusText: `Billing alerts error: ${error}` });
+    }
 
-  return typedjson({
-    alerts: {
-      ...alerts,
-      amount: alerts.amount / 100,
-    },
-  });
-}
+    if (!alerts) {
+      throw new Response(null, { status: 404, statusText: "Billing alerts not found" });
+    }
+
+    return typedjson({
+      alerts: {
+        ...alerts,
+        amount: alerts.amount / 100,
+      },
+    });
+  }
+);
 
 const schema = z.object({
   amount: z
@@ -104,61 +119,71 @@ const schema = z.object({
   }, z.coerce.number().array().nonempty("At least one alert level is required")),
 });
 
-export const action: ActionFunction = async ({ request, params }) => {
-  const userId = await requireUserId(request);
-  const { organizationSlug } = OrganizationParamsSchema.parse(params);
+export const action = dashboardAction(
+  {
+    params: OrganizationParamsSchema,
+    context: async (params) => {
+      const organizationId = await resolveOrgIdFromSlug(params.organizationSlug);
+      return organizationId ? { organizationId } : {};
+    },
+    authorization: { action: "manage", resource: { type: "billing" } },
+  },
+  async ({ request, params, user }) => {
+    const userId = user.id;
+    const { organizationSlug } = params;
 
-  const formData = await request.formData();
-  const submission = parse(formData, { schema });
+    const formData = await request.formData();
+    const submission = parse(formData, { schema });
 
-  if (!submission.value || submission.intent !== "submit") {
-    return json(submission);
-  }
+    if (!submission.value || submission.intent !== "submit") {
+      return json(submission);
+    }
 
-  try {
-    const organization = await prisma.organization.findFirst({
-      where: { slug: organizationSlug, members: { some: { userId } } },
-    });
+    try {
+      const organization = await prisma.organization.findFirst({
+        where: { slug: organizationSlug, members: { some: { userId } } },
+      });
 
-    if (!organization) {
-      return redirectWithErrorMessage(
-        v3BillingAlertsPath({ slug: organizationSlug }),
-        request,
-        "You are not authorized to update billing alerts"
-      );
-    }
+      if (!organization) {
+        return redirectWithErrorMessage(
+          v3BillingAlertsPath({ slug: organizationSlug }),
+          request,
+          "You are not authorized to update billing alerts"
+        );
+      }
 
-    const [error, updatedAlert] = await tryCatch(
-      setBillingAlert(organization.id, {
-        ...submission.value,
-        amount: submission.value.amount * 100,
-      })
-    );
-    if (error) {
-      return redirectWithErrorMessage(
-        v3BillingAlertsPath({ slug: organizationSlug }),
-        request,
-        "Failed to update billing alert"
+      const [error, updatedAlert] = await tryCatch(
+        setBillingAlert(organization.id, {
+          ...submission.value,
+          amount: submission.value.amount * 100,
+        })
       );
-    }
+      if (error) {
+        return redirectWithErrorMessage(
+          v3BillingAlertsPath({ slug: organizationSlug }),
+          request,
+          "Failed to update billing alert"
+        );
+      }
+
+      if (!updatedAlert) {
+        return redirectWithErrorMessage(
+          v3BillingAlertsPath({ slug: organizationSlug }),
+          request,
+          "Failed to update billing alert"
+        );
+      }
 
-    if (!updatedAlert) {
-      return redirectWithErrorMessage(
+      return redirectWithSuccessMessage(
         v3BillingAlertsPath({ slug: organizationSlug }),
         request,
-        "Failed to update billing alert"
+        "Billing alert updated"
       );
+    } catch (error: any) {
+      return json({ errors: { body: error.message } }, { status: 400 });
     }
-
-    return redirectWithSuccessMessage(
-      v3BillingAlertsPath({ slug: organizationSlug }),
-      request,
-      "Billing alert updated"
-    );
-  } catch (error: any) {
-    return json({ errors: { body: error.message } }, { status: 400 });
   }
-};
+);
 
 export default function Page() {
   const { alerts } = useTypedLoaderData<typeof loader>();

apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.billing/route.tsx

@@ -1,15 +1,14 @@
 import { CalendarDaysIcon, StarIcon } from "@heroicons/react/20/solid";
-import { type LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { type PlanDefinition } from "@trigger.dev/platform";
 import { redirect, typedjson, useTypedLoaderData } from "remix-typedjson";
 import { PageBody, PageContainer } from "~/components/layout/AppLayout";
 import { LinkButton } from "~/components/primitives/Buttons";
 import { DateTime } from "~/components/primitives/DateTime";
 import { NavBar, PageAccessories, PageTitle } from "~/components/primitives/PageHeader";
-import { prisma } from "~/db.server";
+import { $replica, prisma } from "~/db.server";
 import { featuresForRequest } from "~/features.server";
 import { getCurrentPlan, getPlans } from "~/services/platform.v3.server";
-import { requireUserId } from "~/services/session.server";
+import { dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import {
   OrganizationParamsSchema,
   organizationPath,
@@ -27,58 +26,73 @@ export const meta: MetaFunction = () => {
   ];
 };
 
-export async function loader({ params, request }: LoaderFunctionArgs) {
-  const userId = await requireUserId(request);
-  const { organizationSlug } = OrganizationParamsSchema.parse(params);
-
-  const { isManagedCloud } = featuresForRequest(request);
-  if (!isManagedCloud) {
-    return redirect(organizationPath({ slug: organizationSlug }));
-  }
-
-  const plans = await getPlans();
-  if (!plans) {
-    throw new Response(null, { status: 404, statusText: "Plans not found" });
-  }
+async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
+  const org = await $replica.organization.findFirst({ where: { slug }, select: { id: true } });
+  return org?.id ?? null;
+}
 
-  const organization = await prisma.organization.findFirst({
-    where: { slug: organizationSlug, members: { some: { userId } } },
-  });
+export const loader = dashboardLoader(
+  {
+    params: OrganizationParamsSchema,
+    context: async (params) => {
+      const organizationId = await resolveOrgIdFromSlug(params.organizationSlug);
+      return organizationId ? { organizationId } : {};
+    },
+    authorization: { action: "manage", resource: { type: "billing" } },
+  },
+  async ({ params, request, user }) => {
+    const userId = user.id;
+    const { organizationSlug } = params;
+
+    const { isManagedCloud } = featuresForRequest(request);
+    if (!isManagedCloud) {
+      return redirect(organizationPath({ slug: organizationSlug }));
+    }
+
+    const plans = await getPlans();
+    if (!plans) {
+      throw new Response(null, { status: 404, statusText: "Plans not found" });
+    }
+
+    const organization = await prisma.organization.findFirst({
+      where: { slug: organizationSlug, members: { some: { userId } } },
+    });
+
+    if (!organization) {
+      throw new Response(null, { status: 404, statusText: "Organization not found" });
+    }
+
+    const currentPlan = await getCurrentPlan(organization.id);
+
+    //periods
+    const periodStart = new Date();
+    periodStart.setUTCHours(0, 0, 0, 0);
+    periodStart.setUTCDate(1);
+
+    const periodEnd = new Date();
+    periodEnd.setUTCMonth(periodEnd.getMonth() + 1);
+    periodEnd.setUTCDate(0);
+    periodEnd.setUTCHours(0, 0, 0, 0);
+
+    const daysRemaining = Math.ceil(
+      (periodEnd.getTime() - new Date().getTime()) / (1000 * 60 * 60 * 24)
+    );
 
-  if (!organization) {
-    throw new Response(null, { status: 404, statusText: "Organization not found" });
+    // Extract 'message' from search params
+    const url = new URL(request.url);
+    const message = url.searchParams.get("message");
+
+    return typedjson({
+      ...plans,
+      ...currentPlan,
+      organizationSlug,
+      periodStart,
+      periodEnd,
+      daysRemaining,
+      message,
+    });
   }
-
-  const currentPlan = await getCurrentPlan(organization.id);
-
-  //periods
-  const periodStart = new Date();
-  periodStart.setUTCHours(0, 0, 0, 0);
-  periodStart.setUTCDate(1);
-
-  const periodEnd = new Date();
-  periodEnd.setUTCMonth(periodEnd.getMonth() + 1);
-  periodEnd.setUTCDate(0);
-  periodEnd.setUTCHours(0, 0, 0, 0);
-
-  const daysRemaining = Math.ceil(
-    (periodEnd.getTime() - new Date().getTime()) / (1000 * 60 * 60 * 24)
-  );
-
-  // Extract 'message' from search params
-  const url = new URL(request.url);
-  const message = url.searchParams.get("message");
-
-  return typedjson({
-    ...plans,
-    ...currentPlan,
-    organizationSlug,
-    periodStart,
-    periodEnd,
-    daysRemaining,
-    message,
-  });
-}
+);
 
 export default function ChoosePlanPage() {
   const {