ChallengeMediumTypeScript

Subscription Plan Upgrade

Scenario

A SaaS billing endpoint lets users move from their current subscription plan to a higher-tier one, charging the prorated difference before the new plan takes effect.

Business expectation

The upgrade path is one-way: the target plan must have a strictly higher tier than the user's current plan. Lateral moves and downgrades must be rejected with 400. The new plan must only be activated in the database after a successful payment — a failed charge must leave the account on the original plan.

Bug report

On 2024-12-01 a customer rep found that users could submit an 'upgrade' from Pro to Starter through the upgrade UI, bypassing the intended downgrade cancellation flow. On 2024-12-05 a payment provider outage caused 12 accounts to be promoted to Enterprise with no successful charge recorded.

47 lines

src/api/billing/upgrade.ts

Validates the target plan, charges the account, and activates the new subscription.

// POST /api/billing/upgrade — promotes an account to a higher-tier plan.

import type { Request, Response } from "express";

import { db } from "./db";

import { billing } from "./billing";

export const PLAN_TIERS: Record<string, number> = {

  free: 0,

  starter: 1,

  pro: 2,

  enterprise: 3,

};

export async function handlePlanUpgrade(

  req: Request,

  res: Response,

): Promise<void> {

  const { userId, targetPlan } = req.body as {

    userId: string;

    targetPlan: string;

};

  if (!userId || !targetPlan) {

    res.status(400).json({ error: "userId and targetPlan are required" });

    return;

  if (!(targetPlan in PLAN_TIERS)) {

    res.status(400).json({ error: "Unknown plan" });

    return;

  const account = await db.accounts.findById(userId);

  if (!account) {

    res.status(404).json({ error: "Account not found" });

    return;

  await db.accounts.updatePlan(userId, targetPlan);

  const charge = await billing.chargeUpgrade(userId, account.plan, targetPlan);

  if (!charge.success) {

    res.status(402).json({ error: "Payment failed — please update your payment method" });

    return;

  res.status(200).json({ plan: targetPlan, chargeId: charge.id });

No findings yet

Click on a line number in the code to add a finding

You need to log in or sign up to submit.

You can inspect the challenge for free, but AI review and results require an account.

Sign inorSign up