feat: Razorpay support

[RohitKushvaha01]

Waiting for Acode-Foundation/acode.app#15 to be merged

API Expectations

1. Plugin Details / Ownership Check

GET ${constants.API_BASE}/plugin/${id}

Should return plugin metadata along with an owned: boolean field.

The owned field is used to indicate that the plugin has already been purchased externally (outside the in-app purchase flow). This allows the client to mark the plugin as purchased even when no in-app purchase record exists.

---

2. Owned Plugins Filter

GET ${constants.API_BASE}/plugins?owned=true

Should return only plugins that have been purchased externally by the current user.

This is used to fetch plugins the user already owns outside the in-app billing system.

---

3. Protected Plugin Download

GET ${constants.API_BASE}/plugin/download/{pluginId}

Used to download plugin files after purchase.

When the download URL belongs to acode.app or any subdomain of acode.app, the client sends the authentication token in the request header:

x-auth-token: <token>

Expected Server Behavior

• Validate the provided token.
• Allow access only to users who own the requested plugin.
• Return the plugin file on success.
• Return an appropriate HTTP error code (401, 403, 404, etc.) on failure.

Notes

• Auth headers are only sent to trusted acode.app domains.
• External/untrusted URLs will not receive the auth token.

[greptile-apps]

Greptile Summary

This PR adds Razorpay payment support by routing plugin downloads and ownership checks through a new native Android layer (PluginRetriever.java) that attaches stored credentials only to trusted acode.app domains. The JS side is updated to handle the owned flag from the API and separates IAP and Razorpay purchase paths in getOwned with independent error handling.

All findings are P2 quality issues: withSupportedEditor is defined but never called in PluginRetriever.java, android.content.Context is imported but unused, and the loader progress callback is wired to a local cache file read where progress semantics differ from a remote stream.

Confidence Score: 5/5

Safe to merge; all findings are non-blocking P2 quality issues

No P0 or P1 issues found. The core logic for Razorpay ownership, fallback IAP handling, and trusted-domain credential gating is correct. Remaining findings are dead code and a cosmetic loader concern.

src/plugins/auth/src/android/PluginRetriever.java — dead code and unused import; src/pages/plugins/plugins.js — inconsistent fetch strategy between filtered and unfiltered views

Important Files Changed

Filename	Overview
src/plugins/auth/src/android/PluginRetriever.java	New Java helper for authenticated HTTP — download, JSON fetch, and token-gated plugin detail; contains dead code (withSupportedEditor) and an unused Context import
src/plugins/auth/src/android/Authenticator.java	Adds three new Cordova actions (fetchWithToken, downloadPlugin, fetchPlugins) that delegate to PluginRetriever; logic is clean and consistent with existing auth pattern
src/lib/installPlugin.js	Download path replaced with native Cordova downloadPlugin call; progress callback on the subsequent local file read may produce misleading or absent loader updates
src/pages/plugin/plugin.js	Plugin detail now fetched via fetchWithToken; Razorpay owned flag properly handled including IAP-absent and IAP-error fallback paths
src/pages/plugins/plugins.js	IAP and Razorpay owned-plugin paths properly separated with independent try/catch; fetchPlugins (auth-bearing) used for all filtered views while getAllPlugins still uses plain fetch — inconsistency worth tracking
src/lib/constants.js	Adds BASE_URL constant; static property correctly defined, resolves prior undefined/api concern
src/lib/auth.js	Login URL now uses constants.BASE_URL instead of a hardcoded string — straightforward, correct change
src/pages/plugin/plugin.view.js	Commented-out debug console.log statements added alongside button render paths — no functional change
src/plugins/auth/plugin.xml	Registers the new PluginRetriever.java source file in the Cordova plugin manifest

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[JS: install plugin] --> B[cordova.exec downloadPlugin]
    B --> C[Authenticator.java]
    C --> D[PluginRetriever.downloadPlugin]
    D --> E{Trusted domain?}
    E -->|Yes| F[Add auth header]
    E -->|No| G[No header added]
    F --> H[HTTP GET zip]
    G --> H
    H --> I[Write to cache file]
    I --> J[JS: fsOperation readFile]
    J --> K[Unzip and install]

    L[JS: get owned plugins] --> M[cordova.exec fetchPlugins]
    M --> N[PluginRetriever.fetchJsonArray]
    N --> O[GET /api/plugins?owned=true]
    O --> P[Return array to JS]
    P --> Q[Render owned list]

Loading

_{Reviews (10): Last reviewed commit: "fix: remove useless code" | Re-trigger Greptile}

[UnschooledGamer]

LGTM

[RohitKushvaha01]

@greptileai

[RohitKushvaha01]

@greptileai