⚡ Optimize Stripe Webhook Performance & Fix Data Flow

[cjo93]

This PR optimizes the Stripe webhook handler by offloading the email sending process to a background task using Vercel's waitUntil and a direct internal function call, eliminating a blocking internal HTTP request.

Additionally, it fixes a data integrity issue where the purchase confirmation email was missing user details ("Unknown"). The webhook now retrieves the full Stripe session to access metadata (containing unitA and unitB) before sending the email.

Key Changes:

• Refactor: Extracted email sending logic from api/send-email.ts to api/_utils/email.ts.
• Performance: Replaced blocking await fetch(...) with waitUntil(sendEmail(...)) in api/stripe-webhook.ts.
• Fix: Added stripe.checkout.sessions.retrieve(sessionId) to fetch missing metadata.
• Cleanup: Fixed unreachable code in webhook CORS handling.

Impact:

• Webhook response time significantly reduced (blocking email send removed).
• Purchase confirmation emails now correctly display user names.

---

PR created automatically by Jules for task 17979173710390596694 started by @cjo93

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
thisisdefrag	Ready	Preview, Comment	Feb 4, 2026 11:03pm
v0-thisisdefrag	Ready	Preview, Comment, Open in v0	Feb 4, 2026 11:03pm

[gemini-code-assist]

Summary of Changes

Hello @cjo93, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the application's backend efficiency and data accuracy. By optimizing the Stripe webhook's email delivery mechanism to be non-blocking and ensuring comprehensive user data retrieval, the changes lead to a more responsive system and improved user communication regarding purchases.

Highlights

• Performance Optimization: The Stripe webhook handler now offloads the email sending process to a non-blocking background task using Vercel's waitUntil and a direct internal function call. This change eliminates a blocking internal HTTP request, significantly reducing the webhook's response time.
• Data Integrity Fix: The purchase confirmation email now correctly includes user details, resolving a previous issue where user information appeared as 'Unknown'. This is achieved by retrieving the full Stripe session to access metadata (containing unitA and unitB) before sending the email.
• Code Refactoring: Email sending logic and all associated HTML templates have been extracted from api/send-email.ts into a new dedicated utility file, api/_utils/email.ts. This improves modularity, reusability, and maintainability of the email service.
• Dependency Update: The @vercel/functions package has been added to enable the waitUntil functionality, which is crucial for executing background tasks asynchronously.
• Webhook CORS Handling Cleanup: Minor cleanup and reordering of the CORS handling logic within the Stripe webhook endpoint were performed to ensure correct and efficient execution.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• api/_utils/email.ts
  • Added new file to centralize all email sending logic and HTML templates.
  • Introduced sendEmail function to handle various email types (e.g., purchase confirmation, welcome, support).
  • Defined interfaces for UnitData, SupportRequest, ResendManualRequest, and EmailOptions to ensure type safety.
• api/send-email.ts
  • Removed all internal email template generation functions and Resend client instantiation.
  • Modified to import and utilize the new sendEmail utility function from api/_utils/email.ts.
  • Removed local interfaces as they are now defined in the shared utility file.
• api/stripe-webhook.ts
  • Imported waitUntil from @vercel/functions to enable non-blocking background task execution.
  • Imported sendEmail from api/_utils/email.ts to use the refactored email service.
  • Added logic to retrieve the full Stripe session using stripe.checkout.sessions.retrieve(sessionId) to access metadata for unitA and unitB.
  • Replaced the blocking fetch call for sending emails with a non-blocking waitUntil(sendEmail(...)).
  • Reordered the if (req.method !== 'POST') check to appear after CORS headers, fixing previously unreachable code.
• package-lock.json
  • Added @vercel/functions and its dependency @vercel/oidc to the locked dependencies.
• package.json
  • Added @vercel/functions to the project dependencies.
  • Reordered existing dependencies for better organization.

Activity

• No human activity has been recorded on this pull request since its creation.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces significant performance and correctness improvements to the Stripe webhook and email sending logic. Offloading the email sending to a background task with waitUntil is a great optimization. The refactoring of email logic into a separate utility is also a good move for maintainability. My review includes a few suggestions to enhance type safety and robustness, particularly around handling missing data and using constants for configuration values.

[gemini-code-assist]

The use of non-null assertion operators (!) for unitA, unitB, and manualUrl on line 49 is risky as it can lead to runtime errors if these properties are not provided. It's safer to perform an explicit check for all required properties for this email type. After applying this suggestion, please also remove the ! operators from line 49.

Suggested change

	if (!to) throw new Error('Missing recipient');
	if (!to || !unitA || !unitB || !manualUrl) throw new Error('Missing required options for purchase_confirmation email');

[gemini-code-assist]

Similar to the purchase_confirmation case, using non-null assertion operators (!) on line 56 is risky. An explicit check for all required properties would make this more robust. After applying this suggestion, please also remove the ! operators from line 56.

Suggested change

	if (!to) throw new Error('Missing recipient');
	if (!to || !unitA || !unitB || !manualUrl) throw new Error('Missing required options for manual_delivery email');

[gemini-code-assist]

If parsing the unitA or unitB metadata fails in the preceding try...catch block, unitA or unitB will be undefined. This will cause the sendEmail background task to fail silently (from the webhook's perspective), as it relies on non-null values. It's better to prevent queueing the email if the required data is missing.

                    if (unitA && unitB) {
                        waitUntil(
                            sendEmail({
                                type: 'purchase_confirmation',
                                to: customerEmail,
                                unitA,
                                unitB,
                                manualUrl,
                            })
                            .then(() => console.log('📧 Confirmation email queued for:', customerEmail))
                            .catch((emailErr) => console.error('❌ Failed to send confirmation email:', emailErr))
                        );
                    } else {
                        console.error('❌ Could not send purchase confirmation: missing unitA or unitB in session metadata.');
                    }

[gemini-code-assist]

The type property in EmailOptions is a generic string. Using a string literal union type would provide better type safety and autocompletion, preventing invalid email types at compile time. You could also define a separate EmailType for this.

Suggested change

	type: string;
	type: 'purchase_confirmation' | 'manual_delivery' | 'welcome' | 'resend_manual' | 'support_confirmation' | 'support_internal';

[gemini-code-assist]

The internal support email address 'info@defrag.app' is hardcoded. It's better to define this as a constant at the top of the file (e.g., const INTERNAL_SUPPORT_EMAIL = 'info@defrag.app';) for easier maintenance.

Suggested change

	recipients = ['info@defrag.app']; // Internal notification
	recipients = [INTERNAL_SUPPORT_EMAIL]; // Internal notification

[gemini-code-assist]

The base URL https://defrag.app is hardcoded. This can make it difficult to manage different environments (development, staging, production). It's a best practice to source this from an environment variable, for example process.env.APP_URL.

Suggested change

	const manualUrl = `https://defrag.app/manual?session_id=${sessionId}`;
	const manualUrl = `${process.env.APP_URL || 'https://defrag.app'}/manual?session_id=${sessionId}`;

[Copilot]

Pull request overview

This PR optimizes the Stripe webhook handler by extracting email sending logic into a reusable utility and implementing non-blocking email delivery using Vercel's waitUntil API. It also addresses a data integrity issue where purchase confirmation emails were missing user details due to unavailable metadata in the webhook event object.

Changes:

• Refactored email sending logic from api/send-email.ts to a shared utility function in api/_utils/email.ts
• Replaced blocking HTTP request to /api/send-email with direct function call wrapped in waitUntil() for background processing
• Added session metadata retrieval in webhook to obtain unitA and unitB for personalized emails
• Fixed CORS handling order by moving OPTIONS check before POST validation

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
package.json	Added @vercel/functions dependency for waitUntil support, reorganized dependencies alphabetically
package-lock.json	Installed @vercel/functions package and its dependency @vercel/oidc
api/stripe-webhook.ts	Refactored to use direct sendEmail call with waitUntil, added session metadata retrieval, fixed CORS handling order
api/send-email.ts	Simplified to delegate all logic to shared sendEmail utility function
api/_utils/email.ts	New shared utility containing all email sending logic, type definitions, and email templates extracted from send-email.ts

[Copilot]

The non-null assertion operator on unitA! and unitB! is unsafe here. These values are parsed from metadata inside a try-catch block in the webhook (api/stripe-webhook.ts:94-95), and if the parsing fails or the metadata is missing, they will be undefined. This will pass undefined to the email generation function which uses them directly (e.g., ${unitA?.name || 'Unknown'} in line 334). While the template has fallback logic, the assertion suggests these are guaranteed to exist when they aren't. Consider either removing the non-null assertions or adding explicit checks.

Suggested change

	subject = 'DEFRAG // YOUR MANUAL IS READY';
	html = generatePurchaseEmail(unitA!, unitB!, manualUrl!);
	recipients = [to];
	break;
	case 'manual_delivery':
	if (!to) throw new Error('Missing recipient');
	subject = 'DEFRAG // MANUAL GENERATED';
	html = generateManualDeliveryEmail(unitA!, unitB!, manualUrl!);
	if (!unitA || !unitB || !manualUrl) {
	throw new Error('Missing unit data or manual URL');
	}
	subject = 'DEFRAG // YOUR MANUAL IS READY';
	html = generatePurchaseEmail(unitA, unitB, manualUrl);
	recipients = [to];
	break;
	case 'manual_delivery':
	if (!to) throw new Error('Missing recipient');
	if (!unitA || !unitB || !manualUrl) {
	throw new Error('Missing unit data or manual URL');
	}
	subject = 'DEFRAG // MANUAL GENERATED';
	html = generateManualDeliveryEmail(unitA, unitB, manualUrl);

[Copilot]

Missing validation for required parameters with unsafe non-null assertions. The function uses non-null assertions on unitA!, unitB!, and manualUrl! (lines 49, 56) but these parameters are optional in the type signature. While calling code in the webhook constructs these values, the assertions are unsafe because if metadata parsing fails (api/stripe-webhook.ts:96-97), these will be undefined. This could lead to runtime errors or "undefined" appearing in email templates. Either make these parameters required in the EmailOptions interface for these email types, or add explicit validation that throws descriptive errors.

Suggested change

	subject = 'DEFRAG // YOUR MANUAL IS READY';
	html = generatePurchaseEmail(unitA!, unitB!, manualUrl!);
	recipients = [to];
	break;
	case 'manual_delivery':
	if (!to) throw new Error('Missing recipient');
	subject = 'DEFRAG // MANUAL GENERATED';
	html = generateManualDeliveryEmail(unitA!, unitB!, manualUrl!);
	if (!unitA || !unitB || !manualUrl) {
	throw new Error('Missing purchase confirmation data: unitA, unitB, and manualUrl are required');
	}
	subject = 'DEFRAG // YOUR MANUAL IS READY';
	html = generatePurchaseEmail(unitA, unitB, manualUrl);
	recipients = [to];
	break;
	case 'manual_delivery':
	if (!to) throw new Error('Missing recipient');
	if (!unitA || !unitB || !manualUrl) {
	throw new Error('Missing manual delivery data: unitA, unitB, and manualUrl are required');
	}
	subject = 'DEFRAG // MANUAL GENERATED';
	html = generateManualDeliveryEmail(unitA, unitB, manualUrl);

[Copilot]

The extra API call to retrieve the full session may be unnecessary. The checkout.session.completed event object already includes the metadata field. You can access it directly from eventSession.metadata instead of making an additional stripe.checkout.sessions.retrieve() call. This would improve performance by eliminating the redundant API request. If metadata is indeed missing from the webhook event in practice, consider adding a comment explaining why the additional retrieval is necessary.

Suggested change

	// Retrieve full session to ensure we have metadata
	let unitA, unitB;
	try {
	const session = await stripe.checkout.sessions.retrieve(sessionId);
	unitA = session.metadata?.unitA ? JSON.parse(session.metadata.unitA) : undefined;
	unitB = session.metadata?.unitB ? JSON.parse(session.metadata.unitB) : undefined;
	} catch (err) {
	console.error('⚠️ Failed to retrieve full session or parse metadata:', err);
	// Parse metadata directly from the webhook event to avoid an extra Stripe API call
	let unitA, unitB;
	try {
	const metadata = eventSession.metadata || {};
	unitA = metadata.unitA ? JSON.parse(metadata.unitA) : undefined;
	unitB = metadata.unitB ? JSON.parse(metadata.unitB) : undefined;
	} catch (err) {
	console.error('⚠️ Failed to parse session metadata from webhook event:', err);

[Copilot]

Silent error handling could lead to missing data in emails. When metadata retrieval or parsing fails, the error is logged but execution continues with unitA and unitB as undefined. While this prevents the webhook from failing, it means emails will be sent with "Unknown" names, potentially confusing users. Consider adding more robust error handling: either retry the metadata retrieval, return a 500 status to trigger Stripe retry, or at minimum log more context (like the session ID) for debugging when metadata is missing.

Suggested change

	let unitA, unitB;
	try {
	const session = await stripe.checkout.sessions.retrieve(sessionId);
	unitA = session.metadata?.unitA ? JSON.parse(session.metadata.unitA) : undefined;
	unitB = session.metadata?.unitB ? JSON.parse(session.metadata.unitB) : undefined;
	} catch (err) {
	console.error('⚠️ Failed to retrieve full session or parse metadata:', err);
	let unitA: unknown;
	let unitB: unknown;
	try {
	const session = await stripe.checkout.sessions.retrieve(sessionId);
	const rawUnitA = session.metadata?.unitA;
	const rawUnitB = session.metadata?.unitB;
	if (!rawUnitA || !rawUnitB) {
	console.error('⚠️ Missing required unit metadata on checkout session', {
	sessionId,
	customerEmail,
	metadata: session.metadata,
	});
	// Return 500 so Stripe retries and we can attempt to recover metadata
	return res.status(500).json({ error: 'Missing required unit metadata on checkout session' });
	}
	unitA = JSON.parse(rawUnitA);
	unitB = JSON.parse(rawUnitB);
	} catch (err) {
	console.error('⚠️ Failed to retrieve full session or parse metadata:', {
	sessionId,
	customerEmail,
	error: err,
	});
	// Return 500 so Stripe retries and metadata retrieval can be retried
	return res.status(500).json({ error: 'Failed to retrieve or parse session metadata' });

[Copilot]

The Stripe API version is inconsistent with other API endpoints in the codebase. Other Stripe integrations use '2025-12-15.clover' (see api/create-checkout.ts:5, api/admin-stats.ts:5, api/verify-payment.ts:6), while this file uses '2024-12-18.acacia'. This inconsistency could lead to unexpected behavior or compatibility issues when interacting with Stripe API features. Update this to match the version used throughout the codebase.

Suggested change

	apiVersion: '2024-12-18.acacia',
	apiVersion: '2025-12-15.clover',

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a3a9488ead

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Map validation errors to 400 instead of 500

After the refactor, sendEmail(...) now throws for missing/invalid inputs (e.g., missing to, missing supportRequest, or an unknown type), but the handler catches all errors and responds with HTTP 500. That means client input mistakes are now reported as server failures (and may trigger retries/alerts) instead of the previous 400 responses. Consider validating the required fields in the handler or translating known validation errors to 400 to preserve the API contract.

Useful? React with 👍 / 👎.