Block codebuff usage

Author: jahooma

common/src/types/contracts/billing.ts

@@ -12,6 +12,7 @@ export type GetUserUsageDataFn = (params: {
     totalDebt: number
     netBalance: number
     breakdown: Record<string, number>
+    principals: Record<string, number>
   }
   nextQuotaReset: string
   autoTopupTriggered?: boolean

common/src/types/contracts/database.ts

@@ -8,6 +8,7 @@ type User = {
   referral_code: string | null
   stripe_customer_id: string | null
   banned: boolean
+  created_at: Date
 }
 export const userColumns = [
   'id',
@@ -16,6 +17,7 @@ export const userColumns = [
   'referral_code',
   'stripe_customer_id',
   'banned',
+  'created_at',
 ] as const
 export type UserColumn = keyof User
 export type GetUserInfoFromApiKeyInput<T extends UserColumn> = {

web/src/app/api/v1/chat/completions/__tests__/completions.test.ts

@@ -18,21 +18,32 @@ import type { BlockGrantResult } from '@codebuff/billing/subscription'
 import type { GetUserPreferencesFn } from '../_post'
 
 describe('/api/v1/chat/completions POST endpoint', () => {
+  // Old enough to clear the account-age gate in _post.ts
+  const AGED_ACCOUNT_CREATED_AT = new Date('2024-01-01T00:00:00Z')
+
   const mockUserData: Record<
     string,
-    { id: string; banned: boolean }
+    { id: string; banned: boolean; created_at: Date }
   > = {
     'test-api-key-123': {
       id: 'user-123',
       banned: false,
+      created_at: AGED_ACCOUNT_CREATED_AT,
     },
     'test-api-key-no-credits': {
       id: 'user-no-credits',
       banned: false,
+      created_at: AGED_ACCOUNT_CREATED_AT,
     },
     'test-api-key-blocked': {
       id: 'banned-user-id',
       banned: true,
+      created_at: AGED_ACCOUNT_CREATED_AT,
+    },
+    'test-api-key-new-free': {
+      id: 'user-new-free',
+      banned: false,
+      created_at: new Date(),
     },
   }
 
@@ -43,7 +54,11 @@ describe('/api/v1/chat/completions POST endpoint', () => {
     if (!userData) {
       return null
     }
-    return { id: userData.id, banned: userData.banned } as Awaited<ReturnType<GetUserInfoFromApiKeyFn>>
+    return {
+      id: userData.id,
+      banned: userData.banned,
+      created_at: userData.created_at,
+    } as Awaited<ReturnType<GetUserInfoFromApiKeyFn>>
   }
 
   let mockLogger: Logger
@@ -80,6 +95,22 @@ describe('/api/v1/chat/completions POST endpoint', () => {
             totalDebt: 0,
             netBalance: 0,
             breakdown: {},
+            // Has purchased credits historically (principals > 0) but 0 remaining
+            // so the paid-plan gate passes and the credit check is what enforces 402.
+            principals: { purchase: 100 },
+          },
+          nextQuotaReset,
+        }
+      }
+      if (userId === 'user-new-free') {
+        return {
+          usageThisCycle: 0,
+          balance: {
+            totalRemaining: 100,
+            totalDebt: 0,
+            netBalance: 100,
+            breakdown: {},
+            principals: {},
           },
           nextQuotaReset,
         }
@@ -91,6 +122,7 @@ describe('/api/v1/chat/completions POST endpoint', () => {
           totalDebt: 0,
           netBalance: 100,
           breakdown: {},
+          principals: { purchase: 100 },
         },
         nextQuotaReset,
       }
@@ -421,6 +453,75 @@ describe('/api/v1/chat/completions POST endpoint', () => {
       expect(body.message).not.toContain(nextQuotaReset)
     })
 
+    it('returns 403 for a free-tier user with no paid relationship', async () => {
+      const req = new NextRequest(
+        'http://localhost:3000/api/v1/chat/completions',
+        {
+          method: 'POST',
+          headers: { Authorization: 'Bearer test-api-key-new-free' },
+          body: JSON.stringify({
+            model: 'test/test-model',
+            stream: false,
+            codebuff_metadata: {
+              run_id: 'run-123',
+              client_id: 'test-client-id-123',
+            },
+          }),
+        },
+      )
+
+      const response = await postChatCompletions({
+        req,
+        getUserInfoFromApiKey: mockGetUserInfoFromApiKey,
+        logger: mockLogger,
+        trackEvent: mockTrackEvent,
+        getUserUsageData: mockGetUserUsageData,
+        getAgentRunFromId: mockGetAgentRunFromId,
+        fetch: mockFetch,
+        insertMessageBigquery: mockInsertMessageBigquery,
+        loggerWithContext: mockLoggerWithContext,
+      })
+
+      expect(response.status).toBe(403)
+      const body = await response.json()
+      expect(body.error).toBe('requires_paid_plan')
+    })
+
+    it('lets a BYOK free-tier new account through the paid-plan gate', async () => {
+      const req = new NextRequest(
+        'http://localhost:3000/api/v1/chat/completions',
+        {
+          method: 'POST',
+          headers: {
+            Authorization: 'Bearer test-api-key-new-free',
+            'x-openrouter-api-key': 'sk-or-byok-test',
+          },
+          body: JSON.stringify({
+            model: 'test/test-model',
+            stream: false,
+            codebuff_metadata: {
+              run_id: 'run-123',
+              client_id: 'test-client-id-123',
+            },
+          }),
+        },
+      )
+
+      const response = await postChatCompletions({
+        req,
+        getUserInfoFromApiKey: mockGetUserInfoFromApiKey,
+        logger: mockLogger,
+        trackEvent: mockTrackEvent,
+        getUserUsageData: mockGetUserUsageData,
+        getAgentRunFromId: mockGetAgentRunFromId,
+        fetch: mockFetch,
+        insertMessageBigquery: mockInsertMessageBigquery,
+        loggerWithContext: mockLoggerWithContext,
+      })
+
+      expect(response.status).toBe(200)
+    })
+
     it('skips credit check when in FREE mode even with 0 credits', async () => {
       const req = new NextRequest(
         'http://localhost:3000/api/v1/chat/completions',
@@ -818,6 +919,7 @@ describe('/api/v1/chat/completions POST endpoint', () => {
           totalDebt: 0,
           netBalance: includeSubscriptionCredits ? 350 : 0,
           breakdown: {},
+          principals: { subscription: 350 },
         },
         nextQuotaReset,
       }))

web/src/app/api/v1/chat/completions/_post.ts

@@ -74,6 +74,9 @@ const FREE_MODE_ALLOWED_COUNTRIES = new Set([
   'NO', 'SE', 'NL', 'DK', 'DE', 'FI', 'BE', 'LU', 'CH', 'IE', 'IS',
 ])
 
+const MIN_ACCOUNT_AGE_DAYS = 3
+const MIN_ACCOUNT_AGE_FOR_PAID_MS = MIN_ACCOUNT_AGE_DAYS * 24 * 60 * 60 * 1000
+
 function extractClientIp(req: NextRequest): string | undefined {
   const forwardedFor = req.headers.get('x-forwarded-for')
   if (forwardedFor) {
@@ -206,7 +209,7 @@ export async function postChatCompletions(params: {
     // Get user info
     const userInfo = await getUserInfoFromApiKey({
       apiKey,
-      fields: ['id', 'email', 'discord_id', 'stripe_customer_id', 'banned'],
+      fields: ['id', 'email', 'discord_id', 'stripe_customer_id', 'banned', 'created_at'],
       logger,
     })
     if (!userInfo) {
@@ -440,10 +443,43 @@ export async function postChatCompletions(params: {
 
     // Fetch user credit data (includes subscription credits when block grant was ensured)
     const {
-      balance: { totalRemaining },
+      balance: { totalRemaining, principals },
       nextQuotaReset,
     } = await getUserUsageData({ userId, logger, includeSubscriptionCredits })
 
+    // Gate non-free-mode requests behind (a) an established paid relationship
+    // AND (b) a non-new account. An ongoing abuse campaign uses freshly-signed-up
+    // self-referral accounts to burn credits via the stream-error billing gap in
+    // openrouter.ts; restricting to aged + paid accounts cuts off that vector.
+    // BYOK users bypass — they pay OpenRouter directly, so there's nothing to burn.
+    const openrouterApiKeyHeader = req.headers.get(BYOK_OPENROUTER_HEADER)
+    const hasPaidRelationship =
+      (principals.purchase ?? 0) > 0 || (principals.subscription ?? 0) > 0
+    const accountAgeMs = userInfo.created_at
+      ? Date.now() - new Date(userInfo.created_at).getTime()
+      : 0
+    const accountIsTooNew = accountAgeMs < MIN_ACCOUNT_AGE_FOR_PAID_MS
+    if (!openrouterApiKeyHeader && (!hasPaidRelationship || accountIsTooNew)) {
+      trackEvent({
+        event: AnalyticsEvent.CHAT_COMPLETIONS_VALIDATION_ERROR,
+        userId,
+        properties: {
+          error: 'blocked_for_free_tier',
+          model: typedBody.model,
+          hasPaidRelationship,
+          accountAgeMs,
+        },
+        logger,
+      })
+      return NextResponse.json(
+        {
+          error: 'requires_paid_plan',
+          message: `Non-free mode requires a paid subscription or purchased credits on an account at least ${MIN_ACCOUNT_AGE_DAYS} days old. Visit ${env.NEXT_PUBLIC_CODEBUFF_APP_URL}/usage to upgrade, or pass an OpenRouter API key to bring your own credits.`,
+        },
+        { status: 403 },
+      )
+    }
+
     // Credit check
     if (totalRemaining <= 0 && !isFreeModeRequest) {
       trackEvent({
@@ -464,7 +500,7 @@ export async function postChatCompletions(params: {
       )
     }
 
-    const openrouterApiKey = req.headers.get(BYOK_OPENROUTER_HEADER)
+    const openrouterApiKey = openrouterApiKeyHeader
 
     // Handle streaming vs non-streaming
     try {

web/src/app/api/v1/docs-search/__tests__/docs-search.test.ts

@@ -41,6 +41,7 @@ describe('/api/v1/docs-search POST endpoint', () => {
         totalDebt: 0,
         netBalance: 10,
         breakdown: {},
+        principals: {},
       },
       nextQuotaReset: 'soon',
     }))
@@ -113,6 +114,7 @@ describe('/api/v1/docs-search POST endpoint', () => {
         totalDebt: 0,
         netBalance: 0,
         breakdown: {},
+        principals: {},
       },
       nextQuotaReset: 'soon',
     }))
@@ -163,6 +165,7 @@ describe('/api/v1/docs-search POST endpoint', () => {
         totalDebt: 0,
         netBalance: includeSubscriptionCredits ? 350 : 0,
         breakdown: {},
+        principals: {},
       },
       nextQuotaReset: 'soon',
     }))
@@ -200,6 +203,7 @@ describe('/api/v1/docs-search POST endpoint', () => {
         totalDebt: 0,
         netBalance: 0,
         breakdown: {},
+        principals: {},
       },
       nextQuotaReset: 'soon',
     }))

web/src/app/api/v1/me/__tests__/me.test.ts

@@ -25,6 +25,7 @@ describe('/api/v1/me route', () => {
       referral_code: 'ref-user-123',
       stripe_customer_id: 'cus_test_123',
       banned: false,
+      created_at: new Date('2024-01-01T00:00:00Z'),
     },
     'test-api-key-456': {
       id: 'user-456',
@@ -33,6 +34,7 @@ describe('/api/v1/me route', () => {
       referral_code: 'ref-user-456',
       stripe_customer_id: null,
       banned: false,
+      created_at: new Date('2024-01-01T00:00:00Z'),
     },
   }
 
@@ -214,7 +216,7 @@ describe('/api/v1/me route', () => {
       const body = await response.json()
       expect(body.error).toContain('Invalid fields: invalid_field')
       expect(body.error).toContain(
-        'Valid fields are: id, email, discord_id, referral_code, stripe_customer_id, banned, referral_link',
+        'Valid fields are: id, email, discord_id, referral_code, stripe_customer_id, banned, created_at, referral_link',
       )
     })
 

web/src/app/api/v1/me/_get.ts

@@ -129,7 +129,7 @@ export async function getMe(params: {
 
   // Build response including derived fields
   const userInfoRecord = userInfo as Partial<
-    Record<ValidDbField, string | boolean | null>
+    Record<ValidDbField, string | boolean | Date | null>
   >
 
   const responseBody: Record<string, unknown> = {}

web/src/app/api/v1/web-search/__tests__/web-search.test.ts

@@ -43,6 +43,7 @@ describe('/api/v1/web-search POST endpoint', () => {
         totalDebt: 0,
         netBalance: 10,
         breakdown: {},
+        principals: {},
       },
       nextQuotaReset: 'soon',
     }))
@@ -96,6 +97,7 @@ describe('/api/v1/web-search POST endpoint', () => {
         totalDebt: 0,
         netBalance: 0,
         breakdown: {},
+        principals: {},
       },
       nextQuotaReset: 'soon',
     }))
@@ -148,6 +150,7 @@ describe('/api/v1/web-search POST endpoint', () => {
         totalDebt: 0,
         netBalance: includeSubscriptionCredits ? 350 : 0,
         breakdown: {},
+        principals: {},
       },
       nextQuotaReset: 'soon',
     }))
@@ -186,6 +189,7 @@ describe('/api/v1/web-search POST endpoint', () => {
         totalDebt: 0,
         netBalance: 0,
         breakdown: {},
+        principals: {},
       },
       nextQuotaReset: 'soon',
     }))

web/src/db/user.ts

@@ -15,6 +15,7 @@ export const VALID_USER_INFO_FIELDS = [
   'referral_code',
   'stripe_customer_id',
   'banned',
+  'created_at',
 ] as const
 
 export async function getUserInfoFromApiKey<T extends UserColumn>({