fixes stripe

app.py

@@ -489,18 +489,6 @@ def getAllowedOrigins():
 CORS_ORIGIN_REGEX = r"https://.*\.(poweron\.swiss|poweron-center\.net)"
 
 
-# CORS configuration using environment variables
-app.add_middleware(
-    CORSMiddleware,
-    allow_origins=getAllowedOrigins(),
-    allow_origin_regex=CORS_ORIGIN_REGEX,
-    allow_credentials=True,
-    allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
-    allow_headers=["*"],
-    expose_headers=["*"],
-    max_age=86400,  # Increased caching for preflight requests
-)
-
 # SlowAPI rate limiter initialization
 from modules.auth import limiter
 from slowapi.errors import RateLimitExceeded
@@ -538,6 +526,19 @@ app.add_middleware(
     ProactiveTokenRefreshMiddleware, enabled=True, check_interval_minutes=5
 )
 
+# CORS must be registered LAST so it wraps the whole stack: every response (errors, CSRF 403,
+# rate limits) still gets Access-Control-Allow-Origin for browser cross-origin calls.
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=getAllowedOrigins(),
+    allow_origin_regex=CORS_ORIGIN_REGEX,
+    allow_credentials=True,
+    allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
+    allow_headers=["*"],
+    expose_headers=["*"],
+    max_age=86400,
+)
+
 # Include all routers
 
 from modules.routes.routeAdmin import router as generalRouter

env_int.env

@@ -53,7 +53,7 @@ Service_CLICKUP_OAUTH_REDIRECT_URI = http://localhost:8000/api/clickup/auth/conn
 
 # Stripe Billing (both end with _SECRET for encryption script)
 STRIPE_SECRET_KEY_SECRET = INT_ENC:Z0FBQUFBQnB5dkd5ekdBaGNGVUlOQUpncTlzLWlTV0V5OWZzQkpDczhCUGw4U1JpTHZ0d3pfYlFNWElLRlNiNlNsaDRYTGZUTkg2OUFrTW1GZXpOUjBVbmRQWjN6ekhHd2ZSQ195OHlaeWh1TmxrUm10V2R3YmdncmFLbFMzVjdqcWJMSUJPR2xuSEozclNoZG1rZVBTaWg3OFQ1Qzdxb0wyQ2RKazc2dG1aZXBUTXlvbDZqLS1KOVI5M3BGc3NQZkZRbnFpRjIwWmh2ZHlVNlpxZVo2dWNmMjQ5eW02QmtzUT09
-STRIPE_WEBHOOK_SECRET = INT_ENC:Z0FBQUFBQnB5dkd5VUszOWllM1E1YXlsdldIdENlUTd4bWhycVNBZVZzSWxlMjd4NEJwRnFVbnRaNTlGOWUyLVdxRUxySEtGRDdfbEVHM1dFTU93SHZtY1RKZkh0NG92M2cwYTQxQjQ0SFhqNXZnd21jbE52WW0wZC1oMlY3OXFFSV9sd2M1TC10N0hZa2Zha3FzX1FhcE14alo2TGFHX3QybHFxOTlQWWFZR3pabkRtOEp1Zm1zOFlrbDF0MFNkUjUyVFI5NUNZaU5TRXF4X29tcEQ2RUR1MTlXcUoxbTl0dz09
+STRIPE_WEBHOOK_SECRET = whsec_2agCQEbDPSOn2C40EJcwoPCqlvaPLF7M
 STRIPE_API_VERSION = 2026-01-28.clover
 
 # AI configuration

modules/routes/routeSubscription.py

@@ -291,14 +291,31 @@ def verifyCheckout(
         logger.error("Failed to retrieve checkout session %s: %s", data.sessionId, e)
         raise HTTPException(status_code=400, detail="Invalid session ID")
 
-    if session.get("status") != "complete" or session.get("payment_status") != "paid":
+    payStatus = session.get("payment_status")
+    if session.get("status") != "complete":
+        return {"status": "pending", "message": "Checkout not yet completed"}
+    # Subscription checkouts with trial / $0 first period use no_payment_required, not paid.
+    if payStatus not in ("paid", "no_payment_required"):
         return {"status": "pending", "message": "Checkout not yet completed"}
 
     if session.get("mode") != "subscription":
         raise HTTPException(status_code=400, detail="Not a subscription checkout session")
 
     from modules.routes.routeBilling import _handleSubscriptionCheckoutCompleted
-    _handleSubscriptionCheckoutCompleted(session, f"verify-{data.sessionId}")
+
+    try:
+        _handleSubscriptionCheckoutCompleted(session, f"verify-{data.sessionId}")
+    except Exception as e:
+        logger.exception(
+            "verifyCheckout: handler failed for session %s mandate %s: %s",
+            data.sessionId,
+            mandateId,
+            e,
+        )
+        raise HTTPException(
+            status_code=500,
+            detail="Subscription-Aktivierung nach Checkout fehlgeschlagen. Bitte erneut versuchen oder Support informieren.",
+        ) from e
 
     return {"status": "activated", "message": "Subscription activated"}