feat: Razorpay support

[RohitKushvaha01]

Waiting for Acode-Foundation/acode.app#15 to be merged

API Expectations

1. Plugin Details / Ownership Check

GET ${constants.API_BASE}/plugin/${id}

Should return plugin metadata along with an owned: boolean field.

The owned field is used to indicate that the plugin has already been purchased externally (outside the in-app purchase flow). This allows the client to mark the plugin as purchased even when no in-app purchase record exists.

---

2. Owned Plugins Filter

GET ${constants.API_BASE}/plugins?owned=true

Should return only plugins that have been purchased externally by the current user.

This is used to fetch plugins the user already owns outside the in-app billing system.

---

3. Protected Plugin Download

GET ${constants.API_BASE}/plugin/download/{pluginId}

Used to download plugin files after purchase.

When the download URL belongs to acode.app or any subdomain of acode.app, the client sends the authentication token in the request header:

x-auth-token: <token>

Expected Server Behavior

• Validate the provided token.
• Allow access only to users who own the requested plugin.
• Return the plugin file on success.
• Return an appropriate HTTP error code (401, 403, 404, etc.) on failure.

Notes

• Auth headers are only sent to trusted acode.app domains.
• External/untrusted URLs will not receive the auth token.

[greptile-apps]

Greptile Summary

This PR wires up Razorpay as a second payment path for paid plugins. On the native side it adds PluginRetriever.java (downloadPlugin + fetchJsonArray) with proper finally-disconnect handling, and routes all authenticated plugin fetches through the Authenticator Cordova plugin. On the JS side it refactors getOwned to run IAP and Razorpay fetches in sequence, migrates retrieveFilteredPlugins to the new auth-token-aware fetch, and adds the remotePlugin.owned fallback for non-Play-Store environments.

Confidence Score: 5/5

Safe to merge; all remaining findings are P2 style/cleanup suggestions that do not affect correctness.

The major issues flagged in previous review rounds (connection leak, filterState pagination not returned to JS, IAP failure swallowing Razorpay path, remotePlugin.owned not checked without an IAP product) are all addressed in this revision. The only new findings are a hardcoded temp filename (concurrent-install edge case) and inconsistent indentation — both P2 and non-blocking.

src/lib/installPlugin.js (temp file race condition), src/pages/plugins/plugins.js (indentation inconsistency)

Important Files Changed

Filename	Overview
src/lib/installPlugin.js	Replaces cordova.plugin.http with a native Authenticator.downloadPlugin exec; reads the result from a hardcoded temp file that is never deleted and could be clobbered by concurrent installs.
src/pages/plugin/plugin.js	Adds an else if (remotePlugin.owned) fallback so Razorpay-purchased plugins are recognised when the IAP product object is absent (e.g. non-Play-Store environments).
src/pages/plugins/plugins.js	Adds fetchPlugins Cordova bridge helper, rewrites getOwned to query Razorpay-owned plugins after IAP, and migrates retrieveFilteredPlugins to use the auth-token-aware native fetch; fetchPlugins/retrieveFilteredPlugins/getOwned are inconsistently un-indented relative to the rest of the PluginsInclude body.
src/plugins/auth/plugin.xml	Registers PluginRetriever.java with the Cordova build so the new class is compiled and available at runtime.
src/plugins/auth/src/android/Authenticator.java	Adds downloadPlugin and fetchPlugins action handlers that delegate to PluginRetriever on a thread-pool thread; cleans up inline comments and imports JSONObject.
src/plugins/auth/src/android/PluginRetriever.java	New file providing downloadPlugin (with proper finally-disconnect fix) and fetchJsonArray; both correctly scope the x-auth-token header to acode.app hosts only.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[getOwned called] --> B[IAP path: iap.getPurchases]
    B -->|success| C[Fetch each SKU from API]
    B -->|failure| D[Log warning, continue]
    C --> E[Add to owned list]
    D --> F[Razorpay path: fetchPlugins owned=true]
    E --> F
    F -->|success| G[Merge with addedIds dedup]
    F -->|failure| H[Log error]
    G --> I[Render owned tab]
    H --> I

    J[installPlugin called] --> K{URL type?}
    K -->|Acode registry or local| L[fsOperation.readFile directly]
    K -->|Third-party URL| M[cordova.exec downloadPlugin]
    M --> N[PluginRetriever writes ZIP to cache]
    N --> O[fsOperation.readFile from cache file]
    L --> P[JSZip.loadAsync]
    O --> P

Loading

_{Reviews (7): Last reviewed commit: "fix: bug" | Re-trigger Greptile}

[UnschooledGamer]

LGTM