@consilioweb/payload-support 0.5.1

package/src/endpoints/login.ts

@@ -0,0 +1,92 @@
+import type { Endpoint } from 'payload'
+import type { CollectionSlugs } from '../utils/slugs'
+import { RateLimiter } from '../utils/rateLimiter'
+
+const loginLimiter = new RateLimiter(15 * 60_000, 10) // 10 per 15 min
+
+/**
+ * POST /api/support/login
+ * Client login endpoint.
+ */
+export function createLoginEndpoint(slugs: CollectionSlugs): Endpoint {
+  return {
+    path: '/support/login',
+    method: 'post',
+    handler: async (req) => {
+      const ip = req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() || req.headers.get('x-real-ip') || 'unknown'
+
+      if (loginLimiter.check(ip)) {
+        return Response.json(
+          { error: 'Trop de tentatives. Réessayez dans quelques minutes.' },
+          { status: 429 },
+        )
+      }
+
+      const payload = req.payload
+      let body: { email?: string; password?: string }
+      try {
+        body = await req.json!()
+      } catch {
+        return Response.json({ error: 'Invalid JSON body' }, { status: 400 })
+      }
+      const { email, password } = body
+      const userAgent = req.headers.get('user-agent') || ''
+
+      if (!email || !password) {
+        return Response.json({ error: 'Email et mot de passe requis.' }, { status: 400 })
+      }
+
+      try {
+        const result = await payload.login({
+          collection: slugs.supportClients as any,
+          data: { email, password },
+        })
+
+        // Log successful login (fire-and-forget)
+        payload.create({
+          collection: slugs.authLogs as any,
+          data: { email, success: true, action: 'login', ipAddress: ip, userAgent },
+          overrideAccess: true,
+        }).catch(() => {})
+
+        const headers = new Headers({ 'Content-Type': 'application/json' })
+
+        if (result.token) {
+          const secure = process.env.NODE_ENV === 'production'
+          headers.append(
+            'Set-Cookie',
+            `payload-token=${result.token}; HttpOnly; ${secure ? 'Secure; ' : ''}SameSite=Lax; Path=/; Max-Age=7200`,
+          )
+        }
+
+        return new Response(
+          JSON.stringify({
+            message: 'Login successful',
+            user: result.user,
+            token: result.token,
+            exp: result.exp,
+          }),
+          { status: 200, headers },
+        )
+      } catch (err: unknown) {
+        const errorMessage = err instanceof Error ? err.message : 'Erreur inconnue'
+
+        let errorReason = 'Identifiants incorrects'
+        if (errorMessage.includes('locked') || errorMessage.includes('verrouillé') || errorMessage.includes('Too many')) {
+          errorReason = 'Compte verrouillé (trop de tentatives)'
+        }
+
+        payload.create({
+          collection: slugs.authLogs as any,
+          data: { email, success: false, action: 'login', errorReason, ipAddress: ip, userAgent },
+          overrideAccess: true,
+        }).catch(() => {})
+
+        return Response.json(
+          { errors: [{ message: 'Email ou mot de passe incorrect.' }] },
+          { status: 401 },
+        )
+      }
+    },
+  }
+}

package/src/endpoints/merge-clients.ts

@@ -0,0 +1,132 @@
+import type { Endpoint } from 'payload'
+import type { CollectionSlugs } from '../utils/slugs'
+import { requireAdmin, handleAuthError } from '../utils/auth'
+
+/**
+ * POST /api/support/merge-clients
+ * Merge client B (source) into client A (target). Admin-only.
+ */
+export function createMergeClientsEndpoint(slugs: CollectionSlugs): Endpoint {
+  return {
+    path: '/support/merge-clients',
+    method: 'post',
+    handler: async (req) => {
+      try {
+        const payload = req.payload
+
+        requireAdmin(req, slugs)
+
+        const { sourceId, targetId } = await req.json!()
+
+        if (!sourceId || !targetId || sourceId === targetId) {
+          return Response.json({ error: 'sourceId and targetId are required and must be different' }, { status: 400 })
+        }
+
+        const [source, target] = await Promise.all([
+          payload.findByID({ collection: slugs.supportClients as any, id: sourceId, depth: 0, overrideAccess: true }),
+          payload.findByID({ collection: slugs.supportClients as any, id: targetId, depth: 0, overrideAccess: true }),
+        ]) as [any, any]
+
+        if (!source || !target) {
+          return Response.json({ error: 'Source or target client not found' }, { status: 404 })
+        }
+
+        const results = {
+          tickets: 0,
+          ticketMessages: 0,
+          chatMessages: 0,
+          pendingEmails: 0,
+          satisfactionSurveys: 0,
+        }
+
+        // 1. Transfer tickets
+        const tickets = await payload.find({
+          collection: slugs.tickets as any,
+          where: { client: { equals: sourceId } },
+          limit: 500,
+          depth: 0,
+          overrideAccess: true,
+        })
+        for (const ticket of tickets.docs) {
+          await payload.update({ collection: slugs.tickets as any, id: ticket.id, data: { client: targetId }, overrideAccess: true })
+          results.tickets++
+        }
+
+        // 2. Transfer ticket messages (authorClient)
+        const messages = await payload.find({
+          collection: slugs.ticketMessages as any,
+          where: { authorClient: { equals: sourceId } },
+          limit: 1000,
+          depth: 0,
+          overrideAccess: true,
+        })
+        for (const msg of messages.docs) {
+          await payload.update({ collection: slugs.ticketMessages as any, id: msg.id, data: { authorClient: targetId }, overrideAccess: true })
+          results.ticketMessages++
+        }
+
+        // 3. Transfer chat messages
+        const chats = await payload.find({
+          collection: slugs.chatMessages as any,
+          where: { client: { equals: sourceId } },
+          limit: 1000,
+          depth: 0,
+          overrideAccess: true,
+        })
+        for (const chat of chats.docs) {
+          await payload.update({ collection: slugs.chatMessages as any, id: chat.id, data: { client: targetId }, overrideAccess: true })
+          results.chatMessages++
+        }
+
+        // 4. Transfer pending emails
+        const pendingEmails = await payload.find({
+          collection: slugs.pendingEmails as any,
+          where: { client: { equals: sourceId } },
+          limit: 500,
+          depth: 0,
+          overrideAccess: true,
+        })
+        for (const pe of pendingEmails.docs) {
+          await payload.update({ collection: slugs.pendingEmails as any, id: pe.id, data: { client: targetId }, overrideAccess: true })
+          results.pendingEmails++
+        }
+
+        // 5. Transfer satisfaction surveys
+        const surveys = await payload.find({
+          collection: slugs.satisfactionSurveys as any,
+          where: { client: { equals: sourceId } },
+          limit: 500,
+          depth: 0,
+          overrideAccess: true,
+        })
+        for (const survey of surveys.docs) {
+          await payload.update({ collection: slugs.satisfactionSurveys as any, id: survey.id, data: { client: targetId }, overrideAccess: true })
+          results.satisfactionSurveys++
+        }
+
+        // 6. Delete source client
+        await payload.delete({
+          collection: slugs.supportClients as any,
+          id: sourceId,
+          overrideAccess: true,
+        })
+
+        const sourceLabel = `${source.firstName} ${source.lastName} (${source.email})`
+        const targetLabel = `${target.firstName} ${target.lastName} (${target.email})`
+
+        return Response.json({
+          success: true,
+          message: `Client "${sourceLabel}" fusionné dans "${targetLabel}"`,
+          merged: results,
+          deletedClientId: sourceId,
+          targetClientId: targetId,
+        })
+      } catch (error) {
+        const authResponse = handleAuthError(error)
+        if (authResponse) return authResponse
+        console.error('[merge-clients] Error:', error)
+        return Response.json({ error: 'Internal server error' }, { status: 500 })
+      }
+    },
+  }
+}

package/src/endpoints/merge-tickets.ts

@@ -0,0 +1,137 @@
+import type { Endpoint } from 'payload'
+import type { CollectionSlugs } from '../utils/slugs'
+import { requireAdmin, handleAuthError } from '../utils/auth'
+
+/**
+ * POST /api/support/merge-tickets
+ * Merge source ticket into target ticket. Admin-only.
+ */
+export function createMergeTicketsEndpoint(slugs: CollectionSlugs): Endpoint {
+  return {
+    path: '/support/merge-tickets',
+    method: 'post',
+    handler: async (req) => {
+      try {
+        const payload = req.payload
+
+        requireAdmin(req, slugs)
+
+        const { sourceTicketId, targetTicketId } = await req.json!()
+
+        if (!sourceTicketId || !targetTicketId) {
+          return Response.json({ error: 'sourceTicketId et targetTicketId requis' }, { status: 400 })
+        }
+
+        if (sourceTicketId === targetTicketId) {
+          return Response.json({ error: 'Impossible de fusionner un ticket avec lui-même' }, { status: 400 })
+        }
+
+        const [source, target] = await Promise.all([
+          payload.findByID({ collection: slugs.tickets as any, id: sourceTicketId, depth: 0, overrideAccess: true }),
+          payload.findByID({ collection: slugs.tickets as any, id: targetTicketId, depth: 0, overrideAccess: true }),
+        ])
+
+        if (!source) return Response.json({ error: 'Ticket source introuvable' }, { status: 404 })
+        if (!target) return Response.json({ error: 'Ticket cible introuvable' }, { status: 404 })
+
+        const sourceClient = typeof source.client === 'object' ? (source.client as any).id : source.client
+        const targetClient = typeof target.client === 'object' ? (target.client as any).id : target.client
+
+        if (sourceClient !== targetClient) {
+          return Response.json({ error: 'Les deux tickets doivent appartenir au même client' }, { status: 400 })
+        }
+
+        // Move all messages from source to target
+        const messages = await payload.find({
+          collection: slugs.ticketMessages as any,
+          where: { ticket: { equals: sourceTicketId } },
+          limit: 500,
+          depth: 0,
+          overrideAccess: true,
+        })
+
+        for (const msg of messages.docs) {
+          await payload.update({
+            collection: slugs.ticketMessages as any,
+            id: msg.id,
+            data: { ticket: targetTicketId },
+            overrideAccess: true,
+          })
+        }
+
+        // Move time entries
+        const timeEntries = await payload.find({
+          collection: slugs.timeEntries as any,
+          where: { ticket: { equals: sourceTicketId } },
+          limit: 500,
+          depth: 0,
+          overrideAccess: true,
+        })
+
+        for (const entry of timeEntries.docs) {
+          await payload.update({
+            collection: slugs.timeEntries as any,
+            id: entry.id,
+            data: { ticket: targetTicketId },
+            overrideAccess: true,
+          })
+        }
+
+        // Add internal note to target
+        const sourceNumber = (source as any).ticketNumber || `#${sourceTicketId}`
+        await payload.create({
+          collection: slugs.ticketMessages as any,
+          data: {
+            ticket: targetTicketId,
+            body: `Messages fusionnés depuis ${sourceNumber} (${messages.totalDocs} messages, ${timeEntries.totalDocs} entrées de temps)`,
+            authorType: 'admin',
+            isInternal: true,
+            skipNotification: true,
+          },
+          overrideAccess: true,
+        })
+
+        // Delete source ticket
+        await payload.delete({
+          collection: slugs.tickets as any,
+          id: sourceTicketId,
+          overrideAccess: true,
+        })
+
+        // Recalculate totalTimeMinutes on target
+        const allTimeEntries = await payload.find({
+          collection: slugs.timeEntries as any,
+          where: { ticket: { equals: targetTicketId } },
+          limit: 500,
+          depth: 0,
+          overrideAccess: true,
+        })
+
+        const totalMinutes = allTimeEntries.docs.reduce(
+          (sum: number, e: any) => sum + (e.duration || 0),
+          0,
+        )
+
+        await payload.update({
+          collection: slugs.tickets as any,
+          id: targetTicketId,
+          data: { totalTimeMinutes: totalMinutes },
+          overrideAccess: true,
+        })
+
+        return Response.json({
+          success: true,
+          messagesMoved: messages.totalDocs,
+          timeEntriesMoved: timeEntries.totalDocs,
+          sourceTicket: sourceNumber,
+          targetTicket: (target as any).ticketNumber || `#${targetTicketId}`,
+        })
+      } catch (error) {
+        const authResponse = handleAuthError(error)
+        if (authResponse) return authResponse
+        console.error('[merge-tickets] Error:', error)
+        return Response.json({ error: 'Erreur interne' }, { status: 500 })
+      }
+    },
+  }
+}

package/src/endpoints/oauth-google.ts

@@ -0,0 +1,179 @@
+import type { Endpoint } from 'payload'
+import type { CollectionSlugs } from '../utils/slugs'
+import crypto from 'crypto'
+
+/**
+ * POST /api/support/oauth/google
+ * Google OAuth — handles both login redirect and callback.
+ * Body: { action: 'login' } or { code: string, state: string, cookieState: string }
+ */
+export interface OAuthGoogleOptions {
+  allowedEmailDomains?: string[]
+}
+
+export function createOAuthGoogleEndpoint(slugs: CollectionSlugs, options?: OAuthGoogleOptions): Endpoint {
+  return {
+    path: '/support/oauth/google',
+    method: 'post',
+    handler: async (req) => {
+      const GOOGLE_CLIENT_ID = process.env.GOOGLE_OAUTH_CLIENT_ID || ''
+      const GOOGLE_CLIENT_SECRET = process.env.GOOGLE_OAUTH_CLIENT_SECRET || ''
+      const baseUrl = process.env.NEXT_PUBLIC_SERVER_URL || ''
+
+      if (!GOOGLE_CLIENT_ID || !GOOGLE_CLIENT_SECRET) {
+        return Response.json(
+          { error: 'Google OAuth non configuré.' },
+          { status: 501 },
+        )
+      }
+
+      try {
+        const body = await req.json!()
+        const { action, code, state: queryState, cookieState } = body
+
+        // Step 1: Generate OAuth URL
+        if (action === 'login') {
+          const oauthState = crypto.randomBytes(32).toString('hex')
+          const redirectUri = `${baseUrl}/api/support/oauth/google`
+          const params = new URLSearchParams({
+            client_id: GOOGLE_CLIENT_ID,
+            redirect_uri: redirectUri,
+            response_type: 'code',
+            scope: 'openid email profile',
+            state: oauthState,
+            prompt: 'select_account',
+          })
+
+          return Response.json({
+            url: `https://accounts.google.com/o/oauth2/v2/auth?${params}`,
+            state: oauthState,
+          })
+        }
+
+        // Step 2: Handle callback (code exchange)
+        if (code) {
+          // Validate state
+          if (!cookieState || !queryState || cookieState !== queryState) {
+            return Response.json({ error: 'state_mismatch' }, { status: 400 })
+          }
+
+          const redirectUri = `${baseUrl}/api/support/oauth/google`
+
+          // Exchange code for tokens
+          const tokenRes = await fetch('https://oauth2.googleapis.com/token', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: new URLSearchParams({
+              code,
+              client_id: GOOGLE_CLIENT_ID,
+              client_secret: GOOGLE_CLIENT_SECRET,
+              redirect_uri: redirectUri,
+              grant_type: 'authorization_code',
+            }),
+          })
+
+          const tokens = await tokenRes.json()
+
+          if (!tokens.access_token) {
+            return Response.json({ error: 'oauth_failed' }, { status: 400 })
+          }
+
+          // Get user profile from Google
+          const profileRes = await fetch('https://www.googleapis.com/oauth2/v2/userinfo', {
+            headers: { Authorization: `Bearer ${tokens.access_token}` },
+          })
+
+          const profile = await profileRes.json()
+
+          if (!profile.email) {
+            return Response.json({ error: 'no_email' }, { status: 400 })
+          }
+
+          const payload = req.payload
+
+          // Find existing support client by email
+          const existing = await payload.find({
+            collection: slugs.supportClients as any,
+            where: { email: { equals: profile.email } },
+            limit: 1,
+            depth: 0,
+            overrideAccess: true,
+          })
+
+          let clientDoc = existing.docs[0]
+
+          // Auto-create account if needed
+          if (!clientDoc) {
+            // Domain restriction check for new accounts
+            const allowedDomains = options?.allowedEmailDomains
+            if (allowedDomains && allowedDomains.length > 0) {
+              const emailDomain = profile.email.split('@')[1]?.toLowerCase()
+              const isAllowed = allowedDomains.some(
+                (d: string) => d.toLowerCase() === emailDomain,
+              )
+              if (!isAllowed) {
+                return Response.json(
+                  { error: 'Inscription non autorisée pour ce domaine email.' },
+                  { status: 403 },
+                )
+              }
+            }
+            const autoPassword = crypto.randomBytes(48).toString('base64url')
+            const fullName = profile.name || profile.email.split('@')[0]
+            const nameParts = fullName.split(' ')
+
+            clientDoc = await payload.create({
+              collection: slugs.supportClients as any,
+              data: {
+                email: profile.email,
+                firstName: nameParts[0] || fullName,
+                lastName: nameParts.slice(1).join(' ') || '-',
+                company: fullName,
+                password: autoPassword,
+              },
+              overrideAccess: true,
+            })
+          }
+
+          // Generate temp password, login, then rotate
+          const tempPassword = crypto.randomBytes(48).toString('base64url')
+          await payload.update({
+            collection: slugs.supportClients as any,
+            id: clientDoc.id,
+            data: { password: tempPassword },
+            overrideAccess: true,
+          })
+
+          const loginResult = await payload.login({
+            collection: slugs.supportClients as any,
+            data: { email: profile.email, password: tempPassword },
+          })
+
+          // Immediately rotate password
+          const postLoginPassword = crypto.randomBytes(48).toString('base64url')
+          await payload.update({
+            collection: slugs.supportClients as any,
+            id: clientDoc.id,
+            data: { password: postLoginPassword },
+            overrideAccess: true,
+          })
+
+          if (!loginResult.token) {
+            return Response.json({ error: 'login_failed' }, { status: 400 })
+          }
+
+          return Response.json({
+            token: loginResult.token,
+            user: loginResult.user,
+            exp: loginResult.exp,
+          })
+        }
+
+        return Response.json({ error: 'Action invalide' }, { status: 400 })
+      } catch (err) {
+        console.error('[oauth/google] Error:', err)
+        return Response.json({ error: 'oauth_error' }, { status: 500 })
+      }
+    },
+  }
+}