@rmdes/indiekit-endpoint-donation 0.1.0-alpha.1 → 0.1.0-alpha.2

package/index.js

@@ -2,6 +2,7 @@ import path from "node:path";
 import { fileURLToPath } from "node:url";
 
 import express from "express";
+import rateLimit from "express-rate-limit";
 import { waitForReady } from "@rmdes/indiekit-startup-gate";
 
 import { dashboardController } from "./lib/controllers/dashboard.js";
@@ -89,25 +90,40 @@ export default class DonationEndpoint {
     router.post("/sync", syncController.runOnce);
     router.post("/rebuild", syncController.triggerRebuild);
 
+    // Stats JSON (donor-data-sanitized but still admin-only as defense
+    // in depth — the public Eleventy site reads MongoDB directly via the
+    // _data/donations.js loader, not via this HTTP endpoint).
+    router.get("/stats.json", statsController.json);
+    router.get("/stats/:campaignId.json", statsController.byCampaign);
+
     return router;
   }
 
-  // Public routes — Stripe webhook + JSON stats consumed by the static site.
+  // Public routes — Stripe webhook ONLY. Everything else (stats, donations,
+  // campaigns) is under the admin-protected `routes` getter above.
+  //
+  // Rate-limit the webhook endpoint to bound damage from a misbehaving
+  // upstream OR a forged-but-unsigned flood. Stripe typically sends one
+  // event at a time with exponential backoff on failure — 60/min/IP is
+  // well above legitimate traffic and well below "abuse" threshold.
   get routesPublic() {
     const router = express.Router();
 
-    // Stripe sends raw body; mount express.raw() at this route only so
-    // signature verification works. Indiekit's global JSON parser would
-    // otherwise consume the body before we can verify the signature.
+    const webhookLimiter = rateLimit({
+      windowMs: 60 * 1000,        // 1 minute window
+      max: 60,                    // 60 requests per IP per window
+      message: { error: "rate_limited" },
+      standardHeaders: true,
+      legacyHeaders: false,
+    });
+
     router.post(
       "/webhook",
+      webhookLimiter,
       express.raw({ type: "application/json" }),
       webhookController.receive,
     );
 
-    router.get("/stats.json", statsController.json);
-    router.get("/stats/:campaignId.json", statsController.byCampaign);
-
     return router;
   }
 

package/lib/controllers/campaigns.js

@@ -1,20 +1,23 @@
 /**
- * Campaign list + detail + manual override.
+ * Campaign list + detail + local-override edit.
+ * Admin-only (session middleware). Inputs validated to prevent NoSQL
+ * injection via untyped params + body fields.
+ *
  * Campaigns are authoritatively defined in Stripe Products — this admin
- * UI is read-mostly. The only writable fields are local overrides
- * (e.g. a "do not display on /transparence/" flag if you want to hide
- * a campaign from the public page without archiving it in Stripe).
+ * UI is read-mostly. The only writable fields are local overrides:
+ *   - hidden_on_public (hide from /soutenir/ + /transparence/)
+ *   - display_order   (sort hint)
  * @module controllers/campaigns
  */
 
 import { listCampaigns, getCampaign, upsertCampaign } from "../storage/campaigns.js";
 import { sumByCampaign } from "../storage/donations.js";
+import * as v from "../validate.js";
 
 async function list(request, response, next) {
   try {
     const { application } = request.app.locals;
     const campaigns = await listCampaigns(application);
-    // Augment each campaign with its current donation total.
     const augmented = await Promise.all(
       campaigns.map(async (c) => {
         const { total, count } = await sumByCampaign(application, c.stripe_product_id);
@@ -32,7 +35,10 @@ async function list(request, response, next) {
 async function detail(request, response, next) {
   try {
     const { application } = request.app.locals;
-    const c = await getCampaign(application, request.params.id);
+    let productId;
+    try { productId = v.safeId(request.params.id); }
+    catch { return response.status(400).render("donation-not-found"); }
+    const c = await getCampaign(application, productId);
     if (!c) return response.status(404).render("donation-not-found");
     const { total, count } = await sumByCampaign(application, c.stripe_product_id);
     response.render("donation-campaign-edit", {
@@ -46,15 +52,19 @@ async function detail(request, response, next) {
 async function update(request, response, next) {
   try {
     const { application } = request.app.locals;
-    const c = await getCampaign(application, request.params.id);
+    let productId;
+    try { productId = v.safeId(request.params.id); }
+    catch { return response.status(400).render("donation-not-found"); }
+    const c = await getCampaign(application, productId);
     if (!c) return response.status(404).render("donation-not-found");
-    // Only local overrides editable; everything else syncs from Stripe.
+
+    const display_order = v.nonNegInt(request.body.display_order) ?? (c.display_order ?? 100);
     await upsertCampaign(application, {
       ...c,
-      hidden_on_public: request.body.hidden_on_public === "on",
-      display_order: Number(request.body.display_order ?? c.display_order ?? 100),
+      hidden_on_public: v.checkbox(request.body.hidden_on_public),
+      display_order,
     });
-    response.redirect(`${application.donationEndpoint}/campaigns/${request.params.id}`);
+    response.redirect(`${application.donationEndpoint}/campaigns/${productId}`);
   } catch (err) { next(err); }
 }
 

package/lib/controllers/consent.js

@@ -1,21 +1,25 @@
 /**
  * Toggle a donation's public-display consent flag.
- * Used both by the admin UI (manual toggle from /donations/:id) and
- * eventually by the donor self-service link (v2).
+ * Admin-only (session middleware). Input validated to prevent NoSQL
+ * injection via untyped params.
  * @module controllers/consent
  */
 
 import { getDonation, updateConsent } from "../storage/donations.js";
 import { triggerRebuild } from "../build/trigger.js";
+import * as v from "../validate.js";
 
 async function toggle(request, response, next) {
   try {
     const { application } = request.app.locals;
-    const current = await getDonation(application, request.params.id);
+    let id;
+    try { id = v.safeId(request.params.id); }
+    catch { return response.status(400).render("donation-not-found"); }
+    const current = await getDonation(application, id);
     if (!current) return response.status(404).render("donation-not-found");
-    await updateConsent(application, request.params.id, !current.donor?.consent_public);
+    await updateConsent(application, id, !current.donor?.consent_public);
     await triggerRebuild(application);
-    response.redirect(`${application.donationEndpoint}/donations/${request.params.id}`);
+    response.redirect(`${application.donationEndpoint}/donations/${id}`);
   } catch (err) { next(err); }
 }
 

package/lib/controllers/donations.js

@@ -1,19 +1,30 @@
 /**
- * Donations list + detail + edit + delete.
+ * Donations list + detail + edit + delete. Admin-only (session middleware).
+ * All inputs validated through lib/validate.js before reaching MongoDB.
  * @module controllers/donations
  */
 
 import { listDonations, getDonation, upsertDonation, removeDonation } from "../storage/donations.js";
+import * as v from "../validate.js";
 
 async function list(request, response, next) {
   try {
     const { application } = request.app.locals;
-    const { campaign_id, source, page = 1, limit = 50 } = request.query;
+    // Filters from query string: never trust as Mongo operators.
+    let campaign_id = null;
+    if (request.query.campaign_id) {
+      try { campaign_id = v.safeId(request.query.campaign_id); } catch { /* ignore */ }
+    }
+    const sourceVal = v.str(request.query.source, { max: 30, allowEmpty: true });
+    const source = ["stripe", "givewp_migrated", "manual"].includes(sourceVal) ? sourceVal : null;
+    const limit = v.nonNegInt(request.query.limit, { max: 200 }) ?? 50;
+    const page = v.nonNegInt(request.query.page, { max: 10000 }) ?? 1;
+
     const items = await listDonations(application, {
       campaign_id,
       source,
-      limit: Number(limit),
-      skip: (Number(page) - 1) * Number(limit),
+      limit,
+      skip: (page - 1) * limit,
       includeRefunded: true,
     });
     response.render("donation-donations", {
@@ -28,7 +39,10 @@ async function list(request, response, next) {
 async function detail(request, response, next) {
   try {
     const { application } = request.app.locals;
-    const donation = await getDonation(application, request.params.id);
+    let id;
+    try { id = v.safeId(request.params.id); }
+    catch { return response.status(400).render("donation-not-found"); }
+    const donation = await getDonation(application, id);
     if (!donation) return response.status(404).render("donation-not-found");
     response.render("donation-donation-edit", {
       title: donation.stripe_id,
@@ -39,30 +53,39 @@ async function detail(request, response, next) {
 }
 
 async function update(request, response, next) {
-  // TODO: validate inputs, only allow editing display name / message / consent flag.
-  // Stripe data (amount, date, campaign, donor_id) is canonical from Stripe — not editable.
   try {
     const { application } = request.app.locals;
-    const current = await getDonation(application, request.params.id);
+    let id;
+    try { id = v.safeId(request.params.id); }
+    catch { return response.status(400).render("donation-not-found"); }
+    const current = await getDonation(application, id);
     if (!current) return response.status(404).render("donation-not-found");
+
+    // Only editable fields: display name, message, consent flag.
+    // Stripe-canonical fields (amount, date, campaign, donor_id) are NEVER mutated.
+    const display = v.str(request.body.display, { max: 60, allowEmpty: true });
+    const message = v.str(request.body.message, { max: 200, allowEmpty: true });
     const next_ = {
       ...current,
       donor: {
         ...current.donor,
-        display: request.body.display ?? current.donor.display,
-        message: request.body.message ?? current.donor.message,
-        consent_public: request.body.consent_public === "on",
+        display: display || null,
+        message: message || null,
+        consent_public: v.checkbox(request.body.consent_public),
       },
     };
     await upsertDonation(application, next_);
-    response.redirect(`${application.donationEndpoint}/donations/${request.params.id}`);
+    response.redirect(`${application.donationEndpoint}/donations/${id}`);
   } catch (err) { next(err); }
 }
 
 async function remove(request, response, next) {
   try {
     const { application } = request.app.locals;
-    await removeDonation(application, request.params.id);
+    let id;
+    try { id = v.safeId(request.params.id); }
+    catch { return response.status(400).render("donation-not-found"); }
+    await removeDonation(application, id);
     response.redirect(`${application.donationEndpoint}/donations`);
   } catch (err) { next(err); }
 }

package/lib/controllers/manual.js

@@ -1,12 +1,13 @@
 /**
  * Manual offline-donation entry — fills the gap for cash/bank-transfer
- * gifts that never went through Stripe.
+ * gifts that never went through Stripe. Admin-only (session middleware).
  * @module controllers/manual
  */
 
 import { upsertDonation } from "../storage/donations.js";
 import { listCampaigns } from "../storage/campaigns.js";
 import { triggerRebuild } from "../build/trigger.js";
+import * as v from "../validate.js";
 
 async function form(request, response, next) {
   try {
@@ -21,36 +22,57 @@ async function form(request, response, next) {
 }
 
 async function create(request, response, next) {
+  const { application } = request.app.locals;
+  const fail = (reason) =>
+    response.status(400).render("donation-manual-error", {
+      title: request.__("donation.manual.error.title"),
+      message: reason,
+      baseUrl: application.donationEndpoint,
+    });
+
   try {
-    const { application } = request.app.locals;
-    const { amount, currency, campaign_id, donor_display, message, consent_public, date } = request.body;
-
-    const amount_cents = Math.round(Number(amount) * 100);
-    if (!amount_cents || !campaign_id || !date) {
-      return response.status(400).render("donation-manual-error", {
-        title: request.__("donation.manual.error.title"),
-        message: request.__("donation.manual.error.required"),
-        baseUrl: application.donationEndpoint,
-      });
+    // Native validation — see lib/validate.js for the helpers.
+    const amount_cents = v.cents(request.body.amount);
+    if (amount_cents === null) return fail("Montant invalide.");
+
+    let campaign_id;
+    try {
+      campaign_id = v.safeId(request.body.campaign_id);
+    } catch {
+      return fail("Identifiant de campagne invalide.");
     }
 
+    const date = v.isoDate(request.body.date);
+    if (!date) return fail("Date invalide.");
+
+    const currencyCode = v.currency(request.body.currency)
+      || application.donationConfig?.currency
+      || "EUR";
+
+    const donor_display = v.str(request.body.donor_display, { max: 60, allowEmpty: true });
+    const message = v.str(request.body.message, { max: 200, allowEmpty: true });
+    const note = v.str(request.body.note, { max: 500, allowEmpty: true });
+
     const id = `manual_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
     const donation = {
       stripe_id: id,
       date: new Date(date),
       amount_cents,
-      currency: currency || application.donationConfig?.currency || "EUR",
+      currency: currencyCode,
       campaign_id,
       recurring: false,
       donor: {
         donor_id: `manual_${id}`,
-        display: donor_display?.trim() || null,
-        consent_public: consent_public === "on",
-        message: message?.trim() || null,
+        display: donor_display || null,
+        consent_public: v.checkbox(request.body.consent_public),
+        message: message || null,
       },
       source: "manual",
       refunded: false,
-      meta: { entered_by: request.session?.me ?? "unknown", note: request.body.note ?? null },
+      meta: {
+        entered_by: typeof request.session?.me === "string" ? request.session.me : "unknown",
+        note: note || null,
+      },
     };
     await upsertDonation(application, donation);
     await triggerRebuild(application);

package/lib/controllers/stats.js

@@ -11,12 +11,15 @@ import { listCampaigns } from "../storage/campaigns.js";
 async function json(request, response, next) {
   try {
     const { application } = request.app.locals;
-    const [stats, campaigns, donations] = await Promise.all([
+    const [stats, allCampaigns, donations] = await Promise.all([
       lifetimeStats(application),
       listCampaigns(application),
       listDonations(application, { limit: 100 }),
     ]);
 
+    // Public endpoint — never surface campaigns the admin chose to hide.
+    const campaigns = allCampaigns.filter((c) => !c.hidden_on_public);
+
     // Augment campaigns with their current totals.
     const enriched = await Promise.all(
       campaigns.map(async (c) => {

package/lib/validate.js

@@ -0,0 +1,74 @@
+/**
+ * Native input validation helpers. Used by admin controllers to coerce
+ * request.body / request.params fields to safe types BEFORE they hit
+ * MongoDB or get rendered back to clients.
+ *
+ * Why no Zod or similar: the plugin keeps its dependency footprint
+ * minimal. These helpers cover the narrow set of inputs the donation
+ * plugin actually accepts and reject everything else as bad input.
+ */
+
+/** Coerce to a non-empty string of bounded length. Returns null if invalid. */
+export function str(value, { max = 200, allowEmpty = false } = {}) {
+  if (typeof value !== "string") return null;
+  const trimmed = value.trim();
+  if (!allowEmpty && !trimmed) return null;
+  return trimmed.slice(0, max);
+}
+
+/** Coerce to a positive integer (cents). Returns null on invalid input. */
+export function cents(value, { min = 1, max = 1_000_000_00 } = {}) {
+  // Accept "12,50" (FR) and "12.50" (en). Floor-fail on garbage.
+  const cleaned = typeof value === "string"
+    ? value.replace(",", ".").trim()
+    : value;
+  const n = Number(cleaned);
+  if (!Number.isFinite(n) || n <= 0) return null;
+  const c = Math.round(n * 100);
+  if (c < min || c > max) return null;
+  return c;
+}
+
+/** Coerce to ISO 8601 date string (YYYY-MM-DD or full). Returns null if invalid. */
+export function isoDate(value) {
+  if (typeof value !== "string") return null;
+  const d = new Date(value);
+  if (Number.isNaN(d.getTime())) return null;
+  return d.toISOString();
+}
+
+/** Coerce to a non-negative integer (for display_order etc). */
+export function nonNegInt(value, { max = 1000 } = {}) {
+  const n = Number(value);
+  if (!Number.isFinite(n) || n < 0) return null;
+  if (n > max) return null;
+  return Math.floor(n);
+}
+
+/** Coerce HTML form checkbox value to boolean. */
+export function checkbox(value) {
+  return value === "on" || value === "true" || value === true;
+}
+
+/**
+ * Coerce a Stripe / Mongo identifier to a string. Strips any object/array
+ * shape that could be mistaken for a Mongo query operator (e.g. {$ne: null}).
+ * Throws on truly hostile input so the caller can return 400.
+ */
+export function safeId(value, { maxLen = 80 } = {}) {
+  if (typeof value !== "string") {
+    throw new Error("id must be a string");
+  }
+  // Allow alphanumerics, underscore, hyphen — Stripe IDs and our own.
+  if (!/^[A-Za-z0-9_-]+$/.test(value) || value.length > maxLen) {
+    throw new Error("id contains invalid characters or is too long");
+  }
+  return value;
+}
+
+/** Allow-listed currency code. */
+export function currency(value, { allowed = ["EUR", "USD", "GBP", "CHF"] } = {}) {
+  if (typeof value !== "string") return null;
+  const upper = value.toUpperCase();
+  return allowed.includes(upper) ? upper : null;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rmdes/indiekit-endpoint-donation",
-  "version": "0.1.0-alpha.1",
+  "version": "0.1.0-alpha.2",
   "description": "Stripe-backed donation endpoint for Indiekit. Treats Stripe Products as campaigns, PaymentIntents/Checkout Sessions as donations, exposes admin UI + public stats API + rebuild trigger.",
   "keywords": [
     "indiekit",
@@ -37,6 +37,7 @@
     "@indiekit/frontend": "^1.0.0-beta.27",
     "@rmdes/indiekit-startup-gate": "^1.0.0",
     "express": "^5.0.0",
+    "express-rate-limit": "^8.5.2",
     "stripe": "^17.0.0"
   },
   "peerDependencies": {