@stamhoofd/backend 1.0.0

package/src/endpoints/organization/dashboard/registration-periods/PatchOrganizationRegistrationPeriodsEndpoint.ts

@@ -0,0 +1,210 @@
+import { DecodedRequest, Endpoint, Request, Response } from "@simonbackx/simple-endpoints";
+import { GroupPrivateSettings, OrganizationRegistrationPeriod as OrganizationRegistrationPeriodStruct, PermissionLevel, PermissionsResourceType, ResourcePermissions, Version } from "@stamhoofd/structures";
+
+import { AutoEncoderPatchType, Decoder, PatchableArrayAutoEncoder, PatchableArrayDecoder, StringDecoder } from "@simonbackx/simple-encoding";
+import { Context } from "../../../../helpers/Context";
+import { Group, OrganizationRegistrationPeriod, RegistrationPeriod } from "@stamhoofd/models";
+import { SimpleError } from "@simonbackx/simple-errors";
+
+type Params = Record<string, never>;
+type Query = undefined;
+type Body = PatchableArrayAutoEncoder<OrganizationRegistrationPeriodStruct>
+type ResponseBody = OrganizationRegistrationPeriodStruct[]
+
+/**
+ * One endpoint to create, patch and delete members and their registrations and payments
+ */
+
+export class PatchRegistrationPeriodsEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    bodyDecoder = new PatchableArrayDecoder(OrganizationRegistrationPeriodStruct as Decoder<OrganizationRegistrationPeriodStruct>, OrganizationRegistrationPeriodStruct.patchType() as Decoder<AutoEncoderPatchType<OrganizationRegistrationPeriodStruct>>, StringDecoder)
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "PATCH") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/organization/registration-periods", {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope();
+        const {user} = await Context.authenticate()
+
+        if (!await Context.auth.hasFullAccess(organization.id)) {
+            throw Context.auth.error()
+        } 
+
+        const structs: OrganizationRegistrationPeriodStruct[] = [];
+
+        for (const patch of request.body.getPatches()) {
+            const organizationPeriod = await OrganizationRegistrationPeriod.getByID(patch.id);
+            if (!organizationPeriod || organizationPeriod.organizationId !== organization.id) {
+                throw new SimpleError({
+                    code: "not_found",
+                    message: "Period not found",
+                    statusCode: 404
+                })
+            }
+            let deleteUnreachable = false
+            const allowedIds: string[] = []
+
+            if (await Context.auth.hasFullAccess(organization.id)) {
+                if (patch.settings) {
+                    organizationPeriod.settings.patchOrPut(patch.settings);
+                }
+            } else {
+                /// Only allow editing category group ids
+                if (patch.settings) {
+                    // Only allow adding groups if we have create permissions in a given category group
+                    if (patch.settings.categories && !Array.isArray(patch.settings.categories)) {
+                        for (const pp of patch.settings.categories.getPatches()) {
+                            const category = organizationPeriod.settings.categories.find(c => c.id === pp.id)
+                            if (!category) {
+                                // Fail silently
+                                continue
+                            }
+    
+                            if (!await Context.auth.canCreateGroupInCategory(organization.id, category)) {
+                                throw Context.auth.error('Je hebt geen toegangsrechten om groepen toe te voegen in deze categorie')
+                            }
+                                
+                            // Only process puts
+                            const ids = pp.groupIds.getPuts().map(p => p.put)
+                            allowedIds.push(...ids)
+                            category.groupIds.push(...ids)
+                        }
+    
+                        if (allowedIds.length > 0) {
+                            deleteUnreachable = true
+                        }
+                    }
+                }
+            }
+
+            await organizationPeriod.save();
+
+            // Check changes to groups
+            const deleteGroups = patch.groups.getDeletes()
+            if (deleteGroups.length > 0) {
+                for (const id of deleteGroups) {
+                    const model = await Group.getByID(id)
+                    if (!model || !await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
+                        throw Context.auth.error('Je hebt geen toegangsrechten om deze groep te verwijderen')
+                    }
+
+                    model.deletedAt = new Date()
+                    await model.save()
+                    deleteUnreachable = true
+                }
+            }
+
+            for (const groupPut of patch.groups.getPuts()) {
+                if (!await Context.auth.hasFullAccess(organization.id) && !allowedIds.includes(groupPut.put.id)) {
+                    throw Context.auth.error('Je hebt geen toegangsrechten om groepen toe te voegen')
+                }
+
+                const struct = groupPut.put
+                const model = new Group()
+                model.id = struct.id
+                model.organizationId = organization.id
+                model.periodId = organizationPeriod.periodId
+                model.settings = struct.settings
+                model.privateSettings = struct.privateSettings ?? GroupPrivateSettings.create({})
+                model.status = struct.status
+
+                if (!await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
+                    // Create a temporary permission role for this user
+                    const organizationPermissions = user.permissions?.organizationPermissions?.get(organization.id)
+                    if (!organizationPermissions) {
+                        throw new Error('Unexpected missing permissions')
+                    }
+                    const resourcePermissions = ResourcePermissions.create({
+                        resourceName: model.settings.name,
+                        level: PermissionLevel.Full
+                    })
+                    const patch = resourcePermissions.createInsertPatch(PermissionsResourceType.Groups, model.id, organizationPermissions)
+                    user.permissions!.organizationPermissions.set(organization.id, organizationPermissions.patch(patch))
+                    console.log('Automatically granted author full permissions to resource', 'group', model.id, 'user', user.id, 'patch', patch.encode({version: Version}))
+                    await user.save()
+                }
+
+                // Check if current user has permissions to this new group -> else fail with error
+                if (!await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
+                    throw new SimpleError({
+                        code: "missing_permissions",
+                        message: "You cannot restrict your own permissions",
+                        human: "Je kan geen inschrijvingsgroep maken zonder dat je zelf volledige toegang hebt tot de nieuwe groep"
+                    })
+                    continue;
+                }
+
+                await model.updateOccupancy()
+                await model.save();
+            }
+
+            for (const struct of patch.groups.getPatches()) {
+                const model = await Group.getByID(struct.id)
+
+                if (!model || !await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
+                    throw Context.auth.error('Je hebt geen toegangsrechten om deze groep te wijzigen')
+                }
+
+                if (struct.settings) {
+                    model.settings.patchOrPut(struct.settings)
+                }
+
+                if (struct.status) {
+                    model.status = struct.status
+                }
+                
+                if (struct.privateSettings) {
+                    model.privateSettings.patchOrPut(struct.privateSettings)
+
+                    if (!await Context.auth.canAccessGroup(model, PermissionLevel.Full)) {
+                        throw new SimpleError({
+                            code: "missing_permissions",
+                            message: "You cannot restrict your own permissions",
+                            human: "Je kan je eigen volledige toegang tot deze inschrijvingsgroep niet verwijderen. Vraag aan een hoofdbeheerder om jouw toegang te verwijderen."
+                        })
+                    }
+                }
+
+                if (struct.cycle !== undefined) {
+                    model.cycle = struct.cycle
+                }
+
+                if (struct.deletedAt !== undefined) {
+                    model.deletedAt = struct.deletedAt
+                }
+                
+                await model.updateOccupancy()
+                await model.save();
+            }
+
+            const period = await RegistrationPeriod.getByID(organizationPeriod.periodId);
+            const groups = await Group.getAll(organization.id, organizationPeriod.periodId)
+
+            if (deleteUnreachable) {
+                // Delete unreachable categories first
+                await organization.cleanCategories(groups);
+                await Group.deleteUnreachable(organization.id, organizationPeriod, groups)
+            }
+
+            if (period) {
+
+                structs.push(organizationPeriod.getStructure(period, groups));
+            }
+
+        }
+
+        return new Response(
+            structs
+        );
+    }
+
+}

package/src/endpoints/organization/dashboard/stripe/ConnectStripeEndpoint.ts

@@ -0,0 +1,93 @@
+
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { SimpleError } from '@simonbackx/simple-errors';
+import { StripeAccount } from '@stamhoofd/models';
+import { PermissionLevel, StripeAccount as StripeAccountStruct } from "@stamhoofd/structures";
+import Stripe from 'stripe';
+
+import { Context } from '../../../../helpers/Context';
+import { StripeHelper } from '../../../../helpers/StripeHelper';
+type Params = Record<string, never>;
+type Body = undefined;
+type Query = undefined
+type ResponseBody = StripeAccountStruct
+
+export class ConnectMollieEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {    
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "POST") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/stripe/connect", {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+
+        return [false];
+    }
+
+    async handle(_: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope();
+        await Context.authenticate()
+
+        // Fast throw first (more in depth checking for patches later)
+        if (!await Context.auth.canManagePaymentAccounts(organization.id, PermissionLevel.Full)) {
+            throw Context.auth.error()
+        }
+
+        const models = await StripeAccount.where({ organizationId: organization.id, status: "active" })
+
+        const canCreateMultipleStripeAccounts = models.every(a => (a.meta.charges_enabled && a.meta.payouts_enabled) || (a.meta.details_submitted))
+        if (models.length > 0 && !canCreateMultipleStripeAccounts) {
+            throw new SimpleError({
+                code: "already_connected",
+                message: "Je hebt al een Stripe account gekoppeld"
+            })
+        }
+
+        const type = 'express'
+
+        let expressData: Stripe.AccountCreateParams = {
+            country: organization.address.country,
+            // Problem: we cannot set company or business_type, because then it defaults the structure of the company to one that requires a company number
+            capabilities: {
+                card_payments: { requested: true },
+                transfers: { requested: true },
+                bancontact_payments: { requested: true },
+                ideal_payments: { requested: true },
+            },
+            settings: {
+                payouts: {
+                    schedule: {
+                        delay_days: 'minimum',
+                        interval: 'weekly',
+                        weekly_anchor: 'monday',
+                    }
+                }
+            }
+        };
+
+        if (type !== 'express') {
+            expressData = {};
+        }
+
+        // Create a new Stripe account
+        const stripe = StripeHelper.getInstance()
+        const account = await stripe.accounts.create({
+            type,
+            ...expressData
+        });
+
+        // Save the Stripe account in the database
+        const model = new StripeAccount();
+        model.organizationId = organization.id;
+        model.accountId = account.id;
+        model.setMetaFromStripeAccount(account)
+        await model.save();
+
+        // Return information about the Stripe Account
+        
+        return new Response(StripeAccountStruct.create(model));
+    }
+}

package/src/endpoints/organization/dashboard/stripe/DeleteStripeAccountEndpoint.ts

@@ -0,0 +1,59 @@
+
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { SimpleError } from '@simonbackx/simple-errors';
+import { StripeAccount } from '@stamhoofd/models';
+import { PermissionLevel } from '@stamhoofd/structures';
+
+import { Context } from '../../../../helpers/Context';
+
+type Params = { id: string };
+type Body = undefined;
+type Query = undefined
+type ResponseBody = undefined
+
+export class DeleteStripeAccountEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {    
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "DELETE") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/stripe/accounts/@id", {id: String});
+
+        if (params) {
+            return [true, params as Params];
+        }
+
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope();
+        await Context.authenticate()
+
+        // Fast throw first (more in depth checking for patches later)
+        if (!await Context.auth.canManagePaymentAccounts(organization.id, PermissionLevel.Full)) {
+            throw Context.auth.error()
+        }
+
+       // Search account in database
+        const model = await StripeAccount.getByID(request.params.id)
+        if (!model || model.organizationId != organization.id || model.status !== "active") {
+            throw Context.auth.notFoundOrNoAccess("Account niet gevonden")
+        }
+
+        // For now we don't delete them in Stripe because this causes issues with data access
+        // const stripe = StripeHelper.getInstance()
+        // 
+        // try {
+        //     await stripe.accounts.del(model.accountId);
+        // } catch (e) {
+        //     console.error('Tried deleting account but failed', e)
+        // }
+
+        // If that succeeded
+        model.status = "deleted"
+        await model.save()
+
+        return new Response(undefined);
+    }
+}

package/src/endpoints/organization/dashboard/stripe/GetStripeAccountLinkEndpoint.ts

@@ -0,0 +1,78 @@
+
+import { AutoEncoder, Decoder, field, StringDecoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { SimpleError } from '@simonbackx/simple-errors';
+import { StripeAccount } from '@stamhoofd/models';
+import { PermissionLevel } from '@stamhoofd/structures';
+
+import { Context } from '../../../../helpers/Context';
+import { StripeHelper } from '../../../../helpers/StripeHelper';
+
+type Params = Record<string, never>;
+class Body extends AutoEncoder {
+    /**
+     * The account id (internal id, not the stripe id)
+     */
+    @field({ decoder: StringDecoder })
+    accountId: string
+
+    @field({ decoder: StringDecoder })
+    returnUrl: string
+
+    @field({ decoder: StringDecoder })
+    refreshUrl: string
+}
+
+type Query = undefined
+class ResponseBody extends AutoEncoder {
+    @field({ decoder: StringDecoder })
+    url: string
+}
+
+export class GetStripeAccountLinkEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    bodyDecoder = Body as Decoder<Body>
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "POST") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/stripe/account-link", {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope();
+        await Context.authenticate()
+
+        // Fast throw first (more in depth checking for patches later)
+        if (!await Context.auth.canManagePaymentAccounts(organization.id, PermissionLevel.Full)) {
+            throw Context.auth.error()
+        }
+
+        // Search account in database
+        const model = await StripeAccount.getByID(request.body.accountId)
+        if (!model || model.organizationId != organization.id || model.status !== 'active') {
+            throw Context.auth.notFoundOrNoAccess("Account niet gevonden")
+        }
+
+        // Get account
+        const stripe = StripeHelper.getInstance()
+        const accountLink = await stripe.accountLinks.create({
+            account: model.accountId,
+            refresh_url: request.body.refreshUrl,
+            return_url: request.body.returnUrl,
+            type: 'account_onboarding',
+            collect: model.meta.type === 'express' ? 'eventually_due' : undefined, // Collect all at the start
+        });
+
+        return new Response(ResponseBody.create({
+            url: accountLink.url
+        }));
+    }
+}

package/src/endpoints/organization/dashboard/stripe/GetStripeAccountsEndpoint.ts

@@ -0,0 +1,40 @@
+
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { StripeAccount } from '@stamhoofd/models';
+import { PermissionLevel, StripeAccount as StripeAccountStruct } from '@stamhoofd/structures';
+
+import { Context } from '../../../../helpers/Context';
+
+type Params = Record<string, never>;
+type Body = undefined;
+type Query = undefined
+type ResponseBody = StripeAccountStruct[]
+
+export class GetStripeAccountLinkEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {    
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "GET") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/stripe/accounts", {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+
+        return [false];
+    }
+
+    async handle(_: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope();
+        await Context.authenticate()
+
+        // Fast throw first (more in depth checking for patches later)
+        if (!await Context.auth.canManagePaymentAccounts(organization.id, PermissionLevel.Read)) {
+            throw Context.auth.error()
+        }
+
+        const models = await StripeAccount.where({ organizationId: organization.id, status: 'active' })
+        return new Response(models.map(m => StripeAccountStruct.create(m)));
+    }
+}

package/src/endpoints/organization/dashboard/stripe/GetStripeLoginLinkEndpoint.ts

@@ -0,0 +1,69 @@
+
+import { AutoEncoder, Decoder, field, StringDecoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { SimpleError } from '@simonbackx/simple-errors';
+import { StripeAccount, Token } from '@stamhoofd/models';
+import { PermissionLevel } from '@stamhoofd/structures';
+
+import { Context } from '../../../../helpers/Context';
+import { StripeHelper } from '../../../../helpers/StripeHelper';
+
+type Params = Record<string, never>;
+class Body extends AutoEncoder {
+    /**
+     * The account id (internal id, not the stripe id)
+     */
+    @field({ decoder: StringDecoder })
+    accountId: string
+}
+
+type Query = undefined
+class ResponseBody extends AutoEncoder {
+    @field({ decoder: StringDecoder })
+    url: string
+}
+
+export class GetStripeLoginLinkEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    bodyDecoder = Body as Decoder<Body>
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "POST") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/stripe/login-link", {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope();
+        await Context.authenticate()
+
+        // Fast throw first (more in depth checking for patches later)
+        if (!await Context.auth.canManagePaymentAccounts(organization.id, PermissionLevel.Full)) {
+            throw Context.auth.error()
+        }
+
+        // Search account in database
+        const model = await StripeAccount.getByID(request.body.accountId)
+        if (!model || model.organizationId != organization.id || model.status !== 'active') {
+            throw new SimpleError({
+                code: "not_found",
+                message: "Account niet gevonden",
+                statusCode: 400
+            })
+        }
+
+        const stripe = StripeHelper.getInstance()
+        const accountLink = await stripe.accounts.createLoginLink(model.accountId);
+
+        return new Response(ResponseBody.create({
+            url: accountLink.url
+        }));
+    }
+}

package/src/endpoints/organization/dashboard/stripe/UpdateStripeAccountEndpoint.ts

@@ -0,0 +1,52 @@
+
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { StripeAccount } from '@stamhoofd/models';
+import { PermissionLevel, StripeAccount as StripeAccountStruct } from '@stamhoofd/structures';
+
+import { Context } from '../../../../helpers/Context';
+import { StripeHelper } from '../../../../helpers/StripeHelper';
+
+type Params = { id: string };
+type Body = undefined;
+type Query = undefined
+type ResponseBody = StripeAccountStruct
+
+export class UpdateStripeAccountEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {    
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "POST") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/stripe/accounts/@id", {id: String});
+
+        if (params) {
+            return [true, params as Params];
+        }
+
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope();
+        await Context.authenticate()
+
+        // Fast throw first (more in depth checking for patches later)
+        if (!await Context.auth.canManagePaymentAccounts(organization.id, PermissionLevel.Read)) {
+            throw Context.auth.error()
+        }
+
+       // Search account in database
+        const model = await StripeAccount.getByID(request.params.id)
+        if (!model || model.organizationId != organization.id) {
+            throw Context.auth.notFoundOrNoAccess("Account niet gevonden")
+        }
+
+        // Get account
+        const stripe = StripeHelper.getInstance()
+        const account = await stripe.accounts.retrieve(model.accountId);
+        model.setMetaFromStripeAccount(account)
+        await model.save()
+
+        return new Response(StripeAccountStruct.create(model));
+    }
+}

package/src/endpoints/organization/dashboard/users/CreateApiUserEndpoint.ts

@@ -0,0 +1,73 @@
+import { Decoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request, Response } from "@simonbackx/simple-endpoints";
+import { SimpleError } from "@simonbackx/simple-errors";
+import { Token, User } from '@stamhoofd/models';
+import { ApiUser, ApiUserWithToken, UserPermissions } from "@stamhoofd/structures";
+
+import { Context } from '../../../../helpers/Context';
+type Params = Record<string, never>;
+type Query = undefined;
+type Body = ApiUser
+type ResponseBody = ApiUser
+
+export class CreateAdminEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    bodyDecoder = ApiUser as Decoder<ApiUser>
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "POST") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/api-keys", {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope();
+        await Context.authenticate()
+
+        // Fast throw first (more in depth checking for patches later)
+        if (!await Context.auth.canManageAdmins(organization.id)) {
+            throw Context.auth.error()
+        }
+
+        const admin = new User();
+        admin.organizationId = organization.id;
+        admin.firstName = request.body.name;
+        admin.lastName = null
+        admin.email = 'creating.api'
+        admin.verified = true
+
+        if (!admin.isApiUser) {
+            throw new Error('Unexpectedly created normal user while trying to create API-user')
+        }
+
+        // Merge permissions
+        if (!request.body.permissions) {
+            throw new SimpleError({
+                code: 'missing_field',
+                message: 'When creating API-users, you are required to specify permissions in the request',
+                field: 'permissions'
+            })
+        }
+
+        admin.permissions = UserPermissions.limitedAdd(null, request.body.permissions, organization.id)
+        await admin.save();
+
+        // Set id
+        admin.email = admin.id + '.api'
+        await admin.save();
+
+        const createdToken = await Token.createApiToken(admin);
+
+        return new Response(ApiUserWithToken.create({
+            ...(await Token.getAPIUserWithToken(admin)),
+            token: createdToken.accessToken,
+            expiresAt: createdToken.accessTokenValidUntil
+        }));
+    }
+}