@stamhoofd/backend 1.0.0

package/src/endpoints/organization/shared/auth/GetOrganizationEndpoint.test.ts

@@ -0,0 +1,78 @@
+import { Request } from "@simonbackx/simple-endpoints";
+import { GroupFactory, OrganizationFactory, Token, UserFactory } from '@stamhoofd/models';
+import { Organization, PermissionLevel, Permissions } from '@stamhoofd/structures';
+
+import { testServer } from "../../../../../tests/helpers/TestServer";
+import { GetOrganizationEndpoint } from './GetOrganizationEndpoint';
+
+describe("Endpoint.GetOrganization", () => {
+    // Test endpoint
+    const endpoint = new GetOrganizationEndpoint();
+
+    test("Get organization as signed in user", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const user = await new UserFactory({ organization }).create()
+        const groups = await new GroupFactory({ organization }).createMultiple(2)
+        const token = await Token.createToken(user)
+
+        const r = Request.buildJson("GET", "/v3/organization", organization.getApiHost());
+        r.headers.authorization = "Bearer " + token.accessToken
+
+        const response = await testServer.test(endpoint, r);
+        expect(response.body).toBeDefined();
+
+        if (!(response.body instanceof Organization)) {
+            throw new Error("Expected Organization")
+        }
+
+        expect(response.body.id).toEqual(organization.id)
+        expect(response.body.groups.map(g => g.id).sort()).toEqual(groups.map(g => g.id).sort())
+        expect(response.body.privateMeta).toEqual(null)
+    });
+
+    test("Get organization as admin", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const user = await new UserFactory({
+            organization,
+            permissions: Permissions.create({
+                level: PermissionLevel.Read
+            })
+        }).create()
+
+        const groups = await new GroupFactory({ organization }).createMultiple(2)
+        const token = await Token.createToken(user)
+
+        const r = Request.buildJson("GET", "/v3/organization", organization.getApiHost());
+        r.headers.authorization = "Bearer " + token.accessToken
+
+        const response = await testServer.test(endpoint, r);
+        expect(response.body).toBeDefined();
+
+        if (!(response.body instanceof Organization)) {
+            throw new Error("Expected Organization")
+        }
+
+        expect(response.body.id).toEqual(organization.id)
+        expect(response.body.groups.map(g => g.id).sort()).toEqual(groups.map(g => g.id).sort())
+        expect(response.body.privateMeta).not.toEqual(null)
+    });
+
+     test("Get organization as admin of a different organization", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const organization2 = await new OrganizationFactory({}).create()
+        const user = await new UserFactory({
+            organization: organization2,
+            permissions: Permissions.create({
+                level: PermissionLevel.Read
+            })
+        }).create()
+
+        const token = await Token.createToken(user)
+
+        const r = Request.buildJson("GET", "/v3/organization", organization.getApiHost());
+        r.headers.authorization = "Bearer " + token.accessToken
+
+        await expect(testServer.test(endpoint, r)).rejects.toThrow('The access token is invalid');
+    });
+
+});

package/src/endpoints/organization/shared/auth/GetOrganizationEndpoint.ts

@@ -0,0 +1,34 @@
+import { DecodedRequest, Endpoint, Request, Response } from "@simonbackx/simple-endpoints";
+import { Organization as OrganizationStruct } from "@stamhoofd/structures";
+
+import { AuthenticatedStructures } from "../../../../helpers/AuthenticatedStructures";
+import { Context } from "../../../../helpers/Context";
+
+type Params = Record<string, never>;
+type Query = undefined;
+type Body = undefined
+type ResponseBody = OrganizationStruct;
+
+export class GetOrganizationEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "GET") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/organization", {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(_: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope();
+        await Context.optionalAuthenticate({allowWithoutAccount: true})
+
+        return new Response(
+            await AuthenticatedStructures.organization(organization)
+        );
+    }
+}

package/src/endpoints/organization/shared/auth/OpenIDConnectCallbackEndpoint.ts

@@ -0,0 +1,44 @@
+import { AnyDecoder, Decoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request } from "@simonbackx/simple-endpoints";
+import { SimpleError } from '@simonbackx/simple-errors';
+
+import { Context } from '../../../../helpers/Context';
+import { OpenIDConnectHelper } from '../../../../helpers/OpenIDConnectHelper';
+
+type Params = Record<string, never>;
+type Query = undefined;
+type Body = any;
+type ResponseBody = undefined;
+
+export class OpenIDConnectCallbackEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    bodyDecoder = AnyDecoder as Decoder<any>;
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "POST") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/openid/callback", {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope()
+        const configuration = organization.serverMeta.ssoConfiguration
+
+        if (!configuration) {
+            throw new SimpleError({
+                code: "invalid_configuration",
+                message: "Invalid configuration",
+                statusCode: 400
+            });
+        }
+
+        const helper = new OpenIDConnectHelper(organization, configuration)
+        return await helper.callback(request)
+    }
+}

package/src/endpoints/organization/shared/auth/OpenIDConnectStartEndpoint.ts

@@ -0,0 +1,82 @@
+import { Decoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request } from "@simonbackx/simple-endpoints";
+import { SimpleError } from '@simonbackx/simple-errors';
+import { Webshop } from '@stamhoofd/models';
+import { StartOpenIDFlowStruct } from "@stamhoofd/structures";
+
+import { Context } from '../../../../helpers/Context';
+import { OpenIDConnectHelper } from '../../../../helpers/OpenIDConnectHelper';
+
+type Params = Record<string, never>;
+type Query = undefined;
+type Body = StartOpenIDFlowStruct;
+type ResponseBody = undefined;
+
+export class OpenIDConnectStartEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    bodyDecoder = StartOpenIDFlowStruct as Decoder<StartOpenIDFlowStruct>;
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "POST") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/openid/start", {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        // Check webshop and/or organization
+        const organization = await Context.setOrganizationScope()
+        const webshopId = request.body.webshopId;
+        let redirectUri = 'https://' + organization.getHost()
+        
+        if (webshopId) {
+            const webshop = await Webshop.getByID(webshopId)
+            if (!webshop || webshop.organizationId !== organization.id) {
+                throw new SimpleError({
+                    code: "invalid_webshop",
+                    message: "Invalid webshop",
+                    statusCode: 400
+                });
+            }
+            redirectUri = 'https://' + webshop.setRelation(Webshop.organization, organization).getHost()
+        }
+
+        if (request.body.redirectUri) {
+            try {
+                const allowedHost = new URL(redirectUri);
+                const givenUrl = new URL(request.body.redirectUri);
+
+                if (allowedHost.host === givenUrl.host && givenUrl.protocol === "https:") {
+                    redirectUri = givenUrl.href
+                }
+            } catch (e) {
+                console.error('Invalid redirect uri', request.body.redirectUri)
+            }
+        }
+
+        if (request.body.spaState.length < 10) {
+            throw new SimpleError({
+                code: "invalid_state",
+                message: "Invalid state",
+                statusCode: 400
+            });
+        }
+        
+        const configuration = organization.serverMeta.ssoConfiguration
+        if (!configuration) {
+            throw new SimpleError({
+                code: "invalid_client",
+                message: "SSO not configured",
+                statusCode: 400
+            });
+        }
+
+        const helper = new OpenIDConnectHelper(organization, configuration)
+        return await helper.startAuthCodeFlow(redirectUri, request.body.provider, request.body.spaState, request.body.prompt)
+    }
+}

package/src/endpoints/organization/webshops/CheckWebshopDiscountCodesEndpoint.ts

@@ -0,0 +1,59 @@
+import { ArrayDecoder, StringDecoder } from "@simonbackx/simple-encoding";
+import { DecodedRequest, Endpoint, Request, Response } from "@simonbackx/simple-endpoints";
+import { SimpleError } from '@simonbackx/simple-errors';
+import { Webshop, WebshopDiscountCode } from '@stamhoofd/models';
+import { DiscountCode } from "@stamhoofd/structures";
+
+import { Context } from "../../../helpers/Context";
+
+type Params = { id: string };
+type Query = undefined;
+type Body = string[]
+type ResponseBody = DiscountCode[]
+
+export class CheckWebshopDiscountCodesEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    bodyDecoder = new ArrayDecoder(StringDecoder)
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "POST") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/webshop/@id/discount-codes", { id: String });
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope()
+        const webshop = await Webshop.getByID(request.params.id)
+        if (!webshop || webshop.organizationId != organization.id) {
+            throw new SimpleError({
+                code: "not_found",
+                message: "Webshop not found",
+                human: "Deze webshop bestaat niet (meer)"
+            })
+        }
+
+        if (request.body.length > 10) {
+            // Auto limit
+            request.body = request.body.slice(0, 10)
+        }
+        
+        // Check all discount codes
+        // Return all valid ones
+        if (request.body.length > 0) {
+            const codes = await WebshopDiscountCode.getActiveCodes(webshop.id, request.body)
+
+            // todo
+            return new Response(
+                codes.map(c => c.getStructure())
+            );
+        }
+
+        return new Response([]);
+    }
+}

package/src/endpoints/organization/webshops/GetOrderByPaymentEndpoint.ts

@@ -0,0 +1,51 @@
+import { PartialWithoutMethods } from "@simonbackx/simple-encoding";
+import { DecodedRequest, Endpoint, Request, Response } from "@simonbackx/simple-endpoints";
+import { SimpleError } from '@simonbackx/simple-errors';
+import { Order } from '@stamhoofd/models';
+import { Payment } from '@stamhoofd/models';
+import { Order as OrderStruct } from "@stamhoofd/structures";
+
+import { Context } from "../../../helpers/Context";
+type Params = { id: string; paymentId: string };
+type Query = undefined;
+type Body = undefined
+type ResponseBody = OrderStruct
+
+export class GetOrderByPaymentEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "GET") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/webshop/@id/payment/@paymentId/order", { id: String, paymentId: String });
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope()
+        const payment = await Payment.getByID(request.params.paymentId)
+
+        if (!payment || payment.organizationId != organization.id) {
+            throw new SimpleError({
+                code: "not_found",
+                message: "Order not found",
+                human: "Deze bestelling bestaat niet (meer)"
+            })
+        }
+        const [order] = await Order.where({ paymentId: payment.id }, { limit: 1})
+        if (!order || order.webshopId != request.params.id || order.organizationId != organization.id) {
+            throw new SimpleError({
+                code: "not_found",
+                message: "Order not found",
+                human: "Deze bestelling bestaat niet (meer)"
+            })
+        }
+
+        order.setRelation(Order.payment, payment)
+        return new Response(await order.getStructure());
+    }
+}

package/src/endpoints/organization/webshops/GetOrderEndpoint.ts

@@ -0,0 +1,40 @@
+import { DecodedRequest, Endpoint, Request, Response } from "@simonbackx/simple-endpoints";
+import { SimpleError } from '@simonbackx/simple-errors';
+import { Order } from '@stamhoofd/models';
+import { Order as OrderStruct } from "@stamhoofd/structures";
+
+import { Context } from "../../../helpers/Context";
+type Params = { id: string; orderId: string };
+type Query = undefined;
+type Body = undefined
+type ResponseBody = OrderStruct
+
+export class GetOrderEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "GET") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/webshop/@id/order/@orderId", { id: String, orderId: String });
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope()
+        const order = await Order.getByID(request.params.orderId)
+
+        if (!order || order.webshopId != request.params.id || order.organizationId != organization.id) {
+            throw new SimpleError({
+                code: "not_found",
+                message: "Order not found",
+                human: "Deze bestelling bestaat niet (meer)"
+            })
+        }
+
+        return new Response(await order.getStructure());
+    }
+}

package/src/endpoints/organization/webshops/GetTicketsEndpoint.ts

@@ -0,0 +1,124 @@
+import { AutoEncoder, Decoder, field, StringDecoder } from "@simonbackx/simple-encoding";
+import { DecodedRequest, Endpoint, Request, Response } from "@simonbackx/simple-endpoints";
+import { SimpleError } from "@simonbackx/simple-errors";
+import { Order, Ticket } from '@stamhoofd/models';
+import { TicketOrder, TicketPublic } from "@stamhoofd/structures";
+
+import { Context } from "../../../helpers/Context";
+type Params = { id: string };
+
+class Query extends AutoEncoder {
+    /**
+     * Get one ticket by the secret of an individual ticket
+     */
+    @field({ decoder: StringDecoder, optional: true })
+    secret?: string
+
+    /**
+     * Get all tickets of a single order if key is not passed.
+     * If key is passed, only return a single ticket, but exclude item information
+     */
+    @field({ decoder: StringDecoder, optional: true })
+    orderId?: string
+}
+
+type Body = undefined
+type ResponseBody = TicketPublic[] | TicketOrder[]
+
+export class GetTicketsEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    queryDecoder = Query as Decoder<Query>
+    
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "GET") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/webshop/@id/tickets", { id: String });
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope()
+        
+        if (request.query.secret) {
+            const [ticket] = await Ticket.where({ 
+                secret: request.query.secret, 
+                webshopId: request.params.id,
+                organizationId: organization.id
+            }, { limit: 1 })
+
+            if (!ticket || (request.query.orderId && ticket.orderId !== request.query.orderId) || ticket.isDeleted) {
+                throw new SimpleError({
+                    code: "not_found",
+                    message: "Ticket not found",
+                    human: "Dit ticket bestaat niet"
+                })
+            }
+
+            if (!request.query.orderId) {
+                // Include item data
+                const order = await Order.getByID(ticket.orderId)
+                if (!order || order.webshopId !== request.params.id) {
+                    console.error("Error: missing order "+ticket.orderId+" for ticket "+ticket.id)
+                    throw new SimpleError({
+                        code: "not_found",
+                        message: "Ticket not found",
+                        human: "Dit ticket bestaat niet"
+                    })
+                }
+
+                if (ticket.itemId) {
+                    const item = order.data.cart.items.find(i => i.id === ticket.itemId)
+                    
+                    if (!item) {
+                        console.error("Error: missing item "+ticket.itemId+" for ticket "+ticket.id)
+                        throw new SimpleError({
+                            code: "not_found",
+                            message: "Ticket not found",
+                            human: "Dit ticket bestaat niet"
+                        })
+                    }
+
+                    return new Response([
+                        TicketPublic.create({
+                            ...ticket,
+                            items: [item]
+                        })
+                    ]); 
+
+                } else {
+                    return new Response([
+                        TicketPublic.create({
+                            ...ticket,
+                            items: order.data.cart.items
+                        })
+                    ]); 
+                }
+            }
+            return new Response([
+                TicketOrder.create(ticket)
+            ]); 
+        } else {
+            if (!request.query.orderId) {
+                throw new SimpleError({
+                    code: "not_found",
+                    message: "At least one query parameter expected: secret, orderId"
+                })
+            }
+
+            const tickets = await Ticket.where({ 
+                orderId: request.query.orderId, 
+                webshopId: request.params.id,
+                organizationId: organization.id,
+                deletedAt: null
+            })
+            return new Response(
+                tickets.map(ticket => TicketOrder.create(ticket))
+            ); 
+        }
+    }
+}

package/src/endpoints/organization/webshops/GetWebshopEndpoint.test.ts

@@ -0,0 +1,130 @@
+import { Request } from "@simonbackx/simple-endpoints";
+import { OrganizationFactory, Token, UserFactory, WebshopFactory } from '@stamhoofd/models';
+import { PermissionLevel, Permissions, PrivateWebshop, Webshop as WebshopStruct  } from '@stamhoofd/structures';
+
+import { testServer } from "../../../../tests/helpers/TestServer";
+import { GetWebshopEndpoint } from './GetWebshopEndpoint';
+
+describe("Endpoint.GetWebshop", () => {
+    // Test endpoint
+    const endpoint = new GetWebshopEndpoint();
+
+    test("Get webshop as signed in user", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const user = await new UserFactory({ organization }).create()
+        const token = await Token.createToken(user)
+        const webshop = await new WebshopFactory({ organizationId: organization.id }).create()
+
+        const r = Request.buildJson("GET", "/v244/webshop/" + webshop.id, organization.getApiHost());
+        r.headers.authorization = "Bearer " + token.accessToken
+
+        const response = await testServer.test(endpoint, r);
+        expect(response.body).toBeDefined();
+
+        expect(response.body.id).toEqual(webshop.id)
+        expect((response.body as any).privateMeta).toBeUndefined()
+    });
+
+    test("Allow access without organization scope in old v243", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const webshop = await new WebshopFactory({ organizationId: organization.id }).create()
+
+        const r = Request.buildJson("GET", "/v243/webshop/" + webshop.id);
+
+        const response = await testServer.test(endpoint, r);
+        expect(response.body).toBeDefined();
+
+        expect(response.body.id).toEqual(webshop.id)
+        expect((response.body as any).privateMeta).toBeUndefined()
+    });
+
+    test("Do not allow access without organization scope in v244", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const webshop = await new WebshopFactory({ organizationId: organization.id }).create()
+        const r = Request.buildJson("GET", "/v244/webshop/" + webshop.id);
+        await expect(testServer.test(endpoint, r)).rejects.toThrow('Please specify the organization in the hostname');
+    });
+
+    test("Get webshop as admin", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const user = await new UserFactory({
+            organization,
+            permissions: Permissions.create({
+                level: PermissionLevel.Read
+            })
+        }).create()
+        const token = await Token.createToken(user)
+
+        const webshop = await new WebshopFactory({ organizationId: organization.id }).create()
+
+        const r = Request.buildJson("GET", "/v244/webshop/" + webshop.id, organization.getApiHost());
+        r.headers.authorization = "Bearer " + token.accessToken
+
+        const response = await testServer.test(endpoint, r);
+        expect(response.body).toBeDefined();
+
+        expect(response.body.id).toEqual(webshop.id)
+        expect((response.body as any).privateMeta).toBeDefined()
+    });
+
+    test("Get webshop as admin that does not have access to specific webshop", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const user = await new UserFactory({
+            organization,
+            permissions: Permissions.create({
+                level: PermissionLevel.None
+            })
+        }).create()
+        const token = await Token.createToken(user)
+
+        const webshop = await new WebshopFactory({ organizationId: organization.id }).create()
+
+        const r = Request.buildJson("GET", "/v244/webshop/" + webshop.id, organization.getApiHost());
+        r.headers.authorization = "Bearer " + token.accessToken
+
+        const response = await testServer.test(endpoint, r);
+        expect(response.body).toBeDefined();
+
+        expect(response.body.id).toEqual(webshop.id)
+        expect((response.body as any).privateMeta).toBeUndefined()
+    });
+
+     test("Get webshop as admin of a different organization", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const organization2 = await new OrganizationFactory({}).create()
+        const user = await new UserFactory({
+            organization: organization2,
+            permissions: Permissions.create({
+                level: PermissionLevel.Read
+            })
+        }).create()
+
+        const token = await Token.createToken(user)
+        const webshop = await new WebshopFactory({ organizationId: organization.id }).create()
+
+        const r = Request.buildJson("GET", "/v244/webshop/" + webshop.id, organization.getApiHost());
+        r.headers.authorization = "Bearer " + token.accessToken
+
+        await expect(testServer.test(endpoint, r)).rejects.toThrow('The access token is invalid');
+    });
+
+    test("If organization scope is missing in v243, access is still checked correctly", async () => {
+        const organization = await new OrganizationFactory({}).create()
+        const organization2 = await new OrganizationFactory({}).create()
+        const user = await new UserFactory({
+            organization: organization2,
+            permissions: Permissions.create({
+                level: PermissionLevel.Full
+            })
+        }).create()
+
+        const token = await Token.createToken(user)
+        const webshop = await new WebshopFactory({ organizationId: organization.id }).create()
+
+        const r = Request.buildJson("GET", "/v243/webshop/" + webshop.id);
+        r.headers.authorization = "Bearer " + token.accessToken
+
+        await expect(testServer.test(endpoint, r)).rejects.toThrow('The access token is invalid');
+    });
+
+});