@stamhoofd/backend 1.0.0

package/src/endpoints/organization/webshops/PlaceOrderEndpoint.ts

@@ -0,0 +1,335 @@
+import { createMollieClient, PaymentMethod as molliePaymentMethod } from '@mollie/api-client';
+import { Decoder } from '@simonbackx/simple-encoding';
+import { DecodedRequest, Endpoint, Request, Response } from "@simonbackx/simple-endpoints";
+import { SimpleError } from '@simonbackx/simple-errors';
+import { I18n } from '@stamhoofd/backend-i18n';
+import { Email } from '@stamhoofd/email';
+import { BalanceItem, BalanceItemPayment, MolliePayment, MollieToken, Order, PayconiqPayment, Payment, RateLimiter, Webshop, WebshopDiscountCode } from '@stamhoofd/models';
+import { QueueHandler } from '@stamhoofd/queues';
+import { BalanceItemStatus, Order as OrderStruct, OrderData, OrderResponse, Payment as PaymentStruct, PaymentMethod, PaymentMethodHelper, PaymentProvider, PaymentStatus, Version, Webshop as WebshopStruct,WebshopAuthType } from "@stamhoofd/structures";
+import { Formatter } from '@stamhoofd/utility';
+
+import { BuckarooHelper } from '../../../helpers/BuckarooHelper';
+import { Context } from '../../../helpers/Context';
+import { StripeHelper } from '../../../helpers/StripeHelper';
+
+type Params = { id: string };
+type Query = undefined;
+type Body = OrderData
+type ResponseBody = OrderResponse
+
+export const demoOrderLimiter = new RateLimiter({
+    limits: [
+        {   
+            // Max 10 per hour
+            limit: STAMHOOFD.environment === 'development' ? 100 : 10,
+            duration: 60 * 1000 * 60
+        },
+        {   
+            // Max 20 a day
+            limit: STAMHOOFD.environment === 'development' ? 1000 : 20,
+            duration: 24 * 60 * 1000 * 60
+        }
+    ]
+});
+
+/**
+ * Allow to add, patch and delete multiple members simultaneously, which is needed in order to sync relational data that is saved encrypted in multiple members (e.g. parents)
+ */
+export class PlaceOrderEndpoint extends Endpoint<Params, Query, Body, ResponseBody> {
+    bodyDecoder = OrderData as Decoder<OrderData>
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method != "POST") {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, "/webshop/@id/order", { id: String });
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        const organization = await Context.setOrganizationScope();
+        await Context.optionalAuthenticate()
+
+        // Read + validate + update stock in one go, to prevent race conditions
+        const { webshop, order } = await QueueHandler.schedule("webshop-stock/"+request.params.id, async () => {
+            const webshopWithoutOrganization = await Webshop.getByID(request.params.id)
+            if (!webshopWithoutOrganization || webshopWithoutOrganization.organizationId !== organization.id) {
+                throw new SimpleError({
+                    code: "not_found",
+                    message: "Webshop not found",
+                    human: "Deze webshop bestaat niet (meer)"
+                })
+            }
+
+            //const organization = (await Organization.getByID(webshopWithoutOrganization.organizationId))!
+            const webshop = webshopWithoutOrganization.setRelation(Webshop.organization, organization)
+
+            if (webshop.meta.authType === WebshopAuthType.Required && !Context.user) {
+                throw new SimpleError({
+                    code: "not_authenticated",
+                    message: "Not authenticated",
+                    human: "Je moet inloggen om een bestelling te kunnen plaatsen.",
+                    statusCode: 401
+                })
+            }
+
+            // For non paid organizations, the limit is 10
+            if (!organization.meta.packages.isPaid && STAMHOOFD.environment !== 'test') {
+                const limiter = demoOrderLimiter
+
+                try {
+                    limiter.track(organization.id, 1);
+                } catch (e) {
+                    Email.sendInternal({
+                        to: "hallo@stamhoofd.be",
+                        subject: "[Limiet] Limiet bereikt voor aantal bestellingen",
+                        text: "Beste, \nDe limiet werd bereikt voor het aantal bestellingen per dag. \nVereniging: "+organization.id+" ("+organization.name+")" + "\n\n" + e.message + "\n\nStamhoofd"
+                    }, new I18n("nl", "BE"))
+                    
+                    throw new SimpleError({
+                        code: "too_many_emails_period",
+                        message: "Too many e-mails limited",
+                        human: "Oeps! Om spam te voorkomen limiteren we het aantal test bestellingen die je per uur of dag kan plaatsen. Probeer over een uur opnieuw of schakel over naar een betaald abonnement.",
+                        field: "recipients"
+                    })
+                }
+            }
+
+            const webshopStruct = WebshopStruct.create(webshop)
+
+            const usedCodes = request.body.discountCodes.map(c => c.code)
+            const uniqueCodes = Formatter.uniqueArray(usedCodes);
+            if (uniqueCodes.length !== usedCodes.length) {
+                // Duplicate code usage is not allowed
+                throw new SimpleError({
+                    code: "duplicate_codes",
+                    message: "Duplicate usage of discount codes",
+                    human: "Sommige kortingcodes werden dubbel toegepast op jouw bestelling. Kijk het even na, dit is niet toegestaan.",
+                    field: "cart.discountCodes"
+                })
+            }
+            if (uniqueCodes.length > 0) {
+                // Fetch new and update them
+                const codeModels = await WebshopDiscountCode.getActiveCodes(webshop.id, uniqueCodes)
+
+                if (codeModels.length !== uniqueCodes.length) {
+                    throw new SimpleError({
+                        code: "invalid_code",
+                        message: "Invalid discount code",
+                        human: "De kortingscode die je hebt toegevoegd is niet (meer) geldig",
+                        field: "cart.discountCodes"
+                    })
+                }
+                request.body.discountCodes = codeModels.map(c => c.getStructure())
+            }
+
+            request.body.validate(webshopStruct, organization.meta, request.i18n, false, Context.user?.getStructure())
+            request.body.update(webshopStruct)
+
+            const order = new Order().setRelation(Order.webshop, webshop)
+            order.data = request.body // TODO: validate
+            order.organizationId = organization.id
+            order.createdAt = new Date()
+            order.createdAt.setMilliseconds(0)
+            order.userId = Context.user?.id ?? null
+
+            // Always reserve the stock
+            await order.updateStock()
+            return { webshop, order, organization }
+        })
+
+        // The order now is valid, the stock is reserved for now (until the payment fails or expires)
+        const totalPrice = request.body.totalPrice
+
+        try {
+            if (totalPrice == 0) {
+                // Force unknown payment method
+                order.data.paymentMethod = PaymentMethod.Unknown
+
+                // Mark this order as paid
+                await order.markPaid(null, organization, webshop)
+                await order.save()
+            } else {
+                const payment = new Payment()
+                payment.organizationId = organization.id
+                payment.method = request.body.paymentMethod
+                payment.status = PaymentStatus.Created
+                payment.price = totalPrice
+                payment.paidAt = null
+
+                // Determine the payment provider
+                // Throws if invalid
+                const {provider, stripeAccount} = await organization.getPaymentProviderFor(payment.method, webshop.privateMeta.paymentConfiguration)
+                payment.provider = provider
+                payment.stripeAccountId = stripeAccount?.id ?? null
+
+                await payment.save()
+
+                // Deprecated field
+                order.paymentId = payment.id
+                order.setRelation(Order.payment, payment)
+
+                // Save order to get the id
+                await order.save()
+
+                const balanceItemPayments: (BalanceItemPayment & { balanceItem: BalanceItem })[] = []
+
+                // Create balance item
+                const balanceItem = new BalanceItem();
+                balanceItem.orderId = order.id;
+                balanceItem.price = totalPrice
+                balanceItem.description = webshop.meta.name
+                balanceItem.pricePaid = 0
+                balanceItem.organizationId = organization.id;
+                balanceItem.status = BalanceItemStatus.Hidden;
+                await balanceItem.save();
+
+                // Create one balance item payment to pay it in one payment
+                const balanceItemPayment = new BalanceItemPayment()
+                balanceItemPayment.balanceItemId = balanceItem.id;
+                balanceItemPayment.paymentId = payment.id;
+                balanceItemPayment.organizationId = organization.id;
+                balanceItemPayment.price = balanceItem.price;
+                await balanceItemPayment.save();
+                balanceItemPayments.push(balanceItemPayment.setRelation(BalanceItemPayment.balanceItem, balanceItem))
+
+                let paymentUrl: string | null = null
+                const description = webshop.meta.name+" - "+payment.id
+
+                if (payment.method == PaymentMethod.Transfer) {
+                    await order.markValid(payment, [])
+
+                    if (order.number) {
+                        balanceItem.description = order.generateBalanceDescription(webshop)
+                    }
+
+                    balanceItem.status = BalanceItemStatus.Pending;
+                    await balanceItem.save()
+                    await payment.save()
+                } else if (payment.method == PaymentMethod.PointOfSale) {
+                    // Not really paid, but needed to create the tickets if needed
+                    await order.markPaid(payment, organization, webshop)
+
+                    if (order.number) {
+                        balanceItem.description = order.generateBalanceDescription(webshop)
+                    }
+                    
+                    balanceItem.status = BalanceItemStatus.Pending;
+                    await balanceItem.save()
+                    await payment.save()
+                } else {
+                    const cancelUrl = "https://"+webshop.getHost()+'/payment?id='+encodeURIComponent(payment.id)+"&cancel=true"
+                    const redirectUrl = "https://"+webshop.getHost()+'/payment?id='+encodeURIComponent(payment.id)
+                    const exchangeUrl = 'https://'+organization.getApiHost()+"/v"+Version+"/payments/"+encodeURIComponent(payment.id)+"?exchange=true"
+
+                    if (payment.provider === PaymentProvider.Stripe) {
+                        const stripeResult = await StripeHelper.createPayment({
+                            payment,
+                            stripeAccount,
+                            redirectUrl,
+                            cancelUrl,
+                            statementDescriptor: webshop.meta.name,
+                            metadata: {
+                                order: order.id,
+                                organization: organization.id,
+                                webshop: webshop.id,
+                                payment: payment.id,
+                            },
+                            i18n: request.i18n,
+                            lineItems: balanceItemPayments,
+                            organization,
+                            customer: {
+                                name: order.data.customer.name,
+                                email: order.data.customer.email,
+                            }
+                        });
+                        paymentUrl = stripeResult.paymentUrl
+                    } else if (payment.provider === PaymentProvider.Mollie) {
+                        // Mollie payment
+                        const token = await MollieToken.getTokenFor(webshop.organizationId)
+                        if (!token) {
+                            throw new SimpleError({ 
+                                code: "",
+                                message: "Betaling via " + PaymentMethodHelper.getName(payment.method) + " is onbeschikbaar"
+                            })
+                        }
+                        const profileId = organization.privateMeta.mollieProfile?.id ?? await token.getProfileId(webshop.getHost())
+                        if (!profileId) {
+                            throw new SimpleError({
+                                code: "",
+                                message: "Betaling via " + PaymentMethodHelper.getName(payment.method) + " is tijdelijk onbeschikbaar"
+                            })
+                        }
+                        const mollieClient = createMollieClient({ accessToken: await token.getAccessToken() });
+                        const molliePayment = await mollieClient.payments.create({
+                            amount: {
+                                currency: 'EUR',
+                                value: (totalPrice / 100).toFixed(2)
+                            },
+                            method: payment.method == PaymentMethod.Bancontact ? molliePaymentMethod.bancontact : (payment.method == PaymentMethod.iDEAL ? molliePaymentMethod.ideal : molliePaymentMethod.creditcard),
+                            testmode: organization.privateMeta.useTestPayments ?? STAMHOOFD.environment != 'production',
+                            profileId,
+                            description,
+                            redirectUrl,
+                            webhookUrl: exchangeUrl,
+                            metadata: {
+                                order: order.id,
+                                organization: organization.id,
+                                webshop: webshop.id,
+                                payment: payment.id
+                            },
+                        });
+                        console.log(molliePayment)
+                        paymentUrl = molliePayment.getCheckoutUrl()
+
+                        // Save payment
+                        const dbPayment = new MolliePayment()
+                        dbPayment.paymentId = payment.id
+                        dbPayment.mollieId = molliePayment.id
+                        await dbPayment.save();
+                    } else if (payment.provider == PaymentProvider.Payconiq) {
+                        paymentUrl = await PayconiqPayment.createPayment(payment, organization, description, redirectUrl, exchangeUrl)
+                    } else if (payment.provider == PaymentProvider.Buckaroo) {
+                        // Increase request timeout because buckaroo is super slow
+                        request.request.request?.setTimeout(60 * 1000)
+                        const buckaroo = new BuckarooHelper(organization.privateMeta?.buckarooSettings?.key ?? "", organization.privateMeta?.buckarooSettings?.secret ?? "", organization.privateMeta.useTestPayments ?? STAMHOOFD.environment != 'production')
+                        const ip = request.request.getIP()
+                        paymentUrl = await buckaroo.createPayment(payment, ip, description, redirectUrl, exchangeUrl)
+                        await payment.save()
+
+                        // TypeScript doesn't understand that the status can change and isn't a const....
+                        if ((payment.status as any) === PaymentStatus.Failed) {
+                            throw new SimpleError({
+                                code: "payment_failed",
+                                message: "Betaling via " + PaymentMethodHelper.getName(payment.method) + " is onbeschikbaar"
+                            })
+                        }
+                    } else {
+                        throw new Error("Unknown payment provider")
+                    }
+                }
+
+                return new Response(OrderResponse.create({
+                    paymentUrl: paymentUrl,
+                    order: OrderStruct.create({...order, payment: PaymentStruct.create(payment) })
+                }));
+            }
+        } catch (e) {
+            // Mark order as failed to release stock
+            if (order) {
+                await order.deleteOrderBecauseOfCreationError()
+            }
+            throw e;
+        }
+        
+        return new Response(OrderResponse.create({
+            order: order.getStructureWithoutPayment()
+        }));
+    }
+}

package/src/helpers/AddressValidator.test.ts

@@ -0,0 +1,40 @@
+import { City, PostalCode, Province } from "@stamhoofd/models"
+import { Address, Country } from "@stamhoofd/structures"
+
+import { AddressValidator } from "./AddressValidator"
+
+describe("AddressValidator", () => {
+    it("Can validate a city", async () => {
+        const province = new Province()
+        province.name = "Oost-Vlaanderen"
+        province.country = Country.Belgium
+        await province.save()
+
+        const city = new City()
+        city.name = "Wetteren"
+        city.country = Country.Belgium
+        city.provinceId = province.id
+        await city.save()
+
+        const postalCode = new PostalCode()
+        postalCode.cityId = city.id
+        postalCode.postalCode = "9230"
+        postalCode.country = Country.Belgium
+        await postalCode.save()
+
+        expect(true).toBe(true)
+
+        const validateAddress = Address.create({
+            country: Country.Belgium,
+            city: "Wetteren",
+            street: "Kerkstraat",
+            postalCode: "9230",
+            number: "12"
+        })
+        const validated = await AddressValidator.validate(validateAddress)
+        expect(validated.street).toEqual("Kerkstraat")
+        expect(validated.city).toEqual("Wetteren")
+        expect(validated.postalCode).toEqual("9230")
+        expect(validated.number).toEqual("12")
+    })
+})

package/src/helpers/AddressValidator.ts

@@ -0,0 +1,256 @@
+import { Database } from "@simonbackx/simple-database"
+import { ArrayDecoder, AutoEncoder, Decoder, field, ObjectData, StringDecoder } from "@simonbackx/simple-encoding"
+import { SimpleError } from "@simonbackx/simple-errors"
+import { City, PostalCode, Street } from "@stamhoofd/models"
+import { Address, Country, ValidatedAddress } from "@stamhoofd/structures"
+import { sleep, StringCompare } from "@stamhoofd/utility"
+import axios from "axios"
+import { v4 as uuidv4 } from "uuid";
+
+export class AddressValidatorStatic {
+    // TODO: hold street cache
+    
+    async validate(address: Address): Promise<ValidatedAddress> {
+        address = address.clone()
+        let postalCode = address.postalCode
+        if (address.country == Country.Netherlands) {
+            // Check if we have the right syntax
+            const stripped = postalCode.replace(/\s/g, '')
+            if (stripped.length != 6) {
+                throw new SimpleError({
+                    code: "invalid_field",
+                    message: "Invalid postal code format (NL)",
+                    human: "Ongeldig postcode formaat, voer in zoals '8011 PK'",
+                    field: "postalCode"
+                })
+            }
+
+            const numbers = stripped.slice(0, 4)
+            if (!/[0-9]{4}/.test(numbers)) {
+                throw new SimpleError({
+                    code: "invalid_field",
+                    message: "Invalid postal code format (NL)",
+                    human: "Ongeldig postcode formaat, voer in zoals '8011 PK'",
+                    field: "postalCode"
+                })
+            }
+
+            // Don't do validation on last letters
+            postalCode = numbers
+        } else {
+            postalCode = postalCode.trim()
+        }
+
+        if (postalCode.length == 0) {
+            const numbers = address.city.substring(0, 4)
+            if (!/[0-9]{4}/.test(numbers)) {
+                postalCode = numbers
+                address.city = address.city.substring(4).trim()
+            } else {
+                throw new SimpleError({
+                    code: "invalid_field",
+                    message: "Postal code is required",
+                    human: "Voer een postcode in",
+                    field: "postalCode"
+                })
+            }
+        }
+        
+        const city = await PostalCode.getCity(postalCode, address.city, address.country)
+
+        if (!city) {
+            throw new SimpleError({
+                code: "invalid_field",
+                message: "Invalid postal code or city",
+                human: "Deze postcode en/of gemeente bestaat niet, kijk je even na op een typfout?",
+                field: "postalCode"
+            })
+        }
+
+        // Validate street and try to correct it
+        if (address.country === Country.Belgium) {
+            // Also validate the street
+            let streets = await Street.where({ cityId: city.parentCityId ?? city.id })
+
+            if (streets.length == 0 && STAMHOOFD.environment === "development") {
+                console.log("Forcing sync of city")
+                const c = await City.getByID(city.parentCityId ?? city.id)
+                try {
+                    await this.syncCity(c!)
+                } catch (e) {
+                    console.error('Ignored error while syncing city')
+                    console.error(e)
+                }
+                streets = await Street.where({ cityId: city.parentCityId ?? city.id })
+            }
+
+            if (STAMHOOFD.environment === "development" && streets.length > 0) {
+                // First search by typo count
+                let bestScore = 0
+                let bestStreet: Street | undefined = undefined
+                for (const street of streets) {
+                    const score = StringCompare.typoCount(street.name, address.street)
+                    if ((bestStreet === undefined || score < bestScore)) {
+                        bestScore = score
+                        bestStreet = street
+                    }
+                }
+
+                if (bestStreet && bestScore < 3) {
+                    address.street = bestStreet.name
+                } else {
+                    // Search for the street
+                    bestScore = 0
+                    bestStreet = undefined
+                    for (const street of streets) {
+                        const score = StringCompare.compare(street.name, address.street)
+                        if ((bestStreet === undefined || score > bestScore)) {
+                            bestScore = score
+                            bestStreet = street
+                        }
+                    }
+
+                    if (!bestStreet || bestScore < 3 || bestScore < bestStreet.name.length/3) {
+                        throw new SimpleError({
+                            code: "invalid_field",
+                            message: "Invalid street",
+                            human: "Deze straat bestaat niet, kijk je deze even na op fouten? Formuleer de naam zonder afkortingen.",
+                            field: "street"
+                        })
+                    }
+
+                    throw new SimpleError({
+                        code: "invalid_field",
+                        message: "Invalid street, do you mean " + bestStreet.name + "?",
+                        human: "Deze straat bestaat niet, bedoel je '" + bestStreet.name + "'?",
+                        field: "street"
+                    })
+                }
+            } else {
+                // Skip validation for some regions that don't support validation
+            }
+        }
+
+        return ValidatedAddress.create(Object.assign({ ... address }, {
+            postalCode: address.country === Country.Belgium ? postalCode : address.postalCode,
+            city: city.name, // override misspelled addresses
+            cityId: city.id,
+            parentCityId: city.parentCityId,
+            provinceId: city.provinceId,
+        }))
+    }
+
+    async downloadStreets(country: Country, city: string): Promise<string[]> {
+        let url: string | undefined = "https://api.basisregisters.vlaanderen.be/v2/straatnamen?gemeentenaam=" + encodeURIComponent(city)
+        const streetNames: string[] = []
+
+        try {
+            while (url) {
+                const response = await axios.request({
+                    method: "GET",
+                    url,
+                    headers: {
+                        "Accept": "application/ld+json",
+                    }
+                })
+
+                // TypeScript is going insane here, hence the weird type casting
+                const result = new ObjectData(response.data, { version: 0 }).decode(StraatnamenResult as Decoder<StraatnamenResult>) as any as StraatnamenResult;
+                const streets = result.straatnamen.map(street => street.straatnaam.geografischeNaam.spelling);
+
+                streetNames.push(...streets);
+                url = result.volgende
+            }
+            
+        } catch (e) {
+            console.error(e.response.data)
+            throw new Error("Failed to fetch streets")
+        }
+
+        return streetNames
+    }
+
+    async syncCity(city: City): Promise<void> {
+        const streetNames = await this.downloadStreets(city.country, city.name)
+        if (streetNames.length == 0) {
+            return
+        }
+        
+        await Database.delete("DELETE from `streets` WHERE `cityId` = ?", [city.id])
+        await Database.insert("INSERT INTO `streets` (`id`, `name`, `cityId`) VALUES ?", [streetNames.map(street => [uuidv4(), street, city.id])])
+    }
+
+    async syncAll(): Promise<void> {
+        const cities = await City.where({ country: Country.Belgium, parentCityId: null })
+        for (const city of cities) {
+            await this.syncCity(city)
+
+            // Rate limit
+            await sleep(1000)
+        }
+    }
+
+    getSlowSync(): () => Promise<void> {
+        let lastFullCitySync: Date | null = null
+        let lastCityId = ""
+        async function syncNext() {
+            // Wait 24 hours between every full update
+            if (lastFullCitySync && lastFullCitySync > new Date(new Date().getTime() - 24 * 60 * 60 * 1000)) {
+                console.log("Skip city sync")
+                return
+            }
+            
+            const cities = await City.where({ 
+                id: { sign: '>', value: lastCityId },
+                country: Country.Belgium, 
+                parentCityId: null
+            }, {
+                limit: 1,
+                sort: ["id"]
+            })
+
+            if (cities.length == 0) {
+                // Wait an half hour before starting again
+                lastCityId = ""
+                lastFullCitySync = new Date()
+                return
+            }
+
+            for (const city of cities) {
+                try {
+                    await this.syncCity(city)
+                } catch (e) {
+                    console.error("Failed city sync for "+city.name, e)
+                }
+            }
+
+            lastCityId = cities[cities.length - 1].id
+        }
+
+        return syncNext
+    }
+}
+class GeografischeNaam extends AutoEncoder {
+    @field({ decoder: StringDecoder })
+    spelling: string
+}
+
+class Straatnaam extends AutoEncoder {
+    @field({ decoder: GeografischeNaam })
+    geografischeNaam: GeografischeNaam
+}
+
+class StraatnaamResult extends AutoEncoder {
+    @field({ decoder: Straatnaam })
+    straatnaam: Straatnaam
+}
+
+class StraatnamenResult extends AutoEncoder {
+    @field({ decoder: new ArrayDecoder(StraatnaamResult) })
+    straatnamen: StraatnaamResult[]
+
+    @field({ decoder: StringDecoder, optional: true })
+    volgende?: string
+}
+
+export const AddressValidator = new AddressValidatorStatic()