npm - @stamhoofd/backend - Versions diffs - 1.0.0 - Mend

@stamhoofd/backend 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (150) hide show

package/src/helpers/OpenIDConnectHelper.ts ADDED Viewed

@@ -0,0 +1,284 @@
+import { DecodedRequest, Response } from "@simonbackx/simple-endpoints";
+import { isSimpleError, isSimpleErrors, SimpleError } from "@simonbackx/simple-errors";
+import { Organization, Token, User } from "@stamhoofd/models";
+import { LoginProviderType, OpenIDClientConfiguration, Token as TokenStruct } from "@stamhoofd/structures";
+import crypto from "crypto";
+import { generators, Issuer } from 'openid-client';
+import { CookieHelper } from "./CookieHelper";
+async function randomBytes(size: number): Promise<Buffer> {
+    return new Promise((resolve, reject) => {
+        crypto.randomBytes(size, (err: Error | null, buf: Buffer) => {
+            if (err) {
+                reject(err);
+                return;
+            }
+            resolve(buf);
+        });
+    });
+}
+type SessionContext = {
+    expires: Date,
+    code_verifier: string,
+    state: string,
+    nonce: string
+    redirectUri: string,
+    spaState: string,
+    providerType: LoginProviderType
+};
+export class OpenIDConnectHelper {
+    organization: Organization
+    configuration: OpenIDClientConfiguration
+    static sessionStorage = new Map<string, SessionContext>()
+    constructor(organization, configuration: OpenIDClientConfiguration) {
+        this.organization = organization
+        this.configuration = configuration
+    }
+    get redirectUri() {
+        return 'https://' + this.organization.id + '.' + STAMHOOFD.domains.api + '/openid/callback'
+    }
+    async getClient() {
+        const issuer = await Issuer.discover(this.configuration.issuer);
+        const client = new issuer.Client({
+            client_id: this.configuration.clientId,
+            client_secret: this.configuration.clientSecret,
+            redirect_uris: [this.redirectUri],
+            response_types: ['code'],
+        });
+        // Todo: in the future we can add a cache here
+        return client;
+    }
+    static async storeSession(response: Response<any>, data: SessionContext) {
+        const sessionId = (await randomBytes(192)).toString("base64");
+        // Delete expired sessions
+        for (const [key, value] of this.sessionStorage) {
+            if (value.expires < new Date()) {
+                this.sessionStorage.delete(key)
+            }
+        }
+        this.sessionStorage.set(sessionId, data);
+        // Store
+        CookieHelper.setCookie(response, "oid_session_id", sessionId, {
+            httpOnly: true,
+            secure: true,
+            expires: data.expires
+        })
+    }
+    static getSession(request: DecodedRequest<any, any, any>): SessionContext | null {
+        const sessionId = CookieHelper.getCookie(request, "oid_session_id")
+        if (!sessionId) {
+            return null
+        }
+        const session = this.sessionStorage.get(sessionId)
+        if (!session) {
+            return null
+        }
+        if (session.expires < new Date()) {
+            return null
+        }
+        return session
+    }
+    async startAuthCodeFlow(redirectUri: string, providerType: LoginProviderType, spaState: string, prompt: string | null = null): Promise<Response<undefined>> {
+        const code_verifier = generators.codeVerifier();
+        const state = generators.state();
+        const nonce = generators.nonce();
+        const code_challenge = generators.codeChallenge(code_verifier);
+        const expires = new Date(Date.now() + 1000 * 60 * 15);
+        const session: SessionContext = {
+            expires,
+            code_verifier,
+            state,
+            nonce,
+            redirectUri,
+            spaState,
+            providerType
+        };
+        try {
+            const response = new Response(undefined);
+            const client = await this.getClient()
+            await OpenIDConnectHelper.storeSession(response, session);
+            const redirect = client.authorizationUrl({
+                scope: 'openid email profile',
+                code_challenge,
+                code_challenge_method: 'S256',
+                response_mode: 'form_post',
+                response_type: 'code',
+                state,
+                nonce,
+                prompt: prompt ?? undefined
+            });
+            response.headers['location'] = redirect;
+            response.status = 302;
+            return response;
+        } catch (e) {
+            const message = (isSimpleError(e) || isSimpleErrors(e) ? e.getHuman() : 'Er ging iets mis.')
+            console.error('Error in openID callback', e)
+            return OpenIDConnectHelper.getErrorRedirectResponse(session, message)
+        }
+    }
+    async callback(request: DecodedRequest<any, any, any>): Promise<Response<undefined>> {
+        const session = OpenIDConnectHelper.getSession(request)
+        if (!session) {
+            throw new Error("Missing session")
+        }
+        try {
+            const response = new Response(undefined);
+            const client = await this.getClient()
+            // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+            const tokenSet = await client.callback(this.redirectUri, request.body, {
+                code_verifier: session.code_verifier,
+                state: session.state,
+                nonce: session.nonce
+            });
+            console.log('received and validated tokens %j', tokenSet);
+            const claims = tokenSet.claims();
+            console.log('validated ID Token claims %j', claims);
+            if (!claims.name) {
+                throw new SimpleError({
+                    code: 'invalid_user',
+                    message: "Missing name",
+                    statusCode: 400
+                })
+            }
+            let firstName = claims.name.split(" ")[0]
+            let lastName = claims.name.split(" ").slice(1).join(" ")
+            // Get from API
+            if (tokenSet.access_token) {
+                const userinfo = await client.userinfo(tokenSet.access_token);
+                console.log('userinfo', userinfo);
+                if (userinfo.given_name) {
+                    console.log('userinfo given_name', userinfo.given_name);
+                    firstName = userinfo.given_name
+                }
+                if (userinfo.family_name) {
+                    console.log('userinfo family_name', userinfo.family_name);
+                    lastName = userinfo.family_name
+                }
+            }
+            if (!claims.email) {
+                throw new SimpleError({
+                    code: 'invalid_user',
+                    message: "Missing email address",
+                    statusCode: 400
+                })
+            }
+            if (!claims.sub) {
+                throw new SimpleError({
+                    code: 'invalid_user',
+                    message: "Missing sub",
+                    statusCode: 400
+                })
+            }
+            // Get user from database
+            let user = await User.getOrganizationLevelUser(this.organization.id, claims.email)
+            if (!user) {
+                // Create a new user
+                user = await User.registerSSO(this.organization, {
+                    id: undefined,
+                    email: claims.email,
+                    firstName,
+                    lastName,
+                    type: session.providerType,
+                    sub: claims.sub,
+                })
+                if (!user) {
+                    throw new SimpleError({
+                        code: 'invalid_user',
+                        message: "Failed to create user",
+                        statusCode: 500
+                    })
+                }
+            } else {
+                // Update name
+                if (!user.firstName || !user.hasPasswordBasedAccount()) {
+                    user.firstName = firstName
+                }
+                if (!user.lastName || !user.hasPasswordBasedAccount()) {
+                    user.lastName = lastName
+                }
+                user.linkLoginProvider(session.providerType, claims.sub)
+                await user.save()
+            }
+            const token = await Token.createExpiredToken(user);
+            if (!token) {
+                throw new SimpleError({
+                    code: "error",
+                    message: "Could not generate token",
+                    human: "Er ging iets mis bij het aanmelden",
+                    statusCode: 500
+                });
+            }
+            const st = new TokenStruct(token);
+            // Redirect back to webshop
+            const redirectUri = new URL(session.redirectUri)
+            redirectUri.searchParams.set("oid_rt", st.refreshToken)
+            redirectUri.searchParams.set("s", session.spaState)
+            response.headers['location'] = redirectUri.toString();
+            response.status = 302;
+            return response;
+        } catch (e) {
+            const message = (isSimpleError(e) || isSimpleErrors(e) ? e.getHuman() : 'Er ging iets mis.')
+            console.error('Error in openID callback', e)
+            return OpenIDConnectHelper.getErrorRedirectResponse(session, message)
+        }
+    }
+    static getErrorRedirectResponse(session: SessionContext, errorMessage: string) {
+        const response = new Response(undefined);
+        // Redirect back to webshop
+        const redirectUri = new URL(session.redirectUri)
+        redirectUri.searchParams.set("s", session.spaState)
+        redirectUri.searchParams.set("error", errorMessage)
+        response.headers['location'] = redirectUri.toString();
+        response.status = 302;
+        return response;
+    }
+}

package/src/helpers/StripeHelper.ts ADDED Viewed

@@ -0,0 +1,293 @@
+import { SimpleError } from '@simonbackx/simple-errors';
+import { I18n } from '@stamhoofd/backend-i18n';
+import { BalanceItem, BalanceItemPayment, Organization, Payment, StripeAccount, StripeCheckoutSession, StripePaymentIntent } from '@stamhoofd/models';
+import { calculateVATPercentage, PaymentMethod, PaymentMethodHelper, PaymentStatus } from '@stamhoofd/structures';
+import { Formatter } from '@stamhoofd/utility';
+import Stripe from 'stripe';
+export class StripeHelper {
+    static getInstance() {
+        return new Stripe(STAMHOOFD.STRIPE_SECRET_KEY, {apiVersion: '2022-11-15', typescript: true, maxNetworkRetries: 0, timeout: 10000});
+    }
+    static async getStatus(payment: Payment, cancel = false, testMode = false): Promise<PaymentStatus> {
+        if (testMode && !STAMHOOFD.STRIPE_SECRET_KEY.startsWith("sk_test_")) {
+            // Do not query anything
+            return payment.status
+        }
+        const [model] = await StripePaymentIntent.where({paymentId: payment.id}, {limit: 1})
+        if (!model) {
+            return await this.getStatusFromCheckoutSession(payment, cancel)
+        }
+        const stripe = this.getInstance()
+        let intent = await stripe.paymentIntents.retrieve(model.stripeIntentId)
+        console.log(intent);
+        if (intent.status === "succeeded") {
+            if (intent.latest_charge) {
+                try {
+                    const charge = await stripe.charges.retrieve(typeof intent.latest_charge === 'string' ? intent.latest_charge : intent.latest_charge.id)
+                    if (charge.payment_method_details?.bancontact) {
+                        if (charge.payment_method_details.bancontact.iban_last4) {
+                            payment.iban = "xxxx " + charge.payment_method_details.bancontact.iban_last4
+                        }
+                        payment.ibanName = charge.payment_method_details.bancontact.verified_name
+                        await payment.save()
+                    }
+                    if (charge.payment_method_details?.ideal) {
+                        if (charge.payment_method_details.ideal.iban_last4) {
+                            payment.iban = "xxxx " + charge.payment_method_details.ideal.iban_last4
+                        }
+                        payment.ibanName = charge.payment_method_details.ideal.verified_name
+                        await payment.save()
+                    }
+                    if (charge.payment_method_details?.card) {
+                        if (charge.payment_method_details.card.last4) {
+                            payment.iban = "xxxx " + charge.payment_method_details.card.last4
+                        }
+                        await payment.save()
+                    }
+                } catch (e) {
+                    console.error('Failed fatching charge', e)
+                }
+            }
+            return PaymentStatus.Succeeded
+        }
+        if (intent.status === "canceled" || intent.status === "requires_payment_method") {
+            // For Bnaconctact/iDEAL the payment status is reverted to requires_payment_method when the user cancels the payment
+            // Don't ask me why...
+            return PaymentStatus.Failed
+        }
+        if (cancel) {
+            try {
+                // Cancel the intent
+                console.log('Cancelling payment intent')
+                intent = await stripe.paymentIntents.cancel(model.stripeIntentId)
+                console.log('Cancelled payment intent', intent)
+                if (intent.status === "succeeded") {
+                    return PaymentStatus.Succeeded
+                }
+                if (intent.status === "canceled" || intent.status === "requires_payment_method") {
+                    return PaymentStatus.Failed
+                }
+            } catch (e) {
+                console.error('Error cancelling payment intent', e)
+            }
+        }
+        if (intent.status === "processing") {
+            return PaymentStatus.Pending
+        }
+        return PaymentStatus.Created
+    }
+    static async getStatusFromCheckoutSession(payment: Payment, cancel = false): Promise<PaymentStatus> {
+        const [model] = await StripeCheckoutSession.where({paymentId: payment.id}, {limit: 1})
+        if (!model) {
+            return PaymentStatus.Failed
+        }
+        const stripe = this.getInstance()
+        const session = await stripe.checkout.sessions.retrieve(model.stripeSessionId)
+        console.log("session", session);
+        if (session.status === "complete") {
+            return PaymentStatus.Succeeded
+        }
+        if (session.status === "expired") {
+            return PaymentStatus.Failed
+        }
+        if (cancel) {
+            // Cancel the session
+            const session = await stripe.checkout.sessions.expire(model.stripeSessionId)
+            if (session.status === "complete") {
+                return PaymentStatus.Succeeded
+            }
+            if (session.status === "expired") {
+                return PaymentStatus.Failed
+            }
+        }
+        return PaymentStatus.Created
+    }
+    static async createPayment(
+        {payment, stripeAccount, redirectUrl, cancelUrl, customer, statementDescriptor, i18n, metadata, organization, lineItems}: {
+            payment: Payment,
+            stripeAccount: StripeAccount | null,
+            redirectUrl: string,
+            cancelUrl: string,
+            customer: {
+                name: string,
+                email: string,
+            },
+            statementDescriptor: string,
+            i18n: I18n,
+            metadata: {[key: string]: string},
+            organization: Organization,
+            lineItems: (BalanceItemPayment & {balanceItem: BalanceItem})[],
+        }
+    ): Promise<{paymentUrl: string}> {
+        if (!stripeAccount) {
+            throw new SimpleError({
+                code: "",
+                message: "Betaling via " + PaymentMethodHelper.getName(payment.method) + " is onbeschikbaar"
+            })
+        }
+        const totalPrice = payment.price;
+        let fee = 0;
+        const vat = calculateVATPercentage(organization.address, organization.meta.VATNumber)
+        function calculateFee(fixed: number, percentageTimes100: number) {
+            return Math.round(Math.round(fixed + Math.max(1, totalPrice * percentageTimes100 / 100 / 100)) * (100 + vat) / 100); // € 0,21 + 0,2%
+        }
+        if (payment.method === PaymentMethod.iDEAL) {
+            fee = calculateFee(21, 20); // € 0,21 + 0,2%
+        } else if (payment.method === PaymentMethod.Bancontact) {
+            fee = calculateFee(24, 20); // € 0,24 + 0,2%
+        } else {
+            fee = calculateFee(25, 150); // € 0,25 + 1,5%
+        }
+        payment.transferFee = fee;
+        const fullMetadata = {
+            ...(metadata ?? {}),
+            organizationVATNumber: organization.meta.VATNumber
+        }
+        const stripe = StripeHelper.getInstance()
+        let paymentUrl: string
+        // Bancontact or iDEAL: use payment intends
+        if (payment.method === PaymentMethod.Bancontact || payment.method === PaymentMethod.iDEAL) {
+            const paymentMethod = await stripe.paymentMethods.create({
+                type: payment.method.toLowerCase() as 'bancontact',
+                billing_details: {
+                    name: customer.name && customer.name.length > 2 ? customer.name : 'Onbekend',
+                    email: customer.email
+                },
+            })
+            const paymentIntent = await stripe.paymentIntents.create({
+                amount: totalPrice,
+                currency: 'eur',
+                payment_method: paymentMethod.id,
+                payment_method_types: [payment.method.toLowerCase()],
+                statement_descriptor: Formatter.slug(statementDescriptor).substring(0, 22).toUpperCase(),
+                application_fee_amount: fee,
+                on_behalf_of: stripeAccount.accountId,
+                confirm: true,
+                return_url: redirectUrl,
+                transfer_data: {
+                    destination: stripeAccount.accountId,
+                },
+                metadata: fullMetadata,
+                payment_method_options: {bancontact: {preferred_language: ['nl', 'fr', 'de', 'en'].includes(i18n.language) ? i18n.language as 'en' : 'nl'}},
+            });
+            console.log("Stripe payment intent", paymentIntent)
+            const url = paymentIntent.next_action?.redirect_to_url?.url
+            if (paymentIntent.status !== 'requires_action' || !url) {
+                console.error("Stripe payment intent status is not requires_action", paymentIntent)
+                throw new SimpleError({
+                    code: "invalid_status",
+                    message: "Betaling via " + PaymentMethodHelper.getName(payment.method) + " is onbeschikbaar"
+                })
+            }
+            paymentUrl = url
+            // Store in database
+            const paymentIntentModel = new StripePaymentIntent()
+            paymentIntentModel.paymentId = payment.id
+            paymentIntentModel.stripeIntentId = paymentIntent.id
+            paymentIntentModel.organizationId = organization.id
+            await paymentIntentModel.save()
+        } else {
+            // Build Stripe line items
+            const stripeLineItems: Stripe.Checkout.SessionCreateParams.LineItem[] = []
+            let lineItemsPrice = 0
+            for (const item of lineItems) {
+                const stripeLineItem = {
+                    price_data: {
+                        currency: 'eur',
+                        unit_amount: item.price,
+                        product_data: {
+                            name: item.balanceItem.description,
+                        },
+                    },
+                    quantity: 1,
+                }
+                stripeLineItems.push(stripeLineItem)
+                lineItemsPrice += item.price
+            }
+            if (lineItemsPrice !== totalPrice) {
+                console.error('Total price of line items does not match total price of payment', lineItemsPrice, totalPrice, payment.id)
+                throw new SimpleError({
+                    code: "invalid_price",
+                    message: "De totale prijs van de betaling komt niet overeen met de prijs van de items",
+                    human: "Er ging iets mis bij het aanmaken van de betaling. Probeer opnieuw of gebruik een andere betaalmethode.",
+                    statusCode: 500
+                })
+            }
+            // Use checkout flow
+            const session = await stripe.checkout.sessions.create({
+                mode: 'payment',
+                success_url: redirectUrl,
+                cancel_url: cancelUrl,
+                payment_method_types: ["card"],
+                line_items: stripeLineItems,
+                currency: 'eur',
+                locale: i18n.language as 'nl',
+                payment_intent_data: {
+                    on_behalf_of: stripeAccount.accountId,
+                    application_fee_amount: fee,
+                    transfer_data: {
+                        destination: stripeAccount.accountId,
+                    },
+                    metadata: fullMetadata,
+                    statement_descriptor: Formatter.slug(statementDescriptor).substring(0, 22).toUpperCase(),
+                },
+                customer_email: customer.email,
+                metadata: fullMetadata,
+                expires_at: Math.floor(Date.now() / 1000) + 30 * 60, // Expire in 30 minutes
+            });
+            console.log("Stripe session", session)
+            if (!session.url) {
+                console.error("Stripe session has no url", session)
+                throw new SimpleError({
+                    code: "invalid_status",
+                    message: "Betaling via " + PaymentMethodHelper.getName(payment.method) + " is onbeschikbaar"
+                })
+            }
+            paymentUrl = session.url
+            // Store in database
+            const paymentIntentModel = new StripeCheckoutSession()
+            paymentIntentModel.paymentId = payment.id
+            paymentIntentModel.stripeSessionId = session.id
+            paymentIntentModel.organizationId = organization.id
+            await paymentIntentModel.save()
+        }
+        await payment.save()
+        return {
+            paymentUrl
+        }
+    }
+}