@stamhoofd/backend 2.87.1 → 2.88.0

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@stamhoofd/backend",
-    "version": "2.87.1",
+    "version": "2.88.0",
     "main": "./dist/index.js",
     "exports": {
         ".": {
@@ -44,14 +44,14 @@
         "@simonbackx/simple-encoding": "2.22.0",
         "@simonbackx/simple-endpoints": "1.20.1",
         "@simonbackx/simple-logging": "^1.0.1",
-        "@stamhoofd/backend-i18n": "2.87.1",
-        "@stamhoofd/backend-middleware": "2.87.1",
-        "@stamhoofd/email": "2.87.1",
-        "@stamhoofd/models": "2.87.1",
-        "@stamhoofd/queues": "2.87.1",
-        "@stamhoofd/sql": "2.87.1",
-        "@stamhoofd/structures": "2.87.1",
-        "@stamhoofd/utility": "2.87.1",
+        "@stamhoofd/backend-i18n": "2.88.0",
+        "@stamhoofd/backend-middleware": "2.88.0",
+        "@stamhoofd/email": "2.88.0",
+        "@stamhoofd/models": "2.88.0",
+        "@stamhoofd/queues": "2.88.0",
+        "@stamhoofd/sql": "2.88.0",
+        "@stamhoofd/structures": "2.88.0",
+        "@stamhoofd/utility": "2.88.0",
         "archiver": "^7.0.1",
         "axios": "^1.8.2",
         "cookie": "^0.7.0",
@@ -69,5 +69,5 @@
     "publishConfig": {
         "access": "public"
     },
-    "gitHead": "a9a8e07e38224fe34e805e400b1a46d5c286a10a"
+    "gitHead": "0406b1c0f731ff037988ddf71f3bc9a0046a64f3"
 }

package/src/endpoints/auth/CreateTokenEndpoint.ts

@@ -34,7 +34,7 @@ export class CreateTokenEndpoint extends Endpoint<Params, Query, Body, ResponseB
         // - check if not multiple attempts for the same username are started in parallel
         // - Limit the amount of failed attemps by IP (will only make it a bit harder)
         // - Detect attacks on random accounts (using email list + most used passwords) and temorary require CAPTCHA on all accounts
-        const organization = await Context.setOptionalOrganizationScope();
+        const organization = await Context.setOptionalOrganizationScope({ willAuthenticate: false });
 
         switch (request.body.grantType) {
             case 'refresh_token': {
@@ -60,8 +60,11 @@ export class CreateTokenEndpoint extends Endpoint<Params, Query, Body, ResponseB
                 const token = await Token.createToken(oldToken.user);
 
                 // In the rare event our response doesn't reach the client anymore, we don't want the client to sign out...
-                // So we give them a second chance and create a new token BUT we expire our existing token in an hour (forever!)
-                oldToken.refreshTokenValidUntil = new Date(Date.now() + 60 * 60 * 1000);
+                // So we allow a small rotation overlap period
+                const leeway = 60 * 1000;
+                oldToken.refreshTokenValidUntil = new Date(Math.min(oldToken.refreshTokenValidUntil.getTime(), Date.now() + leeway));
+
+                // Invalidate the corresponding access token
                 oldToken.accessTokenValidUntil = new Date(Date.now() - 60 * 60 * 1000);
 
                 // Do not delete the old one, only expire it fast so it will get deleted in the future
@@ -81,9 +84,6 @@ export class CreateTokenEndpoint extends Endpoint<Params, Query, Body, ResponseB
             }
 
             case 'password': {
-                // Increase timout for legacy
-                request.request.request?.setTimeout(30 * 1000);
-
                 if (STAMHOOFD.userMode === 'platform') {
                     const platform = await Platform.getSharedPrivateStruct();
                     const config = platform.config.loginMethods.get(LoginMethod.Password);

package/src/endpoints/auth/ForgotPasswordEndpoint.ts

@@ -28,7 +28,7 @@ export class ForgotPasswordEndpoint extends Endpoint<Params, Query, Body, Respon
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOptionalOrganizationScope();
+        const organization = await Context.setOptionalOrganizationScope({ willAuthenticate: false });
 
         if (STAMHOOFD.userMode === 'platform') {
             const platform = await Platform.getSharedPrivateStruct();

package/src/endpoints/auth/OpenIDConnectCallbackEndpoint.ts

@@ -26,7 +26,7 @@ export class OpenIDConnectCallbackEndpoint extends Endpoint<Params, Query, Body,
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        await Context.setUserOrganizationScope();
+        await Context.setUserOrganizationScope({ willAuthenticate: false });
         const ssoService = await SSOServiceWithSession.fromSession(request);
         return await ssoService.callback();
     }

package/src/endpoints/auth/OpenIDConnectStartEndpoint.ts

@@ -28,7 +28,7 @@ export class OpenIDConnectStartEndpoint extends Endpoint<Params, Query, Body, Re
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
         // Check webshop and/or organization
-        await Context.setUserOrganizationScope();
+        await Context.setUserOrganizationScope({ willAuthenticate: false });
         const service = await SSOService.fromContext(request.query.provider);
         return await service.validateAndStartAuthCodeFlow(request.query);
     }

package/src/endpoints/auth/PollEmailVerificationEndpoint.ts

@@ -27,7 +27,7 @@ export class PollEmailVerificationEndpoint extends Endpoint<Params, Query, Body,
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOptionalOrganizationScope();
+        const organization = await Context.setOptionalOrganizationScope({ willAuthenticate: false });
         const valid = await EmailVerificationCode.poll(organization?.id ?? null, request.body.token);
 
         return new Response(PollEmailVerificationResponse.create({

package/src/endpoints/auth/RetryEmailVerificationEndpoint.ts

@@ -27,7 +27,7 @@ export class PollEmailVerificationEndpoint extends Endpoint<Params, Query, Body,
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOptionalOrganizationScope();
+        const organization = await Context.setOptionalOrganizationScope({ willAuthenticate: false });
         const valid = await EmailVerificationCode.poll(organization?.id ?? null, request.body.token);
 
         if (valid) {

package/src/endpoints/auth/SignupEndpoint.ts

@@ -28,7 +28,7 @@ export class SignupEndpoint extends Endpoint<Params, Query, Body, ResponseBody>
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setUserOrganizationScope();
+        const organization = await Context.setUserOrganizationScope({ willAuthenticate: false });
 
         if (STAMHOOFD.userMode === 'platform') {
             const platform = await Platform.getShared();

package/src/endpoints/auth/VerifyEmailEndpoint.ts

@@ -28,7 +28,7 @@ export class VerifyEmailEndpoint extends Endpoint<Params, Query, Body, ResponseB
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOptionalOrganizationScope();
+        const organization = await Context.setOptionalOrganizationScope({ willAuthenticate: false });
 
         const code = await EmailVerificationCode.verify(organization?.id ?? null, request.body.token, request.body.code);
 

package/src/endpoints/global/files/GetFileCache.ts

@@ -45,7 +45,7 @@ export class GetFileCache extends Endpoint<Params, Query, Body, ResponseBody> {
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        await Context.setOptionalOrganizationScope();
+        await Context.setOptionalOrganizationScope({ willAuthenticate: false });
 
         limiter.track(request.request.getIP(), 1);
 

package/src/endpoints/global/members/PatchOrganizationMembersEndpoint.ts

@@ -101,7 +101,7 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
 
             // We risk creating a new member without being able to access it manually afterwards
             // Cache access to this member temporarily in memory
-            await Context.auth.temporarilyGrantMemberAccess(member, PermissionLevel.Write);
+            await Context.auth.temporarilyGrantMemberAccess(member, PermissionLevel.Full);
 
             if (STAMHOOFD.userMode !== 'platform' && !member.organizationId) {
                 throw new SimpleError({
@@ -925,7 +925,7 @@ export class PatchOrganizationMembersEndpoint extends Endpoint<Params, Query, Bo
             console.log('checkSecurityCode: security code is correct - for ' + member.id);
 
             // Grant temporary access to this member without needing to enter the security code again
-            await Context.auth.temporarilyGrantMemberAccess(member, PermissionLevel.Write);
+            await Context.auth.temporarilyGrantMemberAccess(member, PermissionLevel.Full);
 
             const log = new AuditLog();
 

package/src/endpoints/global/organizations/GetOrganizationFromDomainEndpoint.test.ts

@@ -1,5 +1,5 @@
 import { Request } from '@simonbackx/simple-endpoints';
-import { GroupFactory, OrganizationFactory } from '@stamhoofd/models';
+import { OrganizationFactory } from '@stamhoofd/models';
 import { Organization } from '@stamhoofd/structures';
 
 import { testServer } from '../../../../tests/helpers/TestServer';
@@ -14,7 +14,7 @@ describe('Endpoint.GetOrganizationFromDomain', () => {
 
         const r = Request.buildJson('GET', '/v2/organization-from-domain');
         r.query = {
-            domain: organization.uri + '.stamhoofd.dev',
+            domain: organization.uri + '.' + STAMHOOFD.domains.registration!['']!,
         };
 
         const response = await testServer.test(endpoint, r);

package/src/endpoints/global/organizations/GetOrganizationFromUriEndpoint.ts

@@ -45,13 +45,6 @@ export class GetOrganizationFromUriEndpoint extends Endpoint<Params, Query, Body
             });
         }
 
-        if (!organization.active) {
-            throw new SimpleError({
-                code: 'archived_organization',
-                message: 'This organization has been archived',
-                statusCode: 404,
-            });
-        }
         return new Response(await AuthenticatedStructures.organization(organization));
     }
 }

package/src/endpoints/global/organizations/SearchOrganizationEndpoint.ts

@@ -56,6 +56,7 @@ export class SearchOrganizationEndpoint extends Endpoint<Params, Query, Body, Re
         const whereMatch: SQLWhere = new SQLMatch(SQL.column(Organization.table, 'searchIndex'), scalarToSQLExpression(matchValue));
 
         let organizations = await Organization.select()
+            .where('active', true)
             .where(whereMatch)
             .orderBy(whereMatch, 'DESC')
             .limit(limit).fetch();

package/src/endpoints/organization/dashboard/organization/PatchOrganizationEndpoint.ts

@@ -39,7 +39,7 @@ export class PatchOrganizationEndpoint extends Endpoint<Params, Query, Body, Res
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOrganizationScope({ allowInactive: true });
+        const organization = await Context.setOrganizationScope();
         await Context.authenticate();
 
         if (!await Context.auth.hasSomeAccess(organization.id)) {

package/src/endpoints/organization/dashboard/receivable-balances/GetReceivableBalancesEndpoint.ts

@@ -147,7 +147,7 @@ export class GetReceivableBalancesEndpoint extends Endpoint<Params, Query, Body,
     }
 
     static async buildDetailedData(requestQuery: LimitedFilteredRequest) {
-        const organization = Context.organization ?? await Context.setOrganizationScope();
+        const organization = Context.organization ?? await Context.setOrganizationScope({ willAuthenticate: false });
         const { data, next } = await GetReceivableBalancesEndpoint.buildDataHelper(requestQuery);
 
         return new PaginatedResponse<DetailedReceivableBalance[], LimitedFilteredRequest>({

package/src/endpoints/organization/shared/ExchangePaymentEndpoint.ts

@@ -43,7 +43,7 @@ export class ExchangePaymentEndpoint extends Endpoint<Params, Query, Body, Respo
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOptionalOrganizationScope();
+        const organization = await Context.setOptionalOrganizationScope({ willAuthenticate: false });
         if (!request.query.exchange) {
             await Context.optionalAuthenticate();
         }

package/src/endpoints/organization/webshops/CheckWebshopDiscountCodesEndpoint.ts

@@ -28,7 +28,7 @@ export class CheckWebshopDiscountCodesEndpoint extends Endpoint<Params, Query, B
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOrganizationScope();
+        const organization = await Context.setOrganizationScope({ willAuthenticate: false });
         const webshop = await Webshop.getByID(request.params.id);
         if (!webshop || webshop.organizationId !== organization.id) {
             throw new SimpleError({

package/src/endpoints/organization/webshops/GetOrderByPaymentEndpoint.ts

@@ -26,7 +26,7 @@ export class GetOrderByPaymentEndpoint extends Endpoint<Params, Query, Body, Res
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOrganizationScope();
+        const organization = await Context.setOrganizationScope({ willAuthenticate: false });
         const payment = await Payment.getByID(request.params.paymentId);
 
         if (!payment || payment.organizationId !== organization.id) {

package/src/endpoints/organization/webshops/GetOrderEndpoint.ts

@@ -24,7 +24,7 @@ export class GetOrderEndpoint extends Endpoint<Params, Query, Body, ResponseBody
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOrganizationScope();
+        const organization = await Context.setOrganizationScope({ willAuthenticate: false });
         const order = await Order.getByID(request.params.orderId);
 
         if (!order || order.webshopId !== request.params.id || order.organizationId !== organization.id) {

package/src/endpoints/organization/webshops/GetTicketsEndpoint.ts

@@ -42,7 +42,7 @@ export class GetTicketsEndpoint extends Endpoint<Params, Query, Body, ResponseBo
     }
 
     async handle(request: DecodedRequest<Params, Query, Body>) {
-        const organization = await Context.setOrganizationScope();
+        const organization = await Context.setOrganizationScope({ willAuthenticate: false });
 
         if (request.query.secret) {
             const [ticket] = await Ticket.where({

package/src/endpoints/organization/webshops/retrieveUitpasSocialTariffPrice.ts

@@ -0,0 +1,69 @@
+import { DecodedRequest, Endpoint, Request, Response } from '@simonbackx/simple-endpoints';
+import { SimpleError } from '@simonbackx/simple-errors';
+import { UitpasPriceCheckRequest, UitpasPriceCheckResponse } from '@stamhoofd/structures';
+
+import { UitpasNumberValidator } from '../../../helpers/UitpasNumberValidator';
+import { Decoder } from '@simonbackx/simple-encoding';
+type Params = Record<string, never>;
+type Query = undefined;
+type Body = UitpasPriceCheckRequest;
+type ResponseBody = UitpasPriceCheckResponse;
+
+export class retrieveUitpasSocialTariffPrice extends Endpoint<Params, Query, Body, ResponseBody> {
+    bodyDecoder = UitpasPriceCheckRequest as Decoder<UitpasPriceCheckRequest>;
+
+    protected doesMatch(request: Request): [true, Params] | [false] {
+        if (request.method !== 'POST') {
+            return [false];
+        }
+
+        const params = Endpoint.parseParameters(request.url, '/uitpas', {});
+
+        if (params) {
+            return [true, params as Params];
+        }
+        return [false];
+    }
+
+    async handle(request: DecodedRequest<Params, Query, Body>) {
+        if (request.body.uitpasEventId) {
+            // OFFICIAL FLOW
+            if (!request.body.uitpasNumber) {
+                // STATIC CHECK
+                // request shouldn't include a reduced price
+            }
+            else {
+                // OFFICIAL FLOW with an UiTPAS number
+                // request should include a reduced price (estimate by the frontend)
+            }
+            throw new SimpleError({
+                code: 'not_implemented',
+                message: 'Official flow not yet implemented',
+                human: 'De officiële flow voor het valideren van een UiTPAS-nummer wordt nog niet ondersteund.',
+            });
+        }
+        else {
+            // NON-OFFICIAL FLOW
+            // request should include UiTPAS-number, reduced price AND base price
+            if (!request.body.reducedPrice) {
+                throw new SimpleError({
+                    code: 'missing_reduced_price',
+                    message: 'Reduced price must be provided for non-official flow.',
+                    human: $t('Je moet een verlaagd tarief opgeven voor de UiTPAS.'),
+                });
+            }
+            if (!request.body.uitpasNumber) {
+                throw new SimpleError({
+                    code: 'missing_uitpas_number',
+                    message: 'Uitpas number must be provided for non-official flow.',
+                    human: $t('Je moet een UiTPAS-nummer opgeven.'),
+                });
+            }
+            await UitpasNumberValidator.checkUitpasNumber(request.body.uitpasNumber);
+            const uitpasPriceCheckResponse = UitpasPriceCheckResponse.create({
+                price: request.body.reducedPrice,
+            });
+            return new Response(uitpasPriceCheckResponse);
+        }
+    }
+}

package/src/helpers/AuthenticatedStructures.ts

@@ -443,6 +443,17 @@ export class AuthenticatedStructures {
             }
         }
 
+        const membershipOrganizationId = Platform.shared.membershipOrganizationId;
+        if (Context.auth.hasSomePlatformAccess() && membershipOrganizationId) {
+            if (await Context.auth.hasSomeAccess(membershipOrganizationId)) {
+                const found = organizations.get(membershipOrganizationId);
+                if (!found) {
+                    const organization = await Context.auth.getOrganization(membershipOrganizationId);
+                    organizations.set(organization.id, organization);
+                }
+            }
+        }
+
         const memberBlobs: MemberWithRegistrationsBlob[] = [];
         for (const member of members) {
             for (const registration of member.registrations) {

package/src/helpers/Context.ts

@@ -1,5 +1,5 @@
 import { DecodedRequest, Request } from '@simonbackx/simple-endpoints';
-import { SimpleError } from '@simonbackx/simple-errors';
+import { isSimpleError, SimpleError } from '@simonbackx/simple-errors';
 import { I18n } from '@stamhoofd/backend-i18n';
 import { Organization, Platform, RateLimiter, Token, User } from '@stamhoofd/models';
 import { AsyncLocalStorage } from 'async_hooks';
@@ -149,12 +149,15 @@ export class ContextInstance {
         return this.#auth;
     }
 
-    async setOptionalOrganizationScope() {
+    async setOptionalOrganizationScope(options?: { willAuthenticate?: boolean }) {
         try {
-            return await this.setOrganizationScope();
+            return await this.setOrganizationScope(options);
         }
         catch (e) {
-            return null;
+            if (isSimpleError(e) && e.hasCode('invalid_host')) {
+                return null;
+            }
+            throw e;
         }
     }
 
@@ -170,15 +173,21 @@ export class ContextInstance {
     /**
      * Require organization scope if userMode is not platform
      */
-    async setUserOrganizationScope() {
+    async setUserOrganizationScope(options?: { willAuthenticate?: boolean }) {
         if (STAMHOOFD.userMode === 'platform') {
             return null;
         }
-        return await this.setOrganizationScope();
+        return await this.setOrganizationScope(options);
     }
 
-    async setOrganizationScope(options?: { allowInactive?: boolean }) {
-        const organization = await Organization.fromApiHost(this.request.host, options);
+    async setOrganizationScope(options?: { willAuthenticate?: boolean }) {
+        if (!options) {
+            options = {};
+        }
+
+        const organization = await Organization.fromApiHost(this.request.host, {
+            allowInactive: options.willAuthenticate ?? true,
+        });
 
         this.organization = organization;
         this.i18n.switchToLocale({ country: organization.address.country });
@@ -192,6 +201,14 @@ export class ContextInstance {
         }
         catch (e) {
             if (e.code === 'not_authenticated') {
+                // Do not allow to optional authenticate to inactive organizations
+                if (this.organization && !this.organization.active) {
+                    throw new SimpleError({
+                        code: 'not_authenticated',
+                        message: 'You need to authenticate to view inactive organizations',
+                        statusCode: 401,
+                    });
+                }
                 return {};
             }
             throw e;
@@ -290,6 +307,18 @@ export class ContextInstance {
 
         this.#auth = new AdminPermissionChecker(user, await Platform.getSharedPrivateStruct(), this.organization);
 
+        if (this.organization && !this.organization.active) {
+            // For inactive organizations, you always need permissions to view them
+            if (!await Context.auth.hasFullAccess(this.organization.id)) {
+                throw new SimpleError({
+                    code: 'archived',
+                    message: 'Full access is required to view inactive organizations',
+                    human: $t('Je moet een hoofdbeheerder zijn om inactieve verenigingen te bekijken'),
+                    statusCode: 401,
+                });
+            }
+        }
+
         return { user, token };
     }
 }

package/src/helpers/MemberUserSyncer.ts

@@ -156,6 +156,8 @@ export class MemberUserSyncerStatic {
     }
 
     async updateInheritedPermissions(user: User) {
+        // Fetch all members for this user
+        
         const responsibilities = user.memberId ? (await this.getResponsibilitiesForMembers([user.memberId])) : [];
 
         // Check if the member has active registrations

package/src/helpers/UitpasNumberValidator.test.ts

@@ -0,0 +1,23 @@
+import { STExpect } from '@stamhoofd/test-utils';
+import { UitpasNumberValidator } from './UitpasNumberValidator';
+
+describe.skip('UitpasNumberValidator', () => {
+    it('should validate a correct Uitpas number with kansentarief', async () => {
+        const validNumber = '0900000067513';
+        await expect(UitpasNumberValidator.checkUitpasNumber(validNumber)).resolves.toBeUndefined();
+    });
+
+    it('should throw an error for an invalid Uitpas number', async () => {
+        const invalidNumber = '1234567890123';
+        await expect(UitpasNumberValidator.checkUitpasNumber(invalidNumber)).rejects.toThrow(
+            STExpect.simpleError({ code: 'unsuccessful_but_expected_response_retrieving_pass_by_uitpas_number' }),
+        );
+    });
+
+    it('should throw an error for a Uitpas number with kansentarief expired', async () => {
+        const expiredNumber = '0900000058918';
+        await expect(UitpasNumberValidator.checkUitpasNumber(expiredNumber)).rejects.toThrow(
+            STExpect.simpleError({ code: 'uitpas_number_issue' }),
+        );
+    });
+});

package/src/helpers/UitpasNumberValidator.ts

@@ -0,0 +1,157 @@
+import { SimpleError } from '@simonbackx/simple-errors';
+import { UitpasTokenRepository } from './UitpasTokenRepository';
+import { DataValidator } from '@stamhoofd/utility';
+
+type UitpasNumberSuccessfulResponse = {
+    socialTariff: {
+        status: 'ACTIVE' | 'EXPIRED' | 'NONE';
+    };
+    messages?: Array<{
+        text: string;
+    }>;
+};
+
+type UitpasNumberErrorResponse = {
+    title: string; // e.g., "Invalid uitpas number"
+    endUserMessage?: {
+        nl: string;
+    };
+};
+
+function assertIsUitpasNumberSuccessfulResponse(
+    json: unknown,
+): asserts json is UitpasNumberSuccessfulResponse {
+    if (
+        typeof json !== 'object'
+        || json === null
+        || !('socialTariff' in json)
+        || typeof json.socialTariff !== 'object'
+        || json.socialTariff === null
+        || !('status' in json.socialTariff)
+        || typeof json.socialTariff.status !== 'string'
+        || (json.socialTariff.status !== 'ACTIVE' && json.socialTariff.status !== 'EXPIRED' && json.socialTariff.status !== 'NONE')
+        || ('messages' in json && (!Array.isArray(json.messages) || !json.messages.every(
+            (message: unknown) => typeof message === 'object' && message !== null && 'text' in message && typeof message.text === 'string')))
+    ) {
+        console.error('Invalid response when retrieving pass by UiTPAS number:', json);
+        throw new SimpleError({
+            code: 'invalid_response_retrieving_pass_by_uitpas_number',
+            message: `Invalid response when retrieving pass by UiTPAS  number`,
+            human: $t(`Er is een fout opgetreden bij het ophalen van je UiTPAS. Kijk je het nummer even na?`),
+        });
+    }
+}
+
+function isUitpasNumberErrorResponse(
+    json: unknown,
+): json is UitpasNumberErrorResponse {
+    return typeof json === 'object'
+        && json !== null
+        && 'title' in json
+        && typeof json.title === 'string'
+        && (!('endUserMessage' in json)
+            || (typeof json.endUserMessage === 'object' && json.endUserMessage !== null && 'nl' in json.endUserMessage && typeof json.endUserMessage.nl === 'string')
+        );
+}
+
+export class UitpasNumberValidatorStatic {
+    async checkUitpasNumber(uitpasNumber: string) {
+        // static check (using regex)
+        if (!DataValidator.isUitpasNumberValid(uitpasNumber)) {
+            throw new SimpleError({
+                code: 'invalid_uitpas_number',
+                message: `Invalid UiTPAS number: ${uitpasNumber}`,
+                human: $t(
+                    `Het opgegeven UiTPAS-nummer is ongeldig. Controleer het nummer en probeer het opnieuw.`,
+                ),
+            });
+        }
+        const access_token = await UitpasTokenRepository.getAccessTokenFor(); // for nothing, means for platform
+        const baseUrl = 'https://api-test.uitpas.be'; // TO DO: Use the URL from environment variables
+
+        const url = `${baseUrl}/passes/${uitpasNumber}`;
+        const myHeaders = new Headers();
+        myHeaders.append('Authorization', 'Bearer ' + access_token);
+        const requestOptions = {
+            method: 'GET',
+            headers: myHeaders,
+        };
+
+        const response = await fetch(url, requestOptions).catch(() => {
+            // Handle network errors
+            throw new SimpleError({
+                code: 'uitpas_unreachable_retrieving_pass_by_uitpas_number',
+                message: `Network issue when retrieving pass by UiTPAS number`,
+                human: $t(
+                    `We konden UiTPAS niet bereiken om jouw UiTPAS-nummer te valideren. Probeer het later opnieuw.`,
+                ),
+            });
+        });
+        if (!response.ok) {
+            const json: unknown = await response.json().catch(() => { /* ignore */ });
+            let endUserMessage = '';
+
+            if (json) {
+                console.error(`UiTPAS API returned an error for UiTPAS number ${uitpasNumber}:`, json);
+            }
+            else {
+                console.error(`UiTPAS API returned an error for UiTPAS number ${uitpasNumber}:`, response.statusText);
+            }
+
+            if (isUitpasNumberErrorResponse(json)) {
+                endUserMessage = json.endUserMessage ? json.endUserMessage.nl : '';
+            }
+
+            if (endUserMessage) {
+                throw new SimpleError({
+                    code: 'unsuccessful_but_expected_response_retrieving_pass_by_uitpas_number',
+                    message: `Unsuccesful response with message when retrieving pass by UiTPAS number, message: ${endUserMessage}`,
+                    human: endUserMessage,
+                });
+            }
+
+            throw new SimpleError({
+                code: 'unsuccessful_and_unexpected_response_retrieving_pass_by_uitpas_number',
+                message: `Unsuccesful response without message when retrieving pass by UiTPAS number`,
+                human: $t(`Er is een fout opgetreden bij het ophalen van je UiTPAS. Kijk je het nummer even na?`),
+            });
+        }
+
+        const json = await response.json().catch(() => {
+            // Handle JSON parsing errors
+            throw new SimpleError({
+                code: 'invalid_json_retrieving_pass_by_uitpas_number',
+                message: `Invalid json when retrieving pass by UiTPAS  number`,
+                human: $t(
+                    `Er is een fout opgetreden bij het communiceren met UiTPAS. Probeer het later opnieuw.`,
+                ),
+            });
+        });
+        assertIsUitpasNumberSuccessfulResponse(json);
+        if (json.messages) {
+            const humanMessage = json.messages[0].text; // only display the first message
+
+            // alternatively, join all messages
+            // const text = json.messages.map((message: any) => message.text).join(', ');
+
+            throw new SimpleError({
+                code: 'uitpas_number_issue',
+                message: `UiTPAS API returned an error: ${humanMessage}`,
+                human: humanMessage,
+            });
+        }
+        if (json.socialTariff.status !== 'ACTIVE') {
+            // THIS SHOULD NOT HAPPEN, as in that case json.messages should be present
+            throw new SimpleError({
+                code: 'non_active_social_tariff',
+                message: `UiTPAS social tariff is not ACTIVE but ${json.socialTariff.status}`,
+                human: $t(
+                    `Het opgegeven UiTPAS-nummer heeft geen actief kansentarief. Neem contact op met de UiTPAS-organisatie voor meer informatie.`,
+                ),
+            });
+        }
+        // no errors -> the uitpas number is valid and social tariff is applicable
+    }
+}
+
+export const UitpasNumberValidator = new UitpasNumberValidatorStatic();

package/src/helpers/UitpasTokenRepository.ts

@@ -0,0 +1,146 @@
+import { SimpleError } from '@simonbackx/simple-errors';
+import { UitpasClientCredential } from '@stamhoofd/models';
+import { QueueHandler } from '@stamhoofd/queues';
+
+type UitpasTokenResponse = {
+    access_token: string;
+    expires_in: number;
+};
+
+function assertIsUitpasTokenResponse(json: unknown): asserts json is UitpasTokenResponse {
+    if (
+        typeof json !== 'object'
+        || json === null
+        || !('access_token' in json)
+        || !('expires_in' in json)
+        || typeof json.access_token !== 'string'
+        || typeof json.expires_in !== 'number'
+        || json.expires_in <= 0
+    ) {
+        console.error('Invalid response when fetching UiTPAS token:', json);
+        throw new SimpleError({
+            code: 'invalid_response_fetching_uitpas_token',
+            message: `Invalid response when fetching UiTPAS token`,
+            human: $t(`Er is een fout opgetreden bij het communiceren met UiTPAS. Probeer het later opnieuw.`),
+        });
+    }
+}
+
+export class UitpasTokenRepository {
+    accessToken?: string;
+    expiresOn: Date = new Date(0); // Set to minimum time initially
+    uitpasClientCredential: UitpasClientCredential;
+
+    constructor(uitpasClientCredential: UitpasClientCredential) {
+        this.uitpasClientCredential = uitpasClientCredential;
+    }
+
+    /**
+     * organizationId (null means platform) -> UitpasTokenRepository
+     */
+    static knownTokens: Map<string | null, UitpasTokenRepository> = new Map();
+
+    private static async createRepoFromDb(organizationId: string | null): Promise<UitpasTokenRepository> {
+        // query db
+        let uitpasClientCredential = await UitpasClientCredential.select().where('organizationId', organizationId).first(false);
+        if (!uitpasClientCredential) {
+            // temporary solution, because platform client id and secret are not yet in the database
+            if (organizationId === null) {
+                if (!STAMHOOFD.UITPAS_API_CLIENT_ID || !STAMHOOFD.UITPAS_API_CLIENT_SECRET) {
+                    throw new SimpleError({
+                        code: 'uitpas_api_not_configured_for_platform',
+                        message: 'UiTPAS api is not configured for the platform',
+                        human: $t('UiTPAS is niet volledig geconfigureerd, contacteer de platformbeheerder.'),
+                    });
+                }
+                uitpasClientCredential = new UitpasClientCredential();
+                uitpasClientCredential.clientId = STAMHOOFD.UITPAS_API_CLIENT_ID;
+                uitpasClientCredential.clientSecret = STAMHOOFD.UITPAS_API_CLIENT_SECRET;
+                uitpasClientCredential.organizationId = null; // null means platform
+            }
+            else {
+                throw new SimpleError({
+                    code: 'uitpas_api_not_configured_for_this_organization',
+                    message: `UiTPAS api not configured for organization with id ${organizationId}`,
+                    human: $t(`De UiTPAS integratie is niet compleet, contacteer de beheerder.`),
+                });
+            }
+        }
+        const newRepo = new UitpasTokenRepository(uitpasClientCredential);
+        this.knownTokens.set(organizationId, newRepo);
+        return newRepo;
+    }
+
+    private async getNewAccessToken(): Promise<string> {
+        const url = 'https://account-test.uitid.be/realms/uitid/protocol/openid-connect/token';
+        const myHeaders = new Headers();
+        myHeaders.append('Content-Type', 'application/x-www-form-urlencoded');
+        const params = new URLSearchParams({
+            grant_type: 'client_credentials',
+            client_id: this.uitpasClientCredential.clientId,
+            client_secret: this.uitpasClientCredential.clientSecret,
+        });
+        const requestOptions: RequestInit = {
+            method: 'POST',
+            headers: myHeaders,
+            body: params.toString(),
+        };
+        const response = await fetch(url, requestOptions).catch(() => {
+            // Handle network errors
+            throw new SimpleError({
+                code: 'uitpas_unreachable_fetching_uitpas_token',
+                message: `Network issue when fetching UiTPAS  token`,
+                human: $t(`We konden UiTPAS niet bereiken. Probeer het later opnieuw.`),
+            });
+        });
+        if (!response.ok) {
+            console.error(`Unsuccessful response when fetching UiTPAS token for organization with id ${this.uitpasClientCredential.organizationId}:`, response.statusText);
+            throw new SimpleError({
+                code: 'unsuccessful_response_fetching_uitpas_token',
+                message: `Unsuccesful response when fetching UiTPAS token`,
+                human: $t(`Er is een fout opgetreden bij het verbinden met UiTPAS. Probeer het later opnieuw.`),
+            });
+        }
+        const json: unknown = await response.json().catch(() => {
+            // Handle JSON parsing errors
+            throw new SimpleError({
+                code: 'invalid_json_fetching_uitpas_token',
+                message: `Invalid json when fetching UiTPAS token`,
+                human: $t(`Er is een fout opgetreden bij het communiceren met UiTPAS. Probeer het later opnieuw.`),
+            });
+        });
+        assertIsUitpasTokenResponse(json);
+        this.accessToken = json.access_token;
+        this.expiresOn = new Date((Date.now() + json.expires_in * 1000) - 10000); // Set expiration 10 seconds earlier to be safe
+        return this.accessToken;
+    }
+
+    /**
+     * Get the access token for the organization or platform.
+     * @param organizationId the organization ID for which to get the access token. If null, it means the platform.
+     * @param forceRefresh if true, the access token will be refreshed even if a previously stored token it is still valid
+     * @returns Promise<string> the access token for the organization or platform
+     * @throws SimpleError if the token cannot be obtained or the API is not configured
+     */
+    static async getAccessTokenFor(organizationId: string | null = null, forceRefresh: boolean = false): Promise<string> {
+        let repo = UitpasTokenRepository.knownTokens.get(organizationId);
+        if (repo && repo.accessToken && !forceRefresh && repo.expiresOn > new Date()) {
+            return repo.accessToken;
+        }
+
+        // Prevent multiple concurrent requests for the same organization, asking for an access token to the UiTPAS API.
+        // The queue can only run one at a time for the same organizationId
+        return await QueueHandler.schedule('uitpas/token-' + (organizationId ?? 'platform'), async () => {
+            // we re-search for the repo, as another call to this funcion might have added while we we're waiting in the queue
+            repo = UitpasTokenRepository.knownTokens.get(organizationId);
+            if (repo && repo.accessToken && !forceRefresh && repo.expiresOn > new Date()) {
+                return repo.accessToken;
+            }
+            if (!repo) {
+                repo = await UitpasTokenRepository.createRepoFromDb(organizationId);
+            }
+            // ask for a new access token
+            return repo.getNewAccessToken(); ;
+        });
+    }
+}

package/src/sql-filters/groups.ts

@@ -1,4 +1,4 @@
-import { SQL, createColumnFilter, SQLModernFilterDefinitions, SQLValueType, baseModernSQLFilterCompilers, createSQLColumnFilterCompiler, createSQLExpressionFilterCompiler, SQLModernValueType, createWildcardColumnFilter, SQLJsonExtract } from '@stamhoofd/sql';
+import { baseModernSQLFilterCompilers, createColumnFilter, createWildcardColumnFilter, SQL, SQLJsonExtract, SQLModernFilterDefinitions, SQLModernValueType } from '@stamhoofd/sql';
 
 export const groupFilterCompilers: SQLModernFilterDefinitions = {
     ...baseModernSQLFilterCompilers,
@@ -47,21 +47,4 @@ export const groupFilterCompilers: SQLModernFilterDefinitions = {
             }),
         }),
     ),
-
-    /* name: createSQLExpressionFilterCompiler(
-        SQL.jsonValue(SQL.column('groups', 'settings'), '$.value.name'),
-        { isJSONValue: true, type: SQLValueType.JSONString },
-    ),
-    status: createSQLExpressionFilterCompiler(
-        SQL.column('groups', 'status'),
-        { isJSONValue: true, type: SQLValueType.JSONString },
-    ),
-    defaultAgeGroupId: createSQLColumnFilterCompiler(SQL.column('groups', 'defaultAgeGroupId'), { nullable: true }),
-
-    bundleDiscountIds: createSQLExpressionFilterCompiler(
-        SQL.jsonKeys(
-            SQL.jsonValue(SQL.column('groups', 'settings'), '$.value.prices[0].bundleDiscounts'),
-        ),
-        { isJSONValue: true, isJSONObject: true },
-    ), */
 };

package/tests/jest.global.setup.ts

@@ -1,14 +1,8 @@
-import backendEnv from '@stamhoofd/backend-env';
-backendEnv.load({ path: __dirname + '/../../.env.test.json' });
-
-import { Database, Migration } from '@simonbackx/simple-database';
-import * as jose from 'jose';
+import { TestUtils } from '@stamhoofd/test-utils';
 import nock from 'nock';
 import path from 'path';
-import { GlobalHelper } from '../src/helpers/GlobalHelper';
 const emailPath = require.resolve('@stamhoofd/email');
 const modelsPath = require.resolve('@stamhoofd/models');
-import { TestUtils } from '@stamhoofd/test-utils';
 
 // Disable network requests
 nock.disableNetConnect();
@@ -22,6 +16,10 @@ if (new Date().getTimezoneOffset() !== 0) {
 }
 
 export default async () => {
+    await TestUtils.globalSetup();
+
+    const { Database, Migration } = await import('@simonbackx/simple-database');
+
     // External migrations
     await Migration.runAll(path.dirname(modelsPath) + '/migrations');
     await Migration.runAll(path.dirname(emailPath) + '/migrations');
@@ -30,6 +28,4 @@ export default async () => {
     await Migration.runAll(__dirname + '/src/migrations');
 
     await Database.end();
-
-    await TestUtils.globalSetup();
 };

package/tests/jest.setup.ts

@@ -1,20 +1,17 @@
-import backendEnv from '@stamhoofd/backend-env';
-backendEnv.load({ path: __dirname + '/../../.env.test.json' });
-
 import { Column, Database } from '@simonbackx/simple-database';
 import { Request } from '@simonbackx/simple-endpoints';
+import { SimpleError } from '@simonbackx/simple-errors';
 import { Email, EmailMocker } from '@stamhoofd/email';
+import { QueueHandler } from '@stamhoofd/queues';
 import { Version } from '@stamhoofd/structures';
+import { TestUtils } from '@stamhoofd/test-utils';
 import { sleep } from '@stamhoofd/utility';
+import * as jose from 'jose';
 import nock from 'nock';
 import { GlobalHelper } from '../src/helpers/GlobalHelper';
-import * as jose from 'jose';
-import { TestUtils } from '@stamhoofd/test-utils';
-import './toMatchMap';
-import { PayconiqMocker } from './helpers/PayconiqMocker';
 import { BalanceItemService } from '../src/services/BalanceItemService';
-import { QueueHandler } from '@stamhoofd/queues';
-import { SimpleError } from '@simonbackx/simple-errors';
+import { PayconiqMocker } from './helpers/PayconiqMocker';
+import './toMatchMap';
 
 // Set version of saved structures
 Column.setJSONVersion(Version);
@@ -75,7 +72,7 @@ beforeAll(async () => {
     await GlobalHelper.load();
 
     // Override default $t handlers
-    TestUtils.loadEnvironment();
+    await TestUtils.loadEnvironment();
 });
 
 afterAll(async () => {

package/.env.ci.json

@@ -1,58 +0,0 @@
-{
-    "environment": "test",
-    "domains": {
-        "dashboard": "dashboard.stamhoofd",
-        "marketing": {
-            "": "www.be.stamhoofd",
-            "BE": "www.be.stamhoofd",
-            "NL": "www.nl.stamhoofd"
-        },
-        "webshop": {
-            "": "shop.be.stamhoofd",
-            "BE": "shop.be.stamhoofd",
-            "NL": "shop.nl.stamhoofd"
-        },
-        "api": "api.stamhoofd",
-        "rendererApi": "renderer.stamhoofd",
-            
-        "defaultTransactionalEmail": {
-            "": "stamhoofd.be"
-        },
-
-        "defaultBroadcastEmail": {
-            "": "stamhoofd.email"
-        },
-        "webshopCname": "shop.stamhoofd"
-    },
-    
-    "PORT": 9091,
-    "DB_HOST": "127.0.0.1",
-    "DB_USER": "root",
-    "DB_PASS": "root",
-    "DB_DATABASE": "stamhoofd-tests",
-
-    "SMTP_HOST": "0.0.0.0",
-    "SMTP_USERNAME": "test",
-    "SMTP_PASSWORD": "test",
-    "SMTP_PORT": 587,
-
-    "AWS_ACCESS_KEY_ID": "",
-    "AWS_SECRET_ACCESS_KEY": "",
-    "AWS_REGION": "",
-
-    "SPACES_ENDPOINT": "anydomain.example",
-    "SPACES_BUCKET": "example",
-    "SPACES_KEY": "test",
-    "SPACES_SECRET": "test",
-
-    "INTERNAL_SECRET_KEY": "test",
-
-    "STRIPE_SECRET_KEY": "sk_test_test",
-    "STRIPE_ENDPOINT_SECRET": "sk_test",
-    "translationNamespace": "digit",
-    "platformName": "ravot",
-    "userMode": "organization",
-    "WHITELISTED_EMAIL_DESTINATIONS": [],
-    "MEMBER_NUMBER_ALGORITHM": "Incremental",
-    "MEMBER_NUMBER_ALGORITHM_LENGTH": 10
-}

package/.env.template.json

@@ -1,72 +0,0 @@
-{
-    "environment": "development",
-    "domains": {
-        "dashboard": "dashboard.stamhoofd",
-        "registration": {
-            "": "be.stamhoofd",
-            "BE": "be.stamhoofd",
-            "NL": "nl.stamhoofd"
-        },
-        "marketing": {
-            "": "www.be.stamhoofd",
-            "BE": "www.be.stamhoofd",
-            "NL": "www.nl.stamhoofd"
-        },
-        "documentation": {
-            "": "www.be.stamhoofd/docs",
-            "BE": "www.be.stamhoofd/docs",
-            "NL": "www.nl.stamhoofd/docs"
-        },
-        "webshop": {
-            "": "shop.be.stamhoofd",
-            "BE": "shop.be.stamhoofd",
-            "NL": "shop.nl.stamhoofd"
-        },
-        "legacyWebshop": "shop.stamhoofd",
-        "api": "api.stamhoofd",
-        "rendererApi": "renderer.stamhoofd",
-        "webshopCname": "shop.stamhoofd"
-    },
-    "translationNamespace": "stamhoofd",
-    "platformName": "stamhoofd",
-    "userMode": "organization",
-    
-    "PORT": 9091,
-    "DB_HOST": "127.0.0.1",
-    "DB_USER": "",
-    "DB_PASS": "",
-    "DB_DATABASE": "",
-
-    "SMTP_HOST": "0.0.0.0",
-    "SMTP_USERNAME": "username",
-    "SMTP_PASSWORD": "password",
-    "SMTP_PORT": 1025,
-
-    "TRANSACTIONAL_SMTP_HOST": "0.0.0.0",
-    "TRANSACTIONAL_SMTP_USERNAME": "username",
-    "TRANSACTIONAL_SMTP_PASSWORD": "password",
-    "TRANSACTIONAL_SMTP_PORT": 1025,
-
-    "AWS_ACCESS_KEY_ID": "",
-    "AWS_SECRET_ACCESS_KEY": "",
-    "AWS_REGION": "",
-
-    "SPACES_ENDPOINT": "",
-    "SPACES_BUCKET": "",
-    "SPACES_KEY": "",
-    "SPACES_SECRET": "",
-
-    "MOLLIE_CLIENT_ID": "",
-    "MOLLIE_SECRET": "",
-    "MOLLIE_API_KEY": "",
-    "MOLLIE_ORGANIZATION_TOKEN": "",
-
-    "LATEST_IOS_VERSION": 0,
-    "LATEST_ANDROID_VERSION": 0,
-
-    "NOLT_SSO_SECRET_KEY": "optional",
-    "INTERNAL_SECRET_KEY": "",
-    "CRONS_DISABLED": false,
-    "WHITELISTED_EMAIL_DESTINATIONS": ["*"],
-    "CACHE_PATH": "<fill in a safe path exlusive for Stamhoofd to store cached files>"
-}