npm - nodebb-plugin-calendar-onekite - Versions diffs - 2.1.2 → 10.0.11 - Mend

nodebb-plugin-calendar-onekite 2.1.2 → 10.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/language/en-GB/calendar-onekite.json +4 -0
package/library.js +479 -741
package/package.json +4 -17
package/plugin.json +22 -18
package/public/css/calendar-onekite.css +14 -0
package/public/js/admin/calendar-onekite-admin.js +81 -0
package/public/js/calendar-onekite.js +186 -0
package/templates/admin/plugins/calendar-onekite.tpl +104 -65
package/templates/calendar-onekite/calendar.tpl +18 -0
package/.drone.yml +0 -62
package/README.md +0 -28
package/helloasso.js +0 -129
package/static/css/calendar-onekite.css +0 -4
package/static/js/admin-planning.bundle.js +0 -26
package/static/js/admin-planning.js +0 -133
package/static/js/admin.bundle.js +0 -26
package/static/js/admin.js +0 -193
package/static/js/calendar-my-reservations.js +0 -55
package/static/js/calendar.bundle.js +0 -63
package/static/js/calendar.js +0 -454
package/static/js/my-reservations.bundle.js +0 -42
package/templates/admin/calendar-planning.tpl +0 -33
package/templates/calendar-my-reservations.tpl +0 -31
package/templates/calendar.tpl +0 -104
package/templates/emails/calendar-payment-confirmed.tpl +0 -1
package/templates/emails/calendar-reservation-approved.tpl +0 -1
package/templates/emails/calendar-reservation-created.tpl +0 -1
package/templates/widgets/calendar-upcoming.tpl +0 -14

package/library.js CHANGED Viewed

@@ -1,846 +1,584 @@
 'use strict';
+const axios = require('axios');
 const db = require.main.require('./src/database');
-const user = require.main.require('./src/user');
 const meta = require.main.require('./src/meta');
+const user = require.main.require('./src/user');
+const groups = require.main.require('./src/groups');
 const emailer = require.main.require('./src/emailer');
+const helpers = require.main.require('./src/controllers/helpers');
+const privileges = require.main.require('./src/privileges');
-const Settings = meta.settings;
-const helloAsso = require('./helloasso');
-const Plugin = {};
-let appRef = null;
-const SETTINGS_KEY = 'calendar-onekite';
-const EVENTS_SET_KEY = 'calendar:events:start';
-const EVENT_KEY_PREFIX = 'calendar:event:';
-function getEventKey(eid) {
-  return EVENT_KEY_PREFIX + eid;
-}
-function mountApiBoth(router, method, path, ...handlers) {
-  const m = String(method).toLowerCase();
-  router[m]('/api' + path, ...handlers);
-  router[m]('/api/v3' + path, ...handlers);
-}
-async function getParsedSettings() {
-  const s = (await Settings.get(SETTINGS_KEY)) || {};
-  const parseJson = (str, fallback) => {
-    try { return JSON.parse(str || ''); } catch { return fallback; }
-  };
-  const locations = parseJson(s.locationsJson, [
-    { id: 'arnaud', name: 'Chez Arnaud' },
-    { id: 'siege', name: 'Siège Onekite' },
-  ]);
+const plugin = {};
-  const inventory = parseJson(s.inventoryJson, [
-    { id: 'wing', name: 'Aile Wing', price: 5, stockByLocation: { arnaud: 1, siege: 0 } },
-  ]);
+const PLUGIN_NS = 'calendar-onekite';
+const RES_PREFIX = `calendar-onekite:reservation`;
+const RES_ZSET_BY_START = `calendar-onekite:reservations:byStart`;
-  return { ...s, locations, inventory };
-}
+let helloassoTokenCache = { token: null, expiresAt: 0 };
+let itemsCache = { items: null, expiresAt: 0 };
-async function nextReservationId() {
-  const rid = await db.incrObjectField('global', 'nextCalendarRid');
-  return String(rid);
+function nowMs() {
+  return Date.now();
 }
-function daysBetween(start, end) {
-  const d1 = new Date(start);
-  const d2 = new Date(end);
-  if (isNaN(d1.getTime()) || isNaN(d2.getTime())) return 1;
-  const t1 = Date.UTC(d1.getFullYear(), d1.getMonth(), d1.getDate());
-  const t2 = Date.UTC(d2.getFullYear(), d2.getMonth(), d2.getDate());
-  const diff = Math.round((t2 - t1) / (1000 * 60 * 60 * 24));
-  return Math.max(1, diff + 1);
+function safeJsonParse(s, fallback) {
+  try { return JSON.parse(s); } catch (e) { return fallback; }
 }
-/* ---------------- Events ---------------- */
-async function createEvent(data, uid) {
-  const eid = await db.incrObjectField('global', 'nextCalendarEid');
-  const key = getEventKey(eid);
-  const now = Date.now();
-  const startTs = Number(new Date(data.start).getTime()) || now;
-  const endTs = Number(new Date(data.end).getTime()) || startTs;
-  const bookingItemIds = Array.isArray(data.bookingItemIds)
-    ? data.bookingItemIds.map(String)
-    : [];
-  const eventObj = {
-    eid: String(eid),
-    title: String(data.title || ''),
-    description: String(data.description || ''),
-    start: new Date(startTs).toISOString(),
-    end: new Date(endTs).toISOString(),
-    allDay: data.allDay ? 1 : 0,
-    location: String(data.location || ''),
-    createdByUid: String(uid || 0),
-    createdAt: String(now),
-    updatedAt: String(now),
-    rsvpYes: '[]',
-    rsvpMaybe: '[]',
-    rsvpNo: '[]',
-    visibility: String(data.visibility || 'public'),
-    bookingEnabled: data.bookingEnabled ? 1 : 0,
-    bookingItems: JSON.stringify(bookingItemIds), // stores IDs only
-    reservations: JSON.stringify([]),
-  };
-  await db.setObject(key, eventObj);
-  await db.sortedSetAdd(EVENTS_SET_KEY, startTs, eid);
-  return eventObj;
+async function getSettings() {
+  const settings = await meta.settings.get(PLUGIN_NS);
+  // defaults
+  settings.enabled = settings.enabled === 'on' || settings.enabled === true;
+  settings.holdMinutes = parseInt(settings.holdMinutes || '60', 10);
+  settings.readerGroups = (settings.readerGroups || '').trim(); // currently unused (calendar page is public; NodeBB category perms cover it)
+  settings.requesterGroups = (settings.requesterGroups || '').trim(); // who can create requests
+  settings.approverGroups = (settings.approverGroups || '').trim(); // who can approve/reject
+  settings.notifyEmails = (settings.notifyEmails || '').trim(); // optional extra comma-separated emails
+  settings.helloassoEnv = (settings.helloassoEnv || 'sandbox').trim(); // sandbox|prod
+  settings.helloassoClientId = (settings.helloassoClientId || '').trim();
+  settings.helloassoClientSecret = (settings.helloassoClientSecret || '').trim();
+  settings.helloassoOrganizationSlug = (settings.helloassoOrganizationSlug || '').trim();
+  settings.helloassoFormType = (settings.helloassoFormType || 'event').trim();
+  settings.helloassoFormSlug = (settings.helloassoFormSlug || '').trim();
+  settings.helloassoBackUrl = (settings.helloassoBackUrl || '').trim();
+  settings.helloassoErrorUrl = (settings.helloassoErrorUrl || '').trim();
+  settings.helloassoReturnUrl = (settings.helloassoReturnUrl || '').trim();
+  settings.itemsCacheMinutes = parseInt(settings.itemsCacheMinutes || '360', 10);
+  return settings;
 }
-async function getEvent(eid) {
-  return db.getObject(getEventKey(eid));
+function apiBase(env) {
+  return env === 'prod' ? 'https://api.helloasso.com' : 'https://api.helloasso-sandbox.com';
 }
-async function updateEvent(eid, data) {
-  const key = getEventKey(eid);
-  const existing = await db.getObject(key);
-  if (!existing) throw new Error('Event not found');
-  const startTs = data.start ? new Date(data.start).getTime() : new Date(existing.start).getTime();
-  const endTs = data.end ? new Date(data.end).getTime() : new Date(existing.end).getTime();
+async function getHelloAssoToken(settings) {
+  const baseUrl = apiBase(settings.helloassoEnv);
+  const cacheOk = helloassoTokenCache.token && helloassoTokenCache.expiresAt > nowMs() + 30_000;
+  if (cacheOk) {
+    return helloassoTokenCache.token;
+  }
+  if (!settings.helloassoClientId || !settings.helloassoClientSecret) {
+    throw new Error('HelloAsso clientId/clientSecret not configured');
+  }
-  const existingIds = (() => {
-    try {
-      const arr = JSON.parse(existing.bookingItems || '[]');
-      return Array.isArray(arr) ? arr.map(String) : [];
-    } catch {
-      return [];
-    }
-  })();
-  const bookingItemIds = Array.isArray(data.bookingItemIds)
-    ? data.bookingItemIds.map(String)
-    : existingIds;
-  const updated = {
-    ...existing,
-    title: data.title !== undefined ? String(data.title) : existing.title,
-    description: data.description !== undefined ? String(data.description) : existing.description,
-    start: new Date(startTs).toISOString(),
-    end: new Date(endTs).toISOString(),
-    allDay: data.allDay !== undefined ? (data.allDay ? 1 : 0) : existing.allDay,
-    location: data.location !== undefined ? String(data.location) : existing.location,
-    visibility: data.visibility !== undefined ? String(data.visibility) : existing.visibility,
-    bookingEnabled: data.bookingEnabled !== undefined ? (data.bookingEnabled ? 1 : 0) : (existing.bookingEnabled || 0),
-    bookingItems: JSON.stringify(bookingItemIds),
-    updatedAt: String(Date.now()),
-  };
+  const url = `${baseUrl}/oauth2/token`;
+  // client_credentials
+  const body = new URLSearchParams({
+    grant_type: 'client_credentials',
+    client_id: settings.helloassoClientId,
+    client_secret: settings.helloassoClientSecret,
+  });
-  await db.setObject(key, updated);
-  await db.sortedSetAdd(EVENTS_SET_KEY, startTs, eid);
-  return updated;
-}
+  const res = await axios.post(url, body.toString(), {
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    timeout: 15_000,
+  });
-async function deleteEvent(eid) {
-  await db.sortedSetRemove(EVENTS_SET_KEY, eid);
-  await db.delete(getEventKey(eid));
+  const token = res.data && res.data.access_token;
+  const expiresIn = (res.data && res.data.expires_in) ? parseInt(res.data.expires_in, 10) : 1800;
+  if (!token) throw new Error('HelloAsso token response missing access_token');
+  helloassoTokenCache = { token, expiresAt: nowMs() + (expiresIn * 1000) };
+  return token;
 }
-async function getEventsBetween(start, end) {
-  const startTs = new Date(start).getTime();
-  const endTs = new Date(end).getTime();
-  const eids = await db.getSortedSetRangeByScore(EVENTS_SET_KEY, 0, -1, startTs, endTs);
-  if (!eids || !eids.length) return [];
+async function fetchItemsFromHelloAsso(settings) {
+  const baseUrl = apiBase(settings.helloassoEnv);
+  const token = await getHelloAssoToken(settings);
-  const keys = eids.map(id => getEventKey(id));
-  const events = await db.getObjects(keys);
-  return (events || []).filter(Boolean);
-}
+  if (!settings.helloassoOrganizationSlug || !settings.helloassoFormType || !settings.helloassoFormSlug) {
+    throw new Error('HelloAsso organizationSlug/formType/formSlug not configured');
+  }
-async function getUpcomingEvents(limit = 5) {
-  const now = Date.now();
-  const eids = await db.getSortedSetRangeByScore(EVENTS_SET_KEY, 0, limit - 1, now, '+inf');
-  if (!eids || !eids.length) return [];
-  const keys = eids.map(id => getEventKey(id));
-  const events = await db.getObjects(keys);
-  return (events || []).filter(Boolean);
+  const url = `${baseUrl}/v5/organizations/${encodeURIComponent(settings.helloassoOrganizationSlug)}/forms/${encodeURIComponent(settings.helloassoFormType)}/${encodeURIComponent(settings.helloassoFormSlug)}/items`;
+  const res = await axios.get(url, {
+    headers: { Authorization: `Bearer ${token}` },
+    timeout: 15_000,
+  });
+  // API returns array of items (docs), sometimes wrapped; we normalize
+  const items = Array.isArray(res.data) ? res.data : (res.data && (res.data.data || res.data.items) ? (res.data.data || res.data.items) : []);
+  return items;
 }
-/* ---------------- Permissions ---------------- */
-async function userCanCreate(uid) {
-  if (!uid || uid === 0) return false;
-  const settings = await Settings.get(SETTINGS_KEY);
-  if (!settings || !settings.allowedGroups) return false;
-  const allowedSet = new Set(
-    settings.allowedGroups.split(',').map(g => g.trim().toLowerCase()).filter(Boolean)
-  );
-  if (!allowedSet.size) return false;
+async function getItems(settings) {
+  const cacheOk = itemsCache.items && itemsCache.expiresAt > nowMs();
+  if (cacheOk) return itemsCache.items;
-  const userGroupsArr = await user.getUserGroups([uid]);
-  const groups = (userGroupsArr[0] || []).map(g => (g.name || '').toLowerCase());
-  return groups.some(g => allowedSet.has(g));
+  const items = await fetchItemsFromHelloAsso(settings);
+  const ttl = Math.max(1, settings.itemsCacheMinutes) * 60_000;
+  itemsCache = { items, expiresAt: nowMs() + ttl };
+  return items;
 }
-async function userCanBook(uid) {
-  if (!uid || uid === 0) return false;
-  const settings = await Settings.get(SETTINGS_KEY);
-  if (!settings || !settings.allowedBookingGroups) return true;
-  const allowedSet = new Set(
-    settings.allowedBookingGroups.split(',').map(g => g.trim().toLowerCase()).filter(Boolean)
-  );
-  if (!allowedSet.size) return true;
-  const userGroupsArr = await user.getUserGroups([uid]);
-  const groups = (userGroupsArr[0] || []).map(g => (g.name || '').toLowerCase());
-  return groups.some(g => allowedSet.has(g));
+function splitGroups(s) {
+  return (s || '')
+    .split(',')
+    .map(x => x.trim())
+    .filter(Boolean);
 }
-/* ---------------- RSVP ---------------- */
-async function setRsvp(eid, uid, status) {
-  const key = getEventKey(eid);
-  const event = await db.getObject(key);
-  if (!event) throw new Error('Event not found');
-  const parseList = (str) => {
-    try { return JSON.parse(str || '[]'); } catch { return []; }
-  };
-  let yes = parseList(event.rsvpYes);
-  let maybe = parseList(event.rsvpMaybe);
-  let no = parseList(event.rsvpNo);
-  const u = String(uid);
-  yes = yes.filter(id => id !== u);
-  maybe = maybe.filter(id => id !== u);
-  no = no.filter(id => id !== u);
-  if (status === 'yes') yes.push(u);
-  if (status === 'maybe') maybe.push(u);
-  if (status === 'no') no.push(u);
-  const updated = {
-    ...event,
-    rsvpYes: JSON.stringify(yes),
-    rsvpMaybe: JSON.stringify(maybe),
-    rsvpNo: JSON.stringify(no),
-    updatedAt: String(Date.now()),
-  };
-  await db.setObject(key, updated);
-  return updated;
+async function isUserInAnyGroup(uid, groupNames) {
+  if (!uid) return false;
+  if (!groupNames || !groupNames.length) return false;
+  for (const g of groupNames) {
+    // allows special names like 'administrators'
+    const isMember = await groups.isMember(uid, g);
+    if (isMember) return true;
+  }
+  return false;
 }
-/* ---------------- Reservations data helpers ---------------- */
-async function getAllReservations() {
-  const eids = await db.getSortedSetRange(EVENTS_SET_KEY, 0, -1);
-  const out = [];
-  for (const eid of eids) {
-    const ev = await getEvent(eid);
-    if (!ev) continue;
-    const resList = (() => {
-      try { return JSON.parse(ev.reservations || '[]'); } catch { return []; }
-    })();
-    for (const r of resList) {
-      out.push({ event: ev, reservation: r });
-    }
+async function assertRequesterPrivileges(req, settings) {
+  if (!req.uid) throw new Error('not-authenticated');
+  const requesterGroups = splitGroups(settings.requesterGroups);
+  if (!requesterGroups.length) {
+    // if not set, fallback: any logged-in user can request
+    return true;
   }
-  return out;
+  const ok = await isUserInAnyGroup(req.uid, requesterGroups);
+  if (!ok) throw new Error('not-allowed');
+  return true;
 }
-/* ---------------- Pricing ---------------- */
+async function assertApproverPrivileges(req, settings) {
+  if (!req.uid) throw new Error('not-authenticated');
+  // admins always ok
+  const isAdmin = await user.isAdministrator(req.uid);
+  if (isAdmin) return true;
-function computePrice(inventoryItem, reservation) {
-  const unit = Number(inventoryItem?.price || 0);
-  const days = Number(reservation.days || 1);
-  return unit * Number(reservation.quantity || 0) * days;
+  const approverGroups = splitGroups(settings.approverGroups);
+  const ok = await isUserInAnyGroup(req.uid, approverGroups);
+  if (!ok) throw new Error('not-allowed');
+  return true;
 }
-/* ---------------- Renderers ---------------- */
-function renderCalendarPage(req, res) { res.render('calendar', { title: 'Calendrier' }); }
-function renderMyReservationsPage(req, res) { res.render('calendar-my-reservations', { title: 'Mes réservations' }); }
-function renderPlanningPage(req, res) { res.render('admin/calendar-planning', { title: 'Planning' }); }
-async function renderAdminPage(req, res) {
-  try {
-    const settings = (await Settings.get(SETTINGS_KEY)) || {};
-    // Provide defaults JSON strings if empty
-    if (!settings.locationsJson) {
-      settings.locationsJson = JSON.stringify([
-        { id: 'arnaud', name: 'Chez Arnaud' },
-        { id: 'siege', name: 'Siège Onekite' },
-      ], null, 2);
-    }
-    if (!settings.inventoryJson) {
-      settings.inventoryJson = JSON.stringify([
-        { id: 'wing', name: 'Aile Wing', price: 5, stockByLocation: { arnaud: 1, siege: 0 } },
-      ], null, 2);
+async function cleanupExpiredPending(settings) {
+  const now = nowMs();
+  // scan upcoming + recent; since we don't have range query in db zset, take last 2000
+  const ids = await db.getSortedSetRevRange(RES_ZSET_BY_START, 0, 2000);
+  if (!ids.length) return;
+  const keys = ids.map(id => `${RES_PREFIX}:${id}`);
+  const objs = await db.getObjects(keys);
+  const toDelete = [];
+  for (const obj of (objs || [])) {
+    if (!obj) continue;
+    if (obj.status === 'pending' && obj.expiresAt && parseInt(obj.expiresAt, 10) < now) {
+      toDelete.push(obj.id);
     }
-    res.render('admin/plugins/calendar-onekite', { title: 'Calendar OneKite', settings });
-  } catch (err) {
-    res.status(500).json({ error: err.message });
   }
-}
+  if (!toDelete.length) return;
-/* ---------------- Admin APIs ---------------- */
-async function adminGetPending(req, res) {
-  try {
-    const result = [];
-    const eids = await db.getSortedSetRange(EVENTS_SET_KEY, 0, -1);
-    for (const eid of eids) {
-      const event = await getEvent(eid);
-      if (!event) continue;
-      const reservations = JSON.parse(event.reservations || '[]');
-      const pending = reservations.filter(r => r.status === 'pending_admin');
-      if (pending.length) result.push({ event, reservations: pending });
-    }
-    res.json(result);
-  } catch (err) {
-    res.status(500).json({ error: err.message });
-  }
+  await Promise.all(toDelete.map(async (id) => {
+    await db.delete(`${RES_PREFIX}:${id}`);
+    await db.sortedSetRemove(RES_ZSET_BY_START, id);
+  }));
 }
-async function adminSaveSettings(req, res) {
-  try {
-    await Settings.set(SETTINGS_KEY, req.body);
-    res.json({ status: 'ok' });
-  } catch (err) {
-    res.status(500).json({ error: err.message });
-  }
+async function nextReservationId() {
+  const n = await db.incrObjectField(`calendar-onekite:ids`, 'reservation');
+  return String(n);
 }
-async function adminValidateReservation(req, res) {
-  try {
-    const rid = req.params.rid;
-    const all = await getAllReservations();
-    let target = null;
-    for (const row of all) {
-      if (String(row.reservation.rid) === String(rid)) { target = row; break; }
-    }
-    if (!target) return res.status(404).json({ error: 'Réservation introuvable' });
-    const { event } = target;
-    const reservation = target.reservation;
-    if (reservation.status !== 'pending_admin') return res.status(400).json({ error: 'Réservation déjà traitée' });
-    reservation.status = 'awaiting_payment';
-    const resList = JSON.parse(event.reservations || '[]');
-    const idx = resList.findIndex(r => String(r.rid) === String(rid));
-    resList[idx] = reservation;
-    event.reservations = JSON.stringify(resList);
-    await db.setObject(getEventKey(event.eid), event);
-    const settings = await getParsedSettings();
-    const invItem = settings.inventory.find(i => String(i.id) === String(reservation.itemId));
-    const amount = computePrice(invItem, reservation);
-    const checkoutUrl = await helloAsso.createHelloAssoCheckoutIntent({
-      eid: reservation.eid,
-      rid,
-      uid: reservation.uid,
-      itemId: reservation.itemId,
-      quantity: reservation.quantity,
-      amount,
-    });
-    try {
-      await emailer.send('calendar-reservation-approved', reservation.uid, {
-        subject: 'Votre réservation a été validée',
-        eventTitle: event.title,
-        itemName: invItem?.name || reservation.itemId,
-        quantity: reservation.quantity,
-        checkoutUrl,
-        pickupLocation: reservation.pickupLocationName || reservation.locationId || 'Non précisé',
-        dateStart: reservation.dateStart,
-        dateEnd: reservation.dateEnd,
-        days: reservation.days || 1,
-      });
-    } catch (e) {
-      console.warn('[calendar-onekite] email reservation-approved error:', e.message);
-    }
-    res.json({ success: true, checkoutUrl });
-  } catch (err) {
-    res.status(500).json({ error: err.message });
-  }
+async function reservationToEvent(obj) {
+  const status = obj.status || 'pending';
+  const icon = status === 'approved' ? '✅' : (status === 'rejected' ? '❌' : '⏳');
+  const title = `${icon} ${obj.itemName || 'Matériel'}${obj.requesterName ? ' — ' + obj.requesterName : ''}`;
+  return {
+    id: obj.id,
+    title,
+    start: obj.start,
+    end: obj.end,
+    extendedProps: {
+      status,
+      itemId: obj.itemId,
+      itemName: obj.itemName,
+      requesterUid: obj.uid,
+      requesterName: obj.requesterName,
+      paymentUrl: obj.paymentUrl || '',
+    },
+  };
 }
-async function adminCancelReservation(req, res) {
-  try {
-    const rid = req.params.rid;
-    const eids = await db.getSortedSetRange(EVENTS_SET_KEY, 0, -1);
-    let found = false;
-    for (const eid of eids) {
-      const event = await getEvent(eid);
-      if (!event) continue;
-      const reservations = JSON.parse(event.reservations || '[]');
-      const idx = reservations.findIndex(r => String(r.rid) === String(rid));
-      if (idx !== -1) {
-        reservations[idx].status = 'cancelled';
-        event.reservations = JSON.stringify(reservations);
-        await db.setObject(getEventKey(event.eid), event);
-        found = true;
-        break;
-      }
-    }
+async function getReservationsInRange(startISO, endISO) {
+  // naive: get latest N and filter
+  const ids = await db.getSortedSetRange(RES_ZSET_BY_START, 0, 5000);
+  if (!ids.length) return [];
+  const keys = ids.map(id => `${RES_PREFIX}:${id}`);
+  const objs = await db.getObjects(keys);
-    if (!found) return res.status(404).json({ error: 'Réservation introuvable' });
-    res.json({ success: true });
-  } catch (err) {
-    res.status(500).json({ error: err.message });
-  }
-}
-async function adminGetPlanning(req, res) {
-  try {
-    const settings = await getParsedSettings();
-    const locMap = new Map(settings.locations.map(l => [String(l.id), l.name || l.id]));
-    const invMap = new Map(settings.inventory.map(i => [String(i.id), i.name || i.id]));
-    const all = await getAllReservations();
-    const rows = [];
-    for (const row of all) {
-      const event = row.event;
-      const r = row.reservation;
-      if (!r) continue;
-      if (!['pending_admin', 'awaiting_payment', 'paid'].includes(String(r.status))) continue;
-      rows.push({
-        rid: r.rid,
-        eid: event.eid,
-        eventTitle: event.title,
-        itemId: r.itemId,
-        itemName: invMap.get(String(r.itemId)) || r.itemId,
-        uid: r.uid,
-        quantity: r.quantity,
-        dateStart: r.dateStart,
-        dateEnd: r.dateEnd,
-        days: r.days || daysBetween(r.dateStart, r.dateEnd),
-        status: r.status,
-        locationId: r.locationId,
-        pickupLocation: r.pickupLocationName || locMap.get(String(r.locationId)) || 'Non précisé',
-      });
-    }
+  const start = startISO ? new Date(startISO).getTime() : -Infinity;
+  const end = endISO ? new Date(endISO).getTime() : Infinity;
-    rows.sort((a, b) => new Date(a.dateStart) - new Date(b.dateStart));
-    res.json(rows);
-  } catch (err) {
-    res.status(500).json({ error: err.message });
+  const out = [];
+  for (const obj of (objs || [])) {
+    if (!obj) continue;
+    const s = new Date(obj.start).getTime();
+    const e = new Date(obj.end).getTime();
+    if (isNaN(s) || isNaN(e)) continue;
+    // overlap
+    if (s < end && e > start) out.push(obj);
   }
+  return out;
 }
-/* ---------------- Public APIs ---------------- */
-async function inventoryApi(req, res) {
-  try {
-    const settings = await getParsedSettings();
-    res.json({
-      locations: settings.locations || [],
-      inventory: settings.inventory || [],
-    });
-  } catch (err) {
-    res.status(500).json({ error: err.message });
+async function sendEmailToGroups(settings, subject, html, groupNames) {
+  const all = new Set();
+  for (const g of (groupNames || [])) {
+    const members = await groups.getMembers(g, 0, 2000);
+    (members || []).forEach(m => { if (m && m.uid) all.add(m.uid); });
   }
-}
-async function myReservations(req, res) {
-  try {
-    const uid = String(req.user?.uid || 0);
-    if (!uid || uid === '0') return res.status(403).json({ error: 'Non connecté' });
-    const settings = await getParsedSettings();
-    const locMap = new Map(settings.locations.map(l => [String(l.id), l.name || l.id]));
-    const invMap = new Map(settings.inventory.map(i => [String(i.id), i.name || i.id]));
-    const eids = await db.getSortedSetRange(EVENTS_SET_KEY, 0, -1);
-    const result = [];
-    for (const eid of eids) {
-      const event = await getEvent(eid);
-      if (!event) continue;
-      const reservations = JSON.parse(event.reservations || '[]');
-      reservations
-        .filter(r => String(r.uid) === uid)
-        .forEach(r => {
-          result.push({
-            ...r,
-            eventTitle: event.title,
-            itemName: invMap.get(String(r.itemId)) || r.itemId,
-            pickupLocation: r.pickupLocationName || locMap.get(String(r.locationId)) || '',
-          });
-        });
+  // Also allow extra direct emails (optional)
+  const extraEmails = (settings.notifyEmails || '').split(',').map(s => s.trim()).filter(Boolean);
+  const uids = Array.from(all);
+  // Send to uids
+  await Promise.all(uids.map(async (uid) => {
+    const u = await user.getUserFields(uid, ['email', 'username']);
+    if (u && u.email) {
+      await emailer.send('default', u.email, subject, html);
     }
+  }));
-    result.sort((a, b) => new Date(a.dateStart) - new Date(b.dateStart));
-    res.json(result);
-  } catch (err) {
-    res.status(500).json({ error: err.message });
-  }
+  // Send to extra emails
+  await Promise.all(extraEmails.map(async (mail) => {
+    await emailer.send('default', mail, subject, html);
+  }));
 }
-async function bookReservation(req, res) {
-  try {
-    const uid = req.user?.uid || 0;
-    const eid = req.params.eid;
-    const { itemId, quantity, dateStart, dateEnd, locationId } = req.body;
-    if (!await userCanBook(uid)) {
-      return res.status(403).json({ error: 'Vous n’êtes pas autorisé à réserver du matériel.' });
-    }
-    if (!dateStart || !dateEnd || !itemId || !locationId) {
-      return res.status(400).json({ error: 'itemId, locationId, dateStart, dateEnd obligatoires.' });
-    }
-    if (String(dateEnd) < String(dateStart)) {
-      return res.status(400).json({ error: 'La date de fin doit être ≥ la date de début.' });
-    }
-    const settings = await getParsedSettings();
-    const loc = settings.locations.find(l => String(l.id) === String(locationId));
-    if (!loc) return res.status(400).json({ error: 'Lieu invalide.' });
-    const invItem = settings.inventory.find(i => String(i.id) === String(itemId));
-    if (!invItem) return res.status(400).json({ error: 'Matériel invalide.' });
+async function createCheckoutIntent(settings, reservationObj, amountCents) {
+  const baseUrl = apiBase(settings.helloassoEnv);
+  const token = await getHelloAssoToken(settings);
+  if (!settings.helloassoOrganizationSlug) throw new Error('HelloAsso organizationSlug missing');
+  const url = `${baseUrl}/v5/organizations/${encodeURIComponent(settings.helloassoOrganizationSlug)}/checkout-intents`;
+  const requester = await user.getUserFields(reservationObj.uid, ['username', 'fullname', 'email']);
+  const payerName = (requester && (requester.fullname || requester.username) || '').trim();
+  const parts = payerName.split(/\s+/).filter(Boolean);
+  const firstName = parts[0] || 'User';
+  const lastName = parts.slice(1).join(' ') || 'NodeBB';
+  // Required by HelloAsso: totalAmount, initialAmount, itemName, backUrl, errorUrl, returnUrl, containsDonation (bool)
+  const body = {
+    totalAmount: amountCents,
+    initialAmount: amountCents,
+    itemName: reservationObj.itemName || 'Reservation',
+    backUrl: settings.helloassoBackUrl || settings.helloassoReturnUrl || settings.helloassoErrorUrl,
+    errorUrl: settings.helloassoErrorUrl || settings.helloassoReturnUrl || settings.helloassoBackUrl,
+    returnUrl: settings.helloassoReturnUrl || settings.helloassoBackUrl || settings.helloassoErrorUrl,
+    containsDonation: false,
+    payer: {
+      firstName,
+      lastName,
+      email: (requester && requester.email) || undefined,
+    },
+    metadata: {
+      plugin: 'calendar-onekite',
+      reservationId: reservationObj.id,
+      uid: reservationObj.uid,
+      itemId: reservationObj.itemId,
+      start: reservationObj.start,
+      end: reservationObj.end,
+    },
+  };
-    const stockTotal = Number(invItem.stockByLocation?.[String(locationId)] || 0);
-    if (stockTotal <= 0) return res.status(400).json({ error: 'Stock indisponible sur ce lieu.' });
+  const res = await axios.post(url, body, {
+    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
+    timeout: 15_000,
+  });
-    const q = Number(quantity);
-    if (!q || q <= 0) return res.status(400).json({ error: 'Quantité invalide' });
+  // docs: returns checkoutIntentId and redirectUrl (naming may vary)
+  const data = res.data || {};
+  const redirectUrl = data.redirectUrl || data.url || data.redirectURL || '';
+  const checkoutIntentId = data.checkoutIntentId || data.id || data.checkoutIntentID || '';
+  return { redirectUrl, checkoutIntentId, raw: data };
+}
-    const event = await getEvent(eid);
-    if (!event) return res.status(404).json({ error: 'Événement introuvable' });
-    if (!Number(event.bookingEnabled)) return res.status(400).json({ error: 'Réservation désactivée' });
+plugin.init = async function (params) {
+  const { router, middleware } = params;
+  const settings = await getSettings();
-    // Ensure item is allowed for this event
-    const allowedIds = (() => {
-      try {
-        const arr = JSON.parse(event.bookingItems || '[]');
-        return Array.isArray(arr) ? arr.map(String) : [];
-      } catch {
-        return [];
-      }
-    })();
-    if (!allowedIds.includes(String(itemId))) {
-      return res.status(400).json({ error: 'Ce matériel n’est pas autorisé pour cet événement.' });
+  // Page route: /calendar
+  router.get('/calendar', middleware.buildHeader, async (req, res) => {
+    if (!settings.enabled) {
+      return res.status(404).send('Calendar plugin disabled');
     }
+    const isLoggedIn = !!req.uid;
+    res.render('calendar-onekite/calendar', {
+      title: 'Calendrier',
+      isLoggedIn,
+      uid: req.uid || 0,
+    });
+  });
-    // Global availability: check overlaps across all events reservations (same itemId + locationId)
-    const all = await getAllReservations();
-    const overlapping = all
-      .map(x => x.reservation)
-      .filter(r => r && String(r.itemId) === String(itemId))
-      .filter(r => String(r.locationId) === String(locationId))
-      .filter(r => String(r.status) !== 'cancelled')
-      .filter(r => {
-        const startR = new Date(r.dateStart);
-        const endR = new Date(r.dateEnd);
-        const startN = new Date(dateStart);
-        const endN = new Date(dateEnd);
-        return !(endN < startR || startN > endR);
-      });
+  // API: events
+  router.get('/api/calendar-onekite/events', async (req, res) => {
+    try {
+      const s = await getSettings();
+      if (!s.enabled) return res.json({ events: [] });
-    const used = overlapping.reduce((sum, r) => sum + Number(r.quantity || 0), 0);
-    const available = stockTotal - used;
-    if (q > available) return res.status(400).json({ error: `Stock insuffisant sur ce lieu (dispo: ${available}).` });
-    const rid = await nextReservationId();
-    const nbDays = daysBetween(dateStart, dateEnd);
-    const reservation = {
-      rid,
-      eid: String(eid),
-      uid: String(uid),
-      itemId: String(itemId),
-      locationId: String(locationId),
-      pickupLocationName: String(loc.name || loc.id),
-      quantity: q,
-      dateStart,
-      dateEnd,
-      days: nbDays,
-      status: 'pending_admin',
-      helloAssoOrderId: null,
-      createdAt: Date.now(),
-    };
-    const resList = JSON.parse(event.reservations || '[]');
-    resList.push(reservation);
-    event.reservations = JSON.stringify(resList);
-    await db.setObject(getEventKey(eid), event);
+      await cleanupExpiredPending(s);
-    try {
-      await emailer.send('calendar-reservation-created', uid, {
-        subject: 'Votre demande de réservation a été envoyée',
-        eventTitle: event.title,
-        item: invItem.name || invItem.id,
-        quantity: reservation.quantity,
-        dateStart,
-        dateEnd,
-        days: nbDays,
-        pickupLocation: reservation.pickupLocationName,
-      });
+      const start = req.query.start;
+      const end = req.query.end;
+      const objs = await getReservationsInRange(start, end);
+      const events = await Promise.all(objs.map(reservationToEvent));
+      res.json({ events });
     } catch (e) {
-      console.warn('[calendar-onekite] email reservation-created error:', e.message);
+      res.status(500).json({ error: e.message });
     }
+  });
-    res.json({
-      success: true,
-      status: 'pending_admin',
-      message: 'Votre demande de réservation a été envoyée. Elle doit être validée par un administrateur.',
-    });
-  } catch (err) {
-    res.status(500).json({ error: err.message });
-  }
-}
-/* ---------------- HelloAsso webhook ---------------- */
-async function helloAssoWebhook(req, res) {
-  try {
-    const payload = req.body;
-    const order = payload.order || payload;
-    const orderId = String(order.id || '');
-    const state = order.state || order.status || '';
-    if (state !== 'Paid') return res.json({ ignored: true });
-    const custom = order.metadata || order.customFields || {};
-    const eid = String(custom.eid || '');
-    const rid = String(custom.rid || '');
-    if (!eid || !rid) return res.status(400).json({ error: 'Missing eid/rid in metadata' });
-    const event = await getEvent(eid);
-    if (!event) throw new Error('Event not found');
-    const reservations = JSON.parse(event.reservations || '[]');
-    const idx = reservations.findIndex(r => String(r.rid) === String(rid));
-    if (idx === -1) throw new Error('Reservation not found');
-    const reservation = reservations[idx];
-    if (reservation.status === 'paid') return res.json({ ok: true });
-    reservation.status = 'paid';
-    reservation.helloAssoOrderId = orderId;
-    reservations[idx] = reservation;
-    event.reservations = JSON.stringify(reservations);
-    await db.setObject(getEventKey(eid), event);
-    const settings = await getParsedSettings();
-    const invItem = settings.inventory.find(i => String(i.id) === String(reservation.itemId));
+  // API: items
+  router.get('/api/calendar-onekite/items', async (req, res) => {
     try {
-      await emailer.send('calendar-payment-confirmed', reservation.uid, {
-        subject: 'Votre paiement a été confirmé',
-        eventTitle: event.title,
-        itemName: invItem?.name || reservation.itemId,
-        quantity: reservation.quantity,
-        pickupLocation: reservation.pickupLocationName || reservation.locationId || 'Non précisé',
-        dateStart: reservation.dateStart,
-        dateEnd: reservation.dateEnd,
-        days: reservation.days || 1,
-      });
+      const s = await getSettings();
+      if (!s.enabled) return res.json({ items: [] });
+      const items = await getItems(s);
+      res.json({ items });
     } catch (e) {
-      console.warn('[calendar-onekite] email payment-confirmed error:', e.message);
+      res.status(500).json({ error: e.message });
     }
-    res.json({ ok: true });
-  } catch (err) {
-    console.error('[calendar-onekite] HelloAsso webhook error:', err);
-    res.status(500).json({ error: err.message });
-  }
-}
-/* ---------------- Widget ---------------- */
-Plugin.defineWidgets = async function (widgets) {
-  widgets.push({
-    widget: 'calendarUpcoming',
-    name: 'Prochains événements',
-    description: 'Affiche la liste des prochains événements du calendrier.',
-    content: '',
   });
-  return widgets;
-};
-Plugin.renderUpcomingWidget = async function (widget, callback) {
-  try {
-    const settings = (await Settings.get(SETTINGS_KEY)) || {};
-    const limit = Number(widget?.data?.limit || settings.limit || 5);
-    const events = await getUpcomingEvents(limit);
-    const html = await appRef.renderAsync('widgets/calendar-upcoming', { events });
-    widget.html = html;
-    if (typeof callback === 'function') return callback(null, widget);
-    return widget;
-  } catch (err) {
-    if (typeof callback === 'function') return callback(err);
-    throw err;
-  }
-};
-Plugin.addAdminNavigation = function (header) {
-  header.plugins.push({
-    route: '/plugins/calendar-onekite',
-    icon: 'fa fa-calendar',
-    name: 'Calendar OneKite',
-  });
-  return header;
-};
-/* ---------------- Init ---------------- */
-Plugin.init = async function (params) {
-  const { router, middleware } = params;
-  appRef = params.app;
-  // Pages
-  router.get('/calendar', middleware.buildHeader, (req, res) => res.render('calendar', { title: 'Calendrier' }));
-  router.get('/calendar/my-reservations', middleware.buildHeader, (req, res) => res.render('calendar-my-reservations', { title: 'Mes réservations' }));
-  router.get('/admin/calendar/planning', middleware.admin.buildHeader, (req, res) => res.render('admin/calendar-planning', { title: 'Planning' }));
-  router.get('/admin/plugins/calendar-onekite', middleware.admin.buildHeader, renderAdminPage);
+  // API: create reservation (pending)
+  router.post('/api/calendar-onekite/reservations', middleware.authenticate, async (req, res) => {
+    try {
+      const s = await getSettings();
+      await assertRequesterPrivileges(req, s);
-  // Admin page (ajaxify)
-  mountApiBoth(router, 'get', '/admin/plugins/calendar-onekite', middleware.admin.checkPrivileges, renderAdminPage);
+      const { itemId, itemName, start, end, priceCents } = req.body || {};
+      if (!itemId || !itemName || !start || !end) {
+        return res.status(400).json({ error: 'missing-fields' });
+      }
-  // Settings save
-  mountApiBoth(router, 'put', '/admin/plugins/calendar-onekite', middleware.admin.checkPrivileges, adminSaveSettings);
+      const startMs = new Date(start).getTime();
+      const endMs = new Date(end).getTime();
+      if (!isFinite(startMs) || !isFinite(endMs) || endMs <= startMs) {
+        return res.status(400).json({ error: 'invalid-dates' });
+      }
-  // Admin APIs
-  mountApiBoth(router, 'get', '/admin/calendar/pending', middleware.admin.checkPrivileges, adminGetPending);
-  mountApiBoth(router, 'post', '/admin/calendar/reservation/:rid/validate', middleware.admin.checkPrivileges, adminValidateReservation);
-  mountApiBoth(router, 'post', '/admin/calendar/reservation/:rid/cancel', middleware.admin.checkPrivileges, adminCancelReservation);
-  mountApiBoth(router, 'get', '/admin/calendar/planning', middleware.admin.checkPrivileges, adminGetPlanning);
+      // Check overlap with approved OR pending (not expired) for same item
+      await cleanupExpiredPending(s);
+      const rangeObjs = await getReservationsInRange(new Date(startMs - 365*24*3600*1000).toISOString(), new Date(endMs + 365*24*3600*1000).toISOString());
+      const overlap = rangeObjs.some(o => {
+        if (!o) return false;
+        if (o.itemId !== String(itemId)) return false;
+        if (o.status !== 'approved' && o.status !== 'pending') return false;
+        const os = new Date(o.start).getTime();
+        const oe = new Date(o.end).getTime();
+        return os < endMs && oe > startMs;
+      });
+      if (overlap) {
+        return res.status(409).json({ error: 'overlap' });
+      }
-  // Public inventory
-  mountApiBoth(router, 'get', '/calendar/inventory', inventoryApi);
+      const id = await nextReservationId();
+      const requester = await user.getUserFields(req.uid, ['username', 'fullname']);
+      const requesterName = (requester && (requester.fullname || requester.username)) || 'User';
+      const expiresAt = nowMs() + (Math.max(1, s.holdMinutes) * 60_000);
+      const obj = {
+        id,
+        uid: String(req.uid),
+        requesterName,
+        itemId: String(itemId),
+        itemName: String(itemName),
+        start: new Date(startMs).toISOString(),
+        end: new Date(endMs).toISOString(),
+        status: 'pending',
+        createdAt: String(nowMs()),
+        expiresAt: String(expiresAt),
+        priceCents: String(parseInt(priceCents || '0', 10) || 0),
+      };
+      await db.setObject(`${RES_PREFIX}:${id}`, obj);
+      await db.sortedSetAdd(RES_ZSET_BY_START, startMs, id);
+      // Notify approvers
+      const approverGroups = splitGroups(s.approverGroups);
+      if (approverGroups.length) {
+        const subject = `[OneKite] Nouvelle réservation à valider (#${id})`;
+        const html = `
+          <p>Une nouvelle réservation est en attente de validation.</p>
+          <ul>
+            <li>ID: ${id}</li>
+            <li>Matériel: ${obj.itemName}</li>
+            <li>Début: ${obj.start}</li>
+            <li>Fin: ${obj.end}</li>
+            <li>Demandeur: ${requesterName}</li>
+          </ul>
+          <p>Connectez-vous à NodeBB et ouvrez le calendrier pour valider/refuser.</p>
+        `;
+        await sendEmailToGroups(s, subject, html, approverGroups);
+      }
-  // Events list for FullCalendar
-  mountApiBoth(router, 'get', '/calendar/events', async (req, res) => {
-    try {
-      const { start, end } = req.query;
-      if (!start || !end) return res.status(400).json({ error: 'Missing start/end' });
-      const events = await getEventsBetween(start, end);
-      res.json(events);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+      res.json({ reservation: obj });
+    } catch (e) {
+      const status = e.message === 'not-allowed' ? 403 : 500;
+      res.status(status).json({ error: e.message });
     }
   });
-  // Event CRUD
-  mountApiBoth(router, 'post', '/calendar/event', middleware.ensureLoggedIn, async (req, res) => {
+  // API: approve reservation (creates checkout intent, sends payer link)
+  router.post('/api/calendar-onekite/reservations/:id/approve', middleware.authenticate, async (req, res) => {
     try {
-      const uid = req.user?.uid || 0;
-      if (!await userCanCreate(uid)) return res.status(403).json({ error: 'Permission refusée' });
-      const event = await createEvent(req.body, uid);
-      res.json(event);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
-    }
-  });
+      const s = await getSettings();
+      await assertApproverPrivileges(req, s);
+      const id = req.params.id;
+      const key = `${RES_PREFIX}:${id}`;
+      const obj = await db.getObject(key);
+      if (!obj) return res.status(404).json({ error: 'not-found' });
+      if (obj.status !== 'pending') return res.status(400).json({ error: 'not-pending' });
+      // figure amount: from stored priceCents or from items list
+      let amountCents = parseInt(obj.priceCents || '0', 10) || 0;
+      if (!amountCents) {
+        const items = await getItems(s);
+        const match = (items || []).find(it => String(it.id || it.itemId || it.itemID) === String(obj.itemId));
+        // Try common fields for price
+        const price = match && (match.price || match.amount || match.unitPrice || match.totalAmount || match.publicAmount);
+        if (typeof price === 'number') amountCents = price;
+        if (!amountCents && match && match.price && typeof match.price.value === 'number') amountCents = match.price.value;
+      }
+      if (!amountCents) return res.status(400).json({ error: 'missing-amount' });
+      const { redirectUrl, checkoutIntentId } = await createCheckoutIntent(s, obj, amountCents);
+      if (!redirectUrl) return res.status(500).json({ error: 'helloasso-missing-redirectUrl' });
+      obj.status = 'approved';
+      obj.paymentUrl = redirectUrl;
+      obj.checkoutIntentId = checkoutIntentId ? String(checkoutIntentId) : '';
+      obj.approvedAt = String(nowMs());
+      obj.approvedBy = String(req.uid);
+      await db.setObject(key, obj);
+      // notify requester
+      const requester = await user.getUserFields(parseInt(obj.uid, 10), ['email', 'username', 'fullname']);
+      if (requester && requester.email) {
+        const subject = `[OneKite] Réservation validée (#${id}) - Paiement`;
+        const html = `
+          <p>Votre réservation a été validée ✅</p>
+          <ul>
+            <li>Matériel: ${obj.itemName}</li>
+            <li>Début: ${obj.start}</li>
+            <li>Fin: ${obj.end}</li>
+          </ul>
+          <p>Merci d'effectuer le paiement via ce lien :</p>
+          <p><a href="${redirectUrl}">${redirectUrl}</a></p>
+        `;
+        await emailer.send('default', requester.email, subject, html);
+      }
-  mountApiBoth(router, 'put', '/calendar/event/:eid', middleware.ensureLoggedIn, async (req, res) => {
-    try {
-      const uid = req.user?.uid || 0;
-      if (!await userCanCreate(uid)) return res.status(403).json({ error: 'Permission refusée' });
-      const event = await updateEvent(req.params.eid, req.body);
-      res.json(event);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+      res.json({ reservation: obj });
+    } catch (e) {
+      const status = e.message === 'not-allowed' ? 403 : 500;
+      res.status(status).json({ error: e.message });
     }
   });
-  mountApiBoth(router, 'delete', '/calendar/event/:eid', middleware.ensureLoggedIn, async (req, res) => {
+  // API: reject reservation
+  router.post('/api/calendar-onekite/reservations/:id/reject', middleware.authenticate, async (req, res) => {
     try {
-      const uid = req.user?.uid || 0;
-      if (!await userCanCreate(uid)) return res.status(403).json({ error: 'Permission refusée' });
-      await deleteEvent(req.params.eid);
-      res.json({ status: 'ok' });
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+      const s = await getSettings();
+      await assertApproverPrivileges(req, s);
+      const id = req.params.id;
+      const key = `${RES_PREFIX}:${id}`;
+      const obj = await db.getObject(key);
+      if (!obj) return res.status(404).json({ error: 'not-found' });
+      if (obj.status !== 'pending') return res.status(400).json({ error: 'not-pending' });
+      obj.status = 'rejected';
+      obj.rejectedAt = String(nowMs());
+      obj.rejectedBy = String(req.uid);
+      await db.setObject(key, obj);
+      const requester = await user.getUserFields(parseInt(obj.uid, 10), ['email', 'username', 'fullname']);
+      if (requester && requester.email) {
+        const subject = `[OneKite] Réservation refusée (#${id})`;
+        const html = `
+          <p>Votre réservation a été refusée ❌</p>
+          <ul>
+            <li>Matériel: ${obj.itemName}</li>
+            <li>Début: ${obj.start}</li>
+            <li>Fin: ${obj.end}</li>
+          </ul>
+        `;
+        await emailer.send('default', requester.email, subject, html);
+      }
+      res.json({ reservation: obj });
+    } catch (e) {
+      const status = e.message === 'not-allowed' ? 403 : 500;
+      res.status(status).json({ error: e.message });
     }
   });
-  // Event details: enrich with bookingItemIds + resolved items
-  mountApiBoth(router, 'get', '/calendar/event/:eid', async (req, res) => {
-    try {
-      const settings = await getParsedSettings();
-      const invMap = new Map(settings.inventory.map(i => [String(i.id), i]));
+  // Admin API: get/save settings
+  router.get('/api/admin/plugins/calendar-onekite', middleware.authenticate, middleware.adminsOnly, async (req, res) => {
+    const settings = await meta.settings.get(PLUGIN_NS);
+    res.json(settings);
+  });
-      const event = await getEvent(req.params.eid);
-      if (!event) return res.status(404).json({ error: 'Événement introuvable' });
+  router.post('/api/admin/plugins/calendar-onekite', middleware.authenticate, middleware.adminsOnly, async (req, res) => {
+    await meta.settings.set(PLUGIN_NS, req.body);
+    // invalidate caches when settings change
+    helloassoTokenCache = { token: null, expiresAt: 0 };
+    itemsCache = { items: null, expiresAt: 0 };
+    res.json({ ok: true });
+  });
-      const bookingItemIds = (() => {
-        try {
-          const arr = JSON.parse(event.bookingItems || '[]');
-          return Array.isArray(arr) ? arr.map(String) : [];
-        } catch { return []; }
-      })();
+  // Admin API: purge by year
+  router.post('/api/admin/plugins/calendar-onekite/purge', middleware.authenticate, middleware.adminsOnly, async (req, res) => {
+    const year = parseInt((req.body && req.body.year) || '0', 10);
+    if (!year || year < 1970 || year > 3000) return res.status(400).json({ error: 'invalid-year' });
-      const bookingItems = bookingItemIds.map(id => invMap.get(String(id))).filter(Boolean);
+    const ids = await db.getSortedSetRange(RES_ZSET_BY_START, 0, 100000);
+    if (!ids.length) return res.json({ deleted: 0 });
-      const reservations = (() => {
-        try { return JSON.parse(event.reservations || '[]'); } catch { return []; }
-      })();
+    const keys = ids.map(id => `${RES_PREFIX}:${id}`);
+    const objs = await db.getObjects(keys);
-      res.json({ ...event, bookingItemIds, bookingItems, reservations });
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+    const toDelete = [];
+    for (const obj of (objs || [])) {
+      if (!obj) continue;
+      const s = new Date(obj.start).getUTCFullYear();
+      if (s === year) toDelete.push(obj.id);
     }
-  });
+    await Promise.all(toDelete.map(async (id) => {
+      await db.delete(`${RES_PREFIX}:${id}`);
+      await db.sortedSetRemove(RES_ZSET_BY_START, id);
+    }));
-  // RSVP
-  mountApiBoth(router, 'post', '/calendar/event/:eid/rsvp', middleware.ensureLoggedIn, async (req, res) => {
-    try {
-      const uid = req.user?.uid || 0;
-      const status = req.body.status;
-      const updated = await setRsvp(req.params.eid, uid, status);
-      res.json(updated);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
-    }
+    res.json({ deleted: toDelete.length });
   });
+};
-  // Permissions
-  mountApiBoth(router, 'get', '/calendar/permissions/create', async (req, res) => {
-    const uid = req.user?.uid || 0;
-    const allow = await userCanCreate(uid);
-    res.json({ allow });
+plugin.addAdminNavigation = async function (header) {
+  header.plugins.push({
+    route: '/plugins/calendar-onekite',
+    icon: 'fa-calendar',
+    name: 'Calendar OneKite',
   });
+  return header;
+};
-  mountApiBoth(router, 'get', '/calendar/permissions/book', async (req, res) => {
-    const uid = req.user?.uid || 0;
-    const allow = await userCanBook(uid);
-    res.json({ allow });
+plugin.addPageRoute = async function (data) {
+  // ensure /calendar works as "page route" for theme router filter edge cases
+  data.router.get('/calendar', data.middleware.buildHeader, async (req, res) => {
+    res.render('calendar-onekite/calendar', {
+      title: 'Calendrier',
+      isLoggedIn: !!req.uid,
+      uid: req.uid || 0,
+    });
   });
-  // Booking
-  mountApiBoth(router, 'post', '/calendar/event/:eid/book', middleware.ensureLoggedIn, bookReservation);
-  // My reservations
-  mountApiBoth(router, 'get', '/calendar/my-reservations', middleware.ensureLoggedIn, myReservations);
-  // HelloAsso webhook
-  router.post('/api/calendar/helloasso/webhook', helloAssoWebhook);
-  router.post('/api/v3/calendar/helloasso/webhook', helloAssoWebhook);
+  return data;
 };
-module.exports = Plugin;
+module.exports = plugin;