npm - nodebb-plugin-calendar-onekite - Versions diffs - 2.2.0 → 10.0.11 - Mend

nodebb-plugin-calendar-onekite 2.2.0 → 10.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/language/en-GB/calendar-onekite.json +4 -0
package/library.js +466 -740
package/package.json +4 -17
package/plugin.json +22 -18
package/public/css/calendar-onekite.css +14 -0
package/public/js/admin/calendar-onekite-admin.js +81 -0
package/public/js/calendar-onekite.js +186 -0
package/templates/admin/plugins/calendar-onekite.tpl +104 -65
package/templates/calendar-onekite/calendar.tpl +18 -0
package/.drone.yml +0 -62
package/README.md +0 -28
package/helloasso.js +0 -129
package/static/css/calendar-onekite.css +0 -4
package/static/js/admin-planning.bundle.js +0 -26
package/static/js/admin-planning.js +0 -133
package/static/js/admin.bundle.js +0 -26
package/static/js/admin.js +0 -193
package/static/js/calendar-my-reservations.js +0 -55
package/static/js/calendar.bundle.js +0 -63
package/static/js/calendar.js +0 -454
package/static/js/my-reservations.bundle.js +0 -42
package/templates/admin/calendar-planning.tpl +0 -33
package/templates/calendar-my-reservations.tpl +0 -31
package/templates/calendar.tpl +0 -104
package/templates/emails/calendar-payment-confirmed.tpl +0 -1
package/templates/emails/calendar-reservation-approved.tpl +0 -1
package/templates/emails/calendar-reservation-created.tpl +0 -1
package/templates/widgets/calendar-upcoming.tpl +0 -14

package/library.js CHANGED Viewed

@@ -1,858 +1,584 @@
 'use strict';
-/**
- * NodeBB v4 plugin: Calendar OneKite
- * - Events + booking items (with pickupLocation per item)
- * - Multi-day reservations
- * - Admin validation -> HelloAsso checkout link -> payment webhook -> mark paid
- * - Admin planning view + "My reservations" page
- * - Settings:
- *   - Settings key: "calendar-onekite"
- *   - Admin page: /admin/plugins/calendar-onekite
- *   - Admin API:  /api/admin/plugins/calendar-onekite
- *
- * Templates expected:
- * - templates/calendar.tpl
- * - templates/calendar-my-reservations.tpl
- * - templates/admin/plugins/calendar-onekite.tpl
- * - templates/admin/calendar-planning.tpl
- * - templates/widgets/calendar-upcoming.tpl
- * - templates/emails/calendar-reservation-created.tpl
- * - templates/emails/calendar-reservation-approved.tpl
- * - templates/emails/calendar-payment-confirmed.tpl
- */
+const axios = require('axios');
 const db = require.main.require('./src/database');
-const user = require.main.require('./src/user');
 const meta = require.main.require('./src/meta');
+const user = require.main.require('./src/user');
+const groups = require.main.require('./src/groups');
 const emailer = require.main.require('./src/emailer');
-const winston = require.main.require('winston');
+const helpers = require.main.require('./src/controllers/helpers');
+const privileges = require.main.require('./src/privileges');
-const Settings = meta.settings;
-const helloAsso = require('./helloasso');
+const plugin = {};
-const Plugin = {};
-let appRef = null;
+const PLUGIN_NS = 'calendar-onekite';
+const RES_PREFIX = `calendar-onekite:reservation`;
+const RES_ZSET_BY_START = `calendar-onekite:reservations:byStart`;
-const SETTINGS_KEY = 'calendar-onekite';
-const EVENTS_SET_KEY = 'calendar:events:start';
-const EVENT_KEY_PREFIX = 'calendar:event:';
+let helloassoTokenCache = { token: null, expiresAt: 0 };
+let itemsCache = { items: null, expiresAt: 0 };
-function getEventKey(eid) {
-  return EVENT_KEY_PREFIX + eid;
+function nowMs() {
+  return Date.now();
 }
-async function nextReservationId() {
-  const rid = await db.incrObjectField('global', 'nextCalendarRid');
-  return String(rid);
+function safeJsonParse(s, fallback) {
+  try { return JSON.parse(s); } catch (e) { return fallback; }
 }
-// number of days between two yyyy-mm-dd dates (inclusive)
-function daysBetween(start, end) {
-  const d1 = new Date(start);
-  const d2 = new Date(end);
-  if (isNaN(d1.getTime()) || isNaN(d2.getTime())) return 1;
-  const t1 = Date.UTC(d1.getFullYear(), d1.getMonth(), d1.getDate());
-  const t2 = Date.UTC(d2.getFullYear(), d2.getMonth(), d2.getDate());
-  const diff = Math.round((t2 - t1) / (1000 * 60 * 60 * 24));
-  return Math.max(1, diff + 1);
+async function getSettings() {
+  const settings = await meta.settings.get(PLUGIN_NS);
+  // defaults
+  settings.enabled = settings.enabled === 'on' || settings.enabled === true;
+  settings.holdMinutes = parseInt(settings.holdMinutes || '60', 10);
+  settings.readerGroups = (settings.readerGroups || '').trim(); // currently unused (calendar page is public; NodeBB category perms cover it)
+  settings.requesterGroups = (settings.requesterGroups || '').trim(); // who can create requests
+  settings.approverGroups = (settings.approverGroups || '').trim(); // who can approve/reject
+  settings.notifyEmails = (settings.notifyEmails || '').trim(); // optional extra comma-separated emails
+  settings.helloassoEnv = (settings.helloassoEnv || 'sandbox').trim(); // sandbox|prod
+  settings.helloassoClientId = (settings.helloassoClientId || '').trim();
+  settings.helloassoClientSecret = (settings.helloassoClientSecret || '').trim();
+  settings.helloassoOrganizationSlug = (settings.helloassoOrganizationSlug || '').trim();
+  settings.helloassoFormType = (settings.helloassoFormType || 'event').trim();
+  settings.helloassoFormSlug = (settings.helloassoFormSlug || '').trim();
+  settings.helloassoBackUrl = (settings.helloassoBackUrl || '').trim();
+  settings.helloassoErrorUrl = (settings.helloassoErrorUrl || '').trim();
+  settings.helloassoReturnUrl = (settings.helloassoReturnUrl || '').trim();
+  settings.itemsCacheMinutes = parseInt(settings.itemsCacheMinutes || '360', 10);
+  return settings;
 }
-/* -----------------------------
- * Events
- * ---------------------------- */
-async function createEvent(data, uid) {
-  const eid = await db.incrObjectField('global', 'nextCalendarEid');
-  const key = getEventKey(eid);
-  const now = Date.now();
-  const startTs = Number(new Date(data.start).getTime()) || now;
-  const endTs = Number(new Date(data.end).getTime()) || startTs;
-  const bookingItems = Array.isArray(data.bookingItems) ? data.bookingItems : [];
-  const eventObj = {
-    eid: String(eid),
-    title: String(data.title || ''),
-    description: String(data.description || ''),
-    start: new Date(startTs).toISOString(),
-    end: new Date(endTs).toISOString(),
-    allDay: data.allDay ? 1 : 0,
-    location: String(data.location || ''),
-    createdByUid: String(uid || 0),
-    createdAt: String(now),
-    updatedAt: String(now),
-    rsvpYes: '[]',
-    rsvpMaybe: '[]',
-    rsvpNo: '[]',
-    visibility: String(data.visibility || 'public'),
-    bookingEnabled: data.bookingEnabled ? 1 : 0,
-    bookingItems: JSON.stringify(bookingItems),
-    reservations: JSON.stringify([]),
-  };
-  await db.setObject(key, eventObj);
-  await db.sortedSetAdd(EVENTS_SET_KEY, startTs, eid);
-  return eventObj;
+function apiBase(env) {
+  return env === 'prod' ? 'https://api.helloasso.com' : 'https://api.helloasso-sandbox.com';
 }
-async function getEvent(eid) {
-  return db.getObject(getEventKey(eid));
-}
+async function getHelloAssoToken(settings) {
+  const baseUrl = apiBase(settings.helloassoEnv);
+  const cacheOk = helloassoTokenCache.token && helloassoTokenCache.expiresAt > nowMs() + 30_000;
+  if (cacheOk) {
+    return helloassoTokenCache.token;
+  }
+  if (!settings.helloassoClientId || !settings.helloassoClientSecret) {
+    throw new Error('HelloAsso clientId/clientSecret not configured');
+  }
-async function updateEvent(eid, data) {
-  const key = getEventKey(eid);
-  const existing = await db.getObject(key);
-  if (!existing) throw new Error('Event not found');
-  const startTs = data.start ? new Date(data.start).getTime() : new Date(existing.start).getTime();
-  const endTs = data.end ? new Date(data.end).getTime() : new Date(existing.end).getTime();
-  const bookingItems = Array.isArray(data.bookingItems)
-    ? data.bookingItems
-    : JSON.parse(existing.bookingItems || '[]');
-  const updated = {
-    ...existing,
-    title: data.title !== undefined ? String(data.title) : existing.title,
-    description: data.description !== undefined ? String(data.description) : existing.description,
-    start: new Date(startTs).toISOString(),
-    end: new Date(endTs).toISOString(),
-    allDay: data.allDay !== undefined ? (data.allDay ? 1 : 0) : existing.allDay,
-    location: data.location !== undefined ? String(data.location) : existing.location,
-    visibility: data.visibility !== undefined ? String(data.visibility) : existing.visibility,
-    bookingEnabled: data.bookingEnabled !== undefined ? (data.bookingEnabled ? 1 : 0) : (existing.bookingEnabled || 0),
-    bookingItems: JSON.stringify(bookingItems),
-    updatedAt: String(Date.now()),
-  };
+  const url = `${baseUrl}/oauth2/token`;
+  // client_credentials
+  const body = new URLSearchParams({
+    grant_type: 'client_credentials',
+    client_id: settings.helloassoClientId,
+    client_secret: settings.helloassoClientSecret,
+  });
-  await db.setObject(key, updated);
-  await db.sortedSetAdd(EVENTS_SET_KEY, startTs, eid);
-  return updated;
-}
+  const res = await axios.post(url, body.toString(), {
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    timeout: 15_000,
+  });
-async function deleteEvent(eid) {
-  await db.sortedSetRemove(EVENTS_SET_KEY, eid);
-  await db.delete(getEventKey(eid));
+  const token = res.data && res.data.access_token;
+  const expiresIn = (res.data && res.data.expires_in) ? parseInt(res.data.expires_in, 10) : 1800;
+  if (!token) throw new Error('HelloAsso token response missing access_token');
+  helloassoTokenCache = { token, expiresAt: nowMs() + (expiresIn * 1000) };
+  return token;
 }
-async function getEventsBetween(start, end) {
-  const startTs = new Date(start).getTime();
-  const endTs = new Date(end).getTime();
-  const eids = await db.getSortedSetRangeByScore(EVENTS_SET_KEY, 0, -1, startTs, endTs);
-  if (!eids || !eids.length) return [];
+async function fetchItemsFromHelloAsso(settings) {
+  const baseUrl = apiBase(settings.helloassoEnv);
+  const token = await getHelloAssoToken(settings);
-  const keys = eids.map(eid => getEventKey(eid));
-  const events = await db.getObjects(keys);
+  if (!settings.helloassoOrganizationSlug || !settings.helloassoFormType || !settings.helloassoFormSlug) {
+    throw new Error('HelloAsso organizationSlug/formType/formSlug not configured');
+  }
-  return (events || []).filter(Boolean).map(ev => ({
-    ...ev,
-    bookingItems: JSON.parse(ev.bookingItems || '[]'),
-  }));
+  const url = `${baseUrl}/v5/organizations/${encodeURIComponent(settings.helloassoOrganizationSlug)}/forms/${encodeURIComponent(settings.helloassoFormType)}/${encodeURIComponent(settings.helloassoFormSlug)}/items`;
+  const res = await axios.get(url, {
+    headers: { Authorization: `Bearer ${token}` },
+    timeout: 15_000,
+  });
+  // API returns array of items (docs), sometimes wrapped; we normalize
+  const items = Array.isArray(res.data) ? res.data : (res.data && (res.data.data || res.data.items) ? (res.data.data || res.data.items) : []);
+  return items;
 }
-async function getUpcomingEvents(limit = 5) {
-  const now = Date.now();
-  const eids = await db.getSortedSetRangeByScore(EVENTS_SET_KEY, 0, limit - 1, now, '+inf');
-  if (!eids || !eids.length) return [];
+async function getItems(settings) {
+  const cacheOk = itemsCache.items && itemsCache.expiresAt > nowMs();
+  if (cacheOk) return itemsCache.items;
-  const keys = eids.map(eid => getEventKey(eid));
-  const events = await db.getObjects(keys);
-  return (events || []).filter(Boolean);
+  const items = await fetchItemsFromHelloAsso(settings);
+  const ttl = Math.max(1, settings.itemsCacheMinutes) * 60_000;
+  itemsCache = { items, expiresAt: nowMs() + ttl };
+  return items;
 }
-/* -----------------------------
- * Permissions
- * ---------------------------- */
-async function userCanCreate(uid) {
-  if (!uid || uid === 0) return false;
-  const settings = await Settings.get(SETTINGS_KEY);
-  if (!settings || !settings.allowedGroups) return false;
-  const allowedSet = new Set(
-    settings.allowedGroups
-      .split(',')
-      .map(g => g.trim().toLowerCase())
-      .filter(Boolean)
-  );
-  if (!allowedSet.size) return false;
-  const userGroupsArr = await user.getUserGroups([uid]);
-  const groups = (userGroupsArr[0] || []).map(g => (g.name || '').toLowerCase());
-  return groups.some(g => allowedSet.has(g));
+function splitGroups(s) {
+  return (s || '')
+    .split(',')
+    .map(x => x.trim())
+    .filter(Boolean);
 }
-async function userCanBook(uid) {
-  if (!uid || uid === 0) return false;
-  const settings = await Settings.get(SETTINGS_KEY);
-  // if not configured -> allow any logged-in user
-  if (!settings || !settings.allowedBookingGroups) return true;
-  const allowedSet = new Set(
-    settings.allowedBookingGroups
-      .split(',')
-      .map(g => g.trim().toLowerCase())
-      .filter(Boolean)
-  );
-  if (!allowedSet.size) return true;
-  const userGroupsArr = await user.getUserGroups([uid]);
-  const groups = (userGroupsArr[0] || []).map(g => (g.name || '').toLowerCase());
-  return groups.some(g => allowedSet.has(g));
+async function isUserInAnyGroup(uid, groupNames) {
+  if (!uid) return false;
+  if (!groupNames || !groupNames.length) return false;
+  for (const g of groupNames) {
+    // allows special names like 'administrators'
+    const isMember = await groups.isMember(uid, g);
+    if (isMember) return true;
+  }
+  return false;
 }
-/* -----------------------------
- * RSVP
- * ---------------------------- */
-async function setRsvp(eid, uid, status) {
-  const key = getEventKey(eid);
-  const event = await db.getObject(key);
-  if (!event) throw new Error('Event not found');
-  const parseList = (str) => {
-    try { return JSON.parse(str || '[]'); } catch (e) { return []; }
-  };
-  let yes = parseList(event.rsvpYes);
-  let maybe = parseList(event.rsvpMaybe);
-  let no = parseList(event.rsvpNo);
-  const u = String(uid);
-  yes = yes.filter(id => id !== u);
-  maybe = maybe.filter(id => id !== u);
-  no = no.filter(id => id !== u);
-  if (status === 'yes') yes.push(u);
-  if (status === 'maybe') maybe.push(u);
-  if (status === 'no') no.push(u);
-  const updated = {
-    ...event,
-    rsvpYes: JSON.stringify(yes),
-    rsvpMaybe: JSON.stringify(maybe),
-    rsvpNo: JSON.stringify(no),
-    updatedAt: String(Date.now()),
-  };
-  await db.setObject(key, updated);
-  return updated;
+async function assertRequesterPrivileges(req, settings) {
+  if (!req.uid) throw new Error('not-authenticated');
+  const requesterGroups = splitGroups(settings.requesterGroups);
+  if (!requesterGroups.length) {
+    // if not set, fallback: any logged-in user can request
+    return true;
+  }
+  const ok = await isUserInAnyGroup(req.uid, requesterGroups);
+  if (!ok) throw new Error('not-allowed');
+  return true;
 }
-/* -----------------------------
- * Pricing
- * ---------------------------- */
-function computePrice(event, reservation) {
-  const items = JSON.parse(event.bookingItems || '[]');
-  const item = items.find(i => i.id === reservation.itemId);
-  if (!item) return 0;
+async function assertApproverPrivileges(req, settings) {
+  if (!req.uid) throw new Error('not-authenticated');
+  // admins always ok
+  const isAdmin = await user.isAdministrator(req.uid);
+  if (isAdmin) return true;
-  const unit = Number(item.price || 0);
-  const days = Number(reservation.days || 1);
-  return unit * Number(reservation.quantity || 0) * days;
+  const approverGroups = splitGroups(settings.approverGroups);
+  const ok = await isUserInAnyGroup(req.uid, approverGroups);
+  if (!ok) throw new Error('not-allowed');
+  return true;
 }
-/* -----------------------------
- * Renderers (pages)
- * ---------------------------- */
+async function cleanupExpiredPending(settings) {
+  const now = nowMs();
+  // scan upcoming + recent; since we don't have range query in db zset, take last 2000
+  const ids = await db.getSortedSetRevRange(RES_ZSET_BY_START, 0, 2000);
+  if (!ids.length) return;
+  const keys = ids.map(id => `${RES_PREFIX}:${id}`);
+  const objs = await db.getObjects(keys);
+  const toDelete = [];
+  for (const obj of (objs || [])) {
+    if (!obj) continue;
+    if (obj.status === 'pending' && obj.expiresAt && parseInt(obj.expiresAt, 10) < now) {
+      toDelete.push(obj.id);
+    }
+  }
+  if (!toDelete.length) return;
-function renderCalendarPage(req, res) {
-  res.render('calendar', { title: 'Calendrier' });
+  await Promise.all(toDelete.map(async (id) => {
+    await db.delete(`${RES_PREFIX}:${id}`);
+    await db.sortedSetRemove(RES_ZSET_BY_START, id);
+  }));
 }
-function renderMyReservationsPage(req, res) {
-  res.render('calendar-my-reservations', { title: 'Mes réservations' });
+async function nextReservationId() {
+  const n = await db.incrObjectField(`calendar-onekite:ids`, 'reservation');
+  return String(n);
 }
-function renderPlanningPage(req, res) {
-  res.render('admin/calendar-planning', { title: 'Planning des réservations' });
+async function reservationToEvent(obj) {
+  const status = obj.status || 'pending';
+  const icon = status === 'approved' ? '✅' : (status === 'rejected' ? '❌' : '⏳');
+  const title = `${icon} ${obj.itemName || 'Matériel'}${obj.requesterName ? ' — ' + obj.requesterName : ''}`;
+  return {
+    id: obj.id,
+    title,
+    start: obj.start,
+    end: obj.end,
+    extendedProps: {
+      status,
+      itemId: obj.itemId,
+      itemName: obj.itemName,
+      requesterUid: obj.uid,
+      requesterName: obj.requesterName,
+      paymentUrl: obj.paymentUrl || '',
+    },
+  };
 }
-async function renderAdminPage(req, res) {
-  try {
-    const settings = (await Settings.get(SETTINGS_KEY)) || {};
-    res.render('admin/plugins/calendar-onekite', {
-      title: 'Calendar OneKite',
-      settings,
-    });
-  } catch (err) {
-    if (req.path && req.path.startsWith('/api/')) {
-      return winston.error(`[calendar-onekite] ${err.stack || err.message}`);
-    res.status(500).json({ error: err.message });
-    }
-    res.status(500).send(err.message);
+async function getReservationsInRange(startISO, endISO) {
+  // naive: get latest N and filter
+  const ids = await db.getSortedSetRange(RES_ZSET_BY_START, 0, 5000);
+  if (!ids.length) return [];
+  const keys = ids.map(id => `${RES_PREFIX}:${id}`);
+  const objs = await db.getObjects(keys);
+  const start = startISO ? new Date(startISO).getTime() : -Infinity;
+  const end = endISO ? new Date(endISO).getTime() : Infinity;
+  const out = [];
+  for (const obj of (objs || [])) {
+    if (!obj) continue;
+    const s = new Date(obj.start).getTime();
+    const e = new Date(obj.end).getTime();
+    if (isNaN(s) || isNaN(e)) continue;
+    // overlap
+    if (s < end && e > start) out.push(obj);
   }
+  return out;
 }
-/* -----------------------------
- * Plugin init
- * ---------------------------- */
-Plugin.init = async function (params) {
-  const { router, middleware } = params;
-  appRef = params.app;
-  // Public pages
-  router.get('/calendar', middleware.buildHeader, renderCalendarPage);
-  router.get('/api/calendar', renderCalendarPage);
-  router.get('/calendar/my-reservations', middleware.buildHeader, renderMyReservationsPage);
-  router.get('/api/calendar/my-reservations/page', renderMyReservationsPage);
+async function sendEmailToGroups(settings, subject, html, groupNames) {
+  const all = new Set();
+  for (const g of (groupNames || [])) {
+    const members = await groups.getMembers(g, 0, 2000);
+    (members || []).forEach(m => { if (m && m.uid) all.add(m.uid); });
+  }
+  // Also allow extra direct emails (optional)
+  const extraEmails = (settings.notifyEmails || '').split(',').map(s => s.trim()).filter(Boolean);
+  const uids = Array.from(all);
+  // Send to uids
+  await Promise.all(uids.map(async (uid) => {
+    const u = await user.getUserFields(uid, ['email', 'username']);
+    if (u && u.email) {
+      await emailer.send('default', u.email, subject, html);
+    }
+  }));
-  // Admin planning page
-  router.get('/admin/calendar/planning', middleware.admin.buildHeader, renderPlanningPage);
-  router.get('/api/admin/calendar/planning/page', renderPlanningPage);
+  // Send to extra emails
+  await Promise.all(extraEmails.map(async (mail) => {
+    await emailer.send('default', mail, subject, html);
+  }));
+}
-  /* -----------------------------
-   * Events API
-   * ---------------------------- */
+async function createCheckoutIntent(settings, reservationObj, amountCents) {
+  const baseUrl = apiBase(settings.helloassoEnv);
+  const token = await getHelloAssoToken(settings);
+  if (!settings.helloassoOrganizationSlug) throw new Error('HelloAsso organizationSlug missing');
+  const url = `${baseUrl}/v5/organizations/${encodeURIComponent(settings.helloassoOrganizationSlug)}/checkout-intents`;
+  const requester = await user.getUserFields(reservationObj.uid, ['username', 'fullname', 'email']);
+  const payerName = (requester && (requester.fullname || requester.username) || '').trim();
+  const parts = payerName.split(/\s+/).filter(Boolean);
+  const firstName = parts[0] || 'User';
+  const lastName = parts.slice(1).join(' ') || 'NodeBB';
+  // Required by HelloAsso: totalAmount, initialAmount, itemName, backUrl, errorUrl, returnUrl, containsDonation (bool)
+  const body = {
+    totalAmount: amountCents,
+    initialAmount: amountCents,
+    itemName: reservationObj.itemName || 'Reservation',
+    backUrl: settings.helloassoBackUrl || settings.helloassoReturnUrl || settings.helloassoErrorUrl,
+    errorUrl: settings.helloassoErrorUrl || settings.helloassoReturnUrl || settings.helloassoBackUrl,
+    returnUrl: settings.helloassoReturnUrl || settings.helloassoBackUrl || settings.helloassoErrorUrl,
+    containsDonation: false,
+    payer: {
+      firstName,
+      lastName,
+      email: (requester && requester.email) || undefined,
+    },
+    metadata: {
+      plugin: 'calendar-onekite',
+      reservationId: reservationObj.id,
+      uid: reservationObj.uid,
+      itemId: reservationObj.itemId,
+      start: reservationObj.start,
+      end: reservationObj.end,
+    },
+  };
-  router.get('/api/calendar/events', async (req, res) => {
-    try {
-      const { start, end } = req.query;
-      if (!start || !end) return res.status(400).json({ error: 'Missing start/end' });
-      const events = await getEventsBetween(start, end);
-      res.json(events);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
-    }
+  const res = await axios.post(url, body, {
+    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
+    timeout: 15_000,
   });
-  router.post('/api/calendar/event', middleware.ensureLoggedIn, async (req, res) => {
-    try {
-      const uid = req.user?.uid || 0;
-      if (!await userCanCreate(uid)) return res.status(403).json({ error: 'Permission refusée' });
-      const event = await createEvent(req.body, uid);
-      res.json(event);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
-    }
-  });
+  // docs: returns checkoutIntentId and redirectUrl (naming may vary)
+  const data = res.data || {};
+  const redirectUrl = data.redirectUrl || data.url || data.redirectURL || '';
+  const checkoutIntentId = data.checkoutIntentId || data.id || data.checkoutIntentID || '';
+  return { redirectUrl, checkoutIntentId, raw: data };
+}
-  router.put('/api/calendar/event/:eid', middleware.ensureLoggedIn, async (req, res) => {
-    try {
-      const uid = req.user?.uid || 0;
-      if (!await userCanCreate(uid)) return res.status(403).json({ error: 'Permission refusée' });
-      const eid = req.params.eid;
-      const event = await updateEvent(eid, req.body);
-      res.json(event);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
-    }
-  });
+plugin.init = async function (params) {
+  const { router, middleware } = params;
+  const settings = await getSettings();
-  router.delete('/api/calendar/event/:eid', middleware.ensureLoggedIn, async (req, res) => {
-    try {
-      const uid = req.user?.uid || 0;
-      if (!await userCanCreate(uid)) return res.status(403).json({ error: 'Permission refusée' });
-      const eid = req.params.eid;
-      await deleteEvent(eid);
-      res.json({ status: 'ok' });
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+  // Page route: /calendar
+  router.get('/calendar', middleware.buildHeader, async (req, res) => {
+    if (!settings.enabled) {
+      return res.status(404).send('Calendar plugin disabled');
     }
+    const isLoggedIn = !!req.uid;
+    res.render('calendar-onekite/calendar', {
+      title: 'Calendrier',
+      isLoggedIn,
+      uid: req.uid || 0,
+    });
   });
-  router.get('/api/calendar/event/:eid', async (req, res) => {
+  // API: events
+  router.get('/api/calendar-onekite/events', async (req, res) => {
     try {
-      const eid = req.params.eid;
-      const event = await getEvent(eid);
-      if (!event) return res.status(404).json({ error: 'Événement introuvable' });
-      const items = JSON.parse(event.bookingItems || '[]');
-      const reservations = JSON.parse(event.reservations || '[]');
-      res.json({ ...event, bookingItems: items, reservations });
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+      const s = await getSettings();
+      if (!s.enabled) return res.json({ events: [] });
+      await cleanupExpiredPending(s);
+      const start = req.query.start;
+      const end = req.query.end;
+      const objs = await getReservationsInRange(start, end);
+      const events = await Promise.all(objs.map(reservationToEvent));
+      res.json({ events });
+    } catch (e) {
+      res.status(500).json({ error: e.message });
     }
   });
-  /* -----------------------------
-   * RSVP
-   * ---------------------------- */
-  router.post('/api/calendar/event/:eid/rsvp', middleware.ensureLoggedIn, async (req, res) => {
+  // API: items
+  router.get('/api/calendar-onekite/items', async (req, res) => {
     try {
-      const eid = req.params.eid;
-      const uid = req.user?.uid || 0;
-      const status = req.body.status;
-      const event = await setRsvp(eid, uid, status);
-      res.json(event);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+      const s = await getSettings();
+      if (!s.enabled) return res.json({ items: [] });
+      const items = await getItems(s);
+      res.json({ items });
+    } catch (e) {
+      res.status(500).json({ error: e.message });
     }
   });
-  /* -----------------------------
-   * Client permissions endpoints
-   * ---------------------------- */
-  router.get('/api/calendar/permissions/create', async (req, res) => {
-    const uid = req.user?.uid || 0;
-    const allow = await userCanCreate(uid);
-    res.json({ allow });
-  });
-  router.get('/api/calendar/permissions/book', async (req, res) => {
-    const uid = req.user?.uid || 0;
-    const allow = await userCanBook(uid);
-    res.json({ allow });
-  });
-  /* -----------------------------
-   * Multi-day reservation request
-   * ---------------------------- */
-  router.post('/api/calendar/event/:eid/book', middleware.ensureLoggedIn, async (req, res) => {
+  // API: create reservation (pending)
+  router.post('/api/calendar-onekite/reservations', middleware.authenticate, async (req, res) => {
     try {
-      const uid = req.user?.uid || 0;
-      const eid = req.params.eid;
-      const { itemId, quantity, dateStart, dateEnd } = req.body;
+      const s = await getSettings();
+      await assertRequesterPrivileges(req, s);
-      if (!await userCanBook(uid)) {
-        return res.status(403).json({ error: 'Vous n’êtes pas autorisé à réserver du matériel.' });
-      }
-      if (!dateStart || !dateEnd) {
-        return res.status(400).json({ error: 'Dates de début et de fin obligatoires.' });
-      }
-      if (String(dateEnd) < String(dateStart)) {
-        return res.status(400).json({ error: 'La date de fin doit être ≥ la date de début.' });
+      const { itemId, itemName, start, end, priceCents } = req.body || {};
+      if (!itemId || !itemName || !start || !end) {
+        return res.status(400).json({ error: 'missing-fields' });
       }
-      const event = await getEvent(eid);
-      if (!event) return res.status(404).json({ error: 'Événement introuvable' });
-      if (!Number(event.bookingEnabled)) return res.status(400).json({ error: 'Réservation désactivée' });
-      const items = JSON.parse(event.bookingItems || '[]');
-      const item = items.find(i => i.id === itemId);
-      if (!item) return res.status(400).json({ error: 'Matériel introuvable' });
-      const q = Number(quantity);
-      if (!q || q <= 0) return res.status(400).json({ error: 'Quantité invalide' });
-      const allRes = JSON.parse(event.reservations || '[]');
-      // Stock check: sum overlapping reservations (pending_admin/awaiting_payment/paid) for the same item
-      const overlapping = allRes.filter(r => {
-        if (r.itemId !== itemId) return false;
-        if (r.status === 'cancelled') return false;
-        const startR = new Date(r.dateStart);
-        const endR = new Date(r.dateEnd);
-        const startN = new Date(dateStart);
-        const endN = new Date(dateEnd);
+      const startMs = new Date(start).getTime();
+      const endMs = new Date(end).getTime();
+      if (!isFinite(startMs) || !isFinite(endMs) || endMs <= startMs) {
+        return res.status(400).json({ error: 'invalid-dates' });
+      }
-        return !(endN < startR || startN > endR);
+      // Check overlap with approved OR pending (not expired) for same item
+      await cleanupExpiredPending(s);
+      const rangeObjs = await getReservationsInRange(new Date(startMs - 365*24*3600*1000).toISOString(), new Date(endMs + 365*24*3600*1000).toISOString());
+      const overlap = rangeObjs.some(o => {
+        if (!o) return false;
+        if (o.itemId !== String(itemId)) return false;
+        if (o.status !== 'approved' && o.status !== 'pending') return false;
+        const os = new Date(o.start).getTime();
+        const oe = new Date(o.end).getTime();
+        return os < endMs && oe > startMs;
       });
+      if (overlap) {
+        return res.status(409).json({ error: 'overlap' });
+      }
-      const used = overlapping.reduce((sum, r) => sum + Number(r.quantity || 0), 0);
-      const available = Number(item.total || 0) - used;
-      if (q > available) return res.status(400).json({ error: 'Matériel indisponible pour ces dates.' });
+      const id = await nextReservationId();
+      const requester = await user.getUserFields(req.uid, ['username', 'fullname']);
+      const requesterName = (requester && (requester.fullname || requester.username)) || 'User';
-      const rid = await nextReservationId();
-      const now = Date.now();
-      const nbDays = daysBetween(dateStart, dateEnd);
+      const expiresAt = nowMs() + (Math.max(1, s.holdMinutes) * 60_000);
-      const reservation = {
-        rid,
-        eid: String(eid),
-        uid: String(uid),
+      const obj = {
+        id,
+        uid: String(req.uid),
+        requesterName,
         itemId: String(itemId),
-        quantity: q,
-        dateStart,
-        dateEnd,
-        days: nbDays,
-        status: 'pending_admin',
-        helloAssoOrderId: null,
-        createdAt: now,
-        pickupLocation: String(item.pickupLocation || ''),
+        itemName: String(itemName),
+        start: new Date(startMs).toISOString(),
+        end: new Date(endMs).toISOString(),
+        status: 'pending',
+        createdAt: String(nowMs()),
+        expiresAt: String(expiresAt),
+        priceCents: String(parseInt(priceCents || '0', 10) || 0),
       };
-      allRes.push(reservation);
-      event.bookingItems = JSON.stringify(items);
-      event.reservations = JSON.stringify(allRes);
-      await db.setObject(getEventKey(eid), event);
-      // Email: request created
-      try {
-        await emailer.send('calendar-reservation-created', uid, {
-          subject: 'Votre demande de réservation a été envoyée',
-          eventTitle: event.title,
-          item: item.name,
-          quantity: reservation.quantity,
-          date: new Date().toLocaleString('fr-FR'),
-          dateStart,
-          dateEnd,
-          days: nbDays,
-          pickupLocation: reservation.pickupLocation || 'Non précisé',
-        });
-      } catch (e) {
-        console.warn('[calendar-onekite] email reservation-created error:', e.message);
+      await db.setObject(`${RES_PREFIX}:${id}`, obj);
+      await db.sortedSetAdd(RES_ZSET_BY_START, startMs, id);
+      // Notify approvers
+      const approverGroups = splitGroups(s.approverGroups);
+      if (approverGroups.length) {
+        const subject = `[OneKite] Nouvelle réservation à valider (#${id})`;
+        const html = `
+          <p>Une nouvelle réservation est en attente de validation.</p>
+          <ul>
+            <li>ID: ${id}</li>
+            <li>Matériel: ${obj.itemName}</li>
+            <li>Début: ${obj.start}</li>
+            <li>Fin: ${obj.end}</li>
+            <li>Demandeur: ${requesterName}</li>
+          </ul>
+          <p>Connectez-vous à NodeBB et ouvrez le calendrier pour valider/refuser.</p>
+        `;
+        await sendEmailToGroups(s, subject, html, approverGroups);
       }
-      res.json({
-        success: true,
-        status: 'pending_admin',
-        message: 'Votre demande de réservation a été envoyée. Elle doit être validée par un administrateur.',
-      });
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+      res.json({ reservation: obj });
+    } catch (e) {
+      const status = e.message === 'not-allowed' ? 403 : 500;
+      res.status(status).json({ error: e.message });
     }
   });
-  /* -----------------------------
-   * Admin: pending list
-   * ---------------------------- */
-  router.get('/api/admin/calendar/pending', middleware.admin.checkPrivileges, async (req, res) => {
+  // API: approve reservation (creates checkout intent, sends payer link)
+  router.post('/api/calendar-onekite/reservations/:id/approve', middleware.authenticate, async (req, res) => {
     try {
-      const result = [];
-      const eids = await db.getSortedSetRange(EVENTS_SET_KEY, 0, -1);
-      for (const eid of eids) {
-        const event = await getEvent(eid);
-        if (!event) continue;
-        const reservations = JSON.parse(event.reservations || '[]');
-        const pending = reservations.filter(r => r.status === 'pending_admin');
-        if (pending.length) result.push({ event, reservations: pending });
+      const s = await getSettings();
+      await assertApproverPrivileges(req, s);
+      const id = req.params.id;
+      const key = `${RES_PREFIX}:${id}`;
+      const obj = await db.getObject(key);
+      if (!obj) return res.status(404).json({ error: 'not-found' });
+      if (obj.status !== 'pending') return res.status(400).json({ error: 'not-pending' });
+      // figure amount: from stored priceCents or from items list
+      let amountCents = parseInt(obj.priceCents || '0', 10) || 0;
+      if (!amountCents) {
+        const items = await getItems(s);
+        const match = (items || []).find(it => String(it.id || it.itemId || it.itemID) === String(obj.itemId));
+        // Try common fields for price
+        const price = match && (match.price || match.amount || match.unitPrice || match.totalAmount || match.publicAmount);
+        if (typeof price === 'number') amountCents = price;
+        if (!amountCents && match && match.price && typeof match.price.value === 'number') amountCents = match.price.value;
       }
-      res.json(result);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
-    }
-  });
-  /* -----------------------------
-   * Admin: validate reservation -> awaiting_payment + HelloAsso checkout
-   * ---------------------------- */
-  router.post('/api/admin/calendar/reservation/:rid/validate', middleware.admin.checkPrivileges, async (req, res) => {
-    try {
-      const rid = req.params.rid;
-      const eids = await db.getSortedSetRange(EVENTS_SET_KEY, 0, -1);
-      let targetEvent = null;
-      let reservation = null;
-      for (const eid of eids) {
-        const event = await getEvent(eid);
-        if (!event) continue;
-        const reservations = JSON.parse(event.reservations || '[]');
-        const r = reservations.find(rr => rr.rid === rid);
-        if (r) {
-          targetEvent = event;
-          reservation = r;
-          break;
-        }
-      }
-      if (!reservation) return res.status(404).json({ error: 'Réservation introuvable' });
-      if (reservation.status !== 'pending_admin') return res.status(400).json({ error: 'Réservation déjà traitée' });
-      reservation.status = 'awaiting_payment';
-      const resList = JSON.parse(targetEvent.reservations || '[]');
-      const idx = resList.findIndex(r => r.rid === rid);
-      resList[idx] = reservation;
-      targetEvent.reservations = JSON.stringify(resList);
-      await db.setObject(getEventKey(targetEvent.eid), targetEvent);
-      const amount = computePrice(targetEvent, reservation);
-      const checkoutUrl = await helloAsso.createHelloAssoCheckoutIntent({
-        eid: reservation.eid,
-        rid,
-        uid: reservation.uid,
-        itemId: reservation.itemId,
-        quantity: reservation.quantity,
-        amount,
-      });
-      try {
-        await emailer.send('calendar-reservation-approved', reservation.uid, {
-          subject: 'Votre réservation a été validée',
-          eventTitle: targetEvent.title,
-          itemName: reservation.itemId,
-          quantity: reservation.quantity,
-          checkoutUrl,
-          pickupLocation: reservation.pickupLocation || 'Non précisé',
-          dateStart: reservation.dateStart,
-          dateEnd: reservation.dateEnd,
-          days: reservation.days || 1,
-        });
-      } catch (e) {
-        console.warn('[calendar-onekite] email reservation-approved error:', e.message);
+      if (!amountCents) return res.status(400).json({ error: 'missing-amount' });
+      const { redirectUrl, checkoutIntentId } = await createCheckoutIntent(s, obj, amountCents);
+      if (!redirectUrl) return res.status(500).json({ error: 'helloasso-missing-redirectUrl' });
+      obj.status = 'approved';
+      obj.paymentUrl = redirectUrl;
+      obj.checkoutIntentId = checkoutIntentId ? String(checkoutIntentId) : '';
+      obj.approvedAt = String(nowMs());
+      obj.approvedBy = String(req.uid);
+      await db.setObject(key, obj);
+      // notify requester
+      const requester = await user.getUserFields(parseInt(obj.uid, 10), ['email', 'username', 'fullname']);
+      if (requester && requester.email) {
+        const subject = `[OneKite] Réservation validée (#${id}) - Paiement`;
+        const html = `
+          <p>Votre réservation a été validée ✅</p>
+          <ul>
+            <li>Matériel: ${obj.itemName}</li>
+            <li>Début: ${obj.start}</li>
+            <li>Fin: ${obj.end}</li>
+          </ul>
+          <p>Merci d'effectuer le paiement via ce lien :</p>
+          <p><a href="${redirectUrl}">${redirectUrl}</a></p>
+        `;
+        await emailer.send('default', requester.email, subject, html);
       }
-      res.json({ success: true, checkoutUrl });
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+      res.json({ reservation: obj });
+    } catch (e) {
+      const status = e.message === 'not-allowed' ? 403 : 500;
+      res.status(status).json({ error: e.message });
     }
   });
-  /* -----------------------------
-   * Admin: cancel reservation
-   * ---------------------------- */
-  router.post('/api/admin/calendar/reservation/:rid/cancel', middleware.admin.checkPrivileges, async (req, res) => {
+  // API: reject reservation
+  router.post('/api/calendar-onekite/reservations/:id/reject', middleware.authenticate, async (req, res) => {
     try {
-      const rid = req.params.rid;
-      const eids = await db.getSortedSetRange(EVENTS_SET_KEY, 0, -1);
-      let found = false;
-      for (const eid of eids) {
-        const event = await getEvent(eid);
-        if (!event) continue;
-        const reservations = JSON.parse(event.reservations || '[]');
-        const rIndex = reservations.findIndex(rr => rr.rid === rid);
-        if (rIndex !== -1) {
-          reservations[rIndex].status = 'cancelled';
-          event.reservations = JSON.stringify(reservations);
-          await db.setObject(getEventKey(event.eid), event);
-          found = true;
-          break;
-        }
+      const s = await getSettings();
+      await assertApproverPrivileges(req, s);
+      const id = req.params.id;
+      const key = `${RES_PREFIX}:${id}`;
+      const obj = await db.getObject(key);
+      if (!obj) return res.status(404).json({ error: 'not-found' });
+      if (obj.status !== 'pending') return res.status(400).json({ error: 'not-pending' });
+      obj.status = 'rejected';
+      obj.rejectedAt = String(nowMs());
+      obj.rejectedBy = String(req.uid);
+      await db.setObject(key, obj);
+      const requester = await user.getUserFields(parseInt(obj.uid, 10), ['email', 'username', 'fullname']);
+      if (requester && requester.email) {
+        const subject = `[OneKite] Réservation refusée (#${id})`;
+        const html = `
+          <p>Votre réservation a été refusée ❌</p>
+          <ul>
+            <li>Matériel: ${obj.itemName}</li>
+            <li>Début: ${obj.start}</li>
+            <li>Fin: ${obj.end}</li>
+          </ul>
+        `;
+        await emailer.send('default', requester.email, subject, html);
       }
-      if (!found) return res.status(404).json({ error: 'Réservation introuvable' });
-      res.json({ success: true });
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+      res.json({ reservation: obj });
+    } catch (e) {
+      const status = e.message === 'not-allowed' ? 403 : 500;
+      res.status(status).json({ error: e.message });
     }
   });
-  /* -----------------------------
-   * HelloAsso webhook (marks reservation paid)
-   * ---------------------------- */
-  router.post('/api/calendar/helloasso/webhook', async (req, res) => {
-    try {
-      const payload = req.body;
-      const order = payload.order || payload;
-      const orderId = String(order.id || '');
-      const state = order.state || order.status || '';
-      if (state !== 'Paid') return res.json({ ignored: true });
-      const custom = order.customFields || {};
-      const eid = String(custom.eid || '');
-      const rid = String(custom.rid || '');
-      if (!eid || !rid) return res.status(400).json({ error: 'Missing eid/rid in customFields' });
-      const event = await getEvent(eid);
-      if (!event) throw new Error('Event not found');
-      let reservations = JSON.parse(event.reservations || '[]');
-      const rIndex = reservations.findIndex(r => r.rid === rid);
-      if (rIndex === -1) throw new Error('Reservation not found');
-      const reservation = reservations[rIndex];
-      if (reservation.status === 'paid') return res.json({ ok: true });
-      // Update optional aggregate reserved count
-      const items = JSON.parse(event.bookingItems || '[]');
-      const itemIndex = items.findIndex(i => i.id === reservation.itemId);
-      if (itemIndex !== -1) {
-        const it = items[itemIndex];
-        it.reserved = (Number(it.reserved || 0) + Number(reservation.quantity || 0));
-        items[itemIndex] = it;
-      }
-      reservation.status = 'paid';
-      reservation.helloAssoOrderId = orderId;
-      reservations[rIndex] = reservation;
-      event.bookingItems = JSON.stringify(items);
-      event.reservations = JSON.stringify(reservations);
-      await db.setObject(getEventKey(eid), event);
-      try {
-        await emailer.send('calendar-payment-confirmed', reservation.uid, {
-          subject: 'Votre paiement a été confirmé',
-          eventTitle: event.title,
-          itemName: reservation.itemId,
-          quantity: reservation.quantity,
-          pickupLocation: reservation.pickupLocation || 'Non précisé',
-          dateStart: reservation.dateStart,
-          dateEnd: reservation.dateEnd,
-          days: reservation.days || 1,
-        });
-      } catch (e) {
-        console.warn('[calendar-onekite] email payment-confirmed error:', e.message);
-      }
-      res.json({ ok: true });
-    } catch (err) {
-      console.error('[calendar-onekite] HelloAsso webhook error:', err);
-      res.status(500).json({ error: err.message });
-    }
+  // Admin API: get/save settings
+  router.get('/api/admin/plugins/calendar-onekite', middleware.authenticate, middleware.adminsOnly, async (req, res) => {
+    const settings = await meta.settings.get(PLUGIN_NS);
+    res.json(settings);
   });
-  /* -----------------------------
-   * Admin plugin page + settings API
-   * IMPORTANT: keep these routes EXACTLY aligned with your admin.js
-   * ---------------------------- */
-  router.get('/admin/plugins/calendar-onekite', middleware.admin.buildHeader, renderAdminPage);
-  router.get('/api/admin/plugins/calendar-onekite', renderAdminPage);
-  router.put('/api/admin/plugins/calendar-onekite', middleware.admin.checkPrivileges, async (req, res) => {
-    try {
-      await Settings.set(SETTINGS_KEY, req.body);
-      res.json({ status: 'ok' });
-    } catch (err) {
-      res.status(500).json({ error: err.message });
-    }
+  router.post('/api/admin/plugins/calendar-onekite', middleware.authenticate, middleware.adminsOnly, async (req, res) => {
+    await meta.settings.set(PLUGIN_NS, req.body);
+    // invalidate caches when settings change
+    helloassoTokenCache = { token: null, expiresAt: 0 };
+    itemsCache = { items: null, expiresAt: 0 };
+    res.json({ ok: true });
   });
-  /* -----------------------------
-   * My reservations API
-   * ---------------------------- */
+  // Admin API: purge by year
+  router.post('/api/admin/plugins/calendar-onekite/purge', middleware.authenticate, middleware.adminsOnly, async (req, res) => {
+    const year = parseInt((req.body && req.body.year) || '0', 10);
+    if (!year || year < 1970 || year > 3000) return res.status(400).json({ error: 'invalid-year' });
-  router.get('/api/calendar/my-reservations', middleware.ensureLoggedIn, async (req, res) => {
-    try {
-      const uid = String(req.user?.uid || 0);
-      if (!uid || uid === '0') return res.status(403).json({ error: 'Non connecté' });
-      const eids = await db.getSortedSetRange(EVENTS_SET_KEY, 0, -1);
-      const result = [];
-      for (const eid of eids) {
-        const event = await getEvent(eid);
-        if (!event) continue;
-        const items = JSON.parse(event.bookingItems || '[]');
-        const reservations = JSON.parse(event.reservations || '[]');
-        reservations
-          .filter(r => String(r.uid) === uid)
-          .forEach(r => {
-            const item = items.find(i => i.id === r.itemId);
-            result.push({
-              ...r,
-              eventTitle: event.title,
-              eventStart: event.start,
-              eventEnd: event.end,
-              itemName: item ? item.name : r.itemId,
-            });
-          });
-      }
-      result.sort((a, b) => new Date(a.dateStart) - new Date(b.dateStart));
-      res.json(result);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
-    }
-  });
+    const ids = await db.getSortedSetRange(RES_ZSET_BY_START, 0, 100000);
+    if (!ids.length) return res.json({ deleted: 0 });
-  /* -----------------------------
-   * Admin planning API (future reservations)
-   * ---------------------------- */
+    const keys = ids.map(id => `${RES_PREFIX}:${id}`);
+    const objs = await db.getObjects(keys);
-  router.get('/api/admin/calendar/planning', middleware.admin.checkPrivileges, async (req, res) => {
-    try {
-      const now = new Date();
-      const eids = await db.getSortedSetRangeByScore(EVENTS_SET_KEY, 0, -1, now.getTime(), '+inf');
-      const rows = [];
-      for (const eid of eids) {
-        const event = await getEvent(eid);
-        if (!event) continue;
-        const items = JSON.parse(event.bookingItems || '[]');
-        const reservations = JSON.parse(event.reservations || '[]');
-        reservations
-          .filter(r => r.status === 'pending_admin' || r.status === 'awaiting_payment' || r.status === 'paid')
-          .forEach(r => {
-            const item = items.find(i => i.id === r.itemId);
-            rows.push({
-              eid: event.eid,
-              eventTitle: event.title,
-              itemId: r.itemId,
-              itemName: item ? item.name : r.itemId,
-              uid: r.uid,
-              quantity: r.quantity,
-              dateStart: r.dateStart,
-              dateEnd: r.dateEnd,
-              days: r.days || daysBetween(r.dateStart, r.dateEnd),
-              status: r.status,
-              pickupLocation: r.pickupLocation || 'Non précisé',
-            });
-          });
-      }
-      rows.sort((a, b) => new Date(a.dateStart) - new Date(b.dateStart));
-      res.json(rows);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+    const toDelete = [];
+    for (const obj of (objs || [])) {
+      if (!obj) continue;
+      const s = new Date(obj.start).getUTCFullYear();
+      if (s === year) toDelete.push(obj.id);
     }
+    await Promise.all(toDelete.map(async (id) => {
+      await db.delete(`${RES_PREFIX}:${id}`);
+      await db.sortedSetRemove(RES_ZSET_BY_START, id);
+    }));
+    res.json({ deleted: toDelete.length });
   });
 };
-/* -----------------------------
- * ACP nav entry
- * ---------------------------- */
-Plugin.addAdminNavigation = function (header) {
+plugin.addAdminNavigation = async function (header) {
   header.plugins.push({
-    // NodeBB ACP will resolve this under /admin
     route: '/plugins/calendar-onekite',
-    icon: 'fa fa-calendar',
+    icon: 'fa-calendar',
     name: 'Calendar OneKite',
   });
   return header;
 };
-/* -----------------------------
- * Widget
- * ---------------------------- */
-Plugin.defineWidgets = async function (widgets) {
-  widgets.push({
-    widget: 'calendarUpcoming',
-    name: 'Prochains événements',
-    description: 'Affiche la liste des prochains événements du calendrier.',
-    content: '',
+plugin.addPageRoute = async function (data) {
+  // ensure /calendar works as "page route" for theme router filter edge cases
+  data.router.get('/calendar', data.middleware.buildHeader, async (req, res) => {
+    res.render('calendar-onekite/calendar', {
+      title: 'Calendrier',
+      isLoggedIn: !!req.uid,
+      uid: req.uid || 0,
+    });
   });
-  return widgets;
-};
-Plugin.renderUpcomingWidget = async function (widget, callback) {
-  try {
-    const settings = (await Settings.get(SETTINGS_KEY)) || {};
-    const limit = Number((widget && widget.data && widget.data.limit) || settings.limit || 5);
-    const events = await getUpcomingEvents(limit);
-    const html = await appRef.renderAsync('widgets/calendar-upcoming', { events });
-    widget.html = html;
-    if (typeof callback === 'function') {
-      return callback(null, widget);
-    }
-    return widget;
-  } catch (err) {
-    if (typeof callback === 'function') {
-      return callback(err);
-    }
-    throw err;
-  }
+  return data;
 };
-module.exports = Plugin;
+module.exports = plugin;