nodebb-plugin-calendar-onekite 2.2.0 → 10.0.12

package/library.js

@@ -1,858 +1,603 @@
 'use strict';
 
-/**
- * NodeBB v4 plugin: Calendar OneKite
- * - Events + booking items (with pickupLocation per item)
- * - Multi-day reservations
- * - Admin validation -> HelloAsso checkout link -> payment webhook -> mark paid
- * - Admin planning view + "My reservations" page
- * - Settings:
- *   - Settings key: "calendar-onekite"
- *   - Admin page: /admin/plugins/calendar-onekite
- *   - Admin API:  /api/admin/plugins/calendar-onekite
- *
- * Templates expected:
- * - templates/calendar.tpl
- * - templates/calendar-my-reservations.tpl
- * - templates/admin/plugins/calendar-onekite.tpl
- * - templates/admin/calendar-planning.tpl
- * - templates/widgets/calendar-upcoming.tpl
- * - templates/emails/calendar-reservation-created.tpl
- * - templates/emails/calendar-reservation-approved.tpl
- * - templates/emails/calendar-payment-confirmed.tpl
- */
+const axios = require('axios');
 
 const db = require.main.require('./src/database');
-const user = require.main.require('./src/user');
 const meta = require.main.require('./src/meta');
+const user = require.main.require('./src/user');
+const groups = require.main.require('./src/groups');
 const emailer = require.main.require('./src/emailer');
-const winston = require.main.require('winston');
-
-const Settings = meta.settings;
-const helloAsso = require('./helloasso');
+const helpers = require.main.require('./src/controllers/helpers');
+const privileges = require.main.require('./src/privileges');
 
-const Plugin = {};
-let appRef = null;
+const plugin = {};
 
-const SETTINGS_KEY = 'calendar-onekite';
-const EVENTS_SET_KEY = 'calendar:events:start';
-const EVENT_KEY_PREFIX = 'calendar:event:';
-
-function getEventKey(eid) {
-  return EVENT_KEY_PREFIX + eid;
+function ensureLoggedIn(req, res, next) {
+  if (!req.uid) {
+    return res.status(401).json({ error: 'not-authenticated' });
+  }
+  next();
 }
 
-async function nextReservationId() {
-  const rid = await db.incrObjectField('global', 'nextCalendarRid');
-  return String(rid);
+async function adminsOnly(req, res, next) {
+  try {
+    if (!req.uid) return res.status(401).json({ error: 'not-authenticated' });
+    const isAdmin = await user.isAdministrator(req.uid);
+    if (!isAdmin) return res.status(403).json({ error: 'not-allowed' });
+    next();
+  } catch (e) {
+    res.status(500).json({ error: e.message });
+  }
 }
 
-// number of days between two yyyy-mm-dd dates (inclusive)
-function daysBetween(start, end) {
-  const d1 = new Date(start);
-  const d2 = new Date(end);
-  if (isNaN(d1.getTime()) || isNaN(d2.getTime())) return 1;
 
-  const t1 = Date.UTC(d1.getFullYear(), d1.getMonth(), d1.getDate());
-  const t2 = Date.UTC(d2.getFullYear(), d2.getMonth(), d2.getDate());
-  const diff = Math.round((t2 - t1) / (1000 * 60 * 60 * 24));
-  return Math.max(1, diff + 1);
-}
+const PLUGIN_NS = 'calendar-onekite';
+const RES_PREFIX = `calendar-onekite:reservation`;
+const RES_ZSET_BY_START = `calendar-onekite:reservations:byStart`;
 
-/* -----------------------------
- * Events
- * ---------------------------- */
-
-async function createEvent(data, uid) {
-  const eid = await db.incrObjectField('global', 'nextCalendarEid');
-  const key = getEventKey(eid);
-
-  const now = Date.now();
-  const startTs = Number(new Date(data.start).getTime()) || now;
-  const endTs = Number(new Date(data.end).getTime()) || startTs;
-
-  const bookingItems = Array.isArray(data.bookingItems) ? data.bookingItems : [];
-
-  const eventObj = {
-    eid: String(eid),
-    title: String(data.title || ''),
-    description: String(data.description || ''),
-    start: new Date(startTs).toISOString(),
-    end: new Date(endTs).toISOString(),
-    allDay: data.allDay ? 1 : 0,
-    location: String(data.location || ''),
-    createdByUid: String(uid || 0),
-    createdAt: String(now),
-    updatedAt: String(now),
-
-    rsvpYes: '[]',
-    rsvpMaybe: '[]',
-    rsvpNo: '[]',
-
-    visibility: String(data.visibility || 'public'),
-
-    bookingEnabled: data.bookingEnabled ? 1 : 0,
-    bookingItems: JSON.stringify(bookingItems),
-    reservations: JSON.stringify([]),
-  };
+let helloassoTokenCache = { token: null, expiresAt: 0 };
+let itemsCache = { items: null, expiresAt: 0 };
 
-  await db.setObject(key, eventObj);
-  await db.sortedSetAdd(EVENTS_SET_KEY, startTs, eid);
-  return eventObj;
+function nowMs() {
+  return Date.now();
 }
 
-async function getEvent(eid) {
-  return db.getObject(getEventKey(eid));
+function safeJsonParse(s, fallback) {
+  try { return JSON.parse(s); } catch (e) { return fallback; }
 }
 
-async function updateEvent(eid, data) {
-  const key = getEventKey(eid);
-  const existing = await db.getObject(key);
-  if (!existing) throw new Error('Event not found');
-
-  const startTs = data.start ? new Date(data.start).getTime() : new Date(existing.start).getTime();
-  const endTs = data.end ? new Date(data.end).getTime() : new Date(existing.end).getTime();
-
-  const bookingItems = Array.isArray(data.bookingItems)
-    ? data.bookingItems
-    : JSON.parse(existing.bookingItems || '[]');
-
-  const updated = {
-    ...existing,
-    title: data.title !== undefined ? String(data.title) : existing.title,
-    description: data.description !== undefined ? String(data.description) : existing.description,
-    start: new Date(startTs).toISOString(),
-    end: new Date(endTs).toISOString(),
-    allDay: data.allDay !== undefined ? (data.allDay ? 1 : 0) : existing.allDay,
-    location: data.location !== undefined ? String(data.location) : existing.location,
-    visibility: data.visibility !== undefined ? String(data.visibility) : existing.visibility,
-    bookingEnabled: data.bookingEnabled !== undefined ? (data.bookingEnabled ? 1 : 0) : (existing.bookingEnabled || 0),
-    bookingItems: JSON.stringify(bookingItems),
-    updatedAt: String(Date.now()),
-  };
-
-  await db.setObject(key, updated);
-  await db.sortedSetAdd(EVENTS_SET_KEY, startTs, eid);
-  return updated;
+async function getSettings() {
+  const settings = await meta.settings.get(PLUGIN_NS);
+  // defaults
+  settings.enabled = settings.enabled === 'on' || settings.enabled === true;
+  settings.holdMinutes = parseInt(settings.holdMinutes || '60', 10);
+  settings.readerGroups = (settings.readerGroups || '').trim(); // currently unused (calendar page is public; NodeBB category perms cover it)
+  settings.requesterGroups = (settings.requesterGroups || '').trim(); // who can create requests
+  settings.approverGroups = (settings.approverGroups || '').trim(); // who can approve/reject
+  settings.notifyEmails = (settings.notifyEmails || '').trim(); // optional extra comma-separated emails
+  settings.helloassoEnv = (settings.helloassoEnv || 'sandbox').trim(); // sandbox|prod
+  settings.helloassoClientId = (settings.helloassoClientId || '').trim();
+  settings.helloassoClientSecret = (settings.helloassoClientSecret || '').trim();
+  settings.helloassoOrganizationSlug = (settings.helloassoOrganizationSlug || '').trim();
+  settings.helloassoFormType = (settings.helloassoFormType || 'event').trim();
+  settings.helloassoFormSlug = (settings.helloassoFormSlug || '').trim();
+  settings.helloassoBackUrl = (settings.helloassoBackUrl || '').trim();
+  settings.helloassoErrorUrl = (settings.helloassoErrorUrl || '').trim();
+  settings.helloassoReturnUrl = (settings.helloassoReturnUrl || '').trim();
+  settings.itemsCacheMinutes = parseInt(settings.itemsCacheMinutes || '360', 10);
+  return settings;
 }
 
-async function deleteEvent(eid) {
-  await db.sortedSetRemove(EVENTS_SET_KEY, eid);
-  await db.delete(getEventKey(eid));
+function apiBase(env) {
+  return env === 'prod' ? 'https://api.helloasso.com' : 'https://api.helloasso-sandbox.com';
 }
 
-async function getEventsBetween(start, end) {
-  const startTs = new Date(start).getTime();
-  const endTs = new Date(end).getTime();
-  const eids = await db.getSortedSetRangeByScore(EVENTS_SET_KEY, 0, -1, startTs, endTs);
-  if (!eids || !eids.length) return [];
-
-  const keys = eids.map(eid => getEventKey(eid));
-  const events = await db.getObjects(keys);
+async function getHelloAssoToken(settings) {
+  const baseUrl = apiBase(settings.helloassoEnv);
+  const cacheOk = helloassoTokenCache.token && helloassoTokenCache.expiresAt > nowMs() + 30_000;
+  if (cacheOk) {
+    return helloassoTokenCache.token;
+  }
+  if (!settings.helloassoClientId || !settings.helloassoClientSecret) {
+    throw new Error('HelloAsso clientId/clientSecret not configured');
+  }
 
-  return (events || []).filter(Boolean).map(ev => ({
-    ...ev,
-    bookingItems: JSON.parse(ev.bookingItems || '[]'),
-  }));
-}
+  const url = `${baseUrl}/oauth2/token`;
+  // client_credentials
+  const body = new URLSearchParams({
+    grant_type: 'client_credentials',
+    client_id: settings.helloassoClientId,
+    client_secret: settings.helloassoClientSecret,
+  });
 
-async function getUpcomingEvents(limit = 5) {
-  const now = Date.now();
-  const eids = await db.getSortedSetRangeByScore(EVENTS_SET_KEY, 0, limit - 1, now, '+inf');
-  if (!eids || !eids.length) return [];
+  const res = await axios.post(url, body.toString(), {
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    timeout: 15_000,
+  });
 
-  const keys = eids.map(eid => getEventKey(eid));
-  const events = await db.getObjects(keys);
-  return (events || []).filter(Boolean);
+  const token = res.data && res.data.access_token;
+  const expiresIn = (res.data && res.data.expires_in) ? parseInt(res.data.expires_in, 10) : 1800;
+  if (!token) throw new Error('HelloAsso token response missing access_token');
+  helloassoTokenCache = { token, expiresAt: nowMs() + (expiresIn * 1000) };
+  return token;
 }
 
-/* -----------------------------
- * Permissions
- * ---------------------------- */
-
-async function userCanCreate(uid) {
-  if (!uid || uid === 0) return false;
-
-  const settings = await Settings.get(SETTINGS_KEY);
-  if (!settings || !settings.allowedGroups) return false;
+async function fetchItemsFromHelloAsso(settings) {
+  const baseUrl = apiBase(settings.helloassoEnv);
+  const token = await getHelloAssoToken(settings);
 
-  const allowedSet = new Set(
-    settings.allowedGroups
-      .split(',')
-      .map(g => g.trim().toLowerCase())
-      .filter(Boolean)
-  );
-  if (!allowedSet.size) return false;
-
-  const userGroupsArr = await user.getUserGroups([uid]);
-  const groups = (userGroupsArr[0] || []).map(g => (g.name || '').toLowerCase());
+  if (!settings.helloassoOrganizationSlug || !settings.helloassoFormType || !settings.helloassoFormSlug) {
+    throw new Error('HelloAsso organizationSlug/formType/formSlug not configured');
+  }
 
-  return groups.some(g => allowedSet.has(g));
+  const url = `${baseUrl}/v5/organizations/${encodeURIComponent(settings.helloassoOrganizationSlug)}/forms/${encodeURIComponent(settings.helloassoFormType)}/${encodeURIComponent(settings.helloassoFormSlug)}/items`;
+  const res = await axios.get(url, {
+    headers: { Authorization: `Bearer ${token}` },
+    timeout: 15_000,
+  });
+  // API returns array of items (docs), sometimes wrapped; we normalize
+  const items = Array.isArray(res.data) ? res.data : (res.data && (res.data.data || res.data.items) ? (res.data.data || res.data.items) : []);
+  return items;
 }
 
-async function userCanBook(uid) {
-  if (!uid || uid === 0) return false;
-
-  const settings = await Settings.get(SETTINGS_KEY);
-  // if not configured -> allow any logged-in user
-  if (!settings || !settings.allowedBookingGroups) return true;
-
-  const allowedSet = new Set(
-    settings.allowedBookingGroups
-      .split(',')
-      .map(g => g.trim().toLowerCase())
-      .filter(Boolean)
-  );
-  if (!allowedSet.size) return true;
-
-  const userGroupsArr = await user.getUserGroups([uid]);
-  const groups = (userGroupsArr[0] || []).map(g => (g.name || '').toLowerCase());
+async function getItems(settings) {
+  const cacheOk = itemsCache.items && itemsCache.expiresAt > nowMs();
+  if (cacheOk) return itemsCache.items;
 
-  return groups.some(g => allowedSet.has(g));
+  const items = await fetchItemsFromHelloAsso(settings);
+  const ttl = Math.max(1, settings.itemsCacheMinutes) * 60_000;
+  itemsCache = { items, expiresAt: nowMs() + ttl };
+  return items;
 }
 
-/* -----------------------------
- * RSVP
- * ---------------------------- */
-
-async function setRsvp(eid, uid, status) {
-  const key = getEventKey(eid);
-  const event = await db.getObject(key);
-  if (!event) throw new Error('Event not found');
-
-  const parseList = (str) => {
-    try { return JSON.parse(str || '[]'); } catch (e) { return []; }
-  };
-
-  let yes = parseList(event.rsvpYes);
-  let maybe = parseList(event.rsvpMaybe);
-  let no = parseList(event.rsvpNo);
-  const u = String(uid);
-
-  yes = yes.filter(id => id !== u);
-  maybe = maybe.filter(id => id !== u);
-  no = no.filter(id => id !== u);
-
-  if (status === 'yes') yes.push(u);
-  if (status === 'maybe') maybe.push(u);
-  if (status === 'no') no.push(u);
-
-  const updated = {
-    ...event,
-    rsvpYes: JSON.stringify(yes),
-    rsvpMaybe: JSON.stringify(maybe),
-    rsvpNo: JSON.stringify(no),
-    updatedAt: String(Date.now()),
-  };
+function splitGroups(s) {
+  return (s || '')
+    .split(',')
+    .map(x => x.trim())
+    .filter(Boolean);
+}
 
-  await db.setObject(key, updated);
-  return updated;
+async function isUserInAnyGroup(uid, groupNames) {
+  if (!uid) return false;
+  if (!groupNames || !groupNames.length) return false;
+  for (const g of groupNames) {
+    // allows special names like 'administrators'
+    const isMember = await groups.isMember(uid, g);
+    if (isMember) return true;
+  }
+  return false;
 }
 
-/* -----------------------------
- * Pricing
- * ---------------------------- */
+async function assertRequesterPrivileges(req, settings) {
+  if (!req.uid) throw new Error('not-authenticated');
+  const requesterGroups = splitGroups(settings.requesterGroups);
+  if (!requesterGroups.length) {
+    // if not set, fallback: any logged-in user can request
+    return true;
+  }
+  const ok = await isUserInAnyGroup(req.uid, requesterGroups);
+  if (!ok) throw new Error('not-allowed');
+  return true;
+}
 
-function computePrice(event, reservation) {
-  const items = JSON.parse(event.bookingItems || '[]');
-  const item = items.find(i => i.id === reservation.itemId);
-  if (!item) return 0;
+async function assertApproverPrivileges(req, settings) {
+  if (!req.uid) throw new Error('not-authenticated');
+  // admins always ok
+  const isAdmin = await user.isAdministrator(req.uid);
+  if (isAdmin) return true;
 
-  const unit = Number(item.price || 0);
-  const days = Number(reservation.days || 1);
-  return unit * Number(reservation.quantity || 0) * days;
+  const approverGroups = splitGroups(settings.approverGroups);
+  const ok = await isUserInAnyGroup(req.uid, approverGroups);
+  if (!ok) throw new Error('not-allowed');
+  return true;
 }
 
-/* -----------------------------
- * Renderers (pages)
- * ---------------------------- */
+async function cleanupExpiredPending(settings) {
+  const now = nowMs();
+  // scan upcoming + recent; since we don't have range query in db zset, take last 2000
+  const ids = await db.getSortedSetRevRange(RES_ZSET_BY_START, 0, 2000);
+  if (!ids.length) return;
+
+  const keys = ids.map(id => `${RES_PREFIX}:${id}`);
+  const objs = await db.getObjects(keys);
+  const toDelete = [];
+  for (const obj of (objs || [])) {
+    if (!obj) continue;
+    if (obj.status === 'pending' && obj.expiresAt && parseInt(obj.expiresAt, 10) < now) {
+      toDelete.push(obj.id);
+    }
+  }
+  if (!toDelete.length) return;
 
-function renderCalendarPage(req, res) {
-  res.render('calendar', { title: 'Calendrier' });
+  await Promise.all(toDelete.map(async (id) => {
+    await db.delete(`${RES_PREFIX}:${id}`);
+    await db.sortedSetRemove(RES_ZSET_BY_START, id);
+  }));
 }
 
-function renderMyReservationsPage(req, res) {
-  res.render('calendar-my-reservations', { title: 'Mes réservations' });
+async function nextReservationId() {
+  const n = await db.incrObjectField(`calendar-onekite:ids`, 'reservation');
+  return String(n);
 }
 
-function renderPlanningPage(req, res) {
-  res.render('admin/calendar-planning', { title: 'Planning des réservations' });
+async function reservationToEvent(obj) {
+  const status = obj.status || 'pending';
+  const icon = status === 'approved' ? '✅' : (status === 'rejected' ? '❌' : '⏳');
+  const title = `${icon} ${obj.itemName || 'Matériel'}${obj.requesterName ? ' — ' + obj.requesterName : ''}`;
+  return {
+    id: obj.id,
+    title,
+    start: obj.start,
+    end: obj.end,
+    extendedProps: {
+      status,
+      itemId: obj.itemId,
+      itemName: obj.itemName,
+      requesterUid: obj.uid,
+      requesterName: obj.requesterName,
+      paymentUrl: obj.paymentUrl || '',
+    },
+  };
 }
 
-async function renderAdminPage(req, res) {
-  try {
-    const settings = (await Settings.get(SETTINGS_KEY)) || {};
-    res.render('admin/plugins/calendar-onekite', {
-      title: 'Calendar OneKite',
-      settings,
-    });
-  } catch (err) {
-    if (req.path && req.path.startsWith('/api/')) {
-      return winston.error(`[calendar-onekite] ${err.stack || err.message}`);
-    res.status(500).json({ error: err.message });
-    }
-    res.status(500).send(err.message);
+async function getReservationsInRange(startISO, endISO) {
+  // naive: get latest N and filter
+  const ids = await db.getSortedSetRange(RES_ZSET_BY_START, 0, 5000);
+  if (!ids.length) return [];
+  const keys = ids.map(id => `${RES_PREFIX}:${id}`);
+  const objs = await db.getObjects(keys);
+
+  const start = startISO ? new Date(startISO).getTime() : -Infinity;
+  const end = endISO ? new Date(endISO).getTime() : Infinity;
+
+  const out = [];
+  for (const obj of (objs || [])) {
+    if (!obj) continue;
+    const s = new Date(obj.start).getTime();
+    const e = new Date(obj.end).getTime();
+    if (isNaN(s) || isNaN(e)) continue;
+    // overlap
+    if (s < end && e > start) out.push(obj);
   }
+  return out;
 }
 
-/* -----------------------------
- * Plugin init
- * ---------------------------- */
-
-Plugin.init = async function (params) {
-  const { router, middleware } = params;
-  appRef = params.app;
-
-  // Public pages
-  router.get('/calendar', middleware.buildHeader, renderCalendarPage);
-  router.get('/api/calendar', renderCalendarPage);
-
-  router.get('/calendar/my-reservations', middleware.buildHeader, renderMyReservationsPage);
-  router.get('/api/calendar/my-reservations/page', renderMyReservationsPage);
+async function sendEmailToGroups(settings, subject, html, groupNames) {
+  const all = new Set();
+  for (const g of (groupNames || [])) {
+    const members = await groups.getMembers(g, 0, 2000);
+    (members || []).forEach(m => { if (m && m.uid) all.add(m.uid); });
+  }
+  // Also allow extra direct emails (optional)
+  const extraEmails = (settings.notifyEmails || '').split(',').map(s => s.trim()).filter(Boolean);
+
+  const uids = Array.from(all);
+  // Send to uids
+  await Promise.all(uids.map(async (uid) => {
+    const u = await user.getUserFields(uid, ['email', 'username']);
+    if (u && u.email) {
+      await emailer.send('default', u.email, subject, html);
+    }
+  }));
 
-  // Admin planning page
-  router.get('/admin/calendar/planning', middleware.admin.buildHeader, renderPlanningPage);
-  router.get('/api/admin/calendar/planning/page', renderPlanningPage);
+  // Send to extra emails
+  await Promise.all(extraEmails.map(async (mail) => {
+    await emailer.send('default', mail, subject, html);
+  }));
+}
 
-  /* -----------------------------
-   * Events API
-   * ---------------------------- */
+async function createCheckoutIntent(settings, reservationObj, amountCents) {
+  const baseUrl = apiBase(settings.helloassoEnv);
+  const token = await getHelloAssoToken(settings);
+
+  if (!settings.helloassoOrganizationSlug) throw new Error('HelloAsso organizationSlug missing');
+  const url = `${baseUrl}/v5/organizations/${encodeURIComponent(settings.helloassoOrganizationSlug)}/checkout-intents`;
+
+  const requester = await user.getUserFields(reservationObj.uid, ['username', 'fullname', 'email']);
+  const payerName = (requester && (requester.fullname || requester.username) || '').trim();
+  const parts = payerName.split(/\s+/).filter(Boolean);
+  const firstName = parts[0] || 'User';
+  const lastName = parts.slice(1).join(' ') || 'NodeBB';
+
+  // Required by HelloAsso: totalAmount, initialAmount, itemName, backUrl, errorUrl, returnUrl, containsDonation (bool)
+  const body = {
+    totalAmount: amountCents,
+    initialAmount: amountCents,
+    itemName: reservationObj.itemName || 'Reservation',
+    backUrl: settings.helloassoBackUrl || settings.helloassoReturnUrl || settings.helloassoErrorUrl,
+    errorUrl: settings.helloassoErrorUrl || settings.helloassoReturnUrl || settings.helloassoBackUrl,
+    returnUrl: settings.helloassoReturnUrl || settings.helloassoBackUrl || settings.helloassoErrorUrl,
+    containsDonation: false,
+    payer: {
+      firstName,
+      lastName,
+      email: (requester && requester.email) || undefined,
+    },
+    metadata: {
+      plugin: 'calendar-onekite',
+      reservationId: reservationObj.id,
+      uid: reservationObj.uid,
+      itemId: reservationObj.itemId,
+      start: reservationObj.start,
+      end: reservationObj.end,
+    },
+  };
 
-  router.get('/api/calendar/events', async (req, res) => {
-    try {
-      const { start, end } = req.query;
-      if (!start || !end) return res.status(400).json({ error: 'Missing start/end' });
-      const events = await getEventsBetween(start, end);
-      res.json(events);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
-    }
+  const res = await axios.post(url, body, {
+    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
+    timeout: 15_000,
   });
 
-  router.post('/api/calendar/event', middleware.ensureLoggedIn, async (req, res) => {
-    try {
-      const uid = req.user?.uid || 0;
-      if (!await userCanCreate(uid)) return res.status(403).json({ error: 'Permission refusée' });
-      const event = await createEvent(req.body, uid);
-      res.json(event);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
-    }
-  });
+  // docs: returns checkoutIntentId and redirectUrl (naming may vary)
+  const data = res.data || {};
+  const redirectUrl = data.redirectUrl || data.url || data.redirectURL || '';
+  const checkoutIntentId = data.checkoutIntentId || data.id || data.checkoutIntentID || '';
+  return { redirectUrl, checkoutIntentId, raw: data };
+}
 
-  router.put('/api/calendar/event/:eid', middleware.ensureLoggedIn, async (req, res) => {
-    try {
-      const uid = req.user?.uid || 0;
-      if (!await userCanCreate(uid)) return res.status(403).json({ error: 'Permission refusée' });
-      const eid = req.params.eid;
-      const event = await updateEvent(eid, req.body);
-      res.json(event);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
-    }
-  });
+plugin.init = async function (params) {
+  const { router, middleware } = params;
+  const settings = await getSettings();
 
-  router.delete('/api/calendar/event/:eid', middleware.ensureLoggedIn, async (req, res) => {
-    try {
-      const uid = req.user?.uid || 0;
-      if (!await userCanCreate(uid)) return res.status(403).json({ error: 'Permission refusée' });
-      const eid = req.params.eid;
-      await deleteEvent(eid);
-      res.json({ status: 'ok' });
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+  // Page route: /calendar
+  router.get('/calendar', middleware.buildHeader, async (req, res) => {
+    if (!settings.enabled) {
+      return res.status(404).send('Calendar plugin disabled');
     }
+    const isLoggedIn = !!req.uid;
+    res.render('calendar-onekite/calendar', {
+      title: 'Calendrier',
+      isLoggedIn,
+      uid: req.uid || 0,
+    });
   });
 
-  router.get('/api/calendar/event/:eid', async (req, res) => {
+  // API: events
+  router.get('/api/calendar-onekite/events', async (req, res) => {
     try {
-      const eid = req.params.eid;
-      const event = await getEvent(eid);
-      if (!event) return res.status(404).json({ error: 'Événement introuvable' });
-      const items = JSON.parse(event.bookingItems || '[]');
-      const reservations = JSON.parse(event.reservations || '[]');
-      res.json({ ...event, bookingItems: items, reservations });
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+      const s = await getSettings();
+      if (!s.enabled) return res.json({ events: [] });
+
+      await cleanupExpiredPending(s);
+
+      const start = req.query.start;
+      const end = req.query.end;
+      const objs = await getReservationsInRange(start, end);
+      const events = await Promise.all(objs.map(reservationToEvent));
+      res.json({ events });
+    } catch (e) {
+      res.status(500).json({ error: e.message });
     }
   });
 
-  /* -----------------------------
-   * RSVP
-   * ---------------------------- */
-
-  router.post('/api/calendar/event/:eid/rsvp', middleware.ensureLoggedIn, async (req, res) => {
+  // API: items
+  router.get('/api/calendar-onekite/items', async (req, res) => {
     try {
-      const eid = req.params.eid;
-      const uid = req.user?.uid || 0;
-      const status = req.body.status;
-      const event = await setRsvp(eid, uid, status);
-      res.json(event);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+      const s = await getSettings();
+      if (!s.enabled) return res.json({ items: [] });
+      const items = await getItems(s);
+      res.json({ items });
+    } catch (e) {
+      res.status(500).json({ error: e.message });
     }
   });
 
-  /* -----------------------------
-   * Client permissions endpoints
-   * ---------------------------- */
-
-  router.get('/api/calendar/permissions/create', async (req, res) => {
-    const uid = req.user?.uid || 0;
-    const allow = await userCanCreate(uid);
-    res.json({ allow });
-  });
-
-  router.get('/api/calendar/permissions/book', async (req, res) => {
-    const uid = req.user?.uid || 0;
-    const allow = await userCanBook(uid);
-    res.json({ allow });
-  });
-
-  /* -----------------------------
-   * Multi-day reservation request
-   * ---------------------------- */
-
-  router.post('/api/calendar/event/:eid/book', middleware.ensureLoggedIn, async (req, res) => {
+  // API: create reservation (pending)
+  router.post('/api/calendar-onekite/reservations', ensureLoggedIn, async (req, res) => {
     try {
-      const uid = req.user?.uid || 0;
-      const eid = req.params.eid;
-      const { itemId, quantity, dateStart, dateEnd } = req.body;
+      const s = await getSettings();
+      await assertRequesterPrivileges(req, s);
 
-      if (!await userCanBook(uid)) {
-        return res.status(403).json({ error: 'Vous n’êtes pas autorisé à réserver du matériel.' });
-      }
-      if (!dateStart || !dateEnd) {
-        return res.status(400).json({ error: 'Dates de début et de fin obligatoires.' });
+      const { itemId, itemName, start, end, priceCents } = req.body || {};
+      if (!itemId || !itemName || !start || !end) {
+        return res.status(400).json({ error: 'missing-fields' });
       }
-      if (String(dateEnd) < String(dateStart)) {
-        return res.status(400).json({ error: 'La date de fin doit être ≥ la date de début.' });
-      }
-
-      const event = await getEvent(eid);
-      if (!event) return res.status(404).json({ error: 'Événement introuvable' });
-      if (!Number(event.bookingEnabled)) return res.status(400).json({ error: 'Réservation désactivée' });
-
-      const items = JSON.parse(event.bookingItems || '[]');
-      const item = items.find(i => i.id === itemId);
-      if (!item) return res.status(400).json({ error: 'Matériel introuvable' });
-
-      const q = Number(quantity);
-      if (!q || q <= 0) return res.status(400).json({ error: 'Quantité invalide' });
 
-      const allRes = JSON.parse(event.reservations || '[]');
-
-      // Stock check: sum overlapping reservations (pending_admin/awaiting_payment/paid) for the same item
-      const overlapping = allRes.filter(r => {
-        if (r.itemId !== itemId) return false;
-        if (r.status === 'cancelled') return false;
-
-        const startR = new Date(r.dateStart);
-        const endR = new Date(r.dateEnd);
-        const startN = new Date(dateStart);
-        const endN = new Date(dateEnd);
+      const startMs = new Date(start).getTime();
+      const endMs = new Date(end).getTime();
+      if (!isFinite(startMs) || !isFinite(endMs) || endMs <= startMs) {
+        return res.status(400).json({ error: 'invalid-dates' });
+      }
 
-        return !(endN < startR || startN > endR);
+      // Check overlap with approved OR pending (not expired) for same item
+      await cleanupExpiredPending(s);
+      const rangeObjs = await getReservationsInRange(new Date(startMs - 365*24*3600*1000).toISOString(), new Date(endMs + 365*24*3600*1000).toISOString());
+      const overlap = rangeObjs.some(o => {
+        if (!o) return false;
+        if (o.itemId !== String(itemId)) return false;
+        if (o.status !== 'approved' && o.status !== 'pending') return false;
+        const os = new Date(o.start).getTime();
+        const oe = new Date(o.end).getTime();
+        return os < endMs && oe > startMs;
       });
+      if (overlap) {
+        return res.status(409).json({ error: 'overlap' });
+      }
 
-      const used = overlapping.reduce((sum, r) => sum + Number(r.quantity || 0), 0);
-      const available = Number(item.total || 0) - used;
-      if (q > available) return res.status(400).json({ error: 'Matériel indisponible pour ces dates.' });
+      const id = await nextReservationId();
+      const requester = await user.getUserFields(req.uid, ['username', 'fullname']);
+      const requesterName = (requester && (requester.fullname || requester.username)) || 'User';
 
-      const rid = await nextReservationId();
-      const now = Date.now();
-      const nbDays = daysBetween(dateStart, dateEnd);
+      const expiresAt = nowMs() + (Math.max(1, s.holdMinutes) * 60_000);
 
-      const reservation = {
-        rid,
-        eid: String(eid),
-        uid: String(uid),
+      const obj = {
+        id,
+        uid: String(req.uid),
+        requesterName,
         itemId: String(itemId),
-        quantity: q,
-        dateStart,
-        dateEnd,
-        days: nbDays,
-        status: 'pending_admin',
-        helloAssoOrderId: null,
-        createdAt: now,
-        pickupLocation: String(item.pickupLocation || ''),
+        itemName: String(itemName),
+        start: new Date(startMs).toISOString(),
+        end: new Date(endMs).toISOString(),
+        status: 'pending',
+        createdAt: String(nowMs()),
+        expiresAt: String(expiresAt),
+        priceCents: String(parseInt(priceCents || '0', 10) || 0),
       };
 
-      allRes.push(reservation);
-      event.bookingItems = JSON.stringify(items);
-      event.reservations = JSON.stringify(allRes);
-
-      await db.setObject(getEventKey(eid), event);
-
-      // Email: request created
-      try {
-        await emailer.send('calendar-reservation-created', uid, {
-          subject: 'Votre demande de réservation a été envoyée',
-          eventTitle: event.title,
-          item: item.name,
-          quantity: reservation.quantity,
-          date: new Date().toLocaleString('fr-FR'),
-          dateStart,
-          dateEnd,
-          days: nbDays,
-          pickupLocation: reservation.pickupLocation || 'Non précisé',
-        });
-      } catch (e) {
-        console.warn('[calendar-onekite] email reservation-created error:', e.message);
-      }
-
-      res.json({
-        success: true,
-        status: 'pending_admin',
-        message: 'Votre demande de réservation a été envoyée. Elle doit être validée par un administrateur.',
-      });
-    } catch (err) {
-      res.status(500).json({ error: err.message });
-    }
-  });
-
-  /* -----------------------------
-   * Admin: pending list
-   * ---------------------------- */
-
-  router.get('/api/admin/calendar/pending', middleware.admin.checkPrivileges, async (req, res) => {
-    try {
-      const result = [];
-      const eids = await db.getSortedSetRange(EVENTS_SET_KEY, 0, -1);
-
-      for (const eid of eids) {
-        const event = await getEvent(eid);
-        if (!event) continue;
-
-        const reservations = JSON.parse(event.reservations || '[]');
-        const pending = reservations.filter(r => r.status === 'pending_admin');
-        if (pending.length) result.push({ event, reservations: pending });
+      await db.setObject(`${RES_PREFIX}:${id}`, obj);
+      await db.sortedSetAdd(RES_ZSET_BY_START, startMs, id);
+
+      // Notify approvers
+      const approverGroups = splitGroups(s.approverGroups);
+      if (approverGroups.length) {
+        const subject = `[OneKite] Nouvelle réservation à valider (#${id})`;
+        const html = `
+          <p>Une nouvelle réservation est en attente de validation.</p>
+          <ul>
+            <li>ID: ${id}</li>
+            <li>Matériel: ${obj.itemName}</li>
+            <li>Début: ${obj.start}</li>
+            <li>Fin: ${obj.end}</li>
+            <li>Demandeur: ${requesterName}</li>
+          </ul>
+          <p>Connectez-vous à NodeBB et ouvrez le calendrier pour valider/refuser.</p>
+        `;
+        await sendEmailToGroups(s, subject, html, approverGroups);
       }
 
-      res.json(result);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+      res.json({ reservation: obj });
+    } catch (e) {
+      const status = e.message === 'not-allowed' ? 403 : 500;
+      res.status(status).json({ error: e.message });
     }
   });
 
-  /* -----------------------------
-   * Admin: validate reservation -> awaiting_payment + HelloAsso checkout
-   * ---------------------------- */
-
-  router.post('/api/admin/calendar/reservation/:rid/validate', middleware.admin.checkPrivileges, async (req, res) => {
+  // API: approve reservation (creates checkout intent, sends payer link)
+  router.post('/api/calendar-onekite/reservations/:id/approve', ensureLoggedIn, async (req, res) => {
     try {
-      const rid = req.params.rid;
-      const eids = await db.getSortedSetRange(EVENTS_SET_KEY, 0, -1);
-
-      let targetEvent = null;
-      let reservation = null;
-
-      for (const eid of eids) {
-        const event = await getEvent(eid);
-        if (!event) continue;
-
-        const reservations = JSON.parse(event.reservations || '[]');
-        const r = reservations.find(rr => rr.rid === rid);
-        if (r) {
-          targetEvent = event;
-          reservation = r;
-          break;
-        }
+      const s = await getSettings();
+      await assertApproverPrivileges(req, s);
+
+      const id = req.params.id;
+      const key = `${RES_PREFIX}:${id}`;
+      const obj = await db.getObject(key);
+      if (!obj) return res.status(404).json({ error: 'not-found' });
+      if (obj.status !== 'pending') return res.status(400).json({ error: 'not-pending' });
+
+      // figure amount: from stored priceCents or from items list
+      let amountCents = parseInt(obj.priceCents || '0', 10) || 0;
+      if (!amountCents) {
+        const items = await getItems(s);
+        const match = (items || []).find(it => String(it.id || it.itemId || it.itemID) === String(obj.itemId));
+        // Try common fields for price
+        const price = match && (match.price || match.amount || match.unitPrice || match.totalAmount || match.publicAmount);
+        if (typeof price === 'number') amountCents = price;
+        if (!amountCents && match && match.price && typeof match.price.value === 'number') amountCents = match.price.value;
       }
-
-      if (!reservation) return res.status(404).json({ error: 'Réservation introuvable' });
-      if (reservation.status !== 'pending_admin') return res.status(400).json({ error: 'Réservation déjà traitée' });
-
-      reservation.status = 'awaiting_payment';
-
-      const resList = JSON.parse(targetEvent.reservations || '[]');
-      const idx = resList.findIndex(r => r.rid === rid);
-      resList[idx] = reservation;
-      targetEvent.reservations = JSON.stringify(resList);
-
-      await db.setObject(getEventKey(targetEvent.eid), targetEvent);
-
-      const amount = computePrice(targetEvent, reservation);
-      const checkoutUrl = await helloAsso.createHelloAssoCheckoutIntent({
-        eid: reservation.eid,
-        rid,
-        uid: reservation.uid,
-        itemId: reservation.itemId,
-        quantity: reservation.quantity,
-        amount,
-      });
-
-      try {
-        await emailer.send('calendar-reservation-approved', reservation.uid, {
-          subject: 'Votre réservation a été validée',
-          eventTitle: targetEvent.title,
-          itemName: reservation.itemId,
-          quantity: reservation.quantity,
-          checkoutUrl,
-          pickupLocation: reservation.pickupLocation || 'Non précisé',
-          dateStart: reservation.dateStart,
-          dateEnd: reservation.dateEnd,
-          days: reservation.days || 1,
-        });
-      } catch (e) {
-        console.warn('[calendar-onekite] email reservation-approved error:', e.message);
+      if (!amountCents) return res.status(400).json({ error: 'missing-amount' });
+
+      const { redirectUrl, checkoutIntentId } = await createCheckoutIntent(s, obj, amountCents);
+      if (!redirectUrl) return res.status(500).json({ error: 'helloasso-missing-redirectUrl' });
+
+      obj.status = 'approved';
+      obj.paymentUrl = redirectUrl;
+      obj.checkoutIntentId = checkoutIntentId ? String(checkoutIntentId) : '';
+      obj.approvedAt = String(nowMs());
+      obj.approvedBy = String(req.uid);
+
+      await db.setObject(key, obj);
+
+      // notify requester
+      const requester = await user.getUserFields(parseInt(obj.uid, 10), ['email', 'username', 'fullname']);
+      if (requester && requester.email) {
+        const subject = `[OneKite] Réservation validée (#${id}) - Paiement`;
+        const html = `
+          <p>Votre réservation a été validée ✅</p>
+          <ul>
+            <li>Matériel: ${obj.itemName}</li>
+            <li>Début: ${obj.start}</li>
+            <li>Fin: ${obj.end}</li>
+          </ul>
+          <p>Merci d'effectuer le paiement via ce lien :</p>
+          <p><a href="${redirectUrl}">${redirectUrl}</a></p>
+        `;
+        await emailer.send('default', requester.email, subject, html);
       }
 
-      res.json({ success: true, checkoutUrl });
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+      res.json({ reservation: obj });
+    } catch (e) {
+      const status = e.message === 'not-allowed' ? 403 : 500;
+      res.status(status).json({ error: e.message });
     }
   });
 
-  /* -----------------------------
-   * Admin: cancel reservation
-   * ---------------------------- */
-
-  router.post('/api/admin/calendar/reservation/:rid/cancel', middleware.admin.checkPrivileges, async (req, res) => {
+  // API: reject reservation
+  router.post('/api/calendar-onekite/reservations/:id/reject', ensureLoggedIn, async (req, res) => {
     try {
-      const rid = req.params.rid;
-      const eids = await db.getSortedSetRange(EVENTS_SET_KEY, 0, -1);
-
-      let found = false;
-
-      for (const eid of eids) {
-        const event = await getEvent(eid);
-        if (!event) continue;
-
-        const reservations = JSON.parse(event.reservations || '[]');
-        const rIndex = reservations.findIndex(rr => rr.rid === rid);
-        if (rIndex !== -1) {
-          reservations[rIndex].status = 'cancelled';
-          event.reservations = JSON.stringify(reservations);
-          await db.setObject(getEventKey(event.eid), event);
-          found = true;
-          break;
-        }
+      const s = await getSettings();
+      await assertApproverPrivileges(req, s);
+
+      const id = req.params.id;
+      const key = `${RES_PREFIX}:${id}`;
+      const obj = await db.getObject(key);
+      if (!obj) return res.status(404).json({ error: 'not-found' });
+      if (obj.status !== 'pending') return res.status(400).json({ error: 'not-pending' });
+
+      obj.status = 'rejected';
+      obj.rejectedAt = String(nowMs());
+      obj.rejectedBy = String(req.uid);
+      await db.setObject(key, obj);
+
+      const requester = await user.getUserFields(parseInt(obj.uid, 10), ['email', 'username', 'fullname']);
+      if (requester && requester.email) {
+        const subject = `[OneKite] Réservation refusée (#${id})`;
+        const html = `
+          <p>Votre réservation a été refusée ❌</p>
+          <ul>
+            <li>Matériel: ${obj.itemName}</li>
+            <li>Début: ${obj.start}</li>
+            <li>Fin: ${obj.end}</li>
+          </ul>
+        `;
+        await emailer.send('default', requester.email, subject, html);
       }
 
-      if (!found) return res.status(404).json({ error: 'Réservation introuvable' });
-      res.json({ success: true });
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+      res.json({ reservation: obj });
+    } catch (e) {
+      const status = e.message === 'not-allowed' ? 403 : 500;
+      res.status(status).json({ error: e.message });
     }
   });
 
-  /* -----------------------------
-   * HelloAsso webhook (marks reservation paid)
-   * ---------------------------- */
-
-  router.post('/api/calendar/helloasso/webhook', async (req, res) => {
-    try {
-      const payload = req.body;
-      const order = payload.order || payload;
-
-      const orderId = String(order.id || '');
-      const state = order.state || order.status || '';
-      if (state !== 'Paid') return res.json({ ignored: true });
-
-      const custom = order.customFields || {};
-      const eid = String(custom.eid || '');
-      const rid = String(custom.rid || '');
-
-      if (!eid || !rid) return res.status(400).json({ error: 'Missing eid/rid in customFields' });
-
-      const event = await getEvent(eid);
-      if (!event) throw new Error('Event not found');
-
-      let reservations = JSON.parse(event.reservations || '[]');
-      const rIndex = reservations.findIndex(r => r.rid === rid);
-      if (rIndex === -1) throw new Error('Reservation not found');
-
-      const reservation = reservations[rIndex];
-      if (reservation.status === 'paid') return res.json({ ok: true });
-
-      // Update optional aggregate reserved count
-      const items = JSON.parse(event.bookingItems || '[]');
-      const itemIndex = items.findIndex(i => i.id === reservation.itemId);
-      if (itemIndex !== -1) {
-        const it = items[itemIndex];
-        it.reserved = (Number(it.reserved || 0) + Number(reservation.quantity || 0));
-        items[itemIndex] = it;
-      }
-
-      reservation.status = 'paid';
-      reservation.helloAssoOrderId = orderId;
-      reservations[rIndex] = reservation;
-
-      event.bookingItems = JSON.stringify(items);
-      event.reservations = JSON.stringify(reservations);
-
-      await db.setObject(getEventKey(eid), event);
-
-      try {
-        await emailer.send('calendar-payment-confirmed', reservation.uid, {
-          subject: 'Votre paiement a été confirmé',
-          eventTitle: event.title,
-          itemName: reservation.itemId,
-          quantity: reservation.quantity,
-          pickupLocation: reservation.pickupLocation || 'Non précisé',
-          dateStart: reservation.dateStart,
-          dateEnd: reservation.dateEnd,
-          days: reservation.days || 1,
-        });
-      } catch (e) {
-        console.warn('[calendar-onekite] email payment-confirmed error:', e.message);
-      }
-
-      res.json({ ok: true });
-    } catch (err) {
-      console.error('[calendar-onekite] HelloAsso webhook error:', err);
-      res.status(500).json({ error: err.message });
-    }
+  // Admin API: get/save settings
+  router.get('/api/admin/plugins/calendar-onekite', ensureLoggedIn, adminsOnly, async (req, res) => {
+    const settings = await meta.settings.get(PLUGIN_NS);
+    res.json(settings);
   });
 
-  /* -----------------------------
-   * Admin plugin page + settings API
-   * IMPORTANT: keep these routes EXACTLY aligned with your admin.js
-   * ---------------------------- */
-
-  router.get('/admin/plugins/calendar-onekite', middleware.admin.buildHeader, renderAdminPage);
-  router.get('/api/admin/plugins/calendar-onekite', renderAdminPage);
-
-  router.put('/api/admin/plugins/calendar-onekite', middleware.admin.checkPrivileges, async (req, res) => {
-    try {
-      await Settings.set(SETTINGS_KEY, req.body);
-      res.json({ status: 'ok' });
-    } catch (err) {
-      res.status(500).json({ error: err.message });
-    }
+  router.post('/api/admin/plugins/calendar-onekite', ensureLoggedIn, adminsOnly, async (req, res) => {
+    await meta.settings.set(PLUGIN_NS, req.body);
+    // invalidate caches when settings change
+    helloassoTokenCache = { token: null, expiresAt: 0 };
+    itemsCache = { items: null, expiresAt: 0 };
+    res.json({ ok: true });
   });
 
-  /* -----------------------------
-   * My reservations API
-   * ---------------------------- */
-
-  router.get('/api/calendar/my-reservations', middleware.ensureLoggedIn, async (req, res) => {
-    try {
-      const uid = String(req.user?.uid || 0);
-      if (!uid || uid === '0') return res.status(403).json({ error: 'Non connecté' });
-
-      const eids = await db.getSortedSetRange(EVENTS_SET_KEY, 0, -1);
-      const result = [];
-
-      for (const eid of eids) {
-        const event = await getEvent(eid);
-        if (!event) continue;
-
-        const items = JSON.parse(event.bookingItems || '[]');
-        const reservations = JSON.parse(event.reservations || '[]');
-
-        reservations
-          .filter(r => String(r.uid) === uid)
-          .forEach(r => {
-            const item = items.find(i => i.id === r.itemId);
-            result.push({
-              ...r,
-              eventTitle: event.title,
-              eventStart: event.start,
-              eventEnd: event.end,
-              itemName: item ? item.name : r.itemId,
-            });
-          });
-      }
+  // Admin API: purge by year
+  router.post('/api/admin/plugins/calendar-onekite/purge', ensureLoggedIn, adminsOnly, async (req, res) => {
+    const year = parseInt((req.body && req.body.year) || '0', 10);
+    if (!year || year < 1970 || year > 3000) return res.status(400).json({ error: 'invalid-year' });
 
-      result.sort((a, b) => new Date(a.dateStart) - new Date(b.dateStart));
-      res.json(result);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
-    }
-  });
+    const ids = await db.getSortedSetRange(RES_ZSET_BY_START, 0, 100000);
+    if (!ids.length) return res.json({ deleted: 0 });
 
-  /* -----------------------------
-   * Admin planning API (future reservations)
-   * ---------------------------- */
+    const keys = ids.map(id => `${RES_PREFIX}:${id}`);
+    const objs = await db.getObjects(keys);
 
-  router.get('/api/admin/calendar/planning', middleware.admin.checkPrivileges, async (req, res) => {
-    try {
-      const now = new Date();
-      const eids = await db.getSortedSetRangeByScore(EVENTS_SET_KEY, 0, -1, now.getTime(), '+inf');
-      const rows = [];
-
-      for (const eid of eids) {
-        const event = await getEvent(eid);
-        if (!event) continue;
-
-        const items = JSON.parse(event.bookingItems || '[]');
-        const reservations = JSON.parse(event.reservations || '[]');
-
-        reservations
-          .filter(r => r.status === 'pending_admin' || r.status === 'awaiting_payment' || r.status === 'paid')
-          .forEach(r => {
-            const item = items.find(i => i.id === r.itemId);
-            rows.push({
-              eid: event.eid,
-              eventTitle: event.title,
-              itemId: r.itemId,
-              itemName: item ? item.name : r.itemId,
-              uid: r.uid,
-              quantity: r.quantity,
-              dateStart: r.dateStart,
-              dateEnd: r.dateEnd,
-              days: r.days || daysBetween(r.dateStart, r.dateEnd),
-              status: r.status,
-              pickupLocation: r.pickupLocation || 'Non précisé',
-            });
-          });
-      }
-
-      rows.sort((a, b) => new Date(a.dateStart) - new Date(b.dateStart));
-      res.json(rows);
-    } catch (err) {
-      res.status(500).json({ error: err.message });
+    const toDelete = [];
+    for (const obj of (objs || [])) {
+      if (!obj) continue;
+      const s = new Date(obj.start).getUTCFullYear();
+      if (s === year) toDelete.push(obj.id);
     }
+    await Promise.all(toDelete.map(async (id) => {
+      await db.delete(`${RES_PREFIX}:${id}`);
+      await db.sortedSetRemove(RES_ZSET_BY_START, id);
+    }));
+
+    res.json({ deleted: toDelete.length });
   });
 };
 
-/* -----------------------------
- * ACP nav entry
- * ---------------------------- */
-
-Plugin.addAdminNavigation = function (header) {
+plugin.addAdminNavigation = async function (header) {
   header.plugins.push({
-    // NodeBB ACP will resolve this under /admin
     route: '/plugins/calendar-onekite',
-    icon: 'fa fa-calendar',
+    icon: 'fa-calendar',
     name: 'Calendar OneKite',
   });
   return header;
 };
 
-/* -----------------------------
- * Widget
- * ---------------------------- */
-
-Plugin.defineWidgets = async function (widgets) {
-  widgets.push({
-    widget: 'calendarUpcoming',
-    name: 'Prochains événements',
-    description: 'Affiche la liste des prochains événements du calendrier.',
-    content: '',
+plugin.addPageRoute = async function (data) {
+  // ensure /calendar works as "page route" for theme router filter edge cases
+  data.router.get('/calendar', data.middleware.buildHeader, async (req, res) => {
+    res.render('calendar-onekite/calendar', {
+      title: 'Calendrier',
+      isLoggedIn: !!req.uid,
+      uid: req.uid || 0,
+    });
   });
-  return widgets;
-};
-
-Plugin.renderUpcomingWidget = async function (widget, callback) {
-  try {
-    const settings = (await Settings.get(SETTINGS_KEY)) || {};
-    const limit = Number((widget && widget.data && widget.data.limit) || settings.limit || 5);
-    const events = await getUpcomingEvents(limit);
-    const html = await appRef.renderAsync('widgets/calendar-upcoming', { events });
-    widget.html = html;
-    if (typeof callback === 'function') {
-      return callback(null, widget);
-    }
-    return widget;
-  } catch (err) {
-    if (typeof callback === 'function') {
-      return callback(err);
-    }
-    throw err;
-  }
+  return data;
 };
 
-module.exports = Plugin;
+module.exports = plugin;