nodebb-plugin-equipment-calendar 0.1.0

package/README.md

@@ -0,0 +1,37 @@
+# NodeBB Equipment Calendar (v0.1.0)
+
+Plugin NodeBB (testé pour NodeBB v4.7.x) pour gérer des réservations de matériel via un calendrier (FullCalendar),
+avec workflow : demande -> validation par un groupe -> lien de paiement HelloAsso -> statut payé/validé.
+
+## Fonctionnement (sans "AJAX applicatif")
+- La page calendrier est rendue côté serveur avec les évènements de la période demandée.
+- Les actions (création, validation, refus) sont des POST classiques, suivis d'une redirection.
+- FullCalendar est utilisé en mode "events inline" (pas de feed JSON automatique).
+
+## Installation
+```bash
+cd /path/to/nodebb
+npm install /path/to/nodebb-plugin-equipment-calendar
+./nodebb build
+./nodebb restart
+```
+
+## Configuration
+Dans l'ACP : Plugins -> Equipment Calendar
+
+- Groupes autorisés à créer une demande
+- Groupe validateur
+- Groupe notifié
+- Matériel (JSON)
+- Paramètres HelloAsso (clientId, clientSecret, organizationSlug, returnUrl, webhookSecret, etc.)
+
+## Webhook HelloAsso
+Déclare l'URL :
+`https://<ton-forum>/equipment/webhook/helloasso`
+
+Le plugin vérifie la signature si `webhookSecret` est renseigné (exemple basique).
+
+## Remarques
+- Ce plugin est un squelette complet mais générique : adapte la logique de paiement HelloAsso selon ton besoin exact
+  (type de checkout, itemization, montant, etc.).
+- Pour un contrôle d'overlap strict : le plugin empêche les réservations qui chevauchent (même item) pour les statuts bloquants.

package/library.js

@@ -0,0 +1,649 @@
+'use strict';
+
+const db = require.main.require('./src/database');
+const meta = require.main.require('./src/meta');
+const groups = require.main.require('./src/groups');
+const user = require.main.require('./src/user');
+const notifications = require.main.require('./src/notifications');
+const Emailer = require.main.require('./src/emailer');
+const routeHelpers = require.main.require('./src/routes/helpers');
+const middleware = require.main.require('./src/middleware');
+const helpers = require.main.require('./src/controllers/helpers');
+const nconf = require.main.require('nconf');
+
+const axios = require('axios');
+const { DateTime } = require('luxon');
+const { v4: uuidv4 } = require('uuid');
+const crypto = require('crypto');
+
+const plugin = {};
+const SETTINGS_KEY = 'equipmentCalendar';
+
+const DEFAULT_SETTINGS = {
+  creatorGroups: 'registered-users',
+  approverGroup: 'administrators',
+  notifyGroup: 'administrators',
+  // JSON array of items: [{ "id": "cam1", "name": "Caméra A", "priceCents": 5000, "location": "Stock A", "active": true }]
+  itemsJson: '[]',
+  // HelloAsso
+  ha_clientId: '',
+  ha_clientSecret: '',
+  ha_organizationSlug: '',
+  ha_returnUrl: '',
+  ha_webhookSecret: '',
+  // calendar
+  defaultView: 'dayGridMonth',
+  timezone: 'Europe/Paris',
+  // privacy
+  showRequesterToAll: '0', // 0/1
+};
+
+function parseItems(itemsJson) {
+  try {
+    const arr = JSON.parse(itemsJson || '[]');
+    if (!Array.isArray(arr)) return [];
+    return arr.map(it => ({
+      id: String(it.id || '').trim(),
+      name: String(it.name || '').trim(),
+      priceCents: Number(it.priceCents || 0),
+      location: String(it.location || '').trim(),
+      active: it.active !== false,
+    })).filter(it => it.id && it.name);
+  } catch (e) {
+    return [];
+  }
+}
+
+async function getSettings() {
+  const settings = await meta.settings.get(SETTINGS_KEY);
+  return { ...DEFAULT_SETTINGS, ...(settings || {}) };
+}
+
+// --- Data layer ---
+// Keys:
+// item hash: equipmentCalendar:items (stored in settings as JSON)
+// reservations stored as objects in db, indexed by id, and by itemId
+// reservation object key: equipmentCalendar:res:<id>
+// index by item: equipmentCalendar:item:<itemId>:res (sorted set score=startMillis, value=resId)
+
+function resKey(id) { return `equipmentCalendar:res:${id}`; }
+function itemIndexKey(itemId) { return `equipmentCalendar:item:${itemId}:res`; }
+
+function statusBlocksItem(status) {
+  // statuses that block availability
+  return ['pending', 'approved_waiting_payment', 'paid_validated'].includes(status);
+}
+
+async function saveReservation(res) {
+  await db.setObject(resKey(res.id), res);
+  await db.sortedSetAdd(itemIndexKey(res.itemId), res.startMs, res.id);
+}
+
+async function getReservation(id) {
+  const obj = await db.getObject(resKey(id));
+  if (!obj || !obj.id) return null;
+  // db returns strings, normalize
+  return normalizeReservation(obj);
+}
+
+function normalizeReservation(obj) {
+  const startMs = Number(obj.startMs);
+  const endMs = Number(obj.endMs);
+  return {
+    id: obj.id,
+    itemId: obj.itemId,
+    uid: Number(obj.uid),
+    startMs,
+    endMs,
+    status: obj.status,
+    createdAtMs: Number(obj.createdAtMs || 0),
+    updatedAtMs: Number(obj.updatedAtMs || 0),
+    validatorUid: obj.validatorUid ? Number(obj.validatorUid) : 0,
+    notesUser: obj.notesUser || '',
+    notesAdmin: obj.notesAdmin || '',
+    ha_checkoutIntentId: obj.ha_checkoutIntentId || '',
+    ha_paymentUrl: obj.ha_paymentUrl || '',
+    ha_paymentStatus: obj.ha_paymentStatus || '',
+    ha_paidAtMs: Number(obj.ha_paidAtMs || 0),
+  };
+}
+
+async function listReservationsForRange(itemId, startMs, endMs) {
+  // fetch candidates by score range with some padding
+  const ids = await db.getSortedSetRangeByScore(itemIndexKey(itemId), 0, -1, startMs - 86400000, endMs + 86400000);
+  if (!ids || !ids.length) return [];
+  const objs = await db.getObjects(ids.map(resKey));
+  return (objs || []).filter(Boolean).map(normalizeReservation).filter(r => {
+    // overlap check
+    return r.startMs < endMs && r.endMs > startMs;
+  });
+}
+
+async function hasOverlap(itemId, startMs, endMs) {
+  const existing = await listReservationsForRange(itemId, startMs, endMs);
+  return existing.some(r => statusBlocksItem(r.status) && r.startMs < endMs && r.endMs > startMs);
+}
+
+// --- Permissions helpers ---
+async function isInAnyGroup(uid, groupNamesCsv) {
+  if (!uid) return false;
+  const groupNames = String(groupNamesCsv || '').split(',').map(s => s.trim()).filter(Boolean);
+  if (!groupNames.length) return false;
+  for (const g of groupNames) {
+    const isMember = await groups.isMember(uid, g);
+    if (isMember) return true;
+  }
+  return false;
+}
+
+async function canCreate(uid, settings) {
+  return isInAnyGroup(uid, settings.creatorGroups);
+}
+
+async function canApprove(uid, settings) {
+  return groups.isMember(uid, settings.approverGroup);
+}
+
+async function listGroupUids(groupName) {
+  try {
+    const members = await groups.getMembers(groupName, 0, 9999);
+    return (members && members.users) ? members.users.map(u => u.uid) : [];
+  } catch (e) {
+    return [];
+  }
+}
+
+async function sendGroupNotificationAndEmail(groupName, notifTitle, notifBody, link) {
+  const uids = await listGroupUids(groupName);
+  if (!uids.length) return;
+
+  // NodeBB notifications
+  try {
+    await notifications.create({
+      bodyShort: notifTitle,
+      bodyLong: notifBody,
+      nid: `equipmentCalendar:${uuidv4()}`,
+      from: 0,
+      path: link,
+    });
+  } catch (e) { /* ignore */ }
+
+  try {
+    // push notification to each user
+    for (const uid of uids) {
+      try {
+        await notifications.push({
+          uid,
+          bodyShort: notifTitle,
+          bodyLong: notifBody,
+          nid: `equipmentCalendar:${uuidv4()}`,
+          from: 0,
+          path: link,
+        });
+      } catch (e) { /* ignore per user */ }
+    }
+  } catch (e) { /* ignore */ }
+
+  // Emails (best-effort)
+  try {
+    const users = await user.getUsersData(uids);
+    const emails = (users || []).map(u => u.email).filter(Boolean);
+    if (emails.length) {
+      await Emailer.send('equipmentCalendar', {
+        // Emailer templates: we provide a minimal HTML via meta.template? NodeBB typically uses email templates
+        // Here we rely on Emailer plugin config; this is best-effort and may vary per installation.
+        // Fallback: send each email individually with raw subject/text if supported.
+        subject: notifTitle,
+        body: `${notifBody}\n\n${link}`,
+        to: emails.join(','),
+      });
+    }
+  } catch (e) {
+    // Many NodeBB installs do not support ad-hoc Emailer.send signatures; ignore gracefully.
+  }
+}
+
+// --- HelloAsso helpers ---
+// This is a minimal integration skeleton.
+// See HelloAsso API v5 docs for exact endpoints and payloads.
+async function helloAssoGetAccessToken(settings) {
+  // HelloAsso uses OAuth2 client credentials.
+  // Endpoint: https://api.helloasso.com/oauth2/token
+  const url = 'https://api.helloasso.com/oauth2/token';
+  const params = new URLSearchParams();
+  params.append('grant_type', 'client_credentials');
+  params.append('client_id', settings.ha_clientId);
+  params.append('client_secret', settings.ha_clientSecret);
+
+  const resp = await axios.post(url, params.toString(), {
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    timeout: 15000,
+  });
+  return resp.data.access_token;
+}
+
+async function helloAssoCreateCheckout(settings, token, reservation, item) {
+  // Minimal: create a checkout intent and return redirectUrl
+  // This endpoint/payload may need adaptation depending on your HelloAsso setup.
+  const org = settings.ha_organizationSlug;
+  if (!org) throw new Error('HelloAsso organizationSlug missing');
+
+  const url = `https://api.helloasso.com/v5/organizations/${encodeURIComponent(org)}/checkout-intents`;
+  const amountCents = Math.max(0, Number(item.priceCents || 0));
+
+  const payload = {
+    totalAmount: amountCents,
+    initialAmount: amountCents,
+    itemName: item.name,
+    backUrl: settings.ha_returnUrl || `${nconf.get('url')}/equipment/payment/return?rid=${encodeURIComponent(reservation.id)}`,
+    errorUrl: settings.ha_returnUrl || `${nconf.get('url')}/equipment/payment/return?rid=${encodeURIComponent(reservation.id)}&status=error`,
+    metadata: {
+      reservationId: reservation.id,
+      itemId: reservation.itemId,
+      uid: String(reservation.uid),
+    },
+  };
+
+  const resp = await axios.post(url, payload, {
+    headers: { Authorization: `Bearer ${token}` },
+    timeout: 15000,
+  });
+
+  // Typical response fields (may vary): id, redirectUrl
+  return {
+    checkoutIntentId: resp.data.id || resp.data.checkoutIntentId || '',
+    paymentUrl: resp.data.redirectUrl || resp.data.paymentUrl || '',
+  };
+}
+
+// Webhook signature check (simple HMAC SHA256 over raw body)
+function verifyWebhook(req, secret) {
+  if (!secret) return true;
+  const sig = req.headers['x-helloasso-signature'] || req.headers['x-helloasso-signature-hmac-sha256'];
+  if (!sig) return false;
+  const raw = req.rawBody || '';
+  const expected = crypto.createHmac('sha256', secret).update(raw).digest('hex');
+  // Some providers prefix, some base64; accept hex only in this skeleton
+  return String(sig).toLowerCase() === expected.toLowerCase();
+}
+
+// --- Rendering helpers ---
+function toEvent(res, item, requesterName, canSeeRequester) {
+  const start = DateTime.fromMillis(res.startMs).toISO();
+  const end = DateTime.fromMillis(res.endMs).toISO();
+
+  let icon = '⏳';
+  let className = 'ec-status-pending';
+  if (res.status === 'approved_waiting_payment') { icon = '💳'; className = 'ec-status-awaitpay'; }
+  if (res.status === 'paid_validated') { icon = '✅'; className = 'ec-status-valid'; }
+  if (res.status === 'rejected' || res.status === 'cancelled') { icon = '❌'; className = 'ec-status-cancel'; }
+
+  const titleParts = [icon, item ? item.name : res.itemId];
+  if (canSeeRequester && requesterName) titleParts.push(`- ${requesterName}`);
+  return {
+    id: res.id,
+    title: titleParts.join(' '),
+    start,
+    end,
+    allDay: false,
+    className,
+    extendedProps: {
+      status: res.status,
+      itemId: res.itemId,
+    },
+  };
+}
+
+function clampRange(startStr, endStr, tz) {
+  const start = DateTime.fromISO(startStr, { zone: tz }).isValid ? DateTime.fromISO(startStr, { zone: tz }) : DateTime.now().setZone(tz).startOf('month');
+  const end = DateTime.fromISO(endStr, { zone: tz }).isValid ? DateTime.fromISO(endStr, { zone: tz }) : start.plus({ months: 1 });
+  // prevent crazy ranges
+  const maxDays = 62;
+  const diffDays = Math.abs(end.diff(start, 'days').days);
+  const safeEnd = diffDays > maxDays ? start.plus({ days: maxDays }) : end;
+  return { start, end: safeEnd };
+}
+
+// --- Routes ---
+plugin.init = async function (params) {
+  const { router } = params;
+
+  // To verify webhook signature we need raw body; add a rawBody collector for this route only
+  router.post('/equipment/webhook/helloasso',
+    require.main.require('body-parser').text({ type: '*/*' }),
+    async (req, res) => {
+      req.rawBody = req.body || '';
+      let json;
+      try { json = JSON.parse(req.rawBody || '{}'); } catch (e) { json = {}; }
+
+      const settings = await getSettings();
+      if (!verifyWebhook(req, settings.ha_webhookSecret)) {
+        return res.status(401).json({ ok: false, error: 'invalid signature' });
+      }
+
+      // Minimal mapping: expect metadata.reservationId and event indicating payment succeeded.
+      const reservationId = json?.metadata?.reservationId || json?.data?.metadata?.reservationId || '';
+      const paymentStatus = json?.eventType || json?.type || json?.status || 'unknown';
+
+      if (reservationId) {
+        const reservation = await getReservation(reservationId);
+        if (reservation) {
+          reservation.ha_paymentStatus = String(paymentStatus);
+          // Heuristic: if payload includes "OrderPaid" or "Payment" success
+          const isPaid = /paid|success|payment/i.test(String(paymentStatus)) || json?.data?.state === 'Paid';
+          if (isPaid) {
+            reservation.status = 'paid_validated';
+            reservation.ha_paidAtMs = Date.now();
+          }
+          reservation.updatedAtMs = Date.now();
+          await saveReservation(reservation);
+        }
+      }
+
+      return res.json({ ok: true });
+    }
+  );
+
+  // Return endpoint (optional)
+  router.get('/equipment/payment/return', middleware.buildHeader, async (req, res) => {
+    res.render('equipment-calendar/payment-return', {
+      title: 'Paiement',
+      rid: req.query.rid || '',
+      status: req.query.status || 'ok',
+    });
+  });
+
+  // Page routes are attached via filter:router.page as well, but we also add directly to be safe:
+  router.get('/equipment/calendar', middleware.buildHeader, renderCalendarPage);
+  router.get('/equipment/approvals', middleware.buildHeader, renderApprovalsPage);
+
+  router.post('/equipment/reservations/create', middleware.applyCSRF, handleCreateReservation);
+  router.post('/equipment/reservations/:id/approve', middleware.applyCSRF, handleApproveReservation);
+  router.post('/equipment/reservations/:id/reject', middleware.applyCSRF, handleRejectReservation);
+};
+
+plugin.addPageRoutes = async function (data) {
+  // Ensure routes are treated as "page" routes by NodeBB router filter
+  // Not strictly necessary when using router.get with buildHeader, but kept for compatibility.
+  return data;
+};
+
+plugin.addAdminNavigation = async function (header) {
+  header.plugins.push({
+    route: '/plugins/equipment-calendar',
+    icon: 'fa-calendar',
+    name: 'Equipment Calendar',
+  });
+  return header;
+};
+
+// --- Admin page routes (ACP) ---
+plugin.addAdminRoutes = async function (params) {
+  const { router, middleware: mid } = params;
+  router.get('/admin/plugins/equipment-calendar', mid.admin.buildHeader, renderAdminPage);
+  router.get('/api/admin/plugins/equipment-calendar', renderAdminPage);
+};
+
+async function renderAdminPage(req, res) {
+  const settings = await getSettings();
+  res.render('admin/plugins/equipment-calendar', {
+    title: 'Equipment Calendar',
+    settings,
+  });
+}
+
+// --- Calendar page ---
+async function renderCalendarPage(req, res) {
+  const settings = await getSettings();
+  const items = parseItems(settings.itemsJson).filter(i => i.active);
+
+  const tz = settings.timezone || 'Europe/Paris';
+
+  const itemId = String(req.query.itemId || (items[0]?.id || '')).trim();
+  const chosenItem = items.find(i => i.id === itemId) || items[0] || null;
+
+  // Determine range to render
+  const now = DateTime.now().setZone(tz);
+  const view = String(req.query.view || settings.defaultView || 'dayGridMonth');
+  const startQ = req.query.start;
+  const endQ = req.query.end;
+
+  let start, end;
+  if (startQ && endQ) {
+    const r = clampRange(String(startQ), String(endQ), tz);
+    start = r.start;
+    end = r.end;
+  } else {
+    // Default to current month range
+    start = now.startOf('month');
+    end = now.endOf('month').plus({ days: 1 });
+  }
+
+  // Load reservations for chosen item within range
+  const reservations = chosenItem ? await listReservationsForRange(chosenItem.id, start.toMillis(), end.toMillis()) : [];
+  const showRequesterToAll = String(settings.showRequesterToAll) === '1';
+  const isApprover = req.uid ? await canApprove(req.uid, settings) : false;
+
+  const requesterUids = Array.from(new Set(reservations.map(r => r.uid))).filter(Boolean);
+  const users = requesterUids.length ? await user.getUsersData(requesterUids) : [];
+  const nameByUid = {};
+  (users || []).forEach(u => { nameByUid[u.uid] = u.username || ''; });
+
+  const events = reservations
+    .filter(r => r.status !== 'rejected' && r.status !== 'cancelled')
+    .map(r => toEvent(r, chosenItem, nameByUid[r.uid], isApprover || showRequesterToAll));
+
+  const canUserCreate = req.uid ? await canCreate(req.uid, settings) : false;
+
+  res.render('equipment-calendar/calendar', {
+    title: 'Réservation de matériel',
+    items,
+    chosenItemId: chosenItem ? chosenItem.id : '',
+    chosenItemName: chosenItem ? chosenItem.name : '',
+    chosenItemPriceCents: chosenItem ? chosenItem.priceCents : 0,
+    chosenItemLocation: chosenItem ? chosenItem.location : '',
+    view,
+    tz,
+    startISO: start.toISO(),
+    endISO: end.toISO(),
+    initialDateISO: start.toISODate(),
+    eventsJson: JSON.stringify(events),
+    canCreate: canUserCreate,
+    isApprover,
+    csrf: req.csrfToken,
+    forumUrl: nconf.get('url'),
+  });
+}
+
+// --- Approvals page ---
+async function renderApprovalsPage(req, res) {
+  const settings = await getSettings();
+  const ok = req.uid ? await canApprove(req.uid, settings) : false;
+  if (!ok) {
+    return helpers.notAllowed(req, res);
+  }
+
+  const items = parseItems(settings.itemsJson);
+  // naive scan: for a real install, store a global sorted set too; for now list per item and merge
+  // We'll pull recent 200 per item and then filter
+  const pending = [];
+  for (const it of items) {
+    const ids = await db.getSortedSetRevRange(itemIndexKey(it.id), 0, 199);
+    if (!ids || !ids.length) continue;
+    const objs = await db.getObjects(ids.map(resKey));
+    const resArr = (objs || []).filter(Boolean).map(normalizeReservation).filter(r => r.status === 'pending' || r.status === 'approved_waiting_payment');
+    for (const r of resArr) pending.push(r);
+  }
+
+  // Sort by createdAt desc
+  pending.sort((a, b) => (b.createdAtMs || 0) - (a.createdAtMs || 0));
+
+  const uids = Array.from(new Set(pending.map(r => r.uid))).filter(Boolean);
+  const users = uids.length ? await user.getUsersData(uids) : [];
+  const nameByUid = {};
+  (users || []).forEach(u => { nameByUid[u.uid] = u.username || ''; });
+
+  const rows = pending.map(r => {
+    const item = items.find(i => i.id === r.itemId);
+    return {
+      id: r.id,
+      itemName: item ? item.name : r.itemId,
+      requester: nameByUid[r.uid] || `uid:${r.uid}`,
+      start: DateTime.fromMillis(r.startMs).toFormat('dd/LL/yyyy HH:mm'),
+      end: DateTime.fromMillis(r.endMs).toFormat('dd/LL/yyyy HH:mm'),
+      status: r.status,
+      paymentUrl: r.ha_paymentUrl || '',
+    };
+  });
+
+  res.render('equipment-calendar/approvals', {
+    title: 'Validation des réservations',
+    rows,
+    csrf: req.csrfToken,
+  });
+}
+
+// --- Actions ---
+async function handleCreateReservation(req, res) {
+  try {
+    const settings = await getSettings();
+    if (!req.uid || !(await canCreate(req.uid, settings))) {
+      return helpers.notAllowed(req, res);
+    }
+
+    const items = parseItems(settings.itemsJson).filter(i => i.active);
+    const itemId = String(req.body.itemId || '').trim();
+    const item = items.find(i => i.id === itemId);
+    if (!item) return res.status(400).send('Invalid item');
+
+    const tz = settings.timezone || 'Europe/Paris';
+    const start = DateTime.fromISO(String(req.body.start || ''), { zone: tz });
+    const end = DateTime.fromISO(String(req.body.end || ''), { zone: tz });
+
+    if (!start.isValid || !end.isValid) return res.status(400).send('Invalid dates');
+    const startMs = start.toMillis();
+    const endMs = end.toMillis();
+
+    if (endMs <= startMs) return res.status(400).send('End must be after start');
+    if (end.diff(start, 'days').days > 31) return res.status(400).send('Range too large');
+
+    // Overlap
+    if (await hasOverlap(itemId, startMs, endMs)) {
+      return res.status(409).send('Overlap');
+    }
+
+    const reservation = {
+      id: uuidv4(),
+      itemId,
+      uid: req.uid,
+      startMs,
+      endMs,
+      status: 'pending',
+      createdAtMs: Date.now(),
+      updatedAtMs: Date.now(),
+      validatorUid: 0,
+      notesUser: String(req.body.notesUser || '').slice(0, 2000),
+      notesAdmin: '',
+      ha_checkoutIntentId: '',
+      ha_paymentUrl: '',
+      ha_paymentStatus: '',
+      ha_paidAtMs: 0,
+    };
+
+    await saveReservation(reservation);
+
+    // Notify group
+    const link = `/equipment/approvals`;
+    await sendGroupNotificationAndEmail(
+      settings.notifyGroup || settings.approverGroup,
+      'Nouvelle demande de réservation',
+      `Une demande de réservation est en attente (matériel: ${item.name}).`,
+      link
+    );
+
+    return res.redirect(`/equipment/calendar?itemId=${encodeURIComponent(itemId)}`);
+  } catch (e) {
+    return res.status(500).send(e.message || 'error');
+  }
+}
+
+async function handleApproveReservation(req, res) {
+  try {
+    const settings = await getSettings();
+    if (!req.uid || !(await canApprove(req.uid, settings))) {
+      return helpers.notAllowed(req, res);
+    }
+
+    const id = String(req.params.id || '').trim();
+    const reservation = await getReservation(id);
+    if (!reservation) return res.status(404).send('Not found');
+    if (reservation.status !== 'pending' && reservation.status !== 'approved_waiting_payment') {
+      return res.status(409).send('Invalid status');
+    }
+
+    const items = parseItems(settings.itemsJson);
+    const item = items.find(i => i.id === reservation.itemId);
+    if (!item) return res.status(400).send('Invalid item');
+
+    // Create HelloAsso checkout
+    if (!reservation.ha_paymentUrl) {
+      if (!settings.ha_clientId || !settings.ha_clientSecret) {
+        return res.status(400).send('HelloAsso not configured');
+      }
+      const token = await helloAssoGetAccessToken(settings);
+      const checkout = await helloAssoCreateCheckout(settings, token, reservation, item);
+      reservation.ha_checkoutIntentId = checkout.checkoutIntentId;
+      reservation.ha_paymentUrl = checkout.paymentUrl;
+    }
+
+    reservation.status = 'approved_waiting_payment';
+    reservation.validatorUid = req.uid;
+    reservation.updatedAtMs = Date.now();
+    await saveReservation(reservation);
+
+    // Notify requester with payment link (best-effort)
+    try {
+      const u = await user.getUserData(reservation.uid);
+      const subject = 'Réservation approuvée - Paiement requis';
+      const body = `Ta réservation de "${item.name}" a été approuvée.\n\nLien de paiement:\n${reservation.ha_paymentUrl}\n`;
+      // NodeBB Emailer signature may vary; this is best-effort
+      await Emailer.send('equipmentCalendar-payment', {
+        subject,
+        body,
+        to: u.email,
+      });
+    } catch (e) { /* ignore */ }
+
+    return res.redirect('/equipment/approvals');
+  } catch (e) {
+    return res.status(500).send(e.message || 'error');
+  }
+}
+
+async function handleRejectReservation(req, res) {
+  try {
+    const settings = await getSettings();
+    if (!req.uid || !(await canApprove(req.uid, settings))) {
+      return helpers.notAllowed(req, res);
+    }
+
+    const id = String(req.params.id || '').trim();
+    const reservation = await getReservation(id);
+    if (!reservation) return res.status(404).send('Not found');
+    if (reservation.status !== 'pending' && reservation.status !== 'approved_waiting_payment') {
+      return res.status(409).send('Invalid status');
+    }
+
+    reservation.status = 'rejected';
+    reservation.validatorUid = req.uid;
+    reservation.notesAdmin = String(req.body.notesAdmin || '').slice(0, 2000);
+    reservation.updatedAtMs = Date.now();
+    await saveReservation(reservation);
+
+    return res.redirect('/equipment/approvals');
+  } catch (e) {
+    return res.status(500).send(e.message || 'error');
+  }
+}
+
+module.exports = plugin;

package/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "nodebb-plugin-equipment-calendar",
+  "version": "0.1.0",
+  "description": "Equipment reservation calendar for NodeBB (FullCalendar, approvals, HelloAsso payments)",
+  "main": "library.js",
+  "scripts": {
+    "lint": "node -v"
+  },
+  "keywords": [
+    "nodebb",
+    "plugin",
+    "calendar",
+    "fullcalendar",
+    "helloasso"
+  ],
+  "author": "Generated by ChatGPT",
+  "license": "MIT",
+  "dependencies": {
+    "axios": "^1.7.9",
+    "luxon": "^3.5.0",
+    "uuid": "^9.0.1"
+  }
+}

package/plugin.json

@@ -0,0 +1,25 @@
+{
+  "id": "nodebb-plugin-equipment-calendar",
+  "name": "Equipment Calendar",
+  "description": "Calendar-based equipment reservations with group approvals and HelloAsso payments.",
+  "url": "https://example.invalid",
+  "library": "./library.js",
+  "hooks": [
+    {
+      "hook": "static:app.load",
+      "method": "init"
+    },
+    {
+      "hook": "filter:admin.header.build",
+      "method": "addAdminNavigation"
+    },
+    {
+      "hook": "filter:router.page",
+      "method": "addPageRoutes"
+    }
+  ],
+  "staticDirs": {
+    "public": "./public"
+  },
+  "templates": "./public/templates"
+}

package/public/lib/admin.js

@@ -0,0 +1,32 @@
+'use strict';
+/* global $, app */
+
+define('admin/plugins/equipment-calendar', function () {
+  const EquipmentCalendar = {};
+
+  EquipmentCalendar.init = function () {
+    $('#save').on('click', function () {
+      const payload = {
+        creatorGroups: $('#creatorGroups').val(),
+        approverGroup: $('#approverGroup').val(),
+        notifyGroup: $('#notifyGroup').val(),
+        itemsJson: $('#itemsJson').val(),
+        ha_clientId: $('#ha_clientId').val(),
+        ha_clientSecret: $('#ha_clientSecret').val(),
+        ha_organizationSlug: $('#ha_organizationSlug').val(),
+        ha_returnUrl: $('#ha_returnUrl').val(),
+        ha_webhookSecret: $('#ha_webhookSecret').val(),
+        defaultView: $('#defaultView').val(),
+        timezone: $('#timezone').val(),
+        showRequesterToAll: $('#showRequesterToAll').is(':checked') ? '1' : '0',
+      };
+
+      socket.emit('admin.settings.save', { hash: 'equipmentCalendar', values: payload }, function (err) {
+        if (err) return app.alertError(err.message || err);
+        app.alertSuccess('Sauvegardé');
+      });
+    });
+  };
+
+  return EquipmentCalendar;
+});

package/public/lib/client.js

@@ -0,0 +1,50 @@
+'use strict';
+/* global $, window, document, FullCalendar */
+
+(function () {
+  function submitCreate(startISO, endISO) {
+    const form = document.getElementById('ec-create-form');
+    if (!form) return;
+    form.querySelector('input[name="start"]').value = startISO;
+    form.querySelector('input[name="end"]').value = endISO;
+    form.submit();
+  }
+
+  $(document).ready(function () {
+    const el = document.getElementById('equipment-calendar');
+    if (!el) return;
+
+    const events = window.EC_EVENTS || [];
+    const initialDate = window.EC_INITIAL_DATE;
+    const initialView = window.EC_INITIAL_VIEW || 'dayGridMonth';
+
+    const calendar = new FullCalendar.Calendar(el, {
+      initialView: initialView,
+      initialDate: initialDate,
+      timeZone: window.EC_TZ || 'local',
+      selectable: window.EC_CAN_CREATE === true,
+      selectMirror: true,
+      events: events,
+      select: function (info) {
+        // FullCalendar provides end exclusive for all-day; for timed selections it's fine.
+        submitCreate(info.startStr, info.endStr);
+      },
+      dateClick: function (info) {
+        // Create 1-hour slot by default
+        const start = info.date;
+        const end = new Date(start.getTime() + 60 * 60 * 1000);
+        submitCreate(start.toISOString(), end.toISOString());
+      },
+      eventClick: function (info) {
+        // optionally show details
+      },
+      headerToolbar: {
+        left: 'prev,next today',
+        center: 'title',
+        right: 'dayGridMonth,timeGridWeek,timeGridDay'
+      },
+    });
+
+    calendar.render();
+  });
+}());

package/public/styles.css

@@ -0,0 +1 @@
+.equipment-calendar-page { }

package/public/templates/admin/plugins/equipment-calendar.tpl

@@ -0,0 +1,67 @@
+<div class="acp-page-container">
+  <h1>Equipment Calendar</h1>
+
+  <div class="alert alert-warning">
+    Les champs "Matériel" doivent être un JSON valide (array). Exemple :
+    <pre class="mb-0">[
+  { "id": "cam1", "name": "Caméra A", "priceCents": 5000, "location": "Stock A", "active": true },
+  { "id": "light1", "name": "Projecteur", "priceCents": 2000, "location": "Stock B", "active": true }
+]</pre>
+  </div>
+
+  <div class="row">
+    <div class="col-lg-8">
+      <div class="card card-body mb-3">
+        <h5>Permissions</h5>
+        <div class="mb-3">
+          <label class="form-label">Groupes autorisés à créer (CSV)</label>
+          <input id="creatorGroups" class="form-control" value="{{settings.creatorGroups}}">
+        </div>
+        <div class="mb-3">
+          <label class="form-label">Groupe validateur</label>
+          <input id="approverGroup" class="form-control" value="{{settings.approverGroup}}">
+        </div>
+        <div class="mb-3">
+          <label class="form-label">Groupe notifié (emails/notifs)</label>
+          <input id="notifyGroup" class="form-control" value="{{settings.notifyGroup}}">
+        </div>
+        <div class="form-check">
+          <input class="form-check-input" type="checkbox" id="showRequesterToAll" {{#if (eq settings.showRequesterToAll "1")}}checked{{/if}}>
+          <label class="form-check-label" for="showRequesterToAll">Afficher le demandeur à tout le monde</label>
+        </div>
+      </div>
+
+      <div class="card card-body mb-3">
+        <h5>Matériel</h5>
+        <textarea id="itemsJson" class="form-control" rows="10">{{settings.itemsJson}}</textarea>
+      </div>
+
+      <div class="card card-body mb-3">
+        <h5>HelloAsso</h5>
+        <div class="mb-3"><label class="form-label">Client ID</label><input id="ha_clientId" class="form-control" value="{{settings.ha_clientId}}"></div>
+        <div class="mb-3"><label class="form-label">Client Secret</label><input id="ha_clientSecret" class="form-control" value="{{settings.ha_clientSecret}}"></div>
+        <div class="mb-3"><label class="form-label">Organization Slug</label><input id="ha_organizationSlug" class="form-control" value="{{settings.ha_organizationSlug}}"></div>
+        <div class="mb-3"><label class="form-label">Return URL</label><input id="ha_returnUrl" class="form-control" value="{{settings.ha_returnUrl}}"></div>
+        <div class="mb-3"><label class="form-label">Webhook Secret (HMAC SHA256)</label><input id="ha_webhookSecret" class="form-control" value="{{settings.ha_webhookSecret}}"></div>
+      </div>
+
+      <div class="card card-body mb-3">
+        <h5>Calendrier</h5>
+        <div class="mb-3"><label class="form-label">Vue par défaut</label>
+          <select id="defaultView" class="form-select">
+            <option value="dayGridMonth" {{#if (eq settings.defaultView "dayGridMonth")}}selected{{/if}}>Mois</option>
+            <option value="timeGridWeek" {{#if (eq settings.defaultView "timeGridWeek")}}selected{{/if}}>Semaine</option>
+            <option value="timeGridDay" {{#if (eq settings.defaultView "timeGridDay")}}selected{{/if}}>Jour</option>
+          </select>
+        </div>
+        <div class="mb-3"><label class="form-label">Timezone</label><input id="timezone" class="form-control" value="{{settings.timezone}}"></div>
+      </div>
+
+      <button id="save" class="btn btn-primary">Sauvegarder</button>
+    </div>
+  </div>
+</div>
+
+<script>
+  require(['admin/plugins/equipment-calendar'], function (m) { m.init(); });
+</script>

package/public/templates/equipment-calendar/approvals.tpl

@@ -0,0 +1,51 @@
+<div class="equipment-approvals-page">
+  <h1>Validation des réservations</h1>
+
+  {{#if rows.length}}
+  <div class="table-responsive">
+    <table class="table table-striped align-middle">
+      <thead>
+        <tr>
+          <th>Matériel</th>
+          <th>Demandeur</th>
+          <th>Début</th>
+          <th>Fin</th>
+          <th>Statut</th>
+          <th>Paiement</th>
+          <th>Actions</th>
+        </tr>
+      </thead>
+      <tbody>
+        {{#rows}}
+        <tr>
+          <td>{{itemName}}</td>
+          <td>{{requester}}</td>
+          <td>{{start}}</td>
+          <td>{{end}}</td>
+          <td><code>{{status}}</code></td>
+          <td>
+            {{#if paymentUrl}}
+              <a href="{{paymentUrl}}" target="_blank" rel="noreferrer">Lien</a>
+            {{else}}
+              -
+            {{/if}}
+          </td>
+          <td>
+            <form method="post" action="/equipment/reservations/{{id}}/approve" class="d-inline">
+              <input type="hidden" name="_csrf" value="{{../csrf}}">
+              <button class="btn btn-sm btn-success" type="submit">Approuver</button>
+            </form>
+            <form method="post" action="/equipment/reservations/{{id}}/reject" class="d-inline ms-1">
+              <input type="hidden" name="_csrf" value="{{../csrf}}">
+              <button class="btn btn-sm btn-danger" type="submit">Refuser</button>
+            </form>
+          </td>
+        </tr>
+        {{/rows}}
+      </tbody>
+    </table>
+  </div>
+  {{else}}
+    <div class="alert alert-success">Aucune demande en attente 🎉</div>
+  {{/if}}
+</div>

package/public/templates/equipment-calendar/calendar.tpl

@@ -0,0 +1,68 @@
+<div class="equipment-calendar-page">
+  <h1>Réservation de matériel</h1>
+
+  <div class="mb-3">
+    <form method="get" action="/equipment/calendar" class="d-flex gap-2 align-items-end">
+      <div>
+        <label class="form-label">Matériel</label>
+        <select name="itemId" class="form-select" onchange="this.form.submit()">
+          {{#items}}
+          <option value="{{id}}" {{#if (eq ../chosenItemId id)}}selected{{/if}}>{{name}} — {{location}}</option>
+          {{/items}}
+        </select>
+      </div>
+      <div class="text-muted small">
+        <div><strong>Lieu:</strong> {{chosenItemLocation}}</div>
+        <div><strong>Prix:</strong> {{chosenItemPriceCents}} cts</div>
+      </div>
+    </form>
+  </div>
+
+  {{#if canCreate}}
+  <form id="ec-create-form" method="post" action="/equipment/reservations/create" class="card card-body mb-3">
+    <input type="hidden" name="_csrf" value="{{csrf}}">
+    <input type="hidden" name="itemId" value="{{chosenItemId}}">
+    <input type="hidden" name="start" value="">
+    <input type="hidden" name="end" value="">
+    <div class="row g-2 align-items-end">
+      <div class="col-md-8">
+        <label class="form-label">Note (optionnel)</label>
+        <input class="form-control" type="text" name="notesUser" maxlength="2000" placeholder="Ex: besoin de trépied, etc.">
+      </div>
+      <div class="col-md-4">
+        <button class="btn btn-primary w-100" type="submit" onclick="return false;">Sélectionne une date sur le calendrier</button>
+      </div>
+    </div>
+    <div class="form-text">Clique sur une date ou sélectionne une plage sur le calendrier pour soumettre une demande.</div>
+  </form>
+  {{else}}
+  <div class="alert alert-info">Tu peux consulter le calendrier, mais tu n’as pas les droits pour créer une demande.</div>
+  {{/if}}
+
+  <div class="card card-body">
+    <div id="equipment-calendar"></div>
+  </div>
+
+  {{#if isApprover}}
+  <div class="mt-3">
+    <a class="btn btn-outline-secondary" href="/equipment/approvals">Aller à la validation</a>
+  </div>
+  {{/if}}
+</div>
+
+<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/fullcalendar@6.1.19/index.global.min.css">
+<script src="https://cdn.jsdelivr.net/npm/fullcalendar@6.1.19/index.global.min.js"></script>
+<script src="/plugins/nodebb-plugin-equipment-calendar/lib/client.js"></script>
+
+<script>
+  window.EC_EVENTS = {{{eventsJson}}};
+  window.EC_INITIAL_DATE = "{{initialDateISO}}";
+  window.EC_INITIAL_VIEW = "{{view}}";
+  window.EC_TZ = "{{tz}}";
+  window.EC_CAN_CREATE = {{#if canCreate}}true{{else}}false{{/if}};
+</script>
+
+<style>
+  .ec-status-pending .fc-event-title { font-weight: 600; }
+  .ec-status-valid .fc-event-title { font-weight: 700; }
+</style>

package/public/templates/equipment-calendar/payment-return.tpl

@@ -0,0 +1,9 @@
+<div class="equipment-payment-return">
+  <h1>Paiement</h1>
+  {{#if (eq status "error")}}
+    <div class="alert alert-danger">Le paiement semble avoir échoué. Référence réservation: <code>{{rid}}</code></div>
+  {{else}}
+    <div class="alert alert-info">Merci. Si le paiement est confirmé, la réservation passera en "validée". Référence: <code>{{rid}}</code></div>
+  {{/if}}
+  <a class="btn btn-primary" href="/equipment/calendar">Retour au calendrier</a>
+</div>