nodebb-plugin-onekite-calendar 1.0.12 → 1.0.13

package/lib/helloassoWebhook.js

@@ -0,0 +1,390 @@
+'use strict';
+
+const crypto = require('crypto');
+
+const db = require.main.require('./src/database');
+const meta = require.main.require('./src/meta');
+const user = require.main.require('./src/user');
+// Real-time updates
+let io;
+try {
+  const socketIO = require.main.require('./src/socket.io');
+  io = socketIO.server || socketIO;
+} catch (e) {
+  io = null;
+}
+
+
+const dbLayer = require('./db');
+const helloasso = require('./helloasso');
+const discord = require('./discord');
+
+const SETTINGS_KEY = 'calendar-onekite';
+
+// Replay protection: store processed payment ids.
+const PROCESSED_KEY = 'calendar-onekite:helloasso:processedPayments';
+
+async function sendEmail(template, toEmail, subject, data) {
+  const uidFromData = data && Number.isInteger(data.uid) ? data.uid : null;
+  if (!toEmail && !uidFromData) return;
+  try {
+    const emailer = require.main.require('./src/emailer');
+    // NodeBB core signature is typically:
+    //   sendToEmail(template, email, language, params)
+    // Subject must be provided inside params.subject (and can be finalized via filter:email.modify).
+    const language = (meta && meta.config && (meta.config.defaultLang || meta.config.defaultLanguage)) || 'fr';
+    const params = Object.assign({}, data || {}, subject ? { subject } : {});
+
+    // In NodeBB 4.x, various email flows expect a uid to be present.
+    // If we have it, always prefer the uid-based sender.
+    let uid = uidFromData;
+    if (!uid && toEmail && typeof user.getUidByEmail === 'function') {
+      try {
+        uid = await user.getUidByEmail(toEmail);
+        if (uid && typeof uid === 'string') uid = parseInt(uid, 10);
+      } catch (e) {
+        uid = null;
+      }
+    }
+    if (uid && typeof emailer.send === 'function') {
+      // NodeBB: send(template, uid, params)
+      await emailer.send(template, uid, params);
+      return;
+    }
+
+    if (typeof emailer.sendToEmail === 'function') {
+      // Prefer the canonical signature.
+      // If a fork uses a shorter signature, we'll still try passing params as 3rd arg.
+      if (emailer.sendToEmail.length >= 4) {
+        await emailer.sendToEmail(template, toEmail, language, params);
+      } else {
+        await emailer.sendToEmail(template, toEmail, params);
+      }
+      return;
+    }
+
+    // Do not call emailer.send with an email address (it expects uid). If we reach here,
+    // fall back to sendToEmail only.
+  } catch (err) {
+    // eslint-disable-next-line no-console
+    console.warn('[calendar-onekite] Failed to send email (webhook)', { template, toEmail, err: String(err && err.message || err) });
+  }
+}
+
+function formatFR(tsOrIso) {
+  const d = new Date(tsOrIso);
+  const dd = String(d.getDate()).padStart(2, '0');
+  const mm = String(d.getMonth() + 1).padStart(2, '0');
+  const yyyy = d.getFullYear();
+  return `${dd}/${mm}/${yyyy}`;
+}
+
+function getReservationIdFromPayload(payload) {
+  try {
+    const data = payload && payload.data ? payload.data : null;
+    if (!data) return null;
+
+    // HelloAsso commonly uses "metadata" for checkout-intents/payments.
+    const metaCandidates = [
+      data.meta,
+      data.metadata,
+      data.checkoutIntent && (data.checkoutIntent.meta || data.checkoutIntent.metadata),
+      data.order && (data.order.meta || data.order.metadata),
+    ].filter(Boolean);
+
+    for (const metaObj of metaCandidates) {
+      if (typeof metaObj === 'object' && !Array.isArray(metaObj) && metaObj.reservationId) {
+        return String(metaObj.reservationId);
+      }
+      // Some systems send metadata as array of key/value pairs
+      if (Array.isArray(metaObj)) {
+        const found = metaObj.find((x) => x && (x.key === 'reservationId' || x.name === 'reservationId'));
+        if (found && (found.value || found.val)) return String(found.value || found.val);
+      }
+    }
+  } catch (e) {
+    // ignore
+  }
+  return null;
+}
+
+async function tryRecoverReservationIdFromPayment(settings, paymentId) {
+  if (!paymentId) return null;
+  try {
+    const token = await helloasso.getAccessToken({
+      env: settings.helloassoEnv || 'live',
+      clientId: settings.helloassoClientId,
+      clientSecret: settings.helloassoClientSecret,
+    });
+    if (!token) return null;
+    const details = await helloasso.getPaymentDetails({
+      env: settings.helloassoEnv || 'live',
+      token,
+      paymentId,
+    });
+    if (!details) return null;
+    // Reuse the same extraction logic on the payment details object.
+    return getReservationIdFromPayload({ data: details });
+  } catch (e) {
+    return null;
+  }
+}
+
+async function tryRecoverReservationIdFromCheckoutIntent(settings, checkoutIntentId) {
+  if (!checkoutIntentId) return null;
+  try {
+    // First, try a direct mapping stored when the checkout intent was created.
+    const mapped = await db.getObjectField(dbLayer.KEY_CHECKOUT_INTENT_TO_RID, String(checkoutIntentId));
+    if (mapped) return String(mapped);
+
+    // If no mapping exists (older reservations), query HelloAsso for intent details to read metadata.
+    const token = await helloasso.getAccessToken({
+      env: settings.helloassoEnv || 'live',
+      clientId: settings.helloassoClientId,
+      clientSecret: settings.helloassoClientSecret,
+    });
+    if (!token) return null;
+    const details = await helloasso.getCheckoutIntentDetails({
+      env: settings.helloassoEnv || 'live',
+      token,
+      organizationSlug: settings.helloassoOrganizationSlug,
+      checkoutIntentId,
+    });
+    if (!details) return null;
+    const rid = getReservationIdFromPayload({ data: details });
+    if (rid) {
+      // persist mapping for next webhooks
+      try {
+        await db.setObjectField(dbLayer.KEY_CHECKOUT_INTENT_TO_RID, String(checkoutIntentId), String(rid));
+      } catch (e) {}
+      return String(rid);
+    }
+  } catch (e) {
+    return null;
+  }
+  return null;
+}
+
+async function alreadyProcessed(paymentId) {
+  if (!paymentId) return false;
+  try {
+    return await db.isSetMember(PROCESSED_KEY, String(paymentId));
+  } catch (e) {
+    return false;
+  }
+}
+
+async function markProcessed(paymentId) {
+  if (!paymentId) return;
+  try {
+    await db.setAdd(PROCESSED_KEY, String(paymentId));
+  } catch (e) {
+    // ignore
+  }
+}
+
+function isConfirmedPayment(payload) {
+  try {
+    if (!payload || !payload.data) return false;
+    const eventType = String(payload.eventType || '').toLowerCase();
+    const stateRaw = payload.data.state || payload.data.status || payload.data.paymentState || '';
+    const state = String(stateRaw).toLowerCase();
+
+    // We accept the most common "paid" states seen in HelloAsso webhooks.
+    const okState = ['confirmed', 'authorized', 'paid', 'processed', 'succeeded', 'success'].includes(state);
+
+    // HelloAsso may send eventType "Payment" and/or "Order".
+    if (eventType === 'payment') {
+      return okState;
+    }
+    if (eventType === 'order') {
+      // Order payloads may not carry a payment-like "state" field; accept if missing,
+      // but still require a recognizable "paid" state when provided.
+      return !state || okState;
+    }
+    return false;
+  } catch (e) {
+    return false;
+  }
+}
+
+function formatFR(tsOrIso) {
+  const d = new Date(tsOrIso);
+  const dd = String(d.getDate()).padStart(2, '0');
+  const mm = String(d.getMonth() + 1).padStart(2, '0');
+  const yyyy = d.getFullYear();
+  return `${dd}/${mm}/${yyyy}`;
+}
+
+function getReservationIdFromPayload(payload) {
+  try {
+    const m = payload && payload.data ? payload.data.meta : null;
+    if (!m) return null;
+    if (typeof m === 'object' && m.reservationId) return String(m.reservationId);
+    if (typeof m === 'object' && m.reservationID) return String(m.reservationID);
+    return null;
+  } catch (e) {
+    return null;
+  }
+}
+
+
+function getCheckoutIntentIdFromPayload(payload) {
+  try {
+    const data = payload && payload.data ? payload.data : null;
+    if (!data) return null;
+    // Common locations based on HelloAsso docs and community reports:
+    // - Order event often contains checkoutIntentId at root of data
+    // - Return/back redirects contain checkoutIntentId in query params (not here)
+    const candidates = [
+      data.checkoutIntentId,
+      data.checkoutIntent && (data.checkoutIntent.id || data.checkoutIntent.checkoutIntentId),
+      data.order && (data.order.checkoutIntentId || (data.order.checkoutIntent && data.order.checkoutIntent.id)),
+    ].filter(Boolean);
+    if (candidates.length) return String(candidates[0]);
+  } catch (e) {}
+  return null;
+}
+
+/**
+ * Hardened HelloAsso webhook handler.
+ * - Requires x-ha-signature (HMAC SHA-256) verification.
+ * - Only accepts eventType=Payment with state=Confirmed.
+ * - Provides basic replay protection using the payment id.
+ *
+ * This handler is "safe" by default: if we cannot verify the signature,
+ * we refuse the request.
+ */
+async function handler(req, res, next) {
+  try {
+    if (req.method === 'GET') {
+      return res.json({ ok: true });
+    }
+    if (req.method !== 'POST') {
+      return res.status(405).json({ ok: false, error: 'method-not-allowed' });
+    }
+
+    const settings = await meta.settings.get(SETTINGS_KEY);
+
+    // Restrict webhook calls by IP (HelloAsso partner mode signature is not used).
+    const defaultAllowed = ['51.138.206.200', '4.233.135.234'];
+    const raw = String((settings && settings.helloassoWebhookAllowedIps) || '').trim();
+    const allowedIps = (raw ? raw.split(/[\s,;]+/g) : defaultAllowed).map(s => String(s || '').trim()).filter(Boolean);
+
+    const clientIp = (() => {
+      const cf = req.headers['cf-connecting-ip'];
+      if (cf) return String(cf).trim();
+      const xff = req.headers['x-forwarded-for'];
+      if (xff) return String(xff).split(',')[0].trim();
+      return String(req.ip || '').trim();
+    })();
+
+    if (allowedIps.length && clientIp && !allowedIps.includes(clientIp)) {
+      // eslint-disable-next-line no-console
+      console.warn('[calendar-onekite] HelloAsso webhook blocked by IP allowlist', { ip: clientIp, allowed: allowedIps });
+      return res.status(403).json({ ok: false, error: 'ip-not-allowed' });
+    }
+
+    // At this point, the payload is trusted.
+    const payload = req.body;
+
+    if (!isConfirmedPayment(payload)) {
+      // Acknowledge but ignore other event types/states.
+      return res.json({ ok: true, ignored: true });
+    }
+
+    // Ignore incomplete Payment events (HelloAsso sometimes omits metadata and checkoutIntentId on Payment webhooks).
+    // We rely on Order events (or checkoutIntent mappings) for reliable reconciliation.
+    const _eventType = String((payload && payload.eventType) || '').toLowerCase();
+    const _rid = getReservationIdFromPayload(payload);
+    const _checkoutIntentId = getCheckoutIntentIdFromPayload(payload);
+    if (_eventType === 'payment' && !_rid && !_checkoutIntentId) {
+      return res.json({ ok: true, ignored: true, incompletePayment: true });
+    }
+
+    const paymentId = payload && payload.data ? (payload.data.id || payload.data.paymentId) : null;
+    // If we can't identify the payment, acknowledge and ignore (prevents accidental crashes).
+    if (!paymentId) {
+      return res.json({ ok: true, ignored: true, missingPaymentId: true });
+    }
+    if (await alreadyProcessed(paymentId)) {
+      return res.json({ ok: true, duplicate: true });
+    }
+
+    const rid = getReservationIdFromPayload(payload);
+    let resolvedRid = rid;
+    const checkoutIntentId = getCheckoutIntentIdFromPayload(payload);
+    if (!resolvedRid && checkoutIntentId) {
+      // Some webhook payloads omit metadata but provide checkoutIntentId (common on Order events).
+      resolvedRid = await tryRecoverReservationIdFromCheckoutIntent(settings, checkoutIntentId);
+    }
+    if (!resolvedRid && paymentId) {
+      // Some webhook payloads omit metadata; try to fetch the payment details.
+      resolvedRid = await tryRecoverReservationIdFromPayment(settings, paymentId);
+    }
+    if (!resolvedRid) {
+      // eslint-disable-next-line no-console
+      console.warn('[calendar-onekite] HelloAsso webhook missing reservationId in metadata', { eventType: payload && payload.eventType, paymentId, checkoutIntentId });
+      // Do NOT mark as processed: if metadata/config is fixed later, a manual replay may be possible.
+      return res.json({ ok: true, processed: false, missingReservationId: true });
+    }
+
+    const r = await dbLayer.getReservation(resolvedRid);
+    if (!r) {
+      await markProcessed(paymentId);
+      return res.json({ ok: true, processed: true, reservationNotFound: true });
+    }
+
+    // Mark as paid and persist payment metadata.
+    r.status = 'paid';
+    r.paidAt = Date.now();
+    r.paymentId = paymentId ? String(paymentId) : '';
+    if (payload.data && payload.data.paymentReceiptUrl) {
+      r.paymentReceiptUrl = String(payload.data.paymentReceiptUrl);
+    }
+    await dbLayer.saveReservation(r);
+
+    // Real-time notify: refresh calendars for all viewers (owner + validators/admins)
+    try {
+      if (io && io.sockets && typeof io.sockets.emit === 'function') {
+        io.sockets.emit('event:calendar-onekite.reservationUpdated', { rid: r.rid, status: r.status });
+      }
+    } catch (e) {}
+
+    // Notify requester
+    const requester = await user.getUserFields(r.uid, ['username', 'email']);
+    if (requester && requester.email) {
+      await sendEmail('calendar-onekite_paid', requester.email, 'Location matériel - Paiement reçu', {
+        uid: parseInt(r.uid, 10),
+        username: requester.username,
+        itemName: (Array.isArray(r.itemNames) ? r.itemNames.join(', ') : (r.itemName || '')),
+        itemNames: (Array.isArray(r.itemNames) ? r.itemNames : (r.itemName ? [r.itemName] : [])),
+        dateRange: `Du ${formatFR(r.start)} au ${formatFR(r.end)}`,
+        paymentReceiptUrl: r.paymentReceiptUrl || '',
+      });
+    }
+
+    // Discord webhook (optional)
+    try {
+      await discord.notifyPaymentReceived(settings, {
+        rid: r.rid,
+        uid: r.uid,
+        username: (requester && requester.username) ? requester.username : (r.username || ''),
+        itemIds: r.itemIds || (r.itemId ? [r.itemId] : []),
+        itemNames: r.itemNames || (r.itemName ? [r.itemName] : []),
+        start: r.start,
+        end: r.end,
+        status: r.status,
+      });
+    } catch (e) {}
+
+    await markProcessed(paymentId);
+    return res.json({ ok: true, processed: true });
+  } catch (err) {
+    return next(err);
+  }
+}
+
+module.exports = {
+  handler,
+};

package/lib/scheduler.js

@@ -0,0 +1,182 @@
+'use strict';
+
+const meta = require.main.require('./src/meta');
+const db = require.main.require('./src/database');
+const dbLayer = require('./db');
+
+let timer = null;
+
+function getSetting(settings, key, fallback) {
+  const v = settings && Object.prototype.hasOwnProperty.call(settings, key) ? settings[key] : undefined;
+  if (v == null || v === '') return fallback;
+  if (typeof v === 'object' && v && typeof v.value !== 'undefined') return v.value;
+  return v;
+}
+
+// Pending holds: short lock after a user creates a request (defaults to 5 minutes)
+async function expirePending() {
+  const settings = await meta.settings.get('calendar-onekite');
+  const holdMins = parseInt(getSetting(settings, 'pendingHoldMinutes', '5'), 10) || 5;
+  const now = Date.now();
+
+  const ids = await dbLayer.listAllReservationIds(5000);
+  if (!ids || !ids.length) {
+    return;
+  }
+
+  for (const rid of ids) {
+    const resv = await dbLayer.getReservation(rid);
+    if (!resv || resv.status !== 'pending') {
+      continue;
+    }
+    const createdAt = parseInt(resv.createdAt, 10) || 0;
+    const expiresAt = createdAt + holdMins * 60 * 1000;
+    if (now > expiresAt) {
+      // Expire (remove from calendar)
+      await dbLayer.removeReservation(rid);
+    }
+  }
+}
+
+// Payment window logic:
+// - When a reservation is validated it becomes awaiting_payment
+// - We send a reminder after `paymentHoldMinutes` (default 60)
+// - We expire (and remove) after `2 * paymentHoldMinutes`
+async function processAwaitingPayment() {
+  const settings = await meta.settings.get('calendar-onekite');
+  const holdMins = parseInt(
+    getSetting(settings, 'paymentHoldMinutes', getSetting(settings, 'holdMinutes', '60')),
+    10
+  ) || 60;
+  const now = Date.now();
+
+  const ids = await dbLayer.listAllReservationIds(5000);
+  if (!ids || !ids.length) return;
+
+  const emailer = require.main.require('./src/emailer');
+  const user = require.main.require('./src/user');
+
+  async function sendEmail(template, toEmail, subject, data) {
+    if (!toEmail) return;
+    try {
+      // NodeBB core signature:
+      //   Emailer.sendToEmail(template, email, language, params[, callback])
+      // Subject is NOT a positional argument; it must be provided in params.subject
+      // and optionally copied into the final email by filter:email.modify.
+      const language = (meta && meta.config && (meta.config.defaultLang || meta.config.defaultLanguage)) || 'fr';
+      const params = Object.assign({}, data || {}, subject ? { subject } : {});
+
+      if (typeof emailer.sendToEmail === 'function') {
+        await emailer.sendToEmail(template, toEmail, language, params);
+        return;
+      }
+
+      // Fallbacks for older/unusual builds
+      if (typeof emailer.send === 'function') {
+        // Some builds accept (template, email, language, params)
+        if (emailer.send.length >= 4) {
+          await emailer.send(template, toEmail, language, params);
+          return;
+        }
+        // Some builds accept (template, email, params)
+        await emailer.send(template, toEmail, params);
+      }
+    } catch (err) {
+      // eslint-disable-next-line no-console
+      console.warn('[calendar-onekite] Failed to send email (scheduler)', {
+        template,
+        toEmail,
+        err: String((err && err.message) || err),
+      });
+    }
+  }
+
+  function formatFR(ts) {
+    const d = new Date(ts);
+    const dd = String(d.getDate()).padStart(2, '0');
+    const mm = String(d.getMonth() + 1).padStart(2, '0');
+    const yyyy = d.getFullYear();
+    return `${dd}/${mm}/${yyyy}`;
+  }
+
+  for (const rid of ids) {
+    const r = await dbLayer.getReservation(rid);
+    if (!r || r.status !== 'awaiting_payment') continue;
+
+    const approvedAt = parseInt(r.approvedAt || r.validatedAt || 0, 10) || 0;
+    if (!approvedAt) continue;
+
+    const reminderAt = approvedAt + holdMins * 60 * 1000;
+    const expireAt = approvedAt + 2 * holdMins * 60 * 1000;
+
+    if (!r.reminderSent && now >= reminderAt && now < expireAt) {
+      // Send reminder once (guarded across clustered NodeBB processes)
+      const reminderKey = 'calendar-onekite:email:reminderSent';
+      const first = await db.setAdd(reminderKey, rid);
+      if (!first) {
+        // another process already sent it
+        r.reminderSent = true;
+        r.reminderAt = now;
+        await dbLayer.saveReservation(r);
+        continue;
+      }
+      const u = await user.getUserFields(r.uid, ['username', 'email']);
+      if (u && u.email) {
+        await sendEmail('calendar-onekite_reminder', u.email, 'Location matériel - Rappel', {
+          username: u.username,
+          itemName: (Array.isArray(r.itemNames) ? r.itemNames.join(', ') : (r.itemName || '')),
+          itemNames: (Array.isArray(r.itemNames) ? r.itemNames : (r.itemName ? [r.itemName] : [])),
+          dateRange: `Du ${formatFR(r.start)} au ${formatFR(r.end)}`,
+          paymentUrl: r.paymentUrl || '',
+          delayMinutes: holdMins,
+          pickupLine: r.pickupTime ? (r.adminNote ? `${r.pickupTime} à ${r.adminNote}` : r.pickupTime) : '',
+        });
+      }
+      r.reminderSent = true;
+      r.reminderAt = now;
+      await dbLayer.saveReservation(r);
+      continue;
+    }
+
+    if (now >= expireAt) {
+      // Expire: remove reservation so it disappears from calendar and frees items
+      // Guard email send across clustered NodeBB processes
+      const expiredKey = 'calendar-onekite:email:expiredSent';
+      const firstExpired = await db.setAdd(expiredKey, rid);
+      const shouldEmail = !!firstExpired;
+      const u = await user.getUserFields(r.uid, ['username', 'email']);
+      if (shouldEmail && u && u.email) {
+        await sendEmail('calendar-onekite_expired', u.email, 'Location matériel - Rappel', {
+          username: u.username,
+          itemName: (Array.isArray(r.itemNames) ? r.itemNames.join(', ') : (r.itemName || '')),
+          itemNames: (Array.isArray(r.itemNames) ? r.itemNames : (r.itemName ? [r.itemName] : [])),
+          dateRange: `Du ${formatFR(r.start)} au ${formatFR(r.end)}`,
+          delayMinutes: holdMins,
+        });
+      }
+      await dbLayer.removeReservation(rid);
+    }
+  }
+}
+
+function start() {
+  if (timer) return;
+  timer = setInterval(() => {
+    expirePending().catch(() => {});
+    processAwaitingPayment().catch(() => {});
+  }, 60 * 1000);
+}
+
+function stop() {
+  if (timer) {
+    clearInterval(timer);
+    timer = null;
+  }
+}
+
+module.exports = {
+  start,
+  stop,
+  expirePending,
+  processAwaitingPayment,
+};