nodebb-plugin-onekite-calendar 2.0.11 → 2.0.13

package/pkg/package/lib/helloassoWebhook.js

@@ -0,0 +1,389 @@
+'use strict';
+
+const crypto = require('crypto');
+
+const db = require.main.require('./src/database');
+const meta = require.main.require('./src/meta');
+const user = require.main.require('./src/user');
+// Real-time updates
+let io;
+try {
+  const socketIO = require.main.require('./src/socket.io');
+  io = socketIO.server || socketIO;
+} catch (e) {
+  io = null;
+}
+
+
+const dbLayer = require('./db');
+const helloasso = require('./helloasso');
+const discord = require('./discord');
+
+async function auditLog(action, actorUid, payload) {
+  try {
+    const uid = actorUid ? parseInt(actorUid, 10) : 0;
+    let actorUsername = '';
+    if (uid) {
+      try {
+        const u = await user.getUserFields(uid, ['username']);
+        actorUsername = (u && u.username) ? String(u.username) : '';
+      } catch (e) {}
+    }
+    const ts = Date.now();
+    const year = new Date(ts).getFullYear();
+    await dbLayer.addAuditEntry(Object.assign({ ts, year, action, actorUid: uid, actorUsername }, payload || {}));
+  } catch (e) {}
+}
+
+const SETTINGS_KEY = 'calendar-onekite';
+
+// Replay protection: store processed payment ids.
+const PROCESSED_KEY = 'calendar-onekite:helloasso:processedPayments';
+
+async function sendEmail(template, uid, subject, data) {
+  const toUid = Number.isInteger(uid) ? uid : (uid ? parseInt(uid, 10) : NaN);
+  if (!Number.isInteger(toUid) || toUid <= 0) return;
+  try {
+    const emailer = require.main.require('./src/emailer');
+    if (typeof emailer.send !== 'function') return;
+    const params = Object.assign({}, data || {}, subject ? { subject } : {});
+    // NodeBB 4.x: send(template, uid, params)
+    // Do NOT branch on function.length: it is unreliable once wrapped/bound and
+    // can lead to params being dropped (empty email bodies / missing subjects).
+    await emailer.send(template, toUid, params);
+  } catch (err) {
+    // eslint-disable-next-line no-console
+    console.warn('[calendar-onekite] Failed to send email (webhook)', { template, uid: toUid, err: String((err && err.message) || err) });
+  }
+}
+
+function formatFR(tsOrIso) {
+  const d = new Date(tsOrIso);
+  const dd = String(d.getDate()).padStart(2, '0');
+  const mm = String(d.getMonth() + 1).padStart(2, '0');
+  const yyyy = d.getFullYear();
+  return `${dd}/${mm}/${yyyy}`;
+}
+
+function getReservationIdFromPayload(payload) {
+  try {
+    const data = payload && payload.data ? payload.data : null;
+    if (!data) return null;
+
+    // HelloAsso commonly uses "metadata" for checkout-intents/payments.
+    const metaCandidates = [
+      data.meta,
+      data.metadata,
+      data.checkoutIntent && (data.checkoutIntent.meta || data.checkoutIntent.metadata),
+      data.order && (data.order.meta || data.order.metadata),
+    ].filter(Boolean);
+
+    for (const metaObj of metaCandidates) {
+      if (typeof metaObj === 'object' && !Array.isArray(metaObj) && metaObj.reservationId) {
+        return String(metaObj.reservationId);
+      }
+      // Some systems send metadata as array of key/value pairs
+      if (Array.isArray(metaObj)) {
+        const found = metaObj.find((x) => x && (x.key === 'reservationId' || x.name === 'reservationId'));
+        if (found && (found.value || found.val)) return String(found.value || found.val);
+      }
+    }
+  } catch (e) {
+    // ignore
+  }
+  return null;
+}
+
+async function tryRecoverReservationIdFromPayment(settings, paymentId) {
+  if (!paymentId) return null;
+  try {
+    const token = await helloasso.getAccessToken({
+      env: settings.helloassoEnv || 'live',
+      clientId: settings.helloassoClientId,
+      clientSecret: settings.helloassoClientSecret,
+    });
+    if (!token) return null;
+    const details = await helloasso.getPaymentDetails({
+      env: settings.helloassoEnv || 'live',
+      token,
+      paymentId,
+    });
+    if (!details) return null;
+    // Reuse the same extraction logic on the payment details object.
+    return getReservationIdFromPayload({ data: details });
+  } catch (e) {
+    return null;
+  }
+}
+
+async function tryRecoverReservationIdFromCheckoutIntent(settings, checkoutIntentId) {
+  if (!checkoutIntentId) return null;
+  try {
+    // First, try a direct mapping stored when the checkout intent was created.
+    const mapped = await db.getObjectField(dbLayer.KEY_CHECKOUT_INTENT_TO_RID, String(checkoutIntentId));
+    if (mapped) return String(mapped);
+
+    // If no mapping exists (older reservations), query HelloAsso for intent details to read metadata.
+    const token = await helloasso.getAccessToken({
+      env: settings.helloassoEnv || 'live',
+      clientId: settings.helloassoClientId,
+      clientSecret: settings.helloassoClientSecret,
+    });
+    if (!token) return null;
+    const details = await helloasso.getCheckoutIntentDetails({
+      env: settings.helloassoEnv || 'live',
+      token,
+      organizationSlug: settings.helloassoOrganizationSlug,
+      checkoutIntentId,
+    });
+    if (!details) return null;
+    const rid = getReservationIdFromPayload({ data: details });
+    if (rid) {
+      // persist mapping for next webhooks
+      try {
+        await db.setObjectField(dbLayer.KEY_CHECKOUT_INTENT_TO_RID, String(checkoutIntentId), String(rid));
+      } catch (e) {}
+      return String(rid);
+    }
+  } catch (e) {
+    return null;
+  }
+  return null;
+}
+
+async function alreadyProcessed(paymentId) {
+  if (!paymentId) return false;
+  try {
+    return await db.isSetMember(PROCESSED_KEY, String(paymentId));
+  } catch (e) {
+    return false;
+  }
+}
+
+async function markProcessed(paymentId) {
+  if (!paymentId) return;
+  try {
+    await db.setAdd(PROCESSED_KEY, String(paymentId));
+  } catch (e) {
+    // ignore
+  }
+}
+
+function isConfirmedPayment(payload) {
+  try {
+    if (!payload || !payload.data) return false;
+    const eventType = String(payload.eventType || '').toLowerCase();
+    const stateRaw = payload.data.state || payload.data.status || payload.data.paymentState || '';
+    const state = String(stateRaw).toLowerCase();
+
+    // We accept the most common "paid" states seen in HelloAsso webhooks.
+    const okState = ['confirmed', 'authorized', 'paid', 'processed', 'succeeded', 'success'].includes(state);
+
+    // HelloAsso may send eventType "Payment" and/or "Order".
+    if (eventType === 'payment') {
+      return okState;
+    }
+    if (eventType === 'order') {
+      // Order payloads may not carry a payment-like "state" field; accept if missing,
+      // but still require a recognizable "paid" state when provided.
+      return !state || okState;
+    }
+    return false;
+  } catch (e) {
+    return false;
+  }
+}
+
+function formatFR(tsOrIso) {
+  const d = new Date(tsOrIso);
+  const dd = String(d.getDate()).padStart(2, '0');
+  const mm = String(d.getMonth() + 1).padStart(2, '0');
+  const yyyy = d.getFullYear();
+  return `${dd}/${mm}/${yyyy}`;
+}
+
+function getReservationIdFromPayload(payload) {
+  try {
+    const m = payload && payload.data ? payload.data.meta : null;
+    if (!m) return null;
+    if (typeof m === 'object' && m.reservationId) return String(m.reservationId);
+    if (typeof m === 'object' && m.reservationID) return String(m.reservationID);
+    return null;
+  } catch (e) {
+    return null;
+  }
+}
+
+
+function getCheckoutIntentIdFromPayload(payload) {
+  try {
+    const data = payload && payload.data ? payload.data : null;
+    if (!data) return null;
+    // Common locations based on HelloAsso docs and community reports:
+    // - Order event often contains checkoutIntentId at root of data
+    // - Return/back redirects contain checkoutIntentId in query params (not here)
+    const candidates = [
+      data.checkoutIntentId,
+      data.checkoutIntent && (data.checkoutIntent.id || data.checkoutIntent.checkoutIntentId),
+      data.order && (data.order.checkoutIntentId || (data.order.checkoutIntent && data.order.checkoutIntent.id)),
+    ].filter(Boolean);
+    if (candidates.length) return String(candidates[0]);
+  } catch (e) {}
+  return null;
+}
+
+/**
+ * Hardened HelloAsso webhook handler.
+ * - Requires x-ha-signature (HMAC SHA-256) verification.
+ * - Only accepts eventType=Payment with state=Confirmed.
+ * - Provides basic replay protection using the payment id.
+ *
+ * This handler is "safe" by default: if we cannot verify the signature,
+ * we refuse the request.
+ */
+async function handler(req, res, next) {
+  try {
+    if (req.method === 'GET') {
+      return res.json({ ok: true });
+    }
+    if (req.method !== 'POST') {
+      return res.status(405).json({ ok: false, error: 'method-not-allowed' });
+    }
+
+    const settings = await meta.settings.get(SETTINGS_KEY);
+
+    // Restrict webhook calls by IP (HelloAsso partner mode signature is not used).
+    const defaultAllowed = ['51.138.206.200', '4.233.135.234'];
+    const raw = String((settings && settings.helloassoWebhookAllowedIps) || '').trim();
+    const allowedIps = (raw ? raw.split(/[\s,;]+/g) : defaultAllowed).map(s => String(s || '').trim()).filter(Boolean);
+
+    const clientIp = (() => {
+      const cf = req.headers['cf-connecting-ip'];
+      if (cf) return String(cf).trim();
+      const xff = req.headers['x-forwarded-for'];
+      if (xff) return String(xff).split(',')[0].trim();
+      return String(req.ip || '').trim();
+    })();
+
+    if (allowedIps.length && clientIp && !allowedIps.includes(clientIp)) {
+      // eslint-disable-next-line no-console
+      console.warn('[calendar-onekite] HelloAsso webhook blocked by IP allowlist', { ip: clientIp, allowed: allowedIps });
+      return res.status(403).json({ ok: false, error: 'ip-not-allowed' });
+    }
+
+    // At this point, the payload is trusted.
+    const payload = req.body;
+
+    if (!isConfirmedPayment(payload)) {
+      // Acknowledge but ignore other event types/states.
+      return res.json({ ok: true, ignored: true });
+    }
+
+    // Ignore incomplete Payment events (HelloAsso sometimes omits metadata and checkoutIntentId on Payment webhooks).
+    // We rely on Order events (or checkoutIntent mappings) for reliable reconciliation.
+    const _eventType = String((payload && payload.eventType) || '').toLowerCase();
+    const _rid = getReservationIdFromPayload(payload);
+    const _checkoutIntentId = getCheckoutIntentIdFromPayload(payload);
+    if (_eventType === 'payment' && !_rid && !_checkoutIntentId) {
+      return res.json({ ok: true, ignored: true, incompletePayment: true });
+    }
+
+    const paymentId = payload && payload.data ? (payload.data.id || payload.data.paymentId) : null;
+    // If we can't identify the payment, acknowledge and ignore (prevents accidental crashes).
+    if (!paymentId) {
+      return res.json({ ok: true, ignored: true, missingPaymentId: true });
+    }
+    if (await alreadyProcessed(paymentId)) {
+      return res.json({ ok: true, duplicate: true });
+    }
+
+    const rid = getReservationIdFromPayload(payload);
+    let resolvedRid = rid;
+    const checkoutIntentId = getCheckoutIntentIdFromPayload(payload);
+    if (!resolvedRid && checkoutIntentId) {
+      // Some webhook payloads omit metadata but provide checkoutIntentId (common on Order events).
+      resolvedRid = await tryRecoverReservationIdFromCheckoutIntent(settings, checkoutIntentId);
+    }
+    if (!resolvedRid && paymentId) {
+      // Some webhook payloads omit metadata; try to fetch the payment details.
+      resolvedRid = await tryRecoverReservationIdFromPayment(settings, paymentId);
+    }
+    if (!resolvedRid) {
+      // eslint-disable-next-line no-console
+      console.warn('[calendar-onekite] HelloAsso webhook missing reservationId in metadata', { eventType: payload && payload.eventType, paymentId, checkoutIntentId });
+      // Do NOT mark as processed: if metadata/config is fixed later, a manual replay may be possible.
+      return res.json({ ok: true, processed: false, missingReservationId: true });
+    }
+
+    const r = await dbLayer.getReservation(resolvedRid);
+    if (!r) {
+      await markProcessed(paymentId);
+      return res.json({ ok: true, processed: true, reservationNotFound: true });
+    }
+
+    // Mark as paid and persist payment metadata.
+    r.status = 'paid';
+    r.paidAt = Date.now();
+    r.paymentId = paymentId ? String(paymentId) : '';
+    if (payload.data && payload.data.paymentReceiptUrl) {
+      r.paymentReceiptUrl = String(payload.data.paymentReceiptUrl);
+    }
+    await dbLayer.saveReservation(r);
+
+    await auditLog('reservation_paid', 0, {
+      targetType: 'reservation',
+      targetId: String(r.rid),
+      reservationUid: Number(r.uid) || 0,
+      reservationUsername: String(r.username || ''),
+      itemIds: r.itemIds || (r.itemId ? [r.itemId] : []),
+      itemNames: r.itemNames || (r.itemName ? [r.itemName] : []),
+      startDate: r.startDate || '',
+      endDate: r.endDate || '',
+      paymentId: r.paymentId || '',
+    });
+
+    // Real-time notify: refresh calendars for all viewers (owner + validators/admins)
+    try {
+      if (io && io.sockets && typeof io.sockets.emit === 'function') {
+        io.sockets.emit('event:calendar-onekite.reservationUpdated', { rid: r.rid, status: r.status });
+      }
+    } catch (e) {}
+
+    // Notify requester
+    const requesterUid = parseInt(r.uid, 10);
+    const requester = await user.getUserFields(requesterUid, ['username']);
+    if (requesterUid) {
+      await sendEmail('calendar-onekite_paid', requesterUid, 'Location matériel - Paiement reçu', {
+        uid: requesterUid,
+        username: requester && requester.username ? requester.username : '',
+        itemName: (Array.isArray(r.itemNames) ? r.itemNames.join(', ') : (r.itemName || '')),
+        itemNames: (Array.isArray(r.itemNames) ? r.itemNames : (r.itemName ? [r.itemName] : [])),
+        dateRange: `Du ${formatFR(r.start)} au ${formatFR(r.end)}`,
+        paymentReceiptUrl: r.paymentReceiptUrl || '',
+      });
+    }
+
+    // Discord webhook (optional)
+    try {
+      await discord.notifyPaymentReceived(settings, {
+        rid: r.rid,
+        uid: r.uid,
+        username: (requester && requester.username) ? requester.username : (r.username || ''),
+        itemIds: r.itemIds || (r.itemId ? [r.itemId] : []),
+        itemNames: r.itemNames || (r.itemName ? [r.itemName] : []),
+        start: r.start,
+        end: r.end,
+        status: r.status,
+      });
+    } catch (e) {}
+
+    await markProcessed(paymentId);
+    return res.json({ ok: true, processed: true });
+  } catch (err) {
+    return next(err);
+  }
+}
+
+module.exports = {
+  handler,
+};

package/pkg/package/lib/scheduler.js

@@ -0,0 +1,201 @@
+'use strict';
+
+const meta = require.main.require('./src/meta');
+const db = require.main.require('./src/database');
+const dbLayer = require('./db');
+const discord = require('./discord');
+
+let timer = null;
+
+function getSetting(settings, key, fallback) {
+  const v = settings && Object.prototype.hasOwnProperty.call(settings, key) ? settings[key] : undefined;
+  if (v == null || v === '') return fallback;
+  if (typeof v === 'object' && v && typeof v.value !== 'undefined') return v.value;
+  return v;
+}
+
+// Pending holds: short lock after a user creates a request (defaults to 5 minutes)
+async function expirePending() {
+  const settings = await meta.settings.get('calendar-onekite');
+  const holdMins = parseInt(getSetting(settings, 'pendingHoldMinutes', '5'), 10) || 5;
+  const now = Date.now();
+
+  const ids = await dbLayer.listAllReservationIds(5000);
+  if (!ids || !ids.length) {
+    return;
+  }
+
+  for (const rid of ids) {
+    const resv = await dbLayer.getReservation(rid);
+    if (!resv || resv.status !== 'pending') {
+      continue;
+    }
+    const createdAt = parseInt(resv.createdAt, 10) || 0;
+    const expiresAt = createdAt + holdMins * 60 * 1000;
+    if (now > expiresAt) {
+      // Expire (remove from calendar)
+      await dbLayer.removeReservation(rid);
+    }
+  }
+}
+
+// Payment window logic:
+// - When a reservation is validated it becomes awaiting_payment
+// - We send a reminder after `paymentHoldMinutes` (default 60)
+// - We expire (and remove) after `2 * paymentHoldMinutes`
+async function processAwaitingPayment() {
+  const settings = await meta.settings.get('calendar-onekite');
+  const holdMins = parseInt(
+    getSetting(settings, 'paymentHoldMinutes', getSetting(settings, 'holdMinutes', '60')),
+    10
+  ) || 60;
+  const now = Date.now();
+
+  const ids = await dbLayer.listAllReservationIds(5000);
+  if (!ids || !ids.length) return;
+
+  const emailer = require.main.require('./src/emailer');
+  const user = require.main.require('./src/user');
+
+  // NodeBB 4.x: always send by uid.
+  async function sendEmail(template, uid, subject, data) {
+    const toUid = Number.isInteger(uid) ? uid : (uid ? parseInt(uid, 10) : NaN);
+    if (!Number.isInteger(toUid) || toUid <= 0) return;
+
+    const params = Object.assign({}, data || {}, subject ? { subject } : {});
+
+    try {
+      if (typeof emailer.send !== 'function') return;
+      // NodeBB 4.x: send(template, uid, params)
+      // Do NOT branch on function.length (unreliable once wrapped/bound).
+      await emailer.send(template, toUid, params);
+    } catch (err) {
+      // eslint-disable-next-line no-console
+      console.warn('[calendar-onekite] Failed to send email (scheduler)', {
+        template,
+        uid: toUid,
+        err: String((err && err.message) || err),
+      });
+    }
+  }
+
+  function formatFR(ts) {
+    const d = new Date(ts);
+    const dd = String(d.getDate()).padStart(2, '0');
+    const mm = String(d.getMonth() + 1).padStart(2, '0');
+    const yyyy = d.getFullYear();
+    return `${dd}/${mm}/${yyyy}`;
+  }
+
+  for (const rid of ids) {
+    const r = await dbLayer.getReservation(rid);
+    if (!r || r.status !== 'awaiting_payment') continue;
+
+    const approvedAt = parseInt(r.approvedAt || r.validatedAt || 0, 10) || 0;
+    if (!approvedAt) continue;
+
+    const reminderAt = approvedAt + holdMins * 60 * 1000;
+    const expireAt = approvedAt + 2 * holdMins * 60 * 1000;
+
+    if (!r.reminderSent && now >= reminderAt && now < expireAt) {
+      // Send reminder once (guarded across clustered NodeBB processes)
+      const reminderKey = 'calendar-onekite:email:reminderSent';
+      const first = await db.setAdd(reminderKey, rid);
+      if (!first) {
+        // another process already sent it
+        r.reminderSent = true;
+        r.reminderAt = now;
+        await dbLayer.saveReservation(r);
+        continue;
+      }
+
+      const toUid = parseInt(r.uid, 10);
+      const u = await user.getUserFields(toUid, ['username']);
+      if (toUid) {
+        await sendEmail('calendar-onekite_reminder', toUid, 'Location matériel - Rappel', {
+          uid: toUid,
+          username: (u && u.username) ? u.username : '',
+          itemName: (Array.isArray(r.itemNames) ? r.itemNames.join(', ') : (r.itemName || '')),
+          itemNames: (Array.isArray(r.itemNames) ? r.itemNames : (r.itemName ? [r.itemName] : [])),
+          dateRange: `Du ${formatFR(r.start)} au ${formatFR(r.end)}`,
+          paymentUrl: r.paymentUrl || '',
+          delayMinutes: holdMins,
+          pickupLine: r.pickupTime ? (r.adminNote ? `${r.pickupTime} à ${r.adminNote}` : r.pickupTime) : '',
+        });
+      }
+
+      r.reminderSent = true;
+      r.reminderAt = now;
+      await dbLayer.saveReservation(r);
+      continue;
+    }
+
+    if (now >= expireAt) {
+      // Expire: remove reservation so it disappears from calendar and frees items
+      // Guard email send across clustered NodeBB processes
+      const expiredKey = 'calendar-onekite:email:expiredSent';
+      const firstExpired = await db.setAdd(expiredKey, rid);
+      const shouldEmail = !!firstExpired;
+
+      // Guard Discord notification across clustered NodeBB processes
+      const discordKey = 'calendar-onekite:discord:cancelledSent';
+      const firstDiscord = await db.setAdd(discordKey, rid);
+      const shouldDiscord = !!firstDiscord;
+
+      const toUid = parseInt(r.uid, 10);
+      const u = await user.getUserFields(toUid, ['username']);
+
+      if (shouldEmail && toUid) {
+        await sendEmail('calendar-onekite_expired', toUid, 'Location matériel - Rappel', {
+          uid: toUid,
+          username: (u && u.username) ? u.username : '',
+          itemName: (Array.isArray(r.itemNames) ? r.itemNames.join(', ') : (r.itemName || '')),
+          itemNames: (Array.isArray(r.itemNames) ? r.itemNames : (r.itemName ? [r.itemName] : [])),
+          dateRange: `Du ${formatFR(r.start)} au ${formatFR(r.end)}`,
+          delayMinutes: holdMins,
+        });
+      }
+
+      if (shouldDiscord) {
+        try {
+          await discord.notifyReservationCancelled(settings, {
+            rid: r.rid || rid,
+            uid: r.uid,
+            username: (u && u.username) ? u.username : (r.username || ''),
+            itemIds: r.itemIds || [],
+            itemNames: r.itemNames || [],
+            start: r.start,
+            end: r.end,
+            status: 'cancelled',
+            cancelledAt: now,
+            cancelledBy: 'system',
+          });
+        } catch (e) {}
+      }
+
+      await dbLayer.removeReservation(rid);
+    }
+  }
+}
+
+function start() {
+  if (timer) return;
+  timer = setInterval(() => {
+    expirePending().catch(() => {});
+    processAwaitingPayment().catch(() => {});
+  }, 60 * 1000);
+}
+
+function stop() {
+  if (timer) {
+    clearInterval(timer);
+    timer = null;
+  }
+}
+
+module.exports = {
+  start,
+  stop,
+  expirePending,
+  processAwaitingPayment,
+};