nodebb-plugin-onekite-calendar 2.0.72 → 2.0.74

package/lib/admin.js

@@ -196,6 +196,67 @@ admin.approveReservation = async function (req, res) {
   res.json({ ok: true, paymentUrl: paymentUrl || null });
 };
 
+admin.markReservationPaid = async function (req, res) {
+  const rid = req.params.rid;
+  const r = await dbLayer.getReservation(rid);
+  if (!r) return res.status(404).json({ error: 'not-found' });
+
+  const note = String((req.body && req.body.note) || '').trim();
+  const manualPaymentId = String((req.body && req.body.paymentId) || '').trim();
+
+  r.status = 'paid';
+  r.paidAt = Date.now();
+  r.manuallyPaid = true;
+  r.manuallyPaidBy = req.uid;
+  r.manuallyPaidNote = note;
+  if (manualPaymentId) r.paymentId = manualPaymentId;
+  await dbLayer.saveReservation(r);
+
+  // Audit
+  try {
+    const year = new Date().getFullYear();
+    await dbLayer.addAuditEntry({
+      ts: Date.now(), year, action: 'reservation_manually_paid',
+      targetType: 'reservation', targetId: String(r.rid),
+      reservationUid: Number(r.uid) || 0,
+      reservationUsername: String(r.username || ''),
+      actorUid: req.uid || 0,
+      note,
+    });
+  } catch (e) {}
+
+  realtime.emitCalendarUpdated({ kind: 'reservation', action: 'paid', rid: String(rid), status: 'paid' });
+
+  // Email requester
+  try {
+    const requesterUid = parseInt(r.uid, 10);
+    const requester = await user.getUserFields(requesterUid, ['username']);
+    if (requesterUid) {
+      const { sendEmail, formatFR, buildCalendarLinks } = shared;
+      await sendEmail('calendar-onekite_paid', requesterUid, 'Location matériel - Paiement reçu', {
+        uid: requesterUid,
+        username: requester && requester.username ? requester.username : '',
+        itemName: (Array.isArray(r.itemNames) ? r.itemNames.join(', ') : (r.itemName || '')),
+        itemNames: (Array.isArray(r.itemNames) ? r.itemNames : (r.itemName ? [r.itemName] : [])),
+        dateRange: `Du ${formatFR(r.start)} au ${formatFR(r.end)}`,
+        paymentReceiptUrl: '',
+        pickupTime: r.pickupTime || '',
+        pickupAddress: r.pickupAddress || '',
+        mapUrl: '',
+        ...(buildCalendarLinks({
+          type: 'reservation', id: String(r.rid || ''), uid: Number(r.uid) || 0,
+          itemNames: Array.isArray(r.itemNames) ? r.itemNames : (r.itemName ? [r.itemName] : []),
+          pickupAddress: r.pickupAddress || '', allDay: true,
+          startYmd: (r.startDate && /^\d{4}-\d{2}-\d{2}$/.test(String(r.startDate))) ? String(r.startDate) : new Date(parseInt(r.start, 10)).toISOString().slice(0, 10),
+          endYmd: (r.endDate && /^\d{4}-\d{2}-\d{2}$/.test(String(r.endDate))) ? String(r.endDate) : new Date(parseInt(r.end, 10)).toISOString().slice(0, 10),
+        })),
+      });
+    }
+  } catch (e) {}
+
+  res.json({ ok: true });
+};
+
 admin.refuseReservation = async function (req, res) {
   const rid = req.params.rid;
   const r = await dbLayer.getReservation(rid);

package/lib/api.js

@@ -775,6 +775,7 @@ api.getCapabilities = async function (req, res) {
   ]);
   res.json({
     canModerate: canMod,
+    isValidator: canMod,
     canCreateSpecial: canSpecialC,
     canDeleteSpecial: canSpecialD,
     canCreateOuting: canReq,
@@ -1224,37 +1225,20 @@ api.createReservation = async function (req, res) {
   const startDate = (typeof startRaw === 'string' && /^\d{4}-\d{2}-\d{2}$/.test(startRaw.trim())) ? startRaw.trim() : null;
   const endDate = (typeof endRaw === 'string' && /^\d{4}-\d{2}-\d{2}$/.test(endRaw.trim())) ? endRaw.trim() : null;
 
-  // Validators can create "free" reservations that skip the payment workflow.
-  // However, long rentals should follow the normal paid workflow.
-  // Setting: validatorFreeMaxDays (days, endDate exclusive). If empty/0 => always free.
-  let validatorFreeMaxDays = 0;
-  try {
-    const v = parseInt(String(settings.validatorFreeMaxDays || '').trim(), 10);
-    validatorFreeMaxDays = Number.isFinite(v) ? v : 0;
-  } catch (e) {
-    validatorFreeMaxDays = 0;
-  }
-
   // Reliable calendar-day count (endDate is EXCLUSIVE)
   const nbDays = (startDate && endDate) ? (calendarDaysExclusiveYmd(startDate, endDate) || 1) : Math.max(1, Math.round((end - start) / (24 * 60 * 60 * 1000)));
 
-  // A validator is "free" only if the rental duration is within the configured threshold.
-  const isValidatorFree = !!isValidator && (validatorFreeMaxDays <= 0 || nbDays <= validatorFreeMaxDays);
+  // Detect past dates once (server-local midnight)
+  const _today0 = new Date();
+  _today0.setHours(0, 0, 0, 0);
+  const isPastDate = start < _today0.getTime();
 
-  // Business rule: a reservation cannot start in the past.
-  // We compare against server-local midnight. (Front-end also prevents it.)
-  try {
-    const today0 = new Date();
-    today0.setHours(0, 0, 0, 0);
-    const today0ts = today0.getTime();
-    if (start < today0ts) {
-      return res.status(400).json({
-        error: 'date-too-soon',
-        message: "Impossible de réserver pour une date passée.",
-      });
-    }
-  } catch (e) {
-    // If anything goes wrong, fail safe by allowing the normal flow.
+  // Block past dates for non-validators
+  if (!isValidator && isPastDate) {
+    return res.status(400).json({
+      error: 'date-too-soon',
+      message: "Impossible de réserver pour une date passée.",
+    });
   }
 
   // Support both legacy single itemId and new itemIds[] payload
@@ -1311,16 +1295,53 @@ api.createReservation = async function (req, res) {
   const now = Date.now();
   const rid = crypto.randomUUID();
 
-  // Snapshot username for display in calendar popups
-  let username = null;
+  // Snapshot creator (validator) username for audit trail
+  let creatorUsername = null;
   try {
-    username = await user.getUserField(uid, 'username');
+    creatorUsername = await user.getUserField(uid, 'username');
   } catch (e) {}
 
+  // Validators can create on behalf of another user
+  let targetUid = uid;
+  let targetUsername = creatorUsername;
+  if (isValidator && req.body.targetUsername) {
+    const tName = String(req.body.targetUsername).trim();
+    if (tName) {
+      try {
+        const tUid = await user.getUidByUsername(tName);
+        if (tUid) {
+          targetUid = parseInt(tUid, 10);
+          const tu = await user.getUserFields(targetUid, ['username']);
+          targetUsername = (tu && tu.username) ? tu.username : tName;
+        } else {
+          return res.status(400).json({ error: 'user-not-found', message: `Utilisateur "${tName}" introuvable.` });
+        }
+      } catch (e) {
+        return res.status(400).json({ error: 'user-not-found', message: "Impossible de trouver l'utilisateur." });
+      }
+    }
+  }
+
+  const isForSelf = (targetUid === uid);
+
+  // Free only when validator creates for themselves with a future date (within configured maxDays)
+  const validatorFreeMaxDays = (() => {
+    try {
+      const v = parseInt(String(settings.validatorFreeMaxDays || '').trim(), 10);
+      return Number.isFinite(v) ? v : 0;
+    } catch (e) { return 0; }
+  })();
+  const isValidatorFree = !!isValidator && isForSelf && !isPastDate && (validatorFreeMaxDays <= 0 || nbDays <= validatorFreeMaxDays);
+
+  // Regularization: past-dated reservation created by a validator → paid immediately with amount
+  const isRegularization = !!isValidator && isPastDate;
+
   const resv = {
     rid,
-    uid,
-    username: username || null,
+    uid: targetUid,
+    username: targetUsername || null,
+    createdBy: uid,
+    createdByUsername: creatorUsername || null,
     itemIds,
     itemNames: itemNames.length ? itemNames : itemIds,
     // keep legacy fields for backward compatibility
@@ -1330,19 +1351,17 @@ api.createReservation = async function (req, res) {
     end,
     startDate,
     endDate,
-    status: isValidatorFree ? 'paid' : 'pending',
+    status: (isValidatorFree || isRegularization) ? 'paid' : 'pending',
     createdAt: now,
-    paidAt: isValidatorFree ? now : 0,
-    approvedBy: isValidatorFree ? uid : 0,
-    // total is used for accounting (paid reservations).
-    // Validator self-reservations are FREE (no payment required) and must not be
-    // counted as revenue.
+    paidAt: (isValidatorFree || isRegularization) ? now : 0,
+    approvedBy: (isValidatorFree || isRegularization) ? uid : 0,
+    approvedByUsername: (isValidatorFree || isRegularization) ? (creatorUsername || '') : '',
     isFree: !!isValidatorFree,
     total: isValidatorFree ? 0 : (isNaN(total) ? 0 : total),
+    manuallyPaid: isRegularization ? true : undefined,
   };
 
-  // NOTE: We intentionally do NOT compute a monetary total for validator self-reservations.
-  // Those are free "sorties" and are tracked separately in the accounting view.
+  // Validator self-reservations are FREE (no payment required) and tracked separately in accounting.
 
   // Save
   await dbLayer.saveReservation(resv);
@@ -1351,12 +1370,17 @@ api.createReservation = async function (req, res) {
   realtime.emitCalendarUpdated({ kind: 'reservation', action: 'created', rid: resv.rid, status: resv.status });
 
   // Audit
-  await auditLog(isValidatorFree ? 'reservation_self_checked' : 'reservation_requested', uid, {
+  const auditAction = isValidatorFree ? 'reservation_self_checked'
+    : isRegularization ? 'reservation_manually_paid'
+    : 'reservation_requested';
+  await auditLog(auditAction, uid, {
     targetType: 'reservation',
     targetId: String(resv.rid),
-    uid: Number(uid) || 0,
-    requesterUid: Number(uid) || 0,
-    requesterUsername: username || '',
+    uid: Number(targetUid) || 0,
+    requesterUid: Number(targetUid) || 0,
+    requesterUsername: targetUsername || '',
+    createdBy: Number(uid) || 0,
+    createdByUsername: creatorUsername || '',
     itemIds: resv.itemIds || [],
     itemNames: resv.itemNames || [],
     startDate: resv.startDate || '',
@@ -1364,7 +1388,7 @@ api.createReservation = async function (req, res) {
     status: resv.status,
   });
 
-  if (!isValidatorFree) {
+  if (!isValidatorFree && !isRegularization) {
 
 
   // Notify groups by email (NodeBB emailer config)
@@ -1438,7 +1462,23 @@ api.createReservation = async function (req, res) {
 
   }
 
-  res.json({ ok: true, rid, status: resv.status, autoPaid: !!isValidatorFree });
+  res.json({ ok: true, rid, status: resv.status, autoPaid: !!(isValidatorFree || isRegularization) });
+};
+
+api.searchUsers = async function (req, res) {
+  const uid = req.uid;
+  if (!uid) return res.status(401).json({ error: 'not-logged-in' });
+  const settings = await getSettings();
+  if (!(await canValidate(uid, settings))) return res.status(403).json({ error: 'not-allowed' });
+  const q = String(req.query.q || '').trim();
+  if (q.length < 2) return res.json([]);
+  try {
+    const result = await user.search({ query: q, searchBy: 'username', resultsPerPage: 8, uid });
+    const list = (result && result.users) ? result.users : [];
+    return res.json(list.map(u => ({ uid: u.uid, username: u.username })));
+  } catch (e) {
+    return res.json([]);
+  }
 };
 
 // Validator actions (from calendar popup)

package/lib/helloassoWebhook.js

@@ -1,18 +1,22 @@
 'use strict';
 
-const crypto = require('crypto');
-
 const db = require.main.require('./src/database');
 const meta = require.main.require('./src/meta');
 const user = require.main.require('./src/user');
-const nconf = require.main.require('nconf');
 
 const dbLayer = require('./db');
 const helloasso = require('./helloasso');
 const discord = require('./discord');
 const realtime = require('./realtime');
 const shared = require('./shared');
-const { formatFR, forumBaseUrl, sendEmail, buildCalendarLinks, signCalendarLink, ymdToCompact } = shared;
+const { formatFR, sendEmail, buildCalendarLinks } = shared;
+
+const SETTINGS_KEY = 'calendar-onekite';
+const PROCESSED_KEY = 'calendar-onekite:helloasso:processedPayments';
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
 
 function buildReservationCalendarLinks(r) {
   const startYmd = (r.startDate && /^\d{4}-\d{2}-\d{2}$/.test(String(r.startDate)))
@@ -50,19 +54,21 @@ async function auditLog(action, actorUid, payload) {
   } catch (e) {}
 }
 
-const SETTINGS_KEY = 'calendar-onekite';
-
-// Replay protection: store processed payment ids.
-const PROCESSED_KEY = 'calendar-onekite:helloasso:processedPayments';
-
-// sendEmail imported from shared.js
+function getClientIp(req) {
+  const cf = req.headers['cf-connecting-ip'];
+  if (cf) return String(cf).trim();
+  const xff = req.headers['x-forwarded-for'];
+  if (xff) return String(xff).split(',')[0].trim();
+  return String(req.ip || '').trim();
+}
 
+// Extract reservationId from the metadata field of a webhook payload.
+// HelloAsso uses several payload shapes depending on event type and API version.
 function getReservationIdFromPayload(payload) {
   try {
     const data = payload && payload.data ? payload.data : null;
     if (!data) return null;
 
-    // HelloAsso commonly uses "metadata" for checkout-intents/payments.
     const metaCandidates = [
       data.meta,
       data.metadata,
@@ -74,56 +80,81 @@ function getReservationIdFromPayload(payload) {
       if (typeof metaObj === 'object' && !Array.isArray(metaObj) && metaObj.reservationId) {
         return String(metaObj.reservationId);
       }
-      // Some systems send metadata as array of key/value pairs
+      // Some implementations send metadata as an array of { key, value } pairs
       if (Array.isArray(metaObj)) {
         const found = metaObj.find((x) => x && (x.key === 'reservationId' || x.name === 'reservationId'));
         if (found && (found.value || found.val)) return String(found.value || found.val);
       }
     }
+  } catch (e) {}
+  return null;
+}
+
+function getCheckoutIntentIdFromPayload(payload) {
+  try {
+    const data = payload && payload.data ? payload.data : null;
+    if (!data) return null;
+    const candidates = [
+      data.checkoutIntentId,
+      data.checkoutIntent && (data.checkoutIntent.id || data.checkoutIntent.checkoutIntentId),
+      data.order && (data.order.checkoutIntentId || (data.order.checkoutIntent && data.order.checkoutIntent.id)),
+    ].filter(Boolean);
+    if (candidates.length) return String(candidates[0]);
+  } catch (e) {}
+  return null;
+}
+
+// Returns true for event types and states that represent a completed payment.
+function isConfirmedPayment(payload) {
+  try {
+    if (!payload || !payload.data) return false;
+    const eventType = String(payload.eventType || '').toLowerCase();
+    const state = String(payload.data.state || payload.data.status || payload.data.paymentState || '').toLowerCase();
+    const okState = ['confirmed', 'authorized', 'paid', 'processed', 'succeeded', 'success'].includes(state);
+
+    if (eventType === 'payment') return okState;
+    if (eventType === 'order') {
+      // Order payloads sometimes omit the state field; accept when missing.
+      return !state || okState;
+    }
+    return false;
   } catch (e) {
-    // ignore
+    return false;
   }
-  return null;
 }
 
-async function tryRecoverReservationIdFromPayment(settings, paymentId) {
-  if (!paymentId) return null;
+async function alreadyProcessed(paymentId) {
+  if (!paymentId) return false;
   try {
-    const token = await helloasso.getAccessToken({
-      env: settings.helloassoEnv || 'live',
-      clientId: settings.helloassoClientId,
-      clientSecret: settings.helloassoClientSecret,
-    });
-    if (!token) return null;
-    const details = await helloasso.getPaymentDetails({
-      env: settings.helloassoEnv || 'live',
-      token,
-      paymentId,
-    });
-    if (!details) return null;
-    // Reuse the same extraction logic on the payment details object.
-    return getReservationIdFromPayload({ data: details });
+    return await db.isSetMember(PROCESSED_KEY, String(paymentId));
   } catch (e) {
-    return null;
+    return false;
   }
 }
 
-async function tryRecoverReservationIdFromCheckoutIntent(settings, checkoutIntentId) {
+async function markProcessed(paymentId) {
+  if (!paymentId) return;
+  try {
+    await db.setAdd(PROCESSED_KEY, String(paymentId));
+  } catch (e) {}
+}
+
+// Try to find the reservationId via the checkoutIntentId → rid mapping stored at approval time.
+// Falls back to querying HelloAsso's API when the mapping is missing (older reservations).
+async function tryRecoverRidFromCheckoutIntent(settings, checkoutIntentId) {
   if (!checkoutIntentId) return null;
   try {
-    // First, try a direct mapping stored when the checkout intent was created.
     const mapped = await db.getObjectField(dbLayer.KEY_CHECKOUT_INTENT_TO_RID, String(checkoutIntentId));
     if (mapped) return String(mapped);
 
-    // If no mapping exists (older reservations), query HelloAsso for intent details to read metadata.
     const token = await helloasso.getAccessToken({
-      env: settings.helloassoEnv || 'live',
+      env: settings.helloassoEnv || 'prod',
       clientId: settings.helloassoClientId,
       clientSecret: settings.helloassoClientSecret,
     });
     if (!token) return null;
     const details = await helloasso.getCheckoutIntentDetails({
-      env: settings.helloassoEnv || 'live',
+      env: settings.helloassoEnv || 'prod',
       token,
       organizationSlug: settings.helloassoOrganizationSlug,
       checkoutIntentId,
@@ -131,171 +162,119 @@ async function tryRecoverReservationIdFromCheckoutIntent(settings, checkoutInten
     if (!details) return null;
     const rid = getReservationIdFromPayload({ data: details });
     if (rid) {
-      // persist mapping for next webhooks
-      try {
-        await db.setObjectField(dbLayer.KEY_CHECKOUT_INTENT_TO_RID, String(checkoutIntentId), String(rid));
-      } catch (e) {}
+      try { await db.setObjectField(dbLayer.KEY_CHECKOUT_INTENT_TO_RID, String(checkoutIntentId), String(rid)); } catch (e) {}
       return String(rid);
     }
-  } catch (e) {
-    return null;
-  }
+  } catch (e) {}
   return null;
 }
 
-async function alreadyProcessed(paymentId) {
-  if (!paymentId) return false;
-  try {
-    return await db.isSetMember(PROCESSED_KEY, String(paymentId));
-  } catch (e) {
-    return false;
-  }
-}
-
-async function markProcessed(paymentId) {
-  if (!paymentId) return;
-  try {
-    await db.setAdd(PROCESSED_KEY, String(paymentId));
-  } catch (e) {
-    // ignore
-  }
-}
-
-function isConfirmedPayment(payload) {
+// Last-resort: fetch the payment from HelloAsso's API and read metadata from there.
+async function tryRecoverRidFromPayment(settings, paymentId) {
+  if (!paymentId) return null;
   try {
-    if (!payload || !payload.data) return false;
-    const eventType = String(payload.eventType || '').toLowerCase();
-    const stateRaw = payload.data.state || payload.data.status || payload.data.paymentState || '';
-    const state = String(stateRaw).toLowerCase();
-
-    // We accept the most common "paid" states seen in HelloAsso webhooks.
-    const okState = ['confirmed', 'authorized', 'paid', 'processed', 'succeeded', 'success'].includes(state);
-
-    // HelloAsso may send eventType "Payment" and/or "Order".
-    if (eventType === 'payment') {
-      return okState;
-    }
-    if (eventType === 'order') {
-      // Order payloads may not carry a payment-like "state" field; accept if missing,
-      // but still require a recognizable "paid" state when provided.
-      return !state || okState;
-    }
-    return false;
+    const token = await helloasso.getAccessToken({
+      env: settings.helloassoEnv || 'prod',
+      clientId: settings.helloassoClientId,
+      clientSecret: settings.helloassoClientSecret,
+    });
+    if (!token) return null;
+    const details = await helloasso.getPaymentDetails({
+      env: settings.helloassoEnv || 'prod',
+      token,
+      paymentId,
+    });
+    if (!details) return null;
+    return getReservationIdFromPayload({ data: details });
   } catch (e) {
-    return false;
+    return null;
   }
 }
 
-function getCheckoutIntentIdFromPayload(payload) {
-  try {
-    const data = payload && payload.data ? payload.data : null;
-    if (!data) return null;
-    // Common locations based on HelloAsso docs and community reports:
-    // - Order event often contains checkoutIntentId at root of data
-    // - Return/back redirects contain checkoutIntentId in query params (not here)
-    const candidates = [
-      data.checkoutIntentId,
-      data.checkoutIntent && (data.checkoutIntent.id || data.checkoutIntent.checkoutIntentId),
-      data.order && (data.order.checkoutIntentId || (data.order.checkoutIntent && data.order.checkoutIntent.id)),
-    ].filter(Boolean);
-    if (candidates.length) return String(candidates[0]);
-  } catch (e) {}
-  return null;
-}
+// ---------------------------------------------------------------------------
+// Webhook handler
+// ---------------------------------------------------------------------------
 
-/**
- * Hardened HelloAsso webhook handler.
- * - Requires x-ha-signature (HMAC SHA-256) verification.
- * - Only accepts eventType=Payment with state=Confirmed.
- * - Provides basic replay protection using the payment id.
- *
- * This handler is "safe" by default: if we cannot verify the signature,
- * we refuse the request.
- */
 async function handler(req, res, next) {
   try {
-    if (req.method === 'GET') {
-      return res.json({ ok: true });
-    }
-    if (req.method !== 'POST') {
-      return res.status(405).json({ ok: false, error: 'method-not-allowed' });
-    }
+    if (req.method === 'GET') return res.json({ ok: true });
+    if (req.method !== 'POST') return res.status(405).json({ ok: false, error: 'method-not-allowed' });
 
     const settings = await meta.settings.get(SETTINGS_KEY);
 
-    // Restrict webhook calls by IP (HelloAsso partner mode signature is not used).
-    const defaultAllowed = ['51.138.206.200', '4.233.135.234'];
-    const raw = String((settings && settings.helloassoWebhookAllowedIps) || '').trim();
-    const allowedIps = (raw ? raw.split(/[\s,;]+/g) : defaultAllowed).map(s => String(s || '').trim()).filter(Boolean);
-
-    const clientIp = (() => {
-      const cf = req.headers['cf-connecting-ip'];
-      if (cf) return String(cf).trim();
-      const xff = req.headers['x-forwarded-for'];
-      if (xff) return String(xff).split(',')[0].trim();
-      return String(req.ip || '').trim();
-    })();
-
-    if (allowedIps.length && clientIp && !allowedIps.includes(clientIp)) {
-      // eslint-disable-next-line no-console
-      console.warn('[calendar-onekite] HelloAsso webhook blocked by IP allowlist', { ip: clientIp, allowed: allowedIps });
-      return res.status(403).json({ ok: false, error: 'ip-not-allowed' });
+    // Optional IP allowlist (configure helloassoWebhookAllowedIps in ACP).
+    // If empty, all IPs are accepted.
+    const rawIps = String((settings && settings.helloassoWebhookAllowedIps) || '').trim();
+    const allowedIps = rawIps ? rawIps.split(/[\s,;]+/g).map((s) => s.trim()).filter(Boolean) : [];
+    if (allowedIps.length) {
+      const clientIp = getClientIp(req);
+      if (!allowedIps.includes(clientIp)) {
+        // eslint-disable-next-line no-console
+        console.warn('[calendar-onekite] HelloAsso webhook blocked by IP allowlist', { ip: clientIp, allowed: allowedIps });
+        return res.status(403).json({ ok: false, error: 'ip-not-allowed' });
+      }
     }
 
-    // At this point, the payload is trusted.
     const payload = req.body;
 
     if (!isConfirmedPayment(payload)) {
-      // Acknowledge but ignore other event types/states.
       return res.json({ ok: true, ignored: true });
     }
 
-    // Ignore incomplete Payment events (HelloAsso sometimes omits metadata and checkoutIntentId on Payment webhooks).
-    // We rely on Order events (or checkoutIntent mappings) for reliable reconciliation.
-    const _eventType = String((payload && payload.eventType) || '').toLowerCase();
-    const _rid = getReservationIdFromPayload(payload);
-    const _checkoutIntentId = getCheckoutIntentIdFromPayload(payload);
-    if (_eventType === 'payment' && !_rid && !_checkoutIntentId) {
+    const eventType = String((payload && payload.eventType) || '').toLowerCase();
+    const rid = getReservationIdFromPayload(payload);
+    const checkoutIntentId = getCheckoutIntentIdFromPayload(payload);
+
+    // Incomplete Payment events (no metadata, no checkoutIntentId) cannot be reconciled.
+    if (eventType === 'payment' && !rid && !checkoutIntentId) {
+      // eslint-disable-next-line no-console
+      console.warn('[calendar-onekite] HelloAsso webhook: Payment event has no metadata.reservationId and no checkoutIntentId', {
+        paymentId: payload && payload.data && payload.data.id,
+        dataKeys: payload && payload.data ? Object.keys(payload.data) : [],
+      });
       return res.json({ ok: true, ignored: true, incompletePayment: true });
     }
 
     const paymentId = payload && payload.data ? (payload.data.id || payload.data.paymentId) : null;
-    // If we can't identify the payment, acknowledge and ignore (prevents accidental crashes).
     if (!paymentId) {
+      // eslint-disable-next-line no-console
+      console.warn('[calendar-onekite] HelloAsso webhook: missing payment id', { eventType, dataKeys: payload && payload.data ? Object.keys(payload.data) : [] });
       return res.json({ ok: true, ignored: true, missingPaymentId: true });
     }
+
     if (await alreadyProcessed(paymentId)) {
       return res.json({ ok: true, duplicate: true });
     }
 
-    const rid = getReservationIdFromPayload(payload);
+    // Resolve the reservation ID: try metadata first, then checkoutIntentId mapping, then API call.
     let resolvedRid = rid;
-    const checkoutIntentId = getCheckoutIntentIdFromPayload(payload);
     if (!resolvedRid && checkoutIntentId) {
-      // Some webhook payloads omit metadata but provide checkoutIntentId (common on Order events).
-      resolvedRid = await tryRecoverReservationIdFromCheckoutIntent(settings, checkoutIntentId);
+      resolvedRid = await tryRecoverRidFromCheckoutIntent(settings, checkoutIntentId);
     }
-    if (!resolvedRid && paymentId) {
-      // Some webhook payloads omit metadata; try to fetch the payment details.
-      resolvedRid = await tryRecoverReservationIdFromPayment(settings, paymentId);
+    if (!resolvedRid) {
+      resolvedRid = await tryRecoverRidFromPayment(settings, paymentId);
     }
     if (!resolvedRid) {
       // eslint-disable-next-line no-console
-      console.warn('[calendar-onekite] HelloAsso webhook missing reservationId in metadata', { eventType: payload && payload.eventType, paymentId, checkoutIntentId });
-      // Do NOT mark as processed: if metadata/config is fixed later, a manual replay may be possible.
+      console.warn('[calendar-onekite] HelloAsso webhook: could not resolve reservationId — payment NOT recorded', { eventType, paymentId, checkoutIntentId });
+      // Do not mark as processed: a manual replay may be possible after fixing config.
       return res.json({ ok: true, processed: false, missingReservationId: true });
     }
 
     const r = await dbLayer.getReservation(resolvedRid);
     if (!r) {
+      // eslint-disable-next-line no-console
+      console.warn('[calendar-onekite] HelloAsso webhook: reservation not found (expired/deleted?)', { rid: resolvedRid, paymentId });
       await markProcessed(paymentId);
       return res.json({ ok: true, processed: true, reservationNotFound: true });
     }
 
-    // Mark as paid and persist payment metadata.
+    // eslint-disable-next-line no-console
+    console.info('[calendar-onekite] HelloAsso webhook: marking reservation paid', { rid: resolvedRid, prevStatus: r.status, paymentId });
+
     r.status = 'paid';
     r.paidAt = Date.now();
-    r.paymentId = paymentId ? String(paymentId) : '';
+    r.paymentId = String(paymentId);
     if (payload.data && payload.data.paymentReceiptUrl) {
       r.paymentReceiptUrl = String(payload.data.paymentReceiptUrl);
     }
@@ -310,13 +289,11 @@ async function handler(req, res, next) {
       itemNames: r.itemNames || (r.itemName ? [r.itemName] : []),
       startDate: r.startDate || '',
       endDate: r.endDate || '',
-      paymentId: r.paymentId || '',
+      paymentId: r.paymentId,
     });
 
-    // Real-time notify: refresh calendars for all viewers
     realtime.emitCalendarUpdated({ kind: 'reservation', action: 'paid', rid: String(r.rid), status: r.status });
 
-    // Notify requester
     const requesterUid = parseInt(r.uid, 10);
     const requester = await user.getUserFields(requesterUid, ['username']);
     if (requesterUid) {
@@ -340,7 +317,6 @@ async function handler(req, res, next) {
       });
     }
 
-    // Discord webhook (optional)
     try {
       await discord.notifyPaymentReceived(settings, {
         rid: r.rid,
@@ -361,6 +337,4 @@ async function handler(req, res, next) {
   }
 }
 
-module.exports = {
-  handler,
-};
+module.exports = { handler };

package/library.js

@@ -65,6 +65,7 @@ Plugin.init = async function (params) {
   router.get('/api/v3/plugins/calendar-onekite/events', ...publicExpose, api.getEvents);
   router.get('/api/v3/plugins/calendar-onekite/items', ...publicExpose, api.getItems);
   router.get('/api/v3/plugins/calendar-onekite/capabilities', ...publicExpose, api.getCapabilities);
+  router.get('/api/v3/plugins/calendar-onekite/users/search', ...publicExpose, api.searchUsers);
 
   // Maintenance / audit (restricted to validator groups)
   router.get('/api/v3/plugins/calendar-onekite/maintenance', ...publicExpose, api.getMaintenance);
@@ -109,6 +110,7 @@ Plugin.init = async function (params) {
   router.get(`${adminBase}/pending`, ...adminMws, admin.listPending);
   router.put(`${adminBase}/reservations/:rid/approve`, ...adminMws, admin.approveReservation);
   router.put(`${adminBase}/reservations/:rid/refuse`, ...adminMws, admin.refuseReservation);
+  router.put(`${adminBase}/reservations/:rid/mark-paid`, ...adminMws, admin.markReservationPaid);
 
   router.post(`${adminBase}/purge`, ...adminMws, admin.purgeByYear);
   router.get(`${adminBase}/debug`, ...adminMws, admin.debugHelloAsso);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodebb-plugin-onekite-calendar",
-  "version": "2.0.72",
+  "version": "2.0.74",
   "description": "FullCalendar-based equipment reservation workflow with admin approval & HelloAsso payment for NodeBB",
   "main": "library.js",
   "license": "MIT",

package/public/admin.js

@@ -573,6 +573,13 @@ define('admin/plugins/calendar-onekite', ['alerts', 'bootbox'], function (alerts
     }
   }
 
+  async function markPaid(rid, payload) {
+    return await fetchJson(`/api/v3/admin/plugins/calendar-onekite/reservations/${rid}/mark-paid`, {
+      method: 'PUT',
+      body: JSON.stringify(payload || {}),
+    });
+  }
+
   async function debugHelloAsso() {
     try {
       return await fetchJson('/api/v3/admin/plugins/calendar-onekite/debug');
@@ -1214,6 +1221,34 @@ define('admin/plugins/calendar-onekite', ['alerts', 'bootbox'], function (alerts
       });
     }
 
+    // Manual mark-as-paid (recovery when HelloAsso webhook failed)
+    const markPaidBtn = document.getElementById('onekite-mark-paid-btn');
+    if (markPaidBtn) {
+      markPaidBtn.addEventListener('click', async () => {
+        const ridInput = document.getElementById('onekite-mark-paid-rid');
+        const rid = (ridInput ? ridInput.value : '').trim();
+        if (!rid) {
+          showAlert('error', 'ID de réservation requis.');
+          return;
+        }
+        bootbox.confirm(
+          `Marquer la réservation <strong>${escapeHtml(rid)}</strong> comme payée manuellement ?<br><small class="text-muted">Un email de confirmation sera envoyé à l'adhérent.</small>`,
+          async (ok) => {
+            if (!ok) return;
+            try {
+              await withLock(`mark-paid:${rid}`, [markPaidBtn], async () => {
+                await markPaid(rid, { note: 'Paiement validé manuellement depuis ACP' });
+                showAlert('success', `Réservation ${rid} marquée comme payée.`);
+                if (ridInput) ridInput.value = '';
+              });
+            } catch (e) {
+              showAlert('error', `Impossible de marquer comme payée : ${e && e.message ? e.message : e}`);
+            }
+          }
+        );
+      });
+    }
+
     // Accounting (paid reservations)
     const accFrom = document.getElementById('onekite-acc-from');
     const accTo = document.getElementById('onekite-acc-to');

package/public/client.js

@@ -821,6 +821,107 @@ async function searchAddresses(query, limit) {
   }).filter(h => h && h.displayName);
 }
 
+async function searchUsers(q, limit) {
+  try {
+    const qs = new URLSearchParams({ q: String(q || ''), limit: String(limit || 8) });
+    const arr = await fetchJson(`/api/v3/plugins/calendar-onekite/users/search?${qs}`);
+    if (!Array.isArray(arr)) return [];
+    return arr;
+  } catch (e) {
+    return [];
+  }
+}
+
+function attachUserAutocomplete(inputEl) {
+  if (!inputEl) return;
+  if (inputEl.getAttribute('data-onekite-user-ac') === '1') return;
+  inputEl.setAttribute('data-onekite-user-ac', '1');
+
+  const host = inputEl.parentNode || document.body;
+  try {
+    const cs = window.getComputedStyle(host);
+    if (!cs || cs.position === 'static') host.style.position = 'relative';
+  } catch (e) {
+    host.style.position = 'relative';
+  }
+
+  const menu = document.createElement('div');
+  menu.className = 'onekite-autocomplete-menu';
+  menu.style.position = 'absolute';
+  menu.style.left = '0';
+  menu.style.right = '0';
+  menu.style.top = '100%';
+  menu.style.zIndex = '2000';
+  menu.style.background = '#fff';
+  menu.style.border = '1px solid rgba(0,0,0,.15)';
+  menu.style.borderTop = '0';
+  menu.style.maxHeight = '220px';
+  menu.style.overflowY = 'auto';
+  menu.style.display = 'none';
+  menu.style.borderRadius = '0 0 .375rem .375rem';
+  host.appendChild(menu);
+
+  let timer = null;
+  let busy = false;
+
+  function hide() { menu.style.display = 'none'; menu.innerHTML = ''; }
+
+  function show(hits) {
+    if (!hits || !hits.length) { hide(); return; }
+    menu.innerHTML = '';
+    hits.forEach((h) => {
+      const btn = document.createElement('button');
+      btn.type = 'button';
+      btn.className = 'onekite-autocomplete-item';
+      btn.textContent = h.username;
+      btn.style.display = 'block';
+      btn.style.width = '100%';
+      btn.style.textAlign = 'left';
+      btn.style.padding = '.35rem .5rem';
+      btn.style.border = '0';
+      btn.style.background = 'transparent';
+      btn.style.cursor = 'pointer';
+      btn.addEventListener('click', () => { inputEl.value = h.username; hide(); });
+      btn.addEventListener('mouseenter', () => { btn.style.background = 'rgba(0,0,0,.05)'; });
+      btn.addEventListener('mouseleave', () => { btn.style.background = 'transparent'; });
+      menu.appendChild(btn);
+    });
+    menu.style.display = 'block';
+  }
+
+  async function run(q) {
+    if (busy) return;
+    busy = true;
+    try {
+      const hits = await searchUsers(q, 8);
+      if (String(inputEl.value || '').trim() !== q) return;
+      show(hits);
+    } catch (e) {
+      hide();
+    } finally {
+      busy = false;
+    }
+  }
+
+  inputEl.addEventListener('input', () => {
+    const q = String(inputEl.value || '').trim();
+    if (timer) clearTimeout(timer);
+    if (q.length < 2) { hide(); return; }
+    timer = setTimeout(() => run(q), 250);
+  });
+
+  inputEl.addEventListener('focus', () => {
+    const q = String(inputEl.value || '').trim();
+    if (q.length >= 2) { if (timer) clearTimeout(timer); timer = setTimeout(() => run(q), 150); }
+  });
+
+  document.addEventListener('click', (e) => {
+    try { if (!host.contains(e.target)) hide(); } catch (err) {}
+  });
+
+  inputEl.addEventListener('keydown', (e) => { if (e.key === 'Escape') hide(); });
+}
+
 function attachAddressAutocomplete(inputEl, onPick) {
   if (!inputEl) return;
   // Avoid double attach
@@ -1022,7 +1123,8 @@ function toDatetimeLocalValue(date) {
     return `${d.getFullYear()}-${pad(d.getMonth() + 1)}-${pad(d.getDate())}T${pad(d.getHours())}:${pad(d.getMinutes())}`;
   }
 
-  async function openReservationDialog(selectionInfo, items) {
+  async function openReservationDialog(selectionInfo, items, opts) {
+    const isValidatorMode = !!(opts && opts.isValidator);
     const start = selectionInfo.start;
     let end = selectionInfo.end;
 
@@ -1122,9 +1224,17 @@ function toDatetimeLocalValue(date) {
 
     const endDisplay = endInclusiveForDisplay(start, end);
 
+    const forUserHtml = isValidatorMode ? `
+      <div class="mb-2 mt-1">
+        <label style="font-size:13px; font-weight:600; margin-bottom:3px; display:block;">Pour (pseudo, vide = moi-même)</label>
+        <input type="text" class="form-control form-control-sm" id="onekite-target-username" placeholder="Pseudo de l'adhérent" autocomplete="off">
+      </div>
+    ` : '';
+
     const messageHtml = `
       <div class="mb-2" id="onekite-period"><strong>Période</strong><br>${formatDt(start)} → ${formatDt(endDisplay)} <span class="text-muted" id="onekite-days">(${days} jour${days > 1 ? 's' : ''})</span></div>
       ${shortcutsHtml}
+      ${forUserHtml}
       <div class="mb-2"><strong>Matériel</strong></div>
       <div id="onekite-items" class="mb-2" style="max-height: 320px; overflow: auto; border: 1px solid var(--bs-border-color, #ddd); border-radius: 6px; padding: 6px;">
         ${rows}
@@ -1169,7 +1279,8 @@ function toDatetimeLocalValue(date) {
               const total = (sum / 100) * days;
               // Return the effective end date (exclusive) because duration shortcuts can
               // change the range without updating the original FullCalendar selection.
-              resolve({ itemIds, itemNames, total, days, endDate: toLocalYmd(end) });
+              const targetUsername = isValidatorMode ? ((document.getElementById('onekite-target-username') || {}).value || '').trim() : '';
+              resolve({ itemIds, itemNames, total, days, endDate: toLocalYmd(end), targetUsername });
             },
           },
         },
@@ -1177,6 +1288,10 @@ function toDatetimeLocalValue(date) {
 
       // live total update
       setTimeout(() => {
+        if (isValidatorMode) {
+          attachUserAutocomplete(document.getElementById('onekite-target-username'));
+        }
+
         const totalEl = document.getElementById('onekite-total');
         const periodEl = document.getElementById('onekite-period');
         const daysEl = document.getElementById('onekite-days');
@@ -1290,6 +1405,7 @@ function toDatetimeLocalValue(date) {
     const canDeleteSpecial = !!caps.canDeleteSpecial;
     const canCreateOuting = !!caps.canCreateOuting;
     const canCreateReservation = !!caps.canCreateReservation;
+    const isValidator = !!caps.isValidator;
     const specialEventCategoryCid = parseInt(caps.specialEventCategoryCid, 10) || 0;
 
     // Creation chooser: Location / Prévision de sortie / Évènement (si autorisé).
@@ -1380,17 +1496,19 @@ function toDatetimeLocalValue(date) {
         }
       } catch (e) {}
 
-      // Business rule: nothing can be created in the past.
-      try {
-        const startDateCheck = toLocalYmd(info.start);
-        const todayCheck = toLocalYmd(new Date());
-        if (startDateCheck < todayCheck) {
-          lastDateRuleToastAt = Date.now();
-          showAlert('error', "Impossible de créer pour une date passée.");
-          try { calendar.unselect(); } catch (e) {}
-          return;
-        }
-      } catch (e) {}
+      // Business rule: nothing can be created in the past (validators are exempt for regularization).
+      if (!isValidator) {
+        try {
+          const startDateCheck = toLocalYmd(info.start);
+          const todayCheck = toLocalYmd(new Date());
+          if (startDateCheck < todayCheck) {
+            lastDateRuleToastAt = Date.now();
+            showAlert('error', "Impossible de créer pour une date passée.");
+            try { calendar.unselect(); } catch (e) {}
+            return;
+          }
+        } catch (e) {}
+      }
 
       function handleCreateError(e) {
         const code = String((e && (e.status || e.message)) || '');
@@ -1437,22 +1555,24 @@ function toDatetimeLocalValue(date) {
               showAlert('error', 'Aucun matériel disponible (items HelloAsso non chargés).');
               return;
             }
-            const chosen = await openReservationDialog(sel, items);
+            const chosen = await openReservationDialog(sel, items, { isValidator });
             if (!chosen || !chosen.itemIds || !chosen.itemIds.length) return;
             const startDate = toLocalYmd(sel.start);
             const endDate = (chosen && chosen.endDate) ? String(chosen.endDate) : toLocalYmd(sel.end);
-            const resp = await requestReservation({
+            const reqPayload = {
               title: (chosen && chosen.title) ? String(chosen.title) : '',
               start: startDate,
               end: endDate,
               itemIds: chosen.itemIds,
               itemNames: chosen.itemNames,
               total: chosen.total,
-            });
+            };
+            if (chosen.targetUsername) reqPayload.targetUsername = chosen.targetUsername;
+            const resp = await requestReservation(reqPayload);
             if (resp && (resp.autoPaid || String(resp.status) === 'paid')) {
-              showAlert('success', 'Réservation confirmée.');
+              showAlert('success', chosen.targetUsername ? `Réservation confirmée pour ${chosen.targetUsername}.` : 'Réservation confirmée.');
             } else {
-              showAlert('success', 'Demande envoyée (en attente de validation).');
+              showAlert('success', chosen.targetUsername ? `Demande créée pour ${chosen.targetUsername}.` : 'Demande envoyée (en attente de validation).');
             }
             invalidateEventsCache();
             scheduleRefetch(calendar);
@@ -1526,22 +1646,24 @@ function toDatetimeLocalValue(date) {
               showAlert('error', 'Aucun matériel disponible (items HelloAsso non chargés).');
               return;
             }
-            const chosen = await openReservationDialog(sel, items);
+            const chosen = await openReservationDialog(sel, items, { isValidator });
             if (!chosen || !chosen.itemIds || !chosen.itemIds.length) return;
             const startDate = toLocalYmd(sel.start);
             const endDate = (chosen && chosen.endDate) ? String(chosen.endDate) : toLocalYmd(sel.end);
-            const resp = await requestReservation({
+            const reqPayload = {
               title: (chosen && chosen.title) ? String(chosen.title) : '',
               start: startDate,
               end: endDate,
               itemIds: chosen.itemIds,
               itemNames: chosen.itemNames,
               total: chosen.total,
-            });
+            };
+            if (chosen.targetUsername) reqPayload.targetUsername = chosen.targetUsername;
+            const resp = await requestReservation(reqPayload);
             if (resp && (resp.autoPaid || String(resp.status) === 'paid')) {
-              showAlert('success', 'Réservation confirmée.');
+              showAlert('success', chosen.targetUsername ? `Réservation confirmée pour ${chosen.targetUsername}.` : 'Réservation confirmée.');
             } else {
-              showAlert('success', 'Demande envoyée (en attente de validation).');
+              showAlert('success', chosen.targetUsername ? `Demande créée pour ${chosen.targetUsername}.` : 'Demande envoyée (en attente de validation).');
             }
             invalidateEventsCache();
             scheduleRefetch(calendar);
@@ -1614,8 +1736,9 @@ function toDatetimeLocalValue(date) {
       longPressDelay: 300,
       selectLongPressDelay: 300,
       dayCellDidMount: function (arg) {
-        // Visually disable past days for reservation creation rules,
-        // without breaking event clicks.
+        // Visually disable past days for reservation creation rules.
+        // Validators are exempt (they can create past-dated reservations for regularization).
+        if (isValidator) return;
         try {
           const cellDate = arg && arg.date ? new Date(arg.date) : null;
           if (!cellDate) return;

package/templates/admin/plugins/calendar-onekite.tpl

@@ -130,8 +130,8 @@
 
           <div class="mb-3">
             <label class="form-label">IPs autorisées pour le webhook HelloAsso (csv)</label>
-            <input class="form-control" name="helloassoWebhookAllowedIps" placeholder="51.138.206.200,4.233.135.234">
-            <div class="form-text">Liste des IPs autorisées à appeler le webhook. Laisse vide pour utiliser la liste par défaut.</div>
+            <input class="form-control" name="helloassoWebhookAllowedIps" placeholder="ex: 1.2.3.4, 5.6.7.8">
+            <div class="form-text">IPs autorisées à appeler le webhook (séparées par virgule). <strong>Si vide : toutes les IPs sont acceptées</strong> (recommandé — HelloAsso change ses IPs sans préavis). Ne remplis ce champ que si tu connais les IPs exactes de ton serveur HelloAsso.</div>
           </div>
 
           <div class="mb-3">
@@ -227,6 +227,17 @@
         <p class="text-muted">Teste la récupération du token et la liste du matériel (catalogue).</p>
         <button type="button" class="btn btn-secondary me-2" id="onekite-debug-run">Tester le chargement du matériel</button>
         <pre id="onekite-debug-output" class="mt-3 p-3 border rounded onekite-debug-output" style="max-height: 360px; overflow: auto;"></pre>
+
+        <hr class="my-4" />
+        <h5>Récupération paiement manuelle</h5>
+        <p class="text-muted" style="max-width: 700px;">
+          Si un adhérent a payé via HelloAsso mais que le webhook n'a pas été reçu (IP bloquée, timeout, etc.), entre l'ID de réservation pour la marquer manuellement comme payée. Un email de confirmation est envoyé à l'adhérent.
+        </p>
+        <div class="d-flex gap-2 align-items-center">
+          <input type="text" class="form-control" id="onekite-mark-paid-rid" placeholder="ID de réservation (ex: 1714234567890)" style="max-width: 400px;">
+          <button type="button" class="btn btn-warning" id="onekite-mark-paid-btn">Marquer comme payée</button>
+        </div>
+        <div class="form-text mt-2">L'ID de réservation est visible dans les logs NodeBB ou dans l'URL d'approbation.</div>
       </div>
 
       <div class="tab-pane fade" id="onekite-tab-accounting" role="tabpanel">