payment-kit 1.29.1 → 1.29.3

package/api/src/routes/{products.ts → hono/products.ts}

@@ -1,23 +1,34 @@
+// Phase 3 (express→hono) — hono fork of routes/products.ts. Sub-app with
+// routes relative to /api/products (mounted via mountResourceGroup). The
+// business logic is unchanged; only the express plumbing becomes hono:
+//   req.body → c.get('sanitizedBody'); res.status(n).json(x) → c.json(x, n).
 import { BN, fromTokenToUnit } from '@ocap/util';
-import { Router } from 'express';
+import { Hono } from 'hono';
 import Joi from 'joi';
 import cloneDeep from 'lodash/cloneDeep';
 import pick from 'lodash/pick';
 import { Op } from 'sequelize';
-
-import { createListParamSchema, getOrder, getWhereFromKvQuery, getWhereFromQuery, MetadataSchema } from '../libs/api';
-import logger from '../libs/logger';
-import { authenticate } from '../libs/security';
-import { formatMetadata } from '../libs/util';
-import { PaymentCurrency } from '../store/models/payment-currency';
-import { Price } from '../store/models/price';
-import { Product } from '../store/models/product';
-import { ProductVendor } from '../store/models/product-vendor';
-
-import type { CustomUnitAmount } from '../store/models/types';
-import { checkCurrencySupportRecurring } from '../libs/product';
-
-const router = Router();
+import { allowChangeLockedPrice } from '../../libs/env';
+
+import {
+  createListParamSchema,
+  getOrder,
+  getWhereFromKvQuery,
+  getWhereFromQuery,
+  MetadataSchema,
+} from '../../libs/api';
+import logger from '../../libs/logger';
+import { authenticate } from '../../middlewares/hono/security';
+import { formatMetadata } from '../../libs/util';
+import { PaymentCurrency } from '../../store/models/payment-currency';
+import { Price } from '../../store/models/price';
+import { Product } from '../../store/models/product';
+import { ProductVendor } from '../../store/models/product-vendor';
+
+import type { CustomUnitAmount } from '../../store/models/types';
+import { checkCurrencySupportRecurring } from '../../libs/product';
+
+const app = new Hono();
 
 const auth = authenticate<Product>({ component: true, roles: ['owner', 'admin'] });
 
@@ -40,7 +51,7 @@ const ProductAndPriceSchema = Joi.object({
   tax_code: Joi.string().max(30).allow(null).empty('').optional(),
   statement_descriptor: Joi.string()
     .max(22)
-    .pattern(/^(?=.*[A-Za-z])[^\u4e00-\u9fa5<>"’\\]*$/)
+    .pattern(/^(?=.*[A-Za-z])[^\u4e00-\u9fa5<>"'’\\]*$/)
     .messages({
       'string.pattern.base':
         'statement_descriptor should be at least one letter and cannot include Chinese characters and special characters such as <, >、"、’ or \\',
@@ -283,32 +294,106 @@ export async function createProductAndPrices(payload: any) {
 
 // FIXME: @wangshijun use schema validation
 // create product and price
-// eslint-disable-next-line consistent-return
-router.post('/', auth, async (req, res) => {
+// static POST route registered before /:id patterns to avoid shadowing
+app.post('/batch-price-update', auth, async (c) => {
+  if (!allowChangeLockedPrice()) {
+    return c.json({ error: 'forbidden' }, 403);
+  }
+
+  const body = c.get('sanitizedBody') ?? {};
+  const dryRun = typeof body.dryRun === 'undefined' || body.dryRun !== '0';
+  const factor = Number(body.factor);
+  if (Number.isNaN(factor)) {
+    return c.json({ error: 'factor is required' }, 400);
+  }
+  if (factor <= 0) {
+    return c.json({ error: 'factor must be positive' }, 400);
+  }
+  if (!body.description) {
+    return c.json({ error: 'description is required' }, 400);
+  }
+  if (!body.before) {
+    return c.json({ error: 'before is required' }, 400);
+  }
+
   try {
-    const { error } = ProductAndPriceSchema.validate(req.body);
+    const updated: any[] = [];
+    const products = await Product.findAll({
+      where: { active: false, livemode: !!c.get('livemode'), created_at: { [Op.lt]: body.before } },
+    });
+    await Promise.all(
+      products.map(async (product) => {
+        if (!product.metadata?.domain) {
+          return;
+        }
+
+        const prices = await Price.findAll({ where: { product_id: product.id } });
+        for (const price of prices) {
+          if (price.currency_id === c.get('baseCurrency').id) {
+            const unit = new BN(price.unit_amount).div(new BN(factor)).toString();
+            const options = cloneDeep(price.currency_options);
+            const option = options.find((x) => x.currency_id === price.currency_id);
+            if (option) {
+              option.unit_amount = unit;
+            }
+
+            const metadata = price.metadata || {};
+            metadata.update_history = [metadata.update_history, body.description].filter(Boolean).join(';');
+
+            if (dryRun) {
+              updated.push({ price: price.toJSON(), metadata, unit_amount: unit, currency_options: options });
+            } else {
+              // eslint-disable-next-line
+              await Price.update(
+                { metadata, unit_amount: unit, currency_options: options },
+                { where: { id: price.id } }
+              );
+              updated.push(product.id);
+            }
+          }
+        }
+      })
+    );
+
+    logger.info('Batch price update completed', {
+      updatedCount: updated.length,
+      dryRun,
+      factor,
+      requestedBy: c.get('user')?.did,
+    });
+    return c.json(updated);
+  } catch (err) {
+    logger.error('batch price update error', err);
+    return c.json({ error: (err as any).message }, 400);
+  }
+});
+
+app.post('/', auth, async (c) => {
+  try {
+    const body = c.get('sanitizedBody') ?? {};
+    const { error } = ProductAndPriceSchema.validate(body);
     if (error) {
-      return res.status(400).json({ error: `Product create request invalid: ${error.message}` });
+      return c.json({ error: `Product create request invalid: ${error.message}` }, 400);
     }
     const result = await createProductAndPrices({
-      ...req.body,
+      ...body,
       active: true,
-      type: req.body.type || 'service',
-      livemode: !!req.livemode,
-      created_via: req.user?.via,
-      currency_id: req.baseCurrency.id,
-      metadata: formatMetadata(req.body.metadata),
+      type: body.type || 'service',
+      livemode: !!c.get('livemode'),
+      created_via: c.get('user')?.via,
+      currency_id: c.get('baseCurrency').id,
+      metadata: formatMetadata(body.metadata),
     });
     logger.info('Product and prices created', {
       productId: result.id,
       name: result.name,
       priceCount: result.prices.length,
-      requestedBy: req.user?.did,
+      requestedBy: c.get('user')?.did,
     });
-    res.json(result);
+    return c.json(result);
   } catch (err) {
     logger.error('create product error', err);
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: (err as any).message }, 400);
   }
 });
 
@@ -330,16 +415,17 @@ const paginationSchema = createListParamSchema<{
   meter_id: Joi.string().empty(''),
   type: Joi.string().empty(''),
 });
-router.get('/', auth, async (req, res) => {
-  const { page, pageSize, active, livemode, name, description, ...query } = await paginationSchema.validateAsync(
-    req.query,
-    { stripUnknown: false, allowUnknown: true }
-  );
-  const where = getWhereFromKvQuery(query.q);
-
-  if (query.status) {
+app.get('/', auth, async (c) => {
+  const query = c.req.query();
+  const { page, pageSize, active, livemode, name, description, ...rest } = await paginationSchema.validateAsync(query, {
+    stripUnknown: false,
+    allowUnknown: true,
+  });
+  const where = getWhereFromKvQuery(rest.q);
+
+  if (rest.status) {
     // 兼容处理，支持 status
-    where.active = query.status === 'active';
+    where.active = rest.status === 'active';
   }
 
   if (typeof active === 'boolean') {
@@ -354,36 +440,36 @@ router.get('/', auth, async (req, res) => {
   if (description) {
     where.description = description;
   }
-  if (query.donation === 'hide') {
+  if (rest.donation === 'hide') {
     where.created_via = { [Op.not]: 'donation' };
   }
-  Object.keys(query)
+  Object.keys(rest)
     .filter((x) => x.startsWith('metadata.'))
     .forEach((key: string) => {
       // @ts-ignore
-      where[key] = query[key];
+      where[key] = rest[key];
     });
 
-  if (query.type === 'credit') {
+  if (rest.type === 'credit') {
     where.type = 'credit';
   }
   const findOptions: any = {
     where,
-    order: getOrder(req.query, [['created_at', query.o === 'asc' ? 'ASC' : 'DESC']]),
+    order: getOrder(query, [['created_at', rest.o === 'asc' ? 'ASC' : 'DESC']]),
     offset: (page - 1) * pageSize,
     limit: pageSize,
     include: [{ model: Price, as: 'prices' }],
     distinct: true,
   };
 
-  if (query.type !== 'credit' && query.meter_id) {
+  if (rest.type !== 'credit' && rest.meter_id) {
     findOptions.include = [
       {
         model: Price,
         as: 'prices',
         where: {
           recurring: {
-            meter_id: query.meter_id,
+            meter_id: rest.meter_id,
           },
         },
         required: true,
@@ -391,14 +477,14 @@ router.get('/', auth, async (req, res) => {
     ];
   }
 
-  if (query.type === 'credit' && query.meter_id) {
+  if (rest.type === 'credit' && rest.meter_id) {
     findOptions.include = [
       {
         model: Price,
         as: 'prices',
         where: {
           metadata: {
-            meter_id: query.meter_id,
+            meter_id: rest.meter_id,
           },
         },
         required: true,
@@ -408,17 +494,18 @@ router.get('/', auth, async (req, res) => {
 
   const { rows: list, count } = await Product.findAndCountAll(findOptions);
 
-  res.json({ count, list, paging: { page, pageSize } });
+  return c.json({ count, list, paging: { page, pageSize } });
 });
 
 // search products
+// registered before /:id to prevent shadowing
 const searchSchema = createListParamSchema<{
   query: string;
 }>({
   query: Joi.string(),
 });
-router.get('/search', auth, async (req, res) => {
-  const { page, pageSize, query, livemode, q } = await searchSchema.validateAsync(req.query, {
+app.get('/search', auth, async (c) => {
+  const { page, pageSize, query, livemode, q } = await searchSchema.validateAsync(c.req.query(), {
     stripUnknown: false,
     allowUnknown: true,
   });
@@ -430,37 +517,37 @@ router.get('/search', auth, async (req, res) => {
 
   const { rows: list, count } = await Product.findAndCountAll({
     where,
-    order: getOrder(req.query, [['created_at', 'DESC']]),
+    order: getOrder(c.req.query(), [['created_at', 'DESC']]),
     offset: (page - 1) * pageSize,
     limit: pageSize,
     include: [{ model: Price, as: 'prices', separate: true }],
   });
 
-  res.json({ count, list });
+  return c.json({ count, list });
 });
 
 // get product detail
-router.get('/:id', async (req, res) => {
-  const doc = await Product.expand(req.params.id as string);
+app.get('/:id', async (c) => {
+  const doc = await Product.expand(c.req.param('id') as string);
   if (doc) {
-    res.json(doc);
-  } else {
-    res.status(404).json(null);
+    return c.json(doc);
   }
+  return c.json(null, 404);
 });
 
 // update product
-router.put('/:id', auth, async (req, res) => {
-  const product = await Product.findByPk(req.params.id);
+app.put('/:id', auth, async (c) => {
+  const product = await Product.findByPk(c.req.param('id'));
 
   if (!product) {
-    return res.status(404).json({ error: 'product not found' });
+    return c.json({ error: 'product not found' }, 404);
   }
   if (product.locked) {
-    return res.status(403).json({ error: 'product locked' });
+    return c.json({ error: 'product locked' }, 403);
   }
 
-  const updates: Partial<Product> = pick(req.body, [
+  const body = c.get('sanitizedBody') ?? {};
+  const updates: Partial<Product> = pick(body, [
     'status',
     'name',
     'description',
@@ -476,19 +563,19 @@ router.put('/:id', auth, async (req, res) => {
     'tax_code',
   ]);
 
-  if (Array.isArray(req.body.vendor_config)) {
-    const { error: vendorConfigError } = VendorConfigSchema.validate(req.body.vendor_config);
+  if (Array.isArray(body.vendor_config)) {
+    const { error: vendorConfigError } = VendorConfigSchema.validate(body.vendor_config);
     if (vendorConfigError) {
-      return res.status(400).json({ error: `vendor_config validation failed: ${vendorConfigError.message}` });
+      return c.json({ error: `vendor_config validation failed: ${vendorConfigError.message}` }, 400);
     }
 
     const vendorConfigs = await ProductVendor.findAll({
       where: {
-        id: req.body.vendor_config.map((x: any) => x.vendor_id),
+        id: body.vendor_config.map((x: any) => x.vendor_id),
       },
     });
 
-    updates.vendor_config = req.body.vendor_config.map((config: any) => {
+    updates.vendor_config = body.vendor_config.map((config: any) => {
       const vendorConfig = vendorConfigs.find((x) => x.id === config.vendor_id);
       if (!vendorConfig) {
         throw new Error(`vendor ${config.vendor_id} not found`);
@@ -507,7 +594,7 @@ router.put('/:id', auth, async (req, res) => {
   }
   const { error } = ProductAndPriceSchema.validate(updates);
   if (error) {
-    return res.status(400).json({ error: `Product update request invalid: ${error.message}` });
+    return c.json({ error: `Product update request invalid: ${error.message}` }, 400);
   }
   if (updates.metadata) {
     updates.metadata = formatMetadata(updates.metadata);
@@ -516,48 +603,48 @@ router.put('/:id', auth, async (req, res) => {
   logger.info('Product updated', {
     productId: product.id,
     updatedFields: Object.keys(updates),
-    requestedBy: req.user?.did,
+    requestedBy: c.get('user')?.did,
   });
-  return res.json(await Product.expand(req.params.id as string));
+  return c.json(await Product.expand(c.req.param('id') as string));
 });
 
 // archive
-router.put('/:id/archive', auth, async (req, res) => {
-  const product = await Product.findByPk(req.params.id);
+app.put('/:id/archive', auth, async (c) => {
+  const product = await Product.findByPk(c.req.param('id'));
 
   if (!product) {
-    return res.status(404).json({ error: 'product not found' });
+    return c.json({ error: 'product not found' }, 404);
   }
   if (product.locked) {
-    return res.status(403).json({ error: 'product locked' });
+    return c.json({ error: 'product locked' }, 403);
   }
 
   await product.update({ active: !product.active });
 
   // FIXME: deactivate payment-links, pricing-tables
-  return res.json(await Product.expand(req.params.id as string));
+  return c.json(await Product.expand(c.req.param('id') as string));
 });
 
 // delete product
-router.delete('/:id', auth, async (req, res) => {
+app.delete('/:id', auth, async (c) => {
   try {
-    const product = await Product.findByPk(req.params.id);
+    const product = await Product.findByPk(c.req.param('id'));
 
     if (!product) {
-      return res.status(404).json({ error: 'product not found' });
+      return c.json({ error: 'product not found' }, 404);
     }
     if (product.locked) {
-      return res.status(403).json({ error: 'product locked' });
+      return c.json({ error: 'product locked' }, 403);
     }
 
     const prices = await Price.findAll({ where: { product_id: product.id } });
     for (const price of prices) {
       if (price.locked) {
-        return res.status(403).json({ error: 'product have prices that is locked' });
+        return c.json({ error: 'product have prices that is locked' }, 403);
       }
       // eslint-disable-next-line no-await-in-loop
       if (await price.isUsed(false)) {
-        return res.status(403).json({ error: 'product have prices that is used by other resources' });
+        return c.json({ error: 'product have prices that is used by other resources' }, 403);
       }
     }
 
@@ -565,87 +652,13 @@ router.delete('/:id', auth, async (req, res) => {
     await Price.destroy({ where: { product_id: product.id } });
     logger.info('Product and associated prices deleted', {
       productId: product.id,
-      requestedBy: req.user?.did,
+      requestedBy: c.get('user')?.did,
     });
-    return res.json(product);
+    return c.json(product);
   } catch (err) {
     logger.error('delete product error', err);
-    return res.status(400).json({ error: err.message });
-  }
-});
-
-// This is a dangerous operation, only allow to run with a special env variable
-// Only meant to be used in DID Domain
-router.post('/batch-price-update', auth, async (req, res) => {
-  if (process.env.PAYMENT_CHANGE_LOCKED_PRICE !== '1') {
-    return res.status(403).json({ error: 'forbidden' });
-  }
-
-  const dryRun = typeof req.body.dryRun === 'undefined' || req.body.dryRun !== '0';
-  const factor = Number(req.body.factor);
-  if (Number.isNaN(factor)) {
-    return res.status(400).json({ error: 'factor is required' });
-  }
-  if (factor <= 0) {
-    return res.status(400).json({ error: 'factor must be positive' });
-  }
-  if (!req.body.description) {
-    return res.status(400).json({ error: 'description is required' });
-  }
-  if (!req.body.before) {
-    return res.status(400).json({ error: 'before is required' });
-  }
-
-  try {
-    const updated: any[] = [];
-    const products = await Product.findAll({
-      where: { active: false, livemode: !!req.livemode, created_at: { [Op.lt]: req.body.before } },
-    });
-    await Promise.all(
-      products.map(async (product) => {
-        if (!product.metadata?.domain) {
-          return;
-        }
-
-        const prices = await Price.findAll({ where: { product_id: product.id } });
-        for (const price of prices) {
-          if (price.currency_id === req.baseCurrency.id) {
-            const unit = new BN(price.unit_amount).div(new BN(factor)).toString();
-            const options = cloneDeep(price.currency_options);
-            const option = options.find((x) => x.currency_id === price.currency_id);
-            if (option) {
-              option.unit_amount = unit;
-            }
-
-            const metadata = price.metadata || {};
-            metadata.update_history = [metadata.update_history, req.body.description].filter(Boolean).join(';');
-
-            if (dryRun) {
-              updated.push({ price: price.toJSON(), metadata, unit_amount: unit, currency_options: options });
-            } else {
-              // eslint-disable-next-line
-              await Price.update(
-                { metadata, unit_amount: unit, currency_options: options },
-                { where: { id: price.id } }
-              );
-              updated.push(product.id);
-            }
-          }
-        }
-      })
-    );
-
-    logger.info('Batch price update completed', {
-      updatedCount: updated.length,
-      dryRun,
-      factor,
-      requestedBy: req.user?.did,
-    });
-    return res.json(updated);
-  } catch (err) {
-    logger.error('batch price update error', err);
-    return res.status(400).json({ error: err.message });
+    return c.json({ error: (err as any).message }, 400);
   }
 });
 
-export default router;
+export default app;