tango-app-api-payment-subscription 3.5.2 → 3.5.3

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "tango-app-api-payment-subscription",
-    "version": "3.5.2",
+    "version": "3.5.3",
     "description": "paymentSubscription",
     "main": "index.js",
     "type": "module",

package/src/controllers/invoice.controller.js

@@ -2,6 +2,7 @@ import * as invoiceService from '../services/invoice.service.js';
 import * as dailyPricingService from '../services/dailyPrice.service.js';
 import * as clientService from '../services/clientPayment.services.js';
 import * as billingService from '../services/billing.service.js';
+import mongoose from 'mongoose';
 import dayjs from 'dayjs';
 import { logger, checkFileExist, signedUrl, download, sendEmailWithSES, insertOpenSearchData } from 'tango-app-api-middleware';
 // import Handlebars from 'handlebars';
@@ -65,6 +66,25 @@ async function getInvoiceCcEmails( clientId ) {
 export async function createInvoice( req, res ) {
   try {
     let invoiceGroupList = [];
+    // Optional groupIds filter — when present, only those billing groups will
+    // be processed. Lets the UI generate an invoice for a specific subset of
+    // groups instead of every group on the client. Strings are matched against
+    // billing _id.
+    const groupIdsFilter = Array.isArray( req.body.groupIds ) && req.body.groupIds.length > 0 ?
+      req.body.groupIds :
+      null;
+    const groupObjectIdFilter = groupIdsFilter ?
+      groupIdsFilter
+          .map( ( id ) => {
+            try {
+              return new mongoose.Types.ObjectId( id );
+            } catch {
+              return null;
+            }
+          } )
+          .filter( ( id ) => id !== null ) :
+      null;
+
     if ( req.body.allClient ) {
       if ( req.body.clientList && req.body.clientList.length > 0 ) {
         req.body.clientList = req.body.clientList;
@@ -74,12 +94,12 @@ export async function createInvoice( req, res ) {
       }
 
       for ( let client of req.body.clientList ) {
+        const matchStage = { clientId: client };
+        if ( groupObjectIdFilter && groupObjectIdFilter.length ) {
+          matchStage._id = { $in: groupObjectIdFilter };
+        }
         let invoiceGroup = await billingService.aggregatebilling( [
-          {
-            $match: {
-              clientId: client,
-            },
-          },
+          { $match: matchStage },
         ] );
         for ( let invGrp of invoiceGroup ) {
           invoiceGroupList.push( invGrp );
@@ -95,7 +115,14 @@ export async function createInvoice( req, res ) {
 
     for ( let group of invoiceGroupList ) {
       let Finacialyear = getCurrentFinancialYear();
-      let previousinvoice = await invoiceService.findandsort( {}, {}, { invoiceIndex: -1 } );
+      // Scope the highest-index lookup to invoices created in the current FY
+      // (invoice IDs are `INV-${FY}-${index}`). Without this scope the new FY
+      // would continue the previous year's sequence instead of resetting.
+      let previousinvoice = await invoiceService.findandsort(
+          { invoice: { $regex: `^INV-${Finacialyear}-` } },
+          {},
+          { invoiceIndex: -1 },
+      );
       let invoiceNo = '00001';
       if ( previousinvoice && previousinvoice.length > 0 ) {
         invoiceNo = Number( previousinvoice[0].invoiceIndex ) + 1;
@@ -2110,6 +2137,13 @@ export async function updateInvoice( req, res ) {
       return res.sendError( 'Invoice not found', 404 );
     }
 
+    // Lock once final-approved. The UI hides the Edit icon for these rows,
+    // but a direct API call would otherwise still let someone mutate a
+    // finalised invoice. Match the frontend's isInvoiceLocked() check.
+    if ( invoice.status === 'approved' ) {
+      return res.sendError( 'Cannot edit a final-approved invoice.', 409 );
+    }
+
     let updateData = {};
     const allowedFields = [
       'companyName', 'companyAddress', 'GSTNumber', 'PlaceOfSupply',
@@ -2220,6 +2254,12 @@ export async function deleteInvoice( req, res ) {
       return res.sendError( 'Invoice not found', 404 );
     }
 
+    // Same lock the UI enforces — a final-approved invoice must not be
+    // deletable, even by a power user hitting the API directly.
+    if ( invoice.status === 'approved' ) {
+      return res.sendError( 'Cannot delete a final-approved invoice.', 409 );
+    }
+
     await invoiceService.deleteRecord( { _id: invoiceId } );
 
     const logObj = {

package/src/controllers/paymentSubscription.controllers.js

@@ -3772,7 +3772,15 @@ export const invoiceGenerate = async ( req, res ) => {
           }
 
 
-          let previousinvoice = await invoiceService.findandsort( {}, {}, { _id: -1 } );
+          // Scope the highest-index lookup to the current financial year
+          // (invoice IDs are `INV-${FY}-${index}`). Sort by invoiceIndex (not
+          // _id) so the largest sequence number wins even if records were
+          // back-dated or imported out of order.
+          let previousinvoice = await invoiceService.findandsort(
+              { invoice: { $regex: `^INV-${Finacialyear}-` } },
+              {},
+              { invoiceIndex: -1 },
+          );
           let invoiceNo = '00001';
           if ( previousinvoice && previousinvoice.length > 0 ) {
             invoiceNo = Number( previousinvoice[0].invoiceIndex ) + 1;

package/src/hbs/invoicePdf.hbs

@@ -1643,7 +1643,7 @@
                     </div>
                     <div class="frame-54">
                         <div class="ifsc-code">IFSC Code</div>
-                        <div class="hdfc-0000269">HDFC0000269</div>
+                        <div class="hdfc-0000269">HDFC0000386</div>
                     </div>
                     <div class="frame-532">
                         <div class="payment-type">Payment Type</div>