Compare commits
21 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| e26718be4e | |||
| cd25d98384 | |||
| e9fceb78b3 | |||
| 7bf9cf9734 | |||
| bf159f8b1f | |||
| 2f3d4d8d01 | |||
| db9bb31702 | |||
| b38db65dde | |||
| 3178f81b99 | |||
| 544d65959d | |||
| fe2e093b92 | |||
| 2af1671891 | |||
| ad80722eee | |||
| c811b58c62 | |||
| 1dfcdcc2cb | |||
| f74e034495 | |||
| 4c46cec4e3 | |||
| f38bb244a4 | |||
| 251b36b863 | |||
| 10ad5e7b04 | |||
| abee344ca4 |
@@ -340,7 +340,7 @@ jobs:
|
||||
name: Update Infra Image Tags
|
||||
runs-on: ubuntu-latest
|
||||
needs: [docker]
|
||||
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
|
||||
if: (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev') && github.event_name == 'push'
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
|
||||
+20
-9
@@ -19,7 +19,7 @@ import { impersonationRouter } from "./routes/impersonation.js";
|
||||
import { settingsRouter } from "./routes/settings.js";
|
||||
import { authProviderRouter } from "./routes/authProvider.js";
|
||||
import { searchRouter } from "./routes/search.js";
|
||||
import { getPresignedGetUrl } from "./lib/s3.js";
|
||||
import { getObject } from "./lib/s3.js";
|
||||
import { calendarRouter } from "./routes/calendar.js";
|
||||
import { setupRouter } from "./routes/setup.js";
|
||||
import { getDb, businessSettings, eq, staff } from "@groombook/db";
|
||||
@@ -126,20 +126,31 @@ function validateLogoMagicBytes(
|
||||
}
|
||||
}
|
||||
|
||||
// Public logo proxy — no auth required, streams logo from S3 so browser never sees raw S3 URL
|
||||
app.get("/api/branding/logo", async (c) => {
|
||||
const db = getDb();
|
||||
const [row] = await db.select().from(businessSettings).limit(1);
|
||||
if (!row) return c.json({ error: "Settings not found" }, 404);
|
||||
if (!row.logoKey) return c.json({ error: "No logo on file" }, 404);
|
||||
|
||||
const { body, contentType } = await getObject(row.logoKey);
|
||||
return new Response(Buffer.from(body), {
|
||||
status: 200,
|
||||
headers: {
|
||||
"Content-Type": contentType,
|
||||
"Cache-Control": "public, max-age=86400",
|
||||
},
|
||||
});
|
||||
});
|
||||
|
||||
// Public branding endpoint — no auth required, returns business name/colors/logo
|
||||
app.get("/api/branding", async (c) => {
|
||||
const db = getDb();
|
||||
const [row] = await db.select().from(businessSettings).limit(1);
|
||||
const settings = row ?? { businessName: "GroomBook", primaryColor: "#4f8a6f", accentColor: "#8b7355", logoBase64: null, logoMimeType: null, logoKey: null };
|
||||
|
||||
let logoUrl: string | null = null;
|
||||
if (settings.logoKey) {
|
||||
try {
|
||||
logoUrl = await getPresignedGetUrl(settings.logoKey);
|
||||
} catch {
|
||||
// If S3 URL generation fails, fall back to legacy base64
|
||||
}
|
||||
}
|
||||
// Return the public proxy path so browser never sees a raw S3 URL
|
||||
const logoUrl = settings.logoKey ? "/api/branding/logo" : null;
|
||||
|
||||
// Defensive: validate magic bytes to prevent MIME type confusion attacks
|
||||
// via the legacy base64 logo fields
|
||||
|
||||
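Review bot: The new public `/api/branding/logo` handler returns the S3 bytes under whatever `Content-Type` S3 stored for the key, with no check that it is an image, while the comment a few lines below says the legacy base64 path validates magic bytes precisely to avoid MIME confusion; the proxy path deserves the same treatment. If the presigned upload lets the client choose the stored content type (the upload route is not in this hunk), restrict the header to the image types `validateLogoMagicBytes` accepts (its body starts outside this hunk) and add `"X-Content-Type-Options": "nosniff"` so the browser does not sniff the body on this origin. `Buffer.from(body)` is a needless copy since `getObject` already returns a `Buffer`; `new Response(body, { ... })` is enough. The same handler body is duplicated in the `settingsRouter.get("/logo", …)` hunk with the same issues, so a shared `serveLogo(c, key)` helper would keep the two in step.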
@@ -68,6 +68,25 @@ export async function deleteObject(key: string): Promise<void> {
|
||||
);
|
||||
}
|
||||
|
||||
/** Read an object from S3 and return its body buffer and content type. */
|
||||
export async function getObject(key: string): Promise<{ body: Buffer; contentType: string }> {
|
||||
const client = getS3Client();
|
||||
const response = await client.send(
|
||||
new GetObjectCommand({
|
||||
Bucket: getBucket(),
|
||||
Key: key,
|
||||
})
|
||||
);
|
||||
const chunks: Uint8Array[] = [];
|
||||
// response.Body is a Readable stream; collect chunks into a buffer
|
||||
for await (const chunk of response.Body as AsyncIterable<Uint8Array>) {
|
||||
chunks.push(chunk);
|
||||
}
|
||||
const body = Buffer.concat(chunks);
|
||||
const contentType = response.ContentType ?? "application/octet-stream";
|
||||
return { body, contentType };
|
||||
}
|
||||
|
||||
/** Upload an object directly to S3 (server-side only, not a pre-signed URL). */
|
||||
export async function putObject(
|
||||
key: string,
|
||||
|
||||
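Review bot: `response.Body as AsyncIterable<Uint8Array>` asserts away a type the SDK declares as optional, so a missing body surfaces as a TypeError inside the `for await` instead of a clear error; guard it first with `if (!response.Body) throw new Error("S3 object has no body: " + key);`. The manual chunk loop can then become `const body = Buffer.from(await response.Body.transformToByteArray());`, which the v3 SDK stream mixin provides. The whole object is buffered in memory with no size ceiling, which matters because the unauthenticated branding endpoint calls this on every request; comparing `response.ContentLength` against a limit, or streaming the body straight into the `Response`, would bound it. The docstring should also say the object is read fully into memory.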
@@ -101,6 +101,7 @@ invoicesRouter.get(
|
||||
paymentMethod: invoices.paymentMethod,
|
||||
paidAt: invoices.paidAt,
|
||||
notes: invoices.notes,
|
||||
stripePaymentIntentId: invoices.stripePaymentIntentId,
|
||||
createdAt: invoices.createdAt,
|
||||
updatedAt: invoices.updatedAt,
|
||||
})
|
||||
@@ -480,40 +481,50 @@ invoicesRouter.post(
|
||||
|
||||
// Payment stats for admin dashboard
|
||||
invoicesRouter.get("/stats/summary", async (c) => {
|
||||
const db = getDb();
|
||||
const now = new Date();
|
||||
const startOfMonth = new Date(now.getFullYear(), now.getMonth(), 1);
|
||||
try {
|
||||
const db = getDb();
|
||||
const now = new Date();
|
||||
const startOfMonth = new Date(now.getFullYear(), now.getMonth(), 1);
|
||||
|
||||
const [revenueResult] = await db
|
||||
.select({ total: sql<number>`coalesce(sum(total_cents), 0)` })
|
||||
.from(invoices)
|
||||
.where(and(eq(invoices.status, "paid"), sql`${invoices.paidAt} >= ${startOfMonth}`));
|
||||
const [revenueResult] = await db
|
||||
.select({ total: sql<number>`coalesce(sum(total_cents), 0)` })
|
||||
.from(invoices)
|
||||
.where(and(eq(invoices.status, "paid"), sql`${invoices.paidAt} >= ${startOfMonth}`));
|
||||
|
||||
const [outstandingResult] = await db
|
||||
.select({ total: sql<number>`coalesce(sum(total_cents), 0)` })
|
||||
.from(invoices)
|
||||
.where(eq(invoices.status, "pending"));
|
||||
const [outstandingResult] = await db
|
||||
.select({ total: sql<number>`coalesce(sum(total_cents), 0)` })
|
||||
.from(invoices)
|
||||
.where(eq(invoices.status, "pending"));
|
||||
|
||||
const [refundsResult] = await db
|
||||
.select({ total: sql<number>`coalesce(sum(amount_cents), 0)` })
|
||||
.from(refunds)
|
||||
.where(sql`${refunds.createdAt} >= ${startOfMonth}`);
|
||||
const [refundsResult] = await db
|
||||
.select({ total: sql<number>`coalesce(sum(amount_cents), 0)` })
|
||||
.from(refunds)
|
||||
.where(sql`${refunds.createdAt} >= ${startOfMonth}`);
|
||||
|
||||
const methodBreakdown = await db
|
||||
.select({
|
||||
method: invoices.paymentMethod,
|
||||
total: sql<number>`count(*)`,
|
||||
})
|
||||
.from(invoices)
|
||||
.where(and(eq(invoices.status, "paid"), sql`${invoices.paidAt} >= ${startOfMonth}`))
|
||||
.groupBy(invoices.paymentMethod);
|
||||
const methodBreakdown = await db
|
||||
.select({
|
||||
method: invoices.paymentMethod,
|
||||
total: sql<number>`count(*)`,
|
||||
})
|
||||
.from(invoices)
|
||||
.where(and(eq(invoices.status, "paid"), sql`${invoices.paidAt} >= ${startOfMonth}`))
|
||||
.groupBy(invoices.paymentMethod);
|
||||
|
||||
return c.json({
|
||||
revenueThisMonth: revenueResult?.total ?? 0,
|
||||
outstanding: outstandingResult?.total ?? 0,
|
||||
refundsThisMonth: refundsResult?.total ?? 0,
|
||||
methodBreakdown,
|
||||
});
|
||||
return c.json({
|
||||
revenueThisMonth: revenueResult?.total ?? 0,
|
||||
outstanding: outstandingResult?.total ?? 0,
|
||||
refundsThisMonth: refundsResult?.total ?? 0,
|
||||
methodBreakdown,
|
||||
});
|
||||
} catch (err) {
|
||||
console.error("stats/summary error:", err);
|
||||
return c.json({
|
||||
revenueThisMonth: 0,
|
||||
outstanding: 0,
|
||||
refundsThisMonth: 0,
|
||||
methodBreakdown: [],
|
||||
});
|
||||
}
|
||||
});
|
||||
|
||||
// Get Stripe payment details for an invoice (card last4, payment status, refund status)
|
||||
|
||||
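Review bot: The new `catch` in `stats/summary` turns any database failure into a 200 response of zeros, so the dashboard shows $0.00 revenue and outstanding as if that were real data, and the client's `r.ok` check in AppointmentsPage can never fire. Return an error status instead, e.g. `return c.json({ error: "Failed to load payment stats" }, 500);`, and keep the `console.error`. The four queries are independent and run one after another; a `Promise.all` over the four `db.select()` chains would run them concurrently without changing the result. Whether `sql<number>` really yields a number for `sum(...)` depends on the driver (pg returns bigint/numeric sums as strings), which is worth confirming since the client divides the value by 100.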
@@ -2,7 +2,7 @@ import { Hono } from "hono";
|
||||
import { zValidator } from "@hono/zod-validator";
|
||||
import { z } from "zod/v3";
|
||||
import { eq, getDb, businessSettings } from "@groombook/db";
|
||||
import { getPresignedUploadUrl, getPresignedGetUrl, deleteObject, putObject } from "../lib/s3.js";
|
||||
import { getPresignedUploadUrl, deleteObject, putObject, getObject } from "../lib/s3.js";
|
||||
import { requireSuperUser } from "../middleware/rbac.js";
|
||||
|
||||
export const settingsRouter = new Hono();
|
||||
@@ -215,7 +215,8 @@ settingsRouter.post(
|
||||
|
||||
/**
|
||||
* GET /api/admin/settings/logo
|
||||
* Returns a presigned GET URL for the logo.
|
||||
* Proxies the logo from S3 so the browser never sees an S3 URL.
|
||||
* Returns the image bytes with proper Content-Type.
|
||||
*/
|
||||
settingsRouter.get("/logo", async (c) => {
|
||||
const db = getDb();
|
||||
@@ -224,8 +225,14 @@ settingsRouter.get("/logo", async (c) => {
|
||||
if (!row) return c.json({ error: "Settings not found" }, 404);
|
||||
if (!row.logoKey) return c.json({ error: "No logo on file" }, 404);
|
||||
|
||||
const url = await getPresignedGetUrl(row.logoKey);
|
||||
return c.json({ url, logoKey: row.logoKey });
|
||||
const { body, contentType } = await getObject(row.logoKey);
|
||||
return new Response(Buffer.from(body), {
|
||||
status: 200,
|
||||
headers: {
|
||||
"Content-Type": contentType,
|
||||
"Cache-Control": "public, max-age=86400",
|
||||
},
|
||||
});
|
||||
});
|
||||
|
||||
/**
|
||||
|
||||
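Review bot: `Cache-Control: public, max-age=86400` on `/logo` lets the browser keep a replaced logo for a day, and the settings page only cache-busts on the upload response (`?t=${Date.now()}`), not on the initial load where it uses the bare `/api/admin/settings/logo`; the `/api/branding/logo` path returned by the branding endpoint has no version token either. Forward S3's `ETag` from the `GetObjectCommand` output and use `"Cache-Control": "public, max-age=0, must-revalidate"`, or append a version derived from the settings row's update time to the URL, so a new logo shows immediately. `public` also reads oddly on an admin route; whether this router is mounted behind the imported `requireSuperUser` is not visible here, but if it is, `private` is the safer directive.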
@@ -44,6 +44,16 @@ test.beforeEach(async ({ page }) => {
|
||||
json: { newClients: [], activeInPeriodCount: 0, churnRisk: [], churnRiskTotal: 0 },
|
||||
});
|
||||
}
|
||||
if (url.includes("/api/invoices/stats/summary")) {
|
||||
return route.fulfill({
|
||||
json: {
|
||||
revenueThisMonth: 0,
|
||||
outstanding: 0,
|
||||
refundsThisMonth: 0,
|
||||
methodBreakdown: [],
|
||||
},
|
||||
});
|
||||
}
|
||||
if (url.includes("/api/invoices")) {
|
||||
return route.fulfill({ json: { data: [], total: 0 } });
|
||||
}
|
||||
|
||||
@@ -112,9 +112,17 @@ export function AppointmentsPage() {
|
||||
const [viewMode, setViewMode] = useState<"status" | "groomer">("status");
|
||||
// null key = unassigned; staffId string = that groomer; undefined set = all visible
|
||||
const [hiddenGroomers, setHiddenGroomers] = useState<Set<string | null>>(new Set());
|
||||
const [paymentStats, setPaymentStats] = useState<{ revenueThisMonth: number; outstanding: number; refundsThisMonth: number; methodBreakdown: { method: string | null; total: number }[] } | null>(null);
|
||||
|
||||
const weekEnd = addDays(weekStart, 6);
|
||||
|
||||
useEffect(() => {
|
||||
fetch("/api/invoices/stats/summary")
|
||||
.then((r) => r.ok ? r.json() : null)
|
||||
.then((data) => { if (data) setPaymentStats(data); })
|
||||
.catch(() => {});
|
||||
}, []);
|
||||
|
||||
const loadAppointments = useCallback(() => {
|
||||
const from = weekStart.toISOString();
|
||||
const to = addDays(weekStart, 7).toISOString();
|
||||
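Review bot: The new `useEffect` fetch has no cancellation, so if the page unmounts before the response arrives `setPaymentStats` runs on an unmounted component, and the `any` coming out of `r.json()` is stored into the typed `paymentStats` state unchecked. Wire an `AbortController` into the effect cleanup, and pull the inline state type on the `useState` line into a named `PaymentStats` type so the fetch result can be annotated. The `.catch(() => {})` also hides network errors; if that is intended because the cards are optional, a comment saying so would help the next reader.
```typescript
type PaymentStats = {
  revenueThisMonth: number;
  outstanding: number;
  refundsThisMonth: number;
  methodBreakdown: { method: string | null; total: number }[];
};
// … unchanged: viewMode / hiddenGroomers state …
const [paymentStats, setPaymentStats] = useState<PaymentStats | null>(null);

useEffect(() => {
  const controller = new AbortController();
  fetch("/api/invoices/stats/summary", { signal: controller.signal })
    .then((r) => (r.ok ? r.json() : null))
    .then((data: PaymentStats | null) => {
      if (data) setPaymentStats(data);
    })
    .catch(() => {
      // aborted on unmount or network error — the stats cards are optional
    });
  return () => controller.abort();
}, []);
```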
@@ -314,6 +322,24 @@ export function AppointmentsPage() {
|
||||
</button>
|
||||
</div>
|
||||
|
||||
{/* Payment Stats Summary */}
|
||||
{paymentStats && (
|
||||
<div style={{ display: "grid", gridTemplateColumns: "repeat(auto-fit, minmax(160px, 1fr))", gap: "0.75rem", marginBottom: "1.25rem" }}>
|
||||
<div style={{ background: "#f0fdf4", border: "1px solid #bbf7d0", borderRadius: 8, padding: "0.75rem 1rem" }}>
|
||||
<div style={{ fontSize: 12, color: "#166534", fontWeight: 600, marginBottom: "0.25rem" }}>Revenue (paid)</div>
|
||||
<div style={{ fontSize: 20, fontWeight: 700, color: "#15803d" }}>${(paymentStats.revenueThisMonth / 100).toFixed(2)}</div>
|
||||
</div>
|
||||
<div style={{ background: "#fefce8", border: "1px solid #fde047", borderRadius: 8, padding: "0.75rem 1rem" }}>
|
||||
<div style={{ fontSize: 12, color: "#854d0e", fontWeight: 600, marginBottom: "0.25rem" }}>Outstanding</div>
|
||||
<div style={{ fontSize: 20, fontWeight: 700, color: "#a16207" }}>${(paymentStats.outstanding / 100).toFixed(2)}</div>
|
||||
</div>
|
||||
<div style={{ background: "#fef2f2", border: "1px solid #fecaca", borderRadius: 8, padding: "0.75rem 1rem" }}>
|
||||
<div style={{ fontSize: 12, color: "#991b1b", fontWeight: 600, marginBottom: "0.25rem" }}>Refunds (this mo.)</div>
|
||||
<div style={{ fontSize: 20, fontWeight: 700, color: "#dc2626" }}>${(paymentStats.refundsThisMonth / 100).toFixed(2)}</div>
|
||||
</div>
|
||||
</div>
|
||||
)}
|
||||
|
||||
{/* ── View Mode + Groomer Filters ── */}
|
||||
<div style={{ display: "flex", alignItems: "center", gap: "0.5rem", marginBottom: "0.75rem", flexWrap: "wrap" }}>
|
||||
<span style={{ fontSize: 13, fontWeight: 600, color: "#374151" }}>Color by:</span>
|
||||
|
||||
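Review bot: The first card is labelled `Revenue (paid)` but displays `revenueThisMonth`, while the refunds card says `Refunds (this mo.)`; the revenue label should carry the same period qualifier, e.g. `Revenue (this mo.)`, or users will read it as all-time revenue. The three cards differ only in colours, label and value, so a small `StatCard` component or a mapped array of `{ label, value, colors }` would remove the repeated inline styles. `$${(x / 100).toFixed(2)}` hard-codes the currency symbol and skips digit grouping; `new Intl.NumberFormat("en-US", { style: "currency", currency: "USD" }).format(x / 100)` handles both, assuming USD is the intended currency (not visible here).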
@@ -89,24 +89,14 @@ export function SettingsPage() {
|
||||
fetch("/api/admin/settings")
|
||||
.then((r) => r.json())
|
||||
.then(async (data) => {
|
||||
let logoUrl: string | null = null;
|
||||
if (data.logoKey) {
|
||||
try {
|
||||
const logoRes = await fetch("/api/admin/settings/logo");
|
||||
if (logoRes.ok) {
|
||||
const logoData = await logoRes.json();
|
||||
logoUrl = logoData.url;
|
||||
}
|
||||
} catch {
|
||||
// ignore
|
||||
}
|
||||
}
|
||||
// The logo is now proxied through the API server so the browser
|
||||
// never receives an S3 URL — use the proxy path directly as the src.
|
||||
setForm({
|
||||
businessName: data.businessName ?? "GroomBook",
|
||||
primaryColor: data.primaryColor ?? "#4f8a6f",
|
||||
accentColor: data.accentColor ?? "#8b7355",
|
||||
logoKey: data.logoKey ?? null,
|
||||
logoUrl,
|
||||
logoUrl: data.logoKey ? "/api/admin/settings/logo" : null,
|
||||
logoBase64: data.logoBase64 ?? null,
|
||||
logoMimeType: data.logoMimeType ?? null,
|
||||
});
|
||||
@@ -172,15 +162,7 @@ export function SettingsPage() {
|
||||
throw new Error(err?.error ?? "Failed to upload logo");
|
||||
}
|
||||
const { logoKey } = await uploadRes.json();
|
||||
|
||||
// Fetch the presigned GET URL for display
|
||||
const logoRes = await fetch("/api/admin/settings/logo");
|
||||
if (logoRes.ok) {
|
||||
const logoData = await logoRes.json();
|
||||
setForm((f) => ({ ...f, logoKey, logoUrl: logoData.url, logoBase64: null, logoMimeType: null }));
|
||||
} else {
|
||||
setForm((f) => ({ ...f, logoKey, logoUrl: null, logoBase64: null, logoMimeType: null }));
|
||||
}
|
||||
setForm((f) => ({ ...f, logoKey, logoUrl: `/api/admin/settings/logo?t=${Date.now()}`, logoBase64: null, logoMimeType: null }));
|
||||
setMessage({ type: "success", text: "Logo uploaded." });
|
||||
refresh();
|
||||
} catch (err: unknown) {
|
||||
|
||||
@@ -119,3 +119,10 @@ uri
|
||||
database-url
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Auth secret name — always use groombook-auth (sealed secret name)
|
||||
*/}}
|
||||
{{- define "groombook.authSecretName" -}}
|
||||
{{- printf "%s" "groombook-auth" }}
|
||||
{{- end }}
|
||||
|
||||
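Review bot: `{{- printf "%s" "groombook-auth" }}` is a no-op format of a literal; `{{- "groombook-auth" -}}` says the same thing. If the name is meant to be overridable per environment, a values key such as `{{- .Values.api.authSecretName | default "groombook-auth" -}}` (a new key; the name is only a suggestion) keeps the default while letting a cluster seal the secret under another name; if it is deliberately fixed, the comment already says so and the literal is fine. The new `{{- end }}` emits a trailing newline where the neighbouring helper ends with `{{- end -}}`; worth making consistent.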
@@ -50,6 +50,27 @@ spec:
|
||||
- name: OIDC_AUDIENCE
|
||||
value: {{ .Values.api.env.oidcAudience | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.api.env.internalBaseUrl }}
|
||||
- name: OIDC_INTERNAL_BASE
|
||||
value: {{ .Values.api.env.internalBaseUrl | quote }}
|
||||
{{- end }}
|
||||
- name: BETTER_AUTH_URL
|
||||
value: {{ .Values.api.env.betterAuthUrl | quote }}
|
||||
- name: OIDC_CLIENT_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "groombook.authSecretName" . }}
|
||||
key: OIDC_CLIENT_ID
|
||||
- name: OIDC_CLIENT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "groombook.authSecretName" . }}
|
||||
key: OIDC_CLIENT_SECRET
|
||||
- name: BETTER_AUTH_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "groombook.authSecretName" . }}
|
||||
key: BETTER_AUTH_SECRET
|
||||
- name: DATABASE_URL
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
|
||||
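Review bot: `BETTER_AUTH_URL` is rendered unconditionally from `.Values.api.env.betterAuthUrl`, which the values change in this compare sets to `""`, so every deployment that does not override it gets an empty `BETTER_AUTH_URL` env var, whereas `OIDC_INTERNAL_BASE` in the same hunk is wrapped in `{{- if .Values.api.env.internalBaseUrl }}`. Unless the application treats empty and unset identically (not visible here), guard it the same way or give it a real default in `values.yaml`. Sourcing the OIDC client credentials and the auth secret from `secretKeyRef` rather than plain values is the right direction.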
@@ -18,6 +18,8 @@ api:
|
||||
corsOrigin: ""
|
||||
oidcIssuer: ""
|
||||
oidcAudience: groombook
|
||||
betterAuthUrl: ""
|
||||
internalBaseUrl: ""
|
||||
port: "3000"
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
+10
-1
@@ -883,6 +883,7 @@ async function seed() {
|
||||
let appointmentCount = 0;
|
||||
let invoiceCount = 0;
|
||||
let visitLogCount = 0;
|
||||
let paidInvoiceCounter = 0;
|
||||
|
||||
// Process in batches per client to keep memory manageable
|
||||
const apptBatchSize = 100;
|
||||
@@ -977,6 +978,10 @@ async function seed() {
|
||||
|
||||
const invoiceStatus = rand() < 0.95 ? "paid" as const : "pending" as const;
|
||||
const paidAt = invoiceStatus === "paid" ? new Date(endTime.getTime() + randInt(5, 30) * 60 * 1000) : null;
|
||||
paidInvoiceCounter++;
|
||||
const stripePaymentIntentId = invoiceStatus === "paid"
|
||||
? `pi_test_seed_${String(paidInvoiceCounter).padStart(6, "0")}`
|
||||
: null;
|
||||
|
||||
invoiceBatch.push({
|
||||
id: invoiceId,
|
||||
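Review bot: `paidInvoiceCounter++` runs before the `invoiceStatus === "paid"` check, so the counter also advances for the roughly 5% of invoices that get `stripePaymentIntentId: null`, leaving gaps in the `pi_test_seed_…` sequence and making the name misleading; either move the increment into the paid branch of the ternary or rename it to `invoiceCounter`. Harmless for seed data, but the later hunk that seeds only paid invoices increments unconditionally, so the two sites only agree if the gaps are intended. The enclosing `seed()` function starts and ends outside this hunk.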
@@ -989,6 +994,7 @@ async function seed() {
|
||||
status: invoiceStatus,
|
||||
paymentMethod: invoiceStatus === "paid" ? pick(["cash", "card", "card", "card", "check"]) as "cash" | "card" | "check" : null,
|
||||
paidAt,
|
||||
stripePaymentIntentId,
|
||||
notes: rand() < 0.05 ? "Added extra service at checkout" : null,
|
||||
});
|
||||
|
||||
@@ -1092,13 +1098,16 @@ async function seed() {
|
||||
const taxCents = Math.round(effectivePrice * 0.08);
|
||||
const totalCents = effectivePrice + taxCents + tipCents;
|
||||
const paidAt = new Date(endTime.getTime() + randInt(5, 30) * 60 * 1000);
|
||||
paidInvoiceCounter++;
|
||||
|
||||
invoiceBatch.push({
|
||||
id: invoiceId, appointmentId: apptId, clientId,
|
||||
subtotalCents: effectivePrice, taxCents, tipCents, totalCents,
|
||||
status: "paid" as const,
|
||||
paymentMethod: pick(["cash", "card", "card", "card", "check"]) as "cash" | "card" | "check",
|
||||
paidAt, notes: null,
|
||||
paidAt,
|
||||
stripePaymentIntentId: `pi_test_seed_${String(paidInvoiceCounter).padStart(6, "0")}`,
|
||||
notes: null,
|
||||
});
|
||||
lineItemBatch.push({
|
||||
id: uuid(), invoiceId, description: svc.name, quantity: 1,
|
||||
|
||||