feat(bookings): add payment and document upload to confirmation page

Allow users to select payment method and upload receipts before confirming.
Add public API endpoints for payment updates and document management.

server/api/public/bookings/[token].get.ts

@@ -3,7 +3,7 @@ import { getBookingByConfirmationToken } from '../../../utils/booking-repository
 
 export default defineEventHandler(async (event) => {
   const token = getRequiredRouteParam(event, 'token', 'Confirmation token')
-  const booking = await getBookingByConfirmationToken(token)
+  const booking = await getBookingByConfirmationToken(token, { includeTransactionDocument: true })
 
   if (!booking) {
     httpError(404, 'Booking not found')

server/api/public/bookings/[token]/cancel.post.ts

@@ -5,7 +5,7 @@ import { getRequiredRouteParam, httpError } from '../../../../utils/http'
 
 export default defineEventHandler(async (event): Promise<CancelBookingConfirmationResponse> => {
   const token = getRequiredRouteParam(event, 'token', 'Confirmation token')
-  const existingBooking = await getBookingByConfirmationToken(token)
+  const existingBooking = await getBookingByConfirmationToken(token, { includeTransactionDocument: true })
 
   if (!existingBooking) {
     httpError(404, 'Booking not found')
@@ -25,7 +25,7 @@ export default defineEventHandler(async (event): Promise<CancelBookingConfirmati
   }
 
   return {
-    booking,
+    booking: await getBookingByConfirmationToken(token, { includeTransactionDocument: true }) || booking,
     alreadyPending: false
   }
 })

server/api/public/bookings/[token]/confirm.post.ts

@@ -6,7 +6,7 @@ import { sendBookingTicketReceiptViaWhatsApp } from '../../../../utils/whatsapp'
 
 export default defineEventHandler(async (event): Promise<ConfirmBookingResponse> => {
   const token = getRequiredRouteParam(event, 'token', 'Confirmation token')
-  const existingBooking = await getBookingByConfirmationToken(token)
+  const existingBooking = await getBookingByConfirmationToken(token, { includeTransactionDocument: true })
 
   if (!existingBooking) {
     httpError(404, 'Booking not found')
@@ -39,9 +39,10 @@ export default defineEventHandler(async (event): Promise<ConfirmBookingResponse>
   }
 
   const ticketReceiptWhatsApp = await sendBookingTicketReceiptViaWhatsApp(event, booking)
+  const refreshedBooking = await getBookingByConfirmationToken(token, { includeTransactionDocument: true })
 
   return {
-    booking,
+    booking: refreshedBooking || booking,
     alreadyConfirmed: false,
     ticketReceiptWhatsApp
   }

server/api/public/bookings/[token]/payment.patch.ts

@@ -0,0 +1,51 @@
+import type { UpdateBookingDetailsResponse } from '~~/shared/booking'
+
+import {
+  clearBookingTransactionDocumentByConfirmationToken,
+  getBookingByConfirmationToken,
+  updateBookingPaymentMethodByConfirmationToken
+} from '../../../../utils/booking-repository'
+import { parsePaymentMethodInput } from '../../../../utils/bookings'
+import { getRequiredRouteParam, httpError } from '../../../../utils/http'
+import { deleteTransactionDocument } from '../../../../utils/transaction-documents'
+
+export default defineEventHandler(async (event): Promise<UpdateBookingDetailsResponse> => {
+  const token = getRequiredRouteParam(event, 'token', 'Confirmation token')
+  const existingBooking = await getBookingByConfirmationToken(token, { includeTransactionDocument: true })
+
+  if (!existingBooking) {
+    httpError(404, 'Booking not found')
+  }
+
+  if (existingBooking.status !== 'pending') {
+    httpError(409, 'Payment details can only be changed before confirmation')
+  }
+
+  const body = await readBody<{ paymentMethod?: string | null }>(event)
+  const input = parsePaymentMethodInput(body)
+
+  const booking = await updateBookingPaymentMethodByConfirmationToken({
+    confirmationToken: token,
+    paymentMethod: input.paymentMethod
+  })
+
+  if (!booking) {
+    httpError(404, 'Booking not found')
+  }
+
+  if (input.paymentMethod === 'cash') {
+    const cleared = await clearBookingTransactionDocumentByConfirmationToken(token)
+
+    if (cleared) {
+      await deleteTransactionDocument(cleared.previousStorageName)
+
+      return {
+        booking: cleared.booking
+      }
+    }
+  }
+
+  return {
+    booking
+  }
+})

server/api/public/bookings/[token]/transaction-document.delete.ts

@@ -0,0 +1,33 @@
+import type { UpdateBookingDetailsResponse } from '~~/shared/booking'
+
+import {
+  clearBookingTransactionDocumentByConfirmationToken,
+  getBookingByConfirmationToken
+} from '../../../../utils/booking-repository'
+import { getRequiredRouteParam, httpError } from '../../../../utils/http'
+import { deleteTransactionDocument } from '../../../../utils/transaction-documents'
+
+export default defineEventHandler(async (event): Promise<UpdateBookingDetailsResponse> => {
+  const token = getRequiredRouteParam(event, 'token', 'Confirmation token')
+  const booking = await getBookingByConfirmationToken(token, { includeTransactionDocument: true })
+
+  if (!booking) {
+    httpError(404, 'Booking not found')
+  }
+
+  if (booking.status !== 'pending') {
+    httpError(409, 'Transaction document can only be changed before confirmation')
+  }
+
+  const result = await clearBookingTransactionDocumentByConfirmationToken(token)
+
+  if (!result) {
+    httpError(404, 'Booking not found')
+  }
+
+  await deleteTransactionDocument(result.previousStorageName)
+
+  return {
+    booking: result.booking
+  }
+})

server/api/public/bookings/[token]/transaction-document.get.ts

@@ -0,0 +1,29 @@
+import { sendStream, setHeader } from 'h3'
+
+import { getBookingTransactionDocumentByConfirmationToken } from '../../../../utils/booking-repository'
+import { getRequiredRouteParam, httpError } from '../../../../utils/http'
+import {
+  getSafeDownloadName,
+  getTransactionDocumentFile
+} from '../../../../utils/transaction-documents'
+
+export default defineEventHandler(async (event) => {
+  const token = getRequiredRouteParam(event, 'token', 'Confirmation token')
+  const document = await getBookingTransactionDocumentByConfirmationToken(token)
+
+  if (!document) {
+    httpError(404, 'Transaction document not found')
+  }
+
+  const file = await getTransactionDocumentFile(document.storageName)
+  const downloadName = getSafeDownloadName(document.originalName)
+
+  setHeader(event, 'content-type', document.mimeType)
+  setHeader(event, 'content-length', String(file.size))
+  setHeader(event, 'content-disposition', `attachment; filename="${downloadName}"`)
+  setHeader(event, 'x-content-type-options', 'nosniff')
+  setHeader(event, 'cache-control', 'private, no-store')
+  setHeader(event, 'content-security-policy', 'sandbox')
+
+  return sendStream(event, file.stream)
+})

server/api/public/bookings/[token]/transaction-document.post.ts

@@ -0,0 +1,83 @@
+import type { UpdateBookingDetailsResponse } from '~~/shared/booking'
+
+import { getHeader, readMultipartFormData } from 'h3'
+
+import {
+  getBookingByConfirmationToken,
+  replaceBookingTransactionDocumentByConfirmationToken
+} from '../../../../utils/booking-repository'
+import { getRequiredRouteParam, httpError } from '../../../../utils/http'
+import {
+  deleteTransactionDocument,
+  saveTransactionDocument,
+  TRANSACTION_DOCUMENT_MAX_SIZE,
+  validateTransactionDocumentUpload
+} from '../../../../utils/transaction-documents'
+
+export default defineEventHandler(async (event): Promise<UpdateBookingDetailsResponse> => {
+  const token = getRequiredRouteParam(event, 'token', 'Confirmation token')
+  const booking = await getBookingByConfirmationToken(token, { includeTransactionDocument: true })
+
+  if (!booking) {
+    httpError(404, 'Booking not found')
+  }
+
+  if (booking.status !== 'pending') {
+    httpError(409, 'Transaction document can only be changed before confirmation')
+  }
+
+  if (booking.paymentMethod !== 'bank') {
+    httpError(400, 'Transaction document can only be uploaded for Bank payments')
+  }
+
+  const contentType = String(getHeader(event, 'content-type') || '').toLowerCase()
+
+  if (!contentType.startsWith('multipart/form-data;')) {
+    httpError(400, 'Transaction document upload must use multipart form data')
+  }
+
+  const contentLength = Number(getHeader(event, 'content-length') || 0)
+
+  if (contentLength > TRANSACTION_DOCUMENT_MAX_SIZE + 1024 * 1024) {
+    httpError(413, 'Transaction document must be 10MB or smaller')
+  }
+
+  const formData = await readMultipartFormData(event)
+  const filePart = formData?.find((part) => part.name === 'document' && part.filename)
+
+  if (!filePart) {
+    httpError(400, 'Transaction document is required')
+  }
+
+  const upload = validateTransactionDocumentUpload({
+    data: filePart.data,
+    filename: filePart.filename,
+    contentType: filePart.type
+  })
+
+  const storageName = await saveTransactionDocument(filePart.data, upload.fileType)
+
+  try {
+    const result = await replaceBookingTransactionDocumentByConfirmationToken({
+      confirmationToken: token,
+      originalName: upload.originalName,
+      storageName,
+      mimeType: upload.fileType.mimeType,
+      size: filePart.data.length
+    })
+
+    if (!result) {
+      await deleteTransactionDocument(storageName)
+      httpError(404, 'Booking not found')
+    }
+
+    await deleteTransactionDocument(result.previousStorageName)
+
+    return {
+      booking: result.booking
+    }
+  } catch (error) {
+    await deleteTransactionDocument(storageName)
+    throw error
+  }
+})

server/utils/booking-repository.ts

@@ -239,7 +239,7 @@ function mapTicketCatalogItem(row: DbTicketCatalogItemRow): TicketCatalogItemRec
   }
 }
 
-function mapBookingTransactionDocument(row: DbBookingTransactionDocumentRow, bookingId: string): BookingTransactionDocumentRecord | null {
+function mapBookingTransactionDocument(row: DbBookingTransactionDocumentRow, url: string): BookingTransactionDocument | null {
   if (
     row.payment_method !== 'bank'
     || !row.transaction_document_original_name
@@ -253,16 +253,29 @@ function mapBookingTransactionDocument(row: DbBookingTransactionDocumentRow, boo
 
   return {
     originalName: row.transaction_document_original_name,
-    storageName: row.transaction_document_storage_name,
     mimeType: row.transaction_document_mime_type,
     size: parseInteger(row.transaction_document_size),
     uploadedAt: toIsoString(row.transaction_document_uploaded_at) ?? new Date().toISOString(),
-    url: `/api/bookings/${bookingId}/transaction-document`
+    url
+  }
+}
+
+function mapBookingTransactionDocumentRecord(row: DbBookingTransactionDocumentRow, url: string): BookingTransactionDocumentRecord | null {
+  const document = mapBookingTransactionDocument(row, url)
+
+  if (!document || !row.transaction_document_storage_name) {
+    return null
+  }
+
+  return {
+    ...document,
+    storageName: row.transaction_document_storage_name
   }
 }
 
 function mapBooking(row: DbBookingRow, options?: {
   includeTransactionDocument?: boolean
+  transactionDocumentUrl?: string
 }): PublicBooking {
   const seatCount = parseInteger(row.seat_count)
   const status = isBookingStatus(row.status) ? row.status : 'pending'
@@ -293,7 +306,9 @@ function mapBooking(row: DbBookingRow, options?: {
     personInChargeName: row.person_in_charge_name || '',
     personInChargePhoneNumber: row.person_in_charge_phone_number || '',
     paymentMethod,
-    transactionDocument: options?.includeTransactionDocument ? mapBookingTransactionDocument(row, row.id) : null,
+    transactionDocument: options?.includeTransactionDocument
+      ? mapBookingTransactionDocument(row, options.transactionDocumentUrl || `/api/bookings/${row.id}/transaction-document`)
+      : null,
     remark: row.remark || null,
     status,
     statusLabel: row.status_label || getBookingStatusLabel(status),
@@ -603,7 +618,9 @@ export async function createBooking(input: {
   }
 }
 
-export async function getBookingByConfirmationToken(confirmationToken: string): Promise<PublicBooking | null> {
+export async function getBookingByConfirmationToken(confirmationToken: string, options?: {
+  includeTransactionDocument?: boolean
+}): Promise<PublicBooking | null> {
   await ensureDatabaseReady()
   const sql = getSqlClient()
 
@@ -616,7 +633,12 @@ export async function getBookingByConfirmationToken(confirmationToken: string):
     limit 1
   `
 
-  return row ? mapBooking(row) : null
+  return row
+    ? mapBooking(row, {
+        includeTransactionDocument: options?.includeTransactionDocument,
+        transactionDocumentUrl: `/api/public/bookings/${confirmationToken}/transaction-document`
+      })
+    : null
 }
 
 export async function getBookingByReceiptToken(receiptToken: string): Promise<PublicBooking | null> {
@@ -924,7 +946,164 @@ export async function getBookingTransactionDocument(input: {
       limit 1
     `
 
-  return row ? mapBookingTransactionDocument(row, row.id) : null
+  return row ? mapBookingTransactionDocumentRecord(row, `/api/bookings/${row.id}/transaction-document`) : null
+}
+
+export async function getBookingTransactionDocumentByConfirmationToken(confirmationToken: string): Promise<BookingTransactionDocumentRecord | null> {
+  await ensureDatabaseReady()
+  const sql = getSqlClient()
+
+  const [row] = await sql<(DbBookingTransactionDocumentRow & { confirmation_token: string })[]>`
+    select
+      confirmation_token,
+      payment_method,
+      transaction_document_original_name,
+      transaction_document_storage_name,
+      transaction_document_mime_type,
+      transaction_document_size,
+      transaction_document_uploaded_at
+    from bookings
+    where confirmation_token = ${confirmationToken}
+      and deleted_at is null
+    limit 1
+  `
+
+  return row ? mapBookingTransactionDocumentRecord(row, `/api/public/bookings/${row.confirmation_token}/transaction-document`) : null
+}
+
+export async function updateBookingPaymentMethodByConfirmationToken(input: {
+  confirmationToken: string
+  paymentMethod: PaymentMethod
+}): Promise<PublicBooking | null> {
+  await ensureDatabaseReady()
+  const sql = getSqlClient()
+
+  const [row] = await sql<DbBookingRow[]>`
+    with updated_booking as (
+      update bookings
+      set
+        payment_method = ${input.paymentMethod},
+        updated_at = now()
+      where confirmation_token = ${input.confirmationToken}
+        and deleted_at is null
+        and status = 'pending'
+      returning *
+    )
+    select ${bookingSelectColumns(sql)}
+    from updated_booking as bookings
+    ${bookingJoins(sql)}
+    limit 1
+  `
+
+  return row
+    ? mapBooking(row, {
+        includeTransactionDocument: true,
+        transactionDocumentUrl: `/api/public/bookings/${input.confirmationToken}/transaction-document`
+      })
+    : null
+}
+
+export async function replaceBookingTransactionDocumentByConfirmationToken(input: {
+  confirmationToken: string
+  originalName: string
+  storageName: string
+  mimeType: string
+  size: number
+}): Promise<{ booking: PublicBooking, previousStorageName: string | null } | null> {
+  await ensureDatabaseReady()
+  const sql = getSqlClient()
+
+  const [row] = await sql<(DbBookingRow & { previous_storage_name: string | null })[]>`
+    with current_booking as (
+      select transaction_document_storage_name
+      from bookings
+      where confirmation_token = ${input.confirmationToken}
+        and deleted_at is null
+        and status = 'pending'
+      limit 1
+    ),
+    updated_booking as (
+      update bookings
+      set
+        payment_method = 'bank',
+        transaction_document_original_name = ${input.originalName},
+        transaction_document_storage_name = ${input.storageName},
+        transaction_document_mime_type = ${input.mimeType},
+        transaction_document_size = ${input.size},
+        transaction_document_uploaded_at = now(),
+        updated_at = now()
+      where confirmation_token = ${input.confirmationToken}
+        and deleted_at is null
+        and status = 'pending'
+      returning *
+    )
+    select
+      ${bookingSelectColumns(sql)},
+      (select transaction_document_storage_name from current_booking) as previous_storage_name
+    from updated_booking as bookings
+    ${bookingJoins(sql)}
+    limit 1
+  `
+
+  if (!row) {
+    return null
+  }
+
+  return {
+    booking: mapBooking(row, {
+      includeTransactionDocument: true,
+      transactionDocumentUrl: `/api/public/bookings/${input.confirmationToken}/transaction-document`
+    }),
+    previousStorageName: row.previous_storage_name
+  }
+}
+
+export async function clearBookingTransactionDocumentByConfirmationToken(confirmationToken: string): Promise<{ booking: PublicBooking, previousStorageName: string | null } | null> {
+  await ensureDatabaseReady()
+  const sql = getSqlClient()
+
+  const [row] = await sql<(DbBookingRow & { previous_storage_name: string | null })[]>`
+    with current_booking as (
+      select transaction_document_storage_name
+      from bookings
+      where confirmation_token = ${confirmationToken}
+        and deleted_at is null
+        and status = 'pending'
+      limit 1
+    ),
+    updated_booking as (
+      update bookings
+      set
+        transaction_document_original_name = null,
+        transaction_document_storage_name = null,
+        transaction_document_mime_type = null,
+        transaction_document_size = null,
+        transaction_document_uploaded_at = null,
+        updated_at = now()
+      where confirmation_token = ${confirmationToken}
+        and deleted_at is null
+        and status = 'pending'
+      returning *
+    )
+    select
+      ${bookingSelectColumns(sql)},
+      (select transaction_document_storage_name from current_booking) as previous_storage_name
+    from updated_booking as bookings
+    ${bookingJoins(sql)}
+    limit 1
+  `
+
+  if (!row) {
+    return null
+  }
+
+  return {
+    booking: mapBooking(row, {
+      includeTransactionDocument: true,
+      transactionDocumentUrl: `/api/public/bookings/${confirmationToken}/transaction-document`
+    }),
+    previousStorageName: row.previous_storage_name
+  }
 }
 
 export async function replaceBookingTransactionDocument(input: {

server/utils/bookings.ts

@@ -106,6 +106,20 @@ export function parseBookingPicTransferInput(body: {
   }
 }
 
+export function parsePaymentMethodInput(body: {
+  paymentMethod?: PaymentMethod | string | null
+}) {
+  const paymentMethod = typeof body.paymentMethod === 'string'
+    ? body.paymentMethod.trim().toLowerCase()
+    : body.paymentMethod
+
+  assertBadRequest(isPaymentMethod(paymentMethod), 'Payment method must be Cash or Bank')
+
+  return {
+    paymentMethod
+  }
+}
+
 export function buildBookingMessage(booking: PublicBooking, confirmationUrl: string) {
   if (booking.locale === 'zh') {
     return [