elpatron/beauty-bookings
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: README dompurify note; fix: sanitize plaintext names in booking emails; feat: use sanitizePhone in email templates; feat: extend sanitizeHtml allowed tags and URL allowlist

Browse Source
This commit is contained in:
elpatron
2025-10-06 13:31:53 +02:00
parent df26c7da6b
commit 90029f4b6a
7 changed files with 250 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
README.md
View File

@@ -12,6 +12,8 @@ Ein vollständiges Buchungssystem für Nagelstudios mit Admin-Panel, Kalender un
- [Hono](https://hono.dev/)
- [Zod](https://zod.dev/)
> Hinweis zu DOMPurify: Wir nutzen `isomorphic-dompurify`, das DOMPurify bereits mitliefert und sowohl in Node.js als auch im Browser funktioniert. Eine zusätzliche Installation von `dompurify` ist daher nicht erforderlich und würde eine redundante Abhängigkeit erzeugen.
## Setup
### 1. Umgebungsvariablen konfigurieren
@@ -22,33 +24,28 @@ Kopiere die `.env.example` Datei zu `.env` und konfiguriere deine Umgebungsvaria
cp .env.example .env
```
### 2. Admin-Passwort Hash generieren
### 2. Admin-Passwort Hash generieren (bcrypt)
Das Admin-Passwort wird als Base64-Hash in der `.env` Datei gespeichert. Hier sind verschiedene Methoden, um einen Hash zu generieren:
Das Admin-Passwort wird als bcrypt-Hash in der `.env` Datei gespeichert. So erzeugst du einen Hash:
#### PowerShell (Windows)
```powershell
# Einfache Methode mit Base64-Encoding
$password = "dein_sicheres_passwort"
$bytes = [System.Text.Encoding]::UTF8.GetBytes($password)
$hash = [System.Convert]::ToBase64String($bytes)
Write-Host "Password Hash: $hash"
# Alternative mit PowerShell 7+ (kürzer)
$password = "dein_sicheres_passwort"
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($password))
#### Node.js (empfohlen)
```bash
node -e "require('bcrypt').hash('dein_sicheres_passwort', 10).then(console.log)"
```
#### Node.js (falls verfügbar)
Alternativ kannst du ein kleines Script verwenden (falls du es öfter brauchst):
```javascript
// In der Node.js Konsole oder als separates Script
const password = "dein_sicheres_passwort";
const hash = Buffer.from(password).toString('base64');
console.log("Password Hash:", hash);
// scripts/generate-hash.js
require('bcrypt').hash(process.argv[2] || 'dein_sicheres_passwort', 10).then(h => {
console.log(h);
});
```
#### Online-Tools (nur für Entwicklung)
- Verwende einen Base64-Encoder wie [base64encode.org](https://www.base64encode.org/)
Ausführen:
```bash
node scripts/generate-hash.js "dein_sicheres_passwort"
```
### 3. .env Datei konfigurieren
@@ -57,7 +54,8 @@ Bearbeite deine `.env` Datei und setze die generierten Werte:
```env
# Admin Account Configuration
ADMIN_USERNAME=owner
ADMIN_PASSWORD_HASH=ZGVpbl9zaWNoZXJlc19wYXNzd29ydA== # Dein generierter Hash
# bcrypt-Hash des Admin-Passworts (kein Base64). Beispielwert:
ADMIN_PASSWORD_HASH=$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
# Domain Configuration
DOMAIN=localhost:5173 # Für Produktion: deine-domain.de
@@ -209,10 +207,12 @@ Nach dem Setup kannst du dich mit den in der `.env` konfigurierten Admin-Credent
⚠️ **Wichtige Hinweise:**
- Ändere das Standard-Passwort vor dem Produktionseinsatz
- Das Passwort wird als Base64-Hash in der `.env` Datei gespeichert
- Das Passwort wird als bcrypt-Hash in der `.env` Datei gespeichert
- Verwende ein sicheres Passwort und generiere den entsprechenden Hash
- Die `.env` Datei sollte niemals in das Repository committet werden
Hinweis zur Migration: Vorhandene Base64-Hashes aus älteren Versionen werden beim Server-Start automatisch in bcrypt migriert. Zusätzlich erfolgt beim nächsten erfolgreichen Login ebenfalls eine Migration, falls noch erforderlich.
### Security.txt Endpoint
Die Anwendung bietet einen RFC 9116 konformen Security.txt Endpoint unter `/.well-known/security.txt`:

3
package.json
View File

@@ -12,6 +12,8 @@
"preview": "vite preview"
},
"dependencies": {
"@types/bcrypt": "^5.0.2",
"bcrypt": "^5.1.1",
"@hono/node-server": "^1.19.5",
"@orpc/client": "^1.8.8",
"@orpc/server": "^1.8.8",
@@ -20,6 +22,7 @@
"@tanstack/react-query": "^5.85.5",
"dotenv": "^17.2.3",
"hono": "^4.9.4",
"isomorphic-dompurify": "^2.16.0",
"jsonrepair": "^3.13.0",
"openai": "^5.17.0",
"react": "^19.1.1",

22
src/server/index.ts
View File

@@ -14,6 +14,28 @@ app.use("*", async (c, next) => {
return next();
});
// Content-Security-Policy and other security headers
app.use("*", async (c, next) => {
const isDev = process.env.NODE_ENV === 'development';
const directives = [
"default-src 'self'",
`script-src 'self'${isDev ? " 'unsafe-inline'" : ''}`,
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data: https:",
"font-src 'self' data:",
"connect-src 'self'",
"frame-ancestors 'none'",
"base-uri 'self'",
"form-action 'self'",
];
const csp = directives.join('; ');
c.header('Content-Security-Policy', csp);
c.header('X-Content-Type-Options', 'nosniff');
c.header('X-Frame-Options', 'DENY');
c.header('Referrer-Policy', 'strict-origin-when-cross-origin');
await next();
});
// Health check endpoint
app.get("/health", (c) => {
return c.json({ status: "ok", timestamp: new Date().toISOString() });

67
src/server/lib/email-templates.ts
View File

@@ -1,4 +1,5 @@
import { readFile } from "node:fs/promises";
import { sanitizeText, sanitizeHtml, sanitizePhone } from "./sanitize.js";
import { fileURLToPath } from "node:url";
import { dirname, resolve } from "node:path";
@@ -60,13 +61,14 @@ async function renderBrandedEmail(title: string, bodyHtml: string): Promise<stri
export async function renderBookingPendingHTML(params: { name: string; date: string; time: string; statusUrl?: string }) {
const { name, date, time, statusUrl } = params;
const safeName = sanitizeText(name);
const formattedDate = formatDateGerman(date);
const domain = process.env.DOMAIN || 'localhost:5173';
const protocol = domain.includes('localhost') ? 'http' : 'https';
const legalUrl = `${protocol}://${domain}/legal`;
const inner = `
<p>Hallo ${name},</p>
<p>Hallo ${safeName},</p>
<p>wir haben deine Anfrage für <strong>${formattedDate}</strong> um <strong>${time}</strong> erhalten.</p>
<p>Wir bestätigen deinen Termin in Kürze. Du erhältst eine weitere E-Mail, sobald der Termin bestätigt ist.</p>
${statusUrl ? `
@@ -87,13 +89,14 @@ export async function renderBookingPendingHTML(params: { name: string; date: str
export async function renderBookingConfirmedHTML(params: { name: string; date: string; time: string; cancellationUrl?: string; reviewUrl?: string }) {
const { name, date, time, cancellationUrl, reviewUrl } = params;
const safeName = sanitizeText(name);
const formattedDate = formatDateGerman(date);
const domain = process.env.DOMAIN || 'localhost:5173';
const protocol = domain.includes('localhost') ? 'http' : 'https';
const legalUrl = `${protocol}://${domain}/legal`;
const inner = `
<p>Hallo ${name},</p>
<p>Hallo ${safeName},</p>
<p>wir haben deinen Termin am <strong>${formattedDate}</strong> um <strong>${time}</strong> bestätigt.</p>
<p>Wir freuen uns auf dich!</p>
<div style="background-color: #f8fafc; border-left: 4px solid #db2777; padding: 16px; margin: 20px 0; border-radius: 4px;">
@@ -126,13 +129,14 @@ export async function renderBookingConfirmedHTML(params: { name: string; date: s
export async function renderBookingCancelledHTML(params: { name: string; date: string; time: string }) {
const { name, date, time } = params;
const safeName = sanitizeText(name);
const formattedDate = formatDateGerman(date);
const domain = process.env.DOMAIN || 'localhost:5173';
const protocol = domain.includes('localhost') ? 'http' : 'https';
const legalUrl = `${protocol}://${domain}/legal`;
const inner = `
<p>Hallo ${name},</p>
<p>Hallo ${safeName},</p>
<p>dein Termin am <strong>${formattedDate}</strong> um <strong>${time}</strong> wurde abgesagt.</p>
<p>Bitte buche einen neuen Termin. Bei Fragen helfen wir dir gerne weiter.</p>
<div style="background-color: #f8fafc; border-left: 4px solid #3b82f6; padding: 16px; margin: 20px 0; border-radius: 4px;">
@@ -154,6 +158,10 @@ export async function renderAdminBookingNotificationHTML(params: {
hasInspirationPhoto: boolean;
}) {
const { name, date, time, treatment, phone, notes, hasInspirationPhoto } = params;
const safeName = sanitizeText(name);
const safeTreatment = sanitizeText(treatment);
const safePhone = sanitizePhone(phone);
const safeNotes = sanitizeHtml(notes);
const formattedDate = formatDateGerman(date);
const inner = `
<p>Hallo Admin,</p>
@@ -161,12 +169,12 @@ export async function renderAdminBookingNotificationHTML(params: {
<div style="background-color: #f8fafc; border-left: 4px solid #db2777; padding: 16px; margin: 20px 0; border-radius: 4px;">
<p style="margin: 0; font-weight: 600; color: #db2777;">📅 Buchungsdetails:</p>
<ul style="margin: 8px 0 0 0; color: #475569; list-style: none; padding: 0;">
<li><strong>Name:</strong> ${name}</li>
<li><strong>Telefon:</strong> ${phone}</li>
<li><strong>Behandlung:</strong> ${treatment}</li>
<li><strong>Name:</strong> ${safeName}</li>
<li><strong>Telefon:</strong> ${safePhone}</li>
<li><strong>Behandlung:</strong> ${safeTreatment}</li>
<li><strong>Datum:</strong> ${formattedDate}</li>
<li><strong>Uhrzeit:</strong> ${time}</li>
${notes ? `<li><strong>Notizen:</strong> ${notes}</li>` : ''}
${safeNotes ? `<li><strong>Notizen:</strong> ${safeNotes}</li>` : ''}
<li><strong>Inspiration-Foto:</strong> ${hasInspirationPhoto ? '✅ Im Anhang verfügbar' : '❌ Kein Foto hochgeladen'}</li>
</ul>
</div>
@@ -188,13 +196,15 @@ export async function renderBookingRescheduleProposalHTML(params: {
declineUrl: string;
expiresAt: string;
}) {
const safeName = sanitizeText(params.name);
const safeTreatment = sanitizeText(params.treatmentName);
const formattedOriginalDate = formatDateGerman(params.originalDate);
const formattedProposedDate = formatDateGerman(params.proposedDate);
const expiryDate = new Date(params.expiresAt);
const formattedExpiry = `${expiryDate.toLocaleDateString('de-DE')} ${expiryDate.toLocaleTimeString('de-DE', { hour: '2-digit', minute: '2-digit' })}`;
const inner = `
<p>Hallo ${params.name},</p>
<p>Hallo ${safeName},</p>
<p>wir müssen deinen Termin leider verschieben. Hier ist unser Vorschlag:</p>
<div style="background-color: #f8fafc; border-left: 4px solid #f59e0b; padding: 16px; margin: 20px 0; border-radius: 4px;">
<p style="margin: 0; font-weight: 600; color: #92400e;">📅 Übersicht</p>
@@ -209,7 +219,7 @@ export async function renderBookingRescheduleProposalHTML(params: {
</tr>
<tr>
<td style="padding:6px 0; width:45%"><strong>Behandlung</strong></td>
<td style="padding:6px 0;">${params.treatmentName}</td>
<td style="padding:6px 0;">${safeTreatment}</td>
</tr>
</table>
</div>
@@ -239,15 +249,19 @@ export async function renderAdminRescheduleDeclinedHTML(params: {
customerEmail?: string;
customerPhone?: string;
}) {
const safeCustomerName = sanitizeText(params.customerName);
const safeTreatment = sanitizeText(params.treatmentName);
const safeEmail = params.customerEmail ? sanitizeText(params.customerEmail) : undefined;
const safePhone = params.customerPhone ? sanitizeText(params.customerPhone) : undefined;
const inner = `
<p>Hallo Admin,</p>
<p>der Kunde <strong>${params.customerName}</strong> hat den Terminänderungsvorschlag abgelehnt.</p>
<p>der Kunde <strong>${safeCustomerName}</strong> hat den Terminänderungsvorschlag abgelehnt.</p>
<div style="background-color:#f8fafc; border-left:4px solid #ef4444; padding:16px; margin:16px 0; border-radius:4px;">
<ul style="margin:0; padding:0; list-style:none; color:#475569; font-size:14px;">
<li><strong>Kunde:</strong> ${params.customerName}</li>
${params.customerEmail ? `<li><strong>E-Mail:</strong> ${params.customerEmail}</li>` : ''}
${params.customerPhone ? `<li><strong>Telefon:</strong> ${params.customerPhone}</li>` : ''}
<li><strong>Behandlung:</strong> ${params.treatmentName}</li>
<li><strong>Kunde:</strong> ${safeCustomerName}</li>
${safeEmail ? `<li><strong>E-Mail:</strong> ${safeEmail}</li>` : ''}
${safePhone ? `<li><strong>Telefon:</strong> ${safePhone}</li>` : ''}
<li><strong>Behandlung:</strong> ${safeTreatment}</li>
<li><strong>Ursprünglicher Termin:</strong> ${formatDateGerman(params.originalDate)} um ${params.originalTime} Uhr (bleibt bestehen)</li>
<li><strong>Abgelehnter Vorschlag:</strong> ${formatDateGerman(params.proposedDate)} um ${params.proposedTime} Uhr</li>
</ul>
@@ -265,13 +279,15 @@ export async function renderAdminRescheduleAcceptedHTML(params: {
newTime: string;
treatmentName: string;
}) {
const safeCustomerName = sanitizeText(params.customerName);
const safeTreatment = sanitizeText(params.treatmentName);
const inner = `
<p>Hallo Admin,</p>
<p>der Kunde <strong>${params.customerName}</strong> hat den Terminänderungsvorschlag akzeptiert.</p>
<p>der Kunde <strong>${safeCustomerName}</strong> hat den Terminänderungsvorschlag akzeptiert.</p>
<div style="background-color:#ecfeff; border-left:4px solid #10b981; padding:16px; margin:16px 0; border-radius:4px;">
<ul style="margin:0; padding:0; list-style:none; color:#475569; font-size:14px;">
<li><strong>Kunde:</strong> ${params.customerName}</li>
<li><strong>Behandlung:</strong> ${params.treatmentName}</li>
<li><strong>Kunde:</strong> ${safeCustomerName}</li>
<li><strong>Behandlung:</strong> ${safeTreatment}</li>
<li><strong>Alter Termin:</strong> ${formatDateGerman(params.originalDate)} um ${params.originalTime} Uhr</li>
<li><strong>Neuer Termin:</strong> ${formatDateGerman(params.newDate)} um ${params.newTime} Uhr ✅</li>
</ul>
@@ -299,19 +315,24 @@ export async function renderAdminRescheduleExpiredHTML(params: {
<p><strong>${params.expiredProposals.length} Terminänderungsvorschlag${params.expiredProposals.length > 1 ? 'e' : ''} ${params.expiredProposals.length > 1 ? 'sind' : 'ist'} abgelaufen</strong> und wurde${params.expiredProposals.length > 1 ? 'n' : ''} automatisch entfernt.</p>
<div style="background-color:#fef2f2; border-left:4px solid #ef4444; padding:16px; margin:16px 0; border-radius:4px;">
<p style="margin:0 0 12px 0; font-weight:600; color:#dc2626;">⚠️ Abgelaufene Vorschläge:</p>
${params.expiredProposals.map(proposal => `
${params.expiredProposals.map(proposal => {
const safeName = sanitizeText(proposal.customerName);
const safeTreatment = sanitizeText(proposal.treatmentName);
const safeEmail = proposal.customerEmail ? sanitizeText(proposal.customerEmail) : undefined;
const safePhone = proposal.customerPhone ? sanitizeText(proposal.customerPhone) : undefined;
return `
<div style="background-color:#ffffff; border:1px solid #fecaca; border-radius:4px; padding:12px; margin:8px 0;">
<ul style="margin:0; padding:0; list-style:none; color:#475569; font-size:13px;">
<li><strong>Kunde:</strong> ${proposal.customerName}</li>
${proposal.customerEmail ? `<li><strong>E-Mail:</strong> ${proposal.customerEmail}</li>` : ''}
${proposal.customerPhone ? `<li><strong>Telefon:</strong> ${proposal.customerPhone}</li>` : ''}
<li><strong>Behandlung:</strong> ${proposal.treatmentName}</li>
<li><strong>Kunde:</strong> ${safeName}</li>
${safeEmail ? `<li><strong>E-Mail:</strong> ${safeEmail}</li>` : ''}
${safePhone ? `<li><strong>Telefon:</strong> ${safePhone}</li>` : ''}
<li><strong>Behandlung:</strong> ${safeTreatment}</li>
<li><strong>Ursprünglicher Termin:</strong> ${formatDateGerman(proposal.originalDate)} um ${proposal.originalTime} Uhr</li>
<li><strong>Vorgeschlagener Termin:</strong> ${formatDateGerman(proposal.proposedDate)} um ${proposal.proposedTime} Uhr</li>
<li><strong>Abgelaufen am:</strong> ${new Date(proposal.expiredAt).toLocaleString('de-DE')}</li>
</ul>
</div>
`).join('')}
`;}).join('')}
</div>
<p style="color:#dc2626; font-weight:600;">Bitte kontaktiere die Kunden, um eine alternative Lösung zu finden.</p>
<p>Die ursprünglichen Termine bleiben bestehen.</p>

37
src/server/lib/sanitize.ts Normal file
View File

@@ -0,0 +1,37 @@
import DOMPurify from "isomorphic-dompurify";
/**
* Sanitize plain text inputs by stripping all HTML tags.
* Use for names, phone numbers, and simple text fields.
*/
export function sanitizeText(input: string | undefined): string {
if (!input) return "";
const cleaned = DOMPurify.sanitize(input, { ALLOWED_TAGS: [], ALLOWED_ATTR: [] });
return cleaned.trim();
}
/**
* Sanitize rich text notes allowing only a minimal, safe subset of tags.
* Use for free-form notes or comments where basic formatting is acceptable.
*/
export function sanitizeHtml(input: string | undefined): string {
if (!input) return "";
const cleaned = DOMPurify.sanitize(input, {
ALLOWED_TAGS: ["br", "p", "strong", "em", "u", "a", "ul", "li"],
ALLOWED_ATTR: ["href", "title", "target", "rel"],
ALLOWED_URI_REGEXP: /^(?:https?:)?\/\//i,
KEEP_CONTENT: true,
});
return cleaned.trim();
}
/**
* Sanitize phone numbers by stripping HTML and keeping only digits and a few symbols.
* Allowed characters: digits, +, -, (, ), and spaces.
*/
export function sanitizePhone(input: string | undefined): string {
const text = sanitizeText(input);
return text.replace(/[^0-9+\-()\s]/g, "");
}

92
src/server/rpc/auth.ts
View File

@@ -3,6 +3,7 @@ import { z } from "zod";
import { randomUUID } from "crypto";
import { createKV } from "../lib/create-kv.js";
import { config } from "dotenv";
import bcrypt from "bcrypt";
// Load environment variables from .env file
config();
@@ -29,18 +30,63 @@ type Session = z.output<typeof SessionSchema>;
const usersKV = createKV<User>("users");
const sessionsKV = createKV<Session>("sessions");
// Simple password hashing (in production, use bcrypt or similar)
const hashPassword = (password: string): string => {
return Buffer.from(password).toString('base64');
// Password hashing using bcrypt
const BCRYPT_PREFIX = "$2"; // $2a, $2b, $2y
const isBase64Hash = (hash: string): boolean => {
if (hash.startsWith(BCRYPT_PREFIX)) return false;
try {
const decoded = Buffer.from(hash, 'base64');
// If re-encoding yields the same string and the decoded buffer is valid UTF-8, treat as base64
const reencoded = decoded.toString('base64');
// Additionally ensure that decoding does not produce too short/empty unless original was empty
return reencoded === hash && decoded.toString('utf8').length > 0;
} catch {
return false;
}
};
const verifyPassword = (password: string, hash: string): boolean => {
return hashPassword(password) === hash;
const hashPassword = async (password: string): Promise<string> => {
return bcrypt.hash(password, 10);
};
const verifyPassword = async (password: string, hash: string): Promise<boolean> => {
if (hash.startsWith(BCRYPT_PREFIX)) {
return bcrypt.compare(password, hash);
}
if (isBase64Hash(hash)) {
const base64OfPassword = Buffer.from(password).toString('base64');
return base64OfPassword === hash;
}
// Unknown format -> fail closed
return false;
};
// Export hashPassword for external use (e.g., generating hashes for .env)
export const generatePasswordHash = hashPassword;
// Migrate all legacy Base64 password hashes to bcrypt on server startup
const migrateLegacyHashesOnStartup = async (): Promise<void> => {
const users = await usersKV.getAllItems();
let migratedCount = 0;
for (const user of users) {
if (isBase64Hash(user.passwordHash)) {
try {
const plaintext = Buffer.from(user.passwordHash, 'base64').toString('utf8');
const bcryptHash = await hashPassword(plaintext);
const updatedUser: User = { ...user, passwordHash: bcryptHash };
await usersKV.setItem(user.id, updatedUser);
migratedCount += 1;
} catch {
// ignore individual failures; continue with others
}
}
}
if (migratedCount > 0) {
console.log(`🔄 Migrated ${migratedCount} legacy Base64 password hash(es) to bcrypt at startup.`);
}
};
// Initialize default owner account
const initializeOwner = async () => {
const existingUsers = await usersKV.getAllItems();
@@ -49,7 +95,12 @@ const initializeOwner = async () => {
// Get admin credentials from environment variables
const adminUsername = process.env.ADMIN_USERNAME || "owner";
const adminPasswordHash = process.env.ADMIN_PASSWORD_HASH || hashPassword("admin123");
let adminPasswordHash = process.env.ADMIN_PASSWORD_HASH || await hashPassword("admin123");
// If provided hash looks like legacy Base64, decode to plaintext and re-hash with bcrypt
if (process.env.ADMIN_PASSWORD_HASH && isBase64Hash(process.env.ADMIN_PASSWORD_HASH)) {
const plaintext = Buffer.from(process.env.ADMIN_PASSWORD_HASH, 'base64').toString('utf8');
adminPasswordHash = await hashPassword(plaintext);
}
const adminEmail = process.env.ADMIN_EMAIL || "owner@stargirlnails.de";
const owner: User = {
@@ -66,8 +117,14 @@ const initializeOwner = async () => {
}
};
// Initialize on module load
initializeOwner();
// Initialize on module load: first migrate legacy hashes, then ensure owner exists
(async () => {
try {
await migrateLegacyHashesOnStartup();
} finally {
await initializeOwner();
}
})();
const login = os
.input(z.object({
@@ -78,10 +135,22 @@ const login = os
const users = await usersKV.getAllItems();
const user = users.find(u => u.username === input.username);
if (!user || !verifyPassword(input.password, user.passwordHash)) {
if (!user) {
throw new Error("Invalid credentials");
}
const isValid = await verifyPassword(input.password, user.passwordHash);
if (!isValid) {
throw new Error("Invalid credentials");
}
// Seamless migration: if stored hash is legacy Base64, upgrade to bcrypt
if (isBase64Hash(user.passwordHash)) {
const migratedHash = await hashPassword(input.password);
const migratedUser = { ...user, passwordHash: migratedHash } as User;
await usersKV.setItem(user.id, migratedUser);
}
// Create session
const sessionId = randomUUID();
const expiresAt = new Date();
@@ -159,13 +228,14 @@ const changePassword = os
throw new Error("User not found");
}
if (!verifyPassword(input.currentPassword, user.passwordHash)) {
const currentOk = await verifyPassword(input.currentPassword, user.passwordHash);
if (!currentOk) {
throw new Error("Current password is incorrect");
}
const updatedUser = {
...user,
passwordHash: hashPassword(input.newPassword),
passwordHash: await hashPassword(input.newPassword),
};
await usersKV.setItem(user.id, updatedUser);

62
src/server/rpc/bookings.ts
View File

@@ -2,6 +2,7 @@ import { call, os } from "@orpc/server";
import { z } from "zod";
import { randomUUID } from "crypto";
import { createKV } from "../lib/create-kv.js";
import { sanitizeText, sanitizeHtml, sanitizePhone } from "../lib/sanitize.js";
import { sendEmail, sendEmailWithAGB, sendEmailWithAGBAndCalendar, sendEmailWithInspirationPhoto } from "../lib/email.js";
import { renderBookingPendingHTML, renderBookingConfirmedHTML, renderBookingCancelledHTML, renderAdminBookingNotificationHTML, renderBookingRescheduleProposalHTML, renderAdminRescheduleAcceptedHTML, renderAdminRescheduleDeclinedHTML } from "../lib/email-templates.js";
import { router as rootRouter } from "./index.js";
@@ -292,14 +293,26 @@ const create = os
treatment.duration
);
// Sanitize user-provided fields before storage
const sanitizedName = sanitizeText(input.customerName);
const sanitizedPhone = input.customerPhone ? sanitizePhone(input.customerPhone) : undefined;
const sanitizedNotes = input.notes ? sanitizeHtml(input.notes) : undefined;
const id = randomUUID();
const booking = {
id,
...input,
treatmentId: input.treatmentId,
customerName: sanitizedName,
customerEmail: input.customerEmail,
customerPhone: sanitizedPhone,
appointmentDate: input.appointmentDate,
appointmentTime: input.appointmentTime,
notes: sanitizedNotes,
inspirationPhoto: input.inspirationPhoto,
bookedDurationMinutes: treatment.duration, // Snapshot treatment duration
status: "pending" as const,
createdAt: new Date().toISOString()
};
} as Booking;
// Save the booking
await kv.setItem(id, booking);
@@ -313,7 +326,7 @@ const create = os
const formattedDate = formatDateGerman(input.appointmentDate);
const homepageUrl = generateUrl();
const html = await renderBookingPendingHTML({
name: input.customerName,
name: sanitizedName,
date: input.appointmentDate,
time: input.appointmentTime,
statusUrl: bookingUrl
@@ -321,7 +334,7 @@ const create = os
await sendEmail({
to: input.customerEmail,
subject: "Deine Terminanfrage ist eingegangen",
text: `Hallo ${input.customerName},\n\nwir haben deine Anfrage für ${formattedDate} um ${input.appointmentTime} erhalten. Wir bestätigen deinen Termin in Kürze. Du erhältst eine weitere E-Mail, sobald der Termin bestätigt ist.\n\nTermin-Status ansehen: ${bookingUrl}\n\nRechtliche Informationen: ${generateUrl('/legal')}\nZur Website: ${homepageUrl}\n\nLiebe Grüße\nStargirlnails Kiel`,
text: `Hallo ${sanitizedName},\n\nwir haben deine Anfrage für ${formattedDate} um ${input.appointmentTime} erhalten. Wir bestätigen deinen Termin in Kürze. Du erhältst eine weitere E-Mail, sobald der Termin bestätigt ist.\n\nTermin-Status ansehen: ${bookingUrl}\n\nRechtliche Informationen: ${generateUrl('/legal')}\nZur Website: ${homepageUrl}\n\nLiebe Grüße\nStargirlnails Kiel`,
html,
}).catch(() => {});
})();
@@ -336,24 +349,24 @@ const create = os
const treatmentName = treatment?.name || "Unbekannte Behandlung";
const adminHtml = await renderAdminBookingNotificationHTML({
name: input.customerName,
name: sanitizedName,
date: input.appointmentDate,
time: input.appointmentTime,
treatment: treatmentName,
phone: input.customerPhone || "Nicht angegeben",
notes: input.notes,
phone: sanitizedPhone || "Nicht angegeben",
notes: sanitizedNotes,
hasInspirationPhoto: !!input.inspirationPhoto
});
const homepageUrl = generateUrl();
const adminText = `Neue Buchungsanfrage eingegangen:\n\n` +
`Name: ${input.customerName}\n` +
`Telefon: ${input.customerPhone || "Nicht angegeben"}\n` +
`Name: ${sanitizedName}\n` +
`Telefon: ${sanitizedPhone || "Nicht angegeben"}\n` +
`Behandlung: ${treatmentName}\n` +
`Datum: ${formatDateGerman(input.appointmentDate)}\n` +
`Uhrzeit: ${input.appointmentTime}\n` +
`${input.notes ? `Notizen: ${input.notes}\n` : ''}` +
`${sanitizedNotes ? `Notizen: ${sanitizedNotes}\n` : ''}` +
`Inspiration-Foto: ${input.inspirationPhoto ? 'Im Anhang verfügbar' : 'Kein Foto hochgeladen'}\n\n` +
`Zur Website: ${homepageUrl}\n\n` +
`Bitte logge dich in das Admin-Panel ein, um die Buchung zu bearbeiten.`;
@@ -361,14 +374,14 @@ const create = os
if (input.inspirationPhoto) {
await sendEmailWithInspirationPhoto({
to: process.env.ADMIN_EMAIL,
subject: `Neue Buchungsanfrage - ${input.customerName}`,
subject: `Neue Buchungsanfrage - ${sanitizedName}`,
text: adminText,
html: adminHtml,
}, input.inspirationPhoto, input.customerName).catch(() => {});
}, input.inspirationPhoto, sanitizedName).catch(() => {});
} else {
await sendEmail({
to: process.env.ADMIN_EMAIL,
subject: `Neue Buchungsanfrage - ${input.customerName}`,
subject: `Neue Buchungsanfrage - ${sanitizedName}`,
text: adminText,
html: adminHtml,
}).catch(() => {});
@@ -441,7 +454,7 @@ const updateStatus = os
await sendEmailWithAGBAndCalendar({
to: booking.customerEmail,
subject: "Dein Termin wurde bestätigt - AGB im Anhang",
text: `Hallo ${booking.customerName},\n\nwir haben deinen Termin am ${formattedDate} um ${booking.appointmentTime} bestätigt.\n\nWichtiger Hinweis: Die Allgemeinen Geschäftsbedingungen (AGB) findest du im Anhang dieser E-Mail. Bitte lies sie vor deinem Termin durch.\n\nTermin-Status ansehen und verwalten: ${bookingUrl}\nFalls du den Termin stornieren möchtest, kannst du das über den obigen Link tun.\n\nRechtliche Informationen: ${generateUrl('/legal')}\nZur Website: ${homepageUrl}\n\nBis bald!\nStargirlnails Kiel`,
text: `Hallo ${sanitizeText(booking.customerName)},\n\nwir haben deinen Termin am ${formattedDate} um ${booking.appointmentTime} bestätigt.\n\nWichtiger Hinweis: Die Allgemeinen Geschäftsbedingungen (AGB) findest du im Anhang dieser E-Mail. Bitte lies sie vor deinem Termin durch.\n\nTermin-Status ansehen und verwalten: ${bookingUrl}\nFalls du den Termin stornieren möchtest, kannst du das über den obigen Link tun.\n\nRechtliche Informationen: ${generateUrl('/legal')}\nZur Website: ${homepageUrl}\n\nBis bald!\nStargirlnails Kiel`,
html,
bcc: process.env.ADMIN_EMAIL ? [process.env.ADMIN_EMAIL] : undefined,
}, {
@@ -460,7 +473,7 @@ const updateStatus = os
await sendEmail({
to: booking.customerEmail,
subject: "Dein Termin wurde abgesagt",
text: `Hallo ${booking.customerName},\n\nleider wurde dein Termin am ${formattedDate} um ${booking.appointmentTime} abgesagt. Bitte buche einen neuen Termin.\n\nRechtliche Informationen: ${generateUrl('/legal')}\nZur Website: ${homepageUrl}\n\nLiebe Grüße\nStargirlnails Kiel`,
text: `Hallo ${sanitizeText(booking.customerName)},\n\nleider wurde dein Termin am ${formattedDate} um ${booking.appointmentTime} abgesagt. Bitte buche einen neuen Termin.\n\nRechtliche Informationen: ${generateUrl('/legal')}\nZur Website: ${homepageUrl}\n\nLiebe Grüße\nStargirlnails Kiel`,
html,
bcc: process.env.ADMIN_EMAIL ? [process.env.ADMIN_EMAIL] : undefined,
});
@@ -508,7 +521,7 @@ const remove = os
await sendEmail({
to: booking.customerEmail,
subject: "Dein Termin wurde abgesagt",
text: `Hallo ${booking.customerName},\n\nleider wurde dein Termin am ${formattedDate} um ${booking.appointmentTime} abgesagt. Bitte buche einen neuen Termin.\n\nRechtliche Informationen: ${generateUrl('/legal')}\nZur Website: ${homepageUrl}\n\nLiebe Grüße\nStargirlnails Kiel`,
text: `Hallo ${sanitizeText(booking.customerName)},\n\nleider wurde dein Termin am ${formattedDate} um ${booking.appointmentTime} abgesagt. Bitte buche einen neuen Termin.\n\nRechtliche Informationen: ${generateUrl('/legal')}\nZur Website: ${homepageUrl}\n\nLiebe Grüße\nStargirlnails Kiel`,
html,
bcc: process.env.ADMIN_EMAIL ? [process.env.ADMIN_EMAIL] : undefined,
});
@@ -577,16 +590,21 @@ const createManual = os
treatment.duration
);
// Sanitize user-provided fields before storage (admin manual booking)
const sanitizedName = sanitizeText(input.customerName);
const sanitizedPhone = input.customerPhone ? sanitizePhone(input.customerPhone) : undefined;
const sanitizedNotes = input.notes ? sanitizeHtml(input.notes) : undefined;
const id = randomUUID();
const booking = {
id,
treatmentId: input.treatmentId,
customerName: input.customerName,
customerName: sanitizedName,
customerEmail: input.customerEmail,
customerPhone: input.customerPhone,
customerPhone: sanitizedPhone,
appointmentDate: input.appointmentDate,
appointmentTime: input.appointmentTime,
notes: input.notes,
notes: sanitizedNotes,
bookedDurationMinutes: treatment.duration,
status: "confirmed" as const,
createdAt: new Date().toISOString()
@@ -607,7 +625,7 @@ const createManual = os
const homepageUrl = generateUrl();
const html = await renderBookingConfirmedHTML({
name: input.customerName,
name: sanitizedName,
date: input.appointmentDate,
time: input.appointmentTime,
cancellationUrl: bookingUrl,
@@ -617,13 +635,13 @@ const createManual = os
await sendEmailWithAGBAndCalendar({
to: input.customerEmail!,
subject: "Dein Termin wurde bestätigt - AGB im Anhang",
text: `Hallo ${input.customerName},\n\nwir haben deinen Termin am ${formattedDate} um ${input.appointmentTime} bestätigt.\n\nWichtiger Hinweis: Die Allgemeinen Geschäftsbedingungen (AGB) findest du im Anhang dieser E-Mail. Bitte lies sie vor deinem Termin durch.\n\nTermin-Status ansehen und verwalten: ${bookingUrl}\nFalls du den Termin stornieren möchtest, kannst du das über den obigen Link tun.\n\nRechtliche Informationen: ${generateUrl('/legal')}\nZur Website: ${homepageUrl}\n\nBis bald!\nStargirlnails Kiel`,
text: `Hallo ${sanitizedName},\n\nwir haben deinen Termin am ${formattedDate} um ${input.appointmentTime} bestätigt.\n\nWichtiger Hinweis: Die Allgemeinen Geschäftsbedingungen (AGB) findest du im Anhang dieser E-Mail. Bitte lies sie vor deinem Termin durch.\n\nTermin-Status ansehen und verwalten: ${bookingUrl}\nFalls du den Termin stornieren möchtest, kannst du das über den obigen Link tun.\n\nRechtliche Informationen: ${generateUrl('/legal')}\nZur Website: ${homepageUrl}\n\nBis bald!\nStargirlnails Kiel`,
html,
}, {
date: input.appointmentDate,
time: input.appointmentTime,
durationMinutes: treatment.duration,
customerName: input.customerName,
customerName: sanitizedName,
treatmentName: treatment.name
});
} catch (e) {