test/shop10
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 5 Wiki Activity

feat: бронирование товаров и сброс пароля по email

Browse Source 
Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
shop
2026-05-17 11:38:52 +03:00
parent bda73e1662
commit ade031b0e7
22 changed files with 666 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/routes/account.js
+25 -1
View File
@@ -6,6 +6,7 @@ const { requireAuth } = require('../middleware/auth');
const { requireCookieConsent } = require('../middleware/cookieConsent');
const { ROLE_LABELS } = require('../constants/roles');
const { asyncHandler } = require('../utils/asyncHandler');
const { expireOldReservations } = require('../services/reservations');
const router = express.Router();
@@ -35,12 +36,22 @@ async function verifyPassword(userId, password) {
}
function accountRender(res, options) {
const { user, orderCount, error, success, activeTab } = options;
const {
user,
orderCount,
reservations,
error,
success,
activeTab,
formatPrice,
} = options;
res.render('account/index', {
title: 'Личный кабинет',
user,
orderCount,
reservations: reservations || [],
roleLabels: ROLE_LABELS,
formatPrice: formatPrice || res.locals.formatPrice,
error: error || null,
success: success || null,
activeTab: activeTab || 'profile',
@@ -51,14 +62,27 @@ router.get(
'/',
requireAuth,
asyncHandler(async (req, res) => {
await expireOldReservations();
const user = await loadAccountUser(req.session.userId);
const countResult = await query(
'SELECT COUNT(*)::int AS n FROM orders WHERE user_id = $1',
[user.id]
);
const { rows: reservations } = await query(
`SELECT r.*, p.name AS product_name, p.slug AS product_slug, p.price_cents, p.image_url
FROM reservations r
JOIN products p ON p.id = r.product_id
WHERE r.user_id = $1
ORDER BY r.created_at DESC`,
[user.id]
);
accountRender(res, {
user,
orderCount: countResult.rows[0].n,
reservations,
formatPrice,
success: req.query.success ? decodeURIComponent(String(req.query.success)) : null,
error: req.query.error ? decodeURIComponent(String(req.query.error)) : null,
activeTab: req.query.tab || 'profile',
src/routes/admin.js
+38
View File
@@ -104,4 +104,42 @@ router.get(
})
);
router.get(
'/reservations',
asyncHandler(async (req, res) => {
const { expireOldReservations } = require('../services/reservations');
await expireOldReservations();
const { rows: reservations } = await query(
`SELECT r.*, p.name AS product_name, u.email AS user_email, u.name AS user_name
FROM reservations r
JOIN products p ON p.id = r.product_id
JOIN users u ON u.id = r.user_id
ORDER BY r.created_at DESC`
);
res.render('admin/reservations', {
title: 'Бронирования',
reservations,
formatPrice,
});
})
);
router.post(
'/reservations/:id/status',
asyncHandler(async (req, res) => {
const { status } = req.body;
const allowed = ['active', 'fulfilled', 'cancelled', 'expired'];
if (!allowed.includes(status)) {
return res.redirect('/admin/reservations');
}
await query('UPDATE reservations SET status = $1 WHERE id = $2', [
status,
req.params.id,
]);
res.redirect('/admin/reservations');
})
);
module.exports = router;
src/routes/password-reset.js
+176
View File
@@ -0,0 +1,176 @@
const express = require('express');
const crypto = require('crypto');
const bcrypt = require('bcryptjs');
const { query } = require('../db');
const { getCart, cartCount } = require('../cart');
const { formatPrice } = require('../db');
const { requireCookieConsent } = require('../middleware/cookieConsent');
const { asyncHandler } = require('../utils/asyncHandler');
const { sendPasswordResetEmail, siteUrl } = require('../services/mail');
const router = express.Router();
const TOKEN_TTL_MS = 60 * 60 * 1000;
router.use((req, res, next) => {
res.locals.cartCount = cartCount(getCart(req));
res.locals.formatPrice = formatPrice;
next();
});
function hashToken(token) {
return crypto.createHash('sha256').update(token).digest('hex');
}
router.get('/forgot-password', requireCookieConsent, (req, res) => {
res.render('auth/forgot-password', {
title: 'Сброс пароля',
error: null,
success: null,
values: {},
});
});
router.post(
'/forgot-password',
requireCookieConsent,
asyncHandler(async (req, res) => {
const email = (req.body.email || '').trim().toLowerCase();
const values = { email };
const genericSuccess =
'Если аккаунт с таким email существует, мы отправили ссылку для сброса пароля.';
if (!email) {
return res.status(400).render('auth/forgot-password', {
title: 'Сброс пароля',
error: 'Укажите email',
success: null,
values,
});
}
const { rows } = await query('SELECT id, email FROM users WHERE email = $1', [email]);
if (rows[0]) {
const token = crypto.randomBytes(32).toString('hex');
const tokenHash = hashToken(token);
const expiresAt = new Date(Date.now() + TOKEN_TTL_MS);
await query(
`UPDATE password_reset_tokens SET used_at = NOW()
WHERE user_id = $1 AND used_at IS NULL`,
[rows[0].id]
);
await query(
`INSERT INTO password_reset_tokens (user_id, token_hash, expires_at)
VALUES ($1, $2, $3)`,
[rows[0].id, tokenHash, expiresAt]
);
const resetLink = `${siteUrl()}/reset-password?token=${token}`;
try {
await sendPasswordResetEmail(rows[0].email, resetLink);
} catch (err) {
console.error('Ошибка отправки email:', err.message);
return res.status(500).render('auth/forgot-password', {
title: 'Сброс пароля',
error: 'Не удалось отправить письмо. Проверьте настройки SMTP.',
success: null,
values,
});
}
}
res.render('auth/forgot-password', {
title: 'Сброс пароля',
error: null,
success: genericSuccess,
values: {},
});
})
);
router.get(
'/reset-password',
requireCookieConsent,
asyncHandler(async (req, res) => {
const token = req.query.token || '';
if (!token) {
return res.redirect('/forgot-password');
}
const valid = await findValidToken(token);
if (!valid) {
return res.render('auth/reset-password', {
title: 'Новый пароль',
error: 'Ссылка недействительна или устарела. Запросите сброс снова.',
token: null,
});
}
res.render('auth/reset-password', {
title: 'Новый пароль',
error: null,
token,
});
})
);
router.post(
'/reset-password',
requireCookieConsent,
asyncHandler(async (req, res) => {
const { token, password, password2 } = req.body;
if (!token) {
return res.redirect('/forgot-password');
}
if (!password || password.length < 6) {
return res.render('auth/reset-password', {
title: 'Новый пароль',
error: 'Пароль не менее 6 символов',
token,
});
}
if (password !== password2) {
return res.render('auth/reset-password', {
title: 'Новый пароль',
error: 'Пароли не совпадают',
token,
});
}
const row = await findValidToken(token);
if (!row) {
return res.render('auth/reset-password', {
title: 'Новый пароль',
error: 'Ссылка недействительна или устарела',
token: null,
});
}
const hash = bcrypt.hashSync(password, 10);
await query('UPDATE users SET password_hash = $1 WHERE id = $2', [hash, row.user_id]);
await query(
`UPDATE password_reset_tokens SET used_at = NOW() WHERE id = $1`,
[row.id]
);
res.render('auth/reset-password-done', { title: 'Пароль изменён' });
})
);
async function findValidToken(token) {
const tokenHash = hashToken(token);
const { rows } = await query(
`SELECT id, user_id FROM password_reset_tokens
WHERE token_hash = $1 AND used_at IS NULL AND expires_at > NOW()
ORDER BY created_at DESC LIMIT 1`,
[tokenHash]
);
return rows[0] || null;
}
module.exports = router;
src/routes/reservations.js
+95
View File
@@ -0,0 +1,95 @@
const express = require('express');
const { query, formatPrice } = require('../db');
const { getCart, cartCount } = require('../cart');
const { requireAuth } = require('../middleware/auth');
const { requireCookieConsent } = require('../middleware/cookieConsent');
const { asyncHandler } = require('../utils/asyncHandler');
const { sendReservationEmail } = require('../services/mail');
const router = express.Router();
router.use(requireCookieConsent);
router.use(requireAuth);
router.use((req, res, next) => {
res.locals.cartCount = cartCount(getCart(req));
res.locals.formatPrice = formatPrice;
next();
});
router.post(
'/',
asyncHandler(async (req, res) => {
const productId = parseInt(req.body.product_id, 10);
const quantity = Math.max(1, parseInt(req.body.quantity, 10) || 1);
const slug = req.body.slug || '';
const { rows: products } = await query(
'SELECT id, name, stock FROM products WHERE id = $1',
[productId]
);
const product = products[0];
if (!product) {
return res.redirect('/');
}
if (product.stock < quantity) {
return res.redirect(
`/product/${slug}?error=${encodeURIComponent('Недостаточно товара на складе')}`
);
}
const { rows: existing } = await query(
`SELECT id FROM reservations
WHERE user_id = $1 AND product_id = $2 AND status = 'active'`,
[req.session.userId, productId]
);
if (existing[0]) {
return res.redirect(
`/product/${slug}?error=${encodeURIComponent('У вас уже есть активная бронь этого товара')}`
);
}
const { rows: inserted } = await query(
`INSERT INTO reservations (user_id, product_id, quantity, status, expires_at)
VALUES ($1, $2, $3, 'active', NOW() + INTERVAL '48 hours')
RETURNING id, expires_at`,
[req.session.userId, productId, quantity]
);
const { rows: userRows } = await query('SELECT email FROM users WHERE id = $1', [
req.session.userId,
]);
try {
await sendReservationEmail(
userRows[0].email,
product.name,
quantity,
inserted[0].expires_at
);
} catch (err) {
console.error('Ошибка email бронирования:', err.message);
}
res.redirect(
`/product/${slug}?reserved=1`
);
})
);
router.post(
'/:id/cancel',
asyncHandler(async (req, res) => {
await query(
`UPDATE reservations SET status = 'cancelled'
WHERE id = $1 AND user_id = $2 AND status = 'active'`,
[req.params.id, req.session.userId]
);
res.redirect('/account?tab=reservations&success=' + encodeURIComponent('Бронь отменена'));
})
);
module.exports = router;
src/routes/shop.js
+20 -1
View File
@@ -77,7 +77,26 @@ router.get(
});
}
res.render('product', { title: product.name, product });
let userReservation = null;
if (req.session.userId) {
const { rows: resRows } = await query(
`SELECT id, quantity, expires_at FROM reservations
WHERE user_id = $1 AND product_id = $2 AND status = 'active'`,
[req.session.userId, product.id]
);
userReservation = resRows[0] || null;
}
const errorMsg = req.query.error ? decodeURIComponent(String(req.query.error)) : null;
const reserved = req.query.reserved === '1';
res.render('product', {
title: product.name,
product,
userReservation,
error: errorMsg,
reserved,
});
})
);
src/server.js
+4
View File
@@ -15,6 +15,8 @@ const authRoutes = require('./routes/auth');
const accountRoutes = require('./routes/account');
const adminRoutes = require('./routes/admin');
const cookiesRoutes = require('./routes/cookies');
const passwordResetRoutes = require('./routes/password-reset');
const reservationsRoutes = require('./routes/reservations');
const PORT = process.env.PORT || 3000;
const HOST = process.env.HOST || '0.0.0.0';
@@ -62,6 +64,8 @@ async function start() {
app.use(loadCookieConsent);
app.use(loadUser);
app.use('/cookies', cookiesRoutes);
app.use('/', passwordResetRoutes);
app.use('/reservations', reservationsRoutes);
app.use('/', shopRoutes);
app.use('/', authRoutes);
app.use('/account', accountRoutes);
src/services/mail.js
+77
View File
@@ -0,0 +1,77 @@
const nodemailer = require('nodemailer');
let transporter = null;
function isConfigured() {
return Boolean(process.env.SMTP_HOST && process.env.SMTP_FROM);
}
function getTransporter() {
if (!isConfigured()) return null;
if (!transporter) {
transporter = nodemailer.createTransport({
host: process.env.SMTP_HOST,
port: parseInt(process.env.SMTP_PORT || '587', 10),
secure: process.env.SMTP_SECURE === 'true',
auth:
process.env.SMTP_USER && process.env.SMTP_PASS
? { user: process.env.SMTP_USER, pass: process.env.SMTP_PASS }
: undefined,
});
}
return transporter;
}
function siteUrl() {
return (process.env.SITE_URL || 'http://localhost:3000').replace(/\/$/, '');
}
async function sendMail({ to, subject, text, html }) {
const from = process.env.SMTP_FROM || 'shop@localhost';
const payload = { from, to, subject, text, html: html || text };
const transport = getTransporter();
if (!transport) {
console.log('--- Email (SMTP не настроен) ---');
console.log('To:', to);
console.log('Subject:', subject);
console.log(text);
console.log('--------------------------------');
return { logged: true };
}
await transport.sendMail(payload);
return { sent: true };
}
async function sendPasswordResetEmail(to, resetLink) {
const subject = 'Сброс пароля — Shop';
const text = `Вы запросили сброс пароля.\n\nПерейдите по ссылке (действует 1 час):\n${resetLink}\n\nЕсли это были не вы, проигнорируйте письмо.`;
const html = `
<p>Вы запросили сброс пароля в магазине Shop.</p>
<p><a href="${resetLink}">Сбросить пароль</a></p>
<p>Ссылка действует <strong>1 час</strong>.</p>
<p style="color:#666">Если вы не запрашивали сброс, просто удалите это письмо.</p>
`;
return sendMail({ to, subject, text, html });
}
async function sendReservationEmail(to, productName, quantity, expiresAt) {
const subject = `Бронирование: ${productName}`;
const exp = new Date(expiresAt).toLocaleString('ru-RU');
const text = `Товар «${productName}» забронирован (${quantity} шт.) до ${exp}.\n\n${siteUrl()}/account?tab=reservations`;
const html = `
<p>Вы забронировали <strong>${productName}</strong> — ${quantity} шт.</p>
<p>Бронь активна до: <strong>${exp}</strong></p>
<p><a href="${siteUrl()}/account?tab=reservations">Мои бронирования</a></p>
`;
return sendMail({ to, subject, text, html });
}
module.exports = {
isConfigured,
sendMail,
sendPasswordResetEmail,
sendReservationEmail,
siteUrl,
};
src/services/reservations.js
+10
View File
@@ -0,0 +1,10 @@
const { query } = require('../db');
async function expireOldReservations() {
await query(
`UPDATE reservations SET status = 'expired'
WHERE status = 'active' AND expires_at < NOW()`
);
}
module.exports = { expireOldReservations };
src/views/account/index.ejs
+40
View File
@@ -10,6 +10,7 @@
<a href="/account?tab=profile" class="account-tabs__link <%= activeTab === 'profile' ? 'account-tabs__link--active' : '' %>">Профиль</a>
<a href="/account?tab=email" class="account-tabs__link <%= activeTab === 'email' ? 'account-tabs__link--active' : '' %>">Смена email</a>
<a href="/account?tab=password" class="account-tabs__link <%= activeTab === 'password' ? 'account-tabs__link--active' : '' %>">Смена пароля</a>
<a href="/account?tab=reservations" class="account-tabs__link <%= activeTab === 'reservations' ? 'account-tabs__link--active' : '' %>">Бронирования</a>
</nav>
<% if (activeTab === 'profile') { %>
@@ -62,6 +63,45 @@
</section>
<% } %>
<% if (activeTab === 'reservations') { %>
<section class="card account-section">
<h2>Мои бронирования</h2>
<% if (!reservations.length) { %>
<p class="muted">Активных броней нет.</p>
<% } else { %>
<table class="cart-table">
<thead>
<tr>
<th>Товар</th>
<th>Кол-во</th>
<th>Статус</th>
<th>До</th>
<th></th>
</tr>
</thead>
<tbody>
<% const resStatus = { active: 'Активна', fulfilled: 'Выполнена', cancelled: 'Отменена', expired: 'Истекла' }; %>
<% reservations.forEach(r => { %>
<tr>
<td><a href="/product/<%= r.product_slug %>"><%= r.product_name %></a></td>
<td><%= r.quantity %></td>
<td><span class="status status--<%= r.status === 'active' ? 'pending' : r.status %>"><%= resStatus[r.status] || r.status %></span></td>
<td><%= r.status === 'active' ? new Date(r.expires_at).toLocaleString('ru-RU') : '—' %></td>
<td>
<% if (r.status === 'active') { %>
<form action="/reservations/<%= r.id %>/cancel" method="post" class="inline-form">
<button type="submit" class="btn btn--ghost btn--sm">Отменить</button>
</form>
<% } %>
</td>
</tr>
<% }) %>
</tbody>
</table>
<% } %>
</section>
<% } %>
<% if (activeTab === 'password') { %>
<section class="card account-section account-section--narrow">
<h2>Смена пароля</h2>
src/views/admin/dashboard.ejs
+1
View File
@@ -7,6 +7,7 @@
<a href="/admin/orders" class="admin-nav__link">Заказы</a>
<a href="/admin/users" class="admin-nav__link">Пользователи</a>
<a href="/admin/products" class="admin-nav__link">Товары</a>
<a href="/admin/reservations" class="admin-nav__link">Бронирования</a>
<a href="/" class="admin-nav__link">В магазин</a>
</nav>
</div>
src/views/admin/orders.ejs
+1
View File
@@ -7,6 +7,7 @@
<a href="/admin/orders" class="admin-nav__link admin-nav__link--active">Заказы</a>
<a href="/admin/users" class="admin-nav__link">Пользователи</a>
<a href="/admin/products" class="admin-nav__link">Товары</a>
<a href="/admin/reservations" class="admin-nav__link">Бронирования</a>
<a href="/" class="admin-nav__link">В магазин</a>
</nav>
</div>
src/views/admin/products.ejs
+1
View File
@@ -7,6 +7,7 @@
<a href="/admin/orders" class="admin-nav__link">Заказы</a>
<a href="/admin/users" class="admin-nav__link">Пользователи</a>
<a href="/admin/products" class="admin-nav__link admin-nav__link--active">Товары</a>
<a href="/admin/reservations" class="admin-nav__link">Бронирования</a>
<a href="/" class="admin-nav__link">В магазин</a>
</nav>
</div>
src/views/admin/reservations.ejs
+53
View File
@@ -0,0 +1,53 @@
<%- include('../partials/layout-start') %>
<div class="admin-header">
<h1>Бронирования</h1>
<nav class="admin-nav">
<a href="/admin" class="admin-nav__link">Обзор</a>
<a href="/admin/orders" class="admin-nav__link">Заказы</a>
<a href="/admin/users" class="admin-nav__link">Пользователи</a>
<a href="/admin/products" class="admin-nav__link">Товары</a>
<a href="/admin/reservations" class="admin-nav__link admin-nav__link--active">Бронирования</a>
<a href="/" class="admin-nav__link">В магазин</a>
</nav>
</div>
<% const resStatus = { active: 'Активна', fulfilled: 'Выполнена', cancelled: 'Отменена', expired: 'Истекла' }; %>
<table class="cart-table">
<thead>
<tr>
<th>№</th>
<th>Клиент</th>
<th>Товар</th>
<th>Кол-во</th>
<th>Статус</th>
<th>До</th>
<th>Действие</th>
</tr>
</thead>
<tbody>
<% reservations.forEach(r => { %>
<tr>
<td>#<%= r.id %></td>
<td><%= r.user_name %><br><span class="muted"><%= r.user_email %></span></td>
<td><%= r.product_name %></td>
<td><%= r.quantity %></td>
<td><span class="status status--<%= r.status === 'active' ? 'pending' : r.status %>"><%= resStatus[r.status] || r.status %></span></td>
<td><%= r.status === 'active' ? new Date(r.expires_at).toLocaleString('ru-RU') : '—' %></td>
<td>
<form method="post" action="/admin/reservations/<%= r.id %>/status" class="admin-status-form">
<select name="status" class="input input--sm">
<% ['active','fulfilled','cancelled','expired'].forEach(s => { %>
<option value="<%= s %>" <%= r.status === s ? 'selected' : '' %>><%= resStatus[s] %></option>
<% }) %>
</select>
<button type="submit" class="btn btn--ghost btn--sm">OK</button>
</form>
</td>
</tr>
<% }) %>
</tbody>
</table>
<%- include('../partials/layout-end') %>
src/views/admin/users.ejs
+1
View File
@@ -7,6 +7,7 @@
<a href="/admin/orders" class="admin-nav__link">Заказы</a>
<a href="/admin/users" class="admin-nav__link admin-nav__link--active">Пользователи</a>
<a href="/admin/products" class="admin-nav__link">Товары</a>
<a href="/admin/reservations" class="admin-nav__link">Бронирования</a>
<a href="/" class="admin-nav__link">В магазин</a>
</nav>
</div>
src/views/auth/forgot-password.ejs
+18
View File
@@ -0,0 +1,18 @@
<%- include('../partials/layout-start') %>
<div class="auth">
<form action="/forgot-password" method="post" class="form card">
<h1>Сброс пароля</h1>
<% if (error) { %><p class="alert alert--error"><%= error %></p><% } %>
<% if (success) { %><p class="alert alert--success"><%= success %></p><% } %>
<p class="muted">Укажите email аккаунта — отправим ссылку для нового пароля.</p>
<label class="label">
Email
<input type="email" name="email" class="input" required value="<%= values.email || '' %>" autocomplete="email">
</label>
<button type="submit" class="btn btn--primary btn--block">Отправить ссылку</button>
<p class="form-footer"><a href="/login">← Вход</a></p>
</form>
</div>
<%- include('../partials/layout-end') %>
src/views/auth/reset-password-done.ejs
+11
View File
@@ -0,0 +1,11 @@
<%- include('../partials/layout-start') %>
<div class="auth">
<div class="card form">
<h1>Пароль изменён</h1>
<p class="alert alert--success">Теперь можно войти с новым паролем.</p>
<a href="/login" class="btn btn--primary btn--block">Войти</a>
</div>
</div>
<%- include('../partials/layout-end') %>
src/views/auth/reset-password.ejs
+28
View File
@@ -0,0 +1,28 @@
<%- include('../partials/layout-start') %>
<div class="auth">
<% if (token) { %>
<form action="/reset-password" method="post" class="form card">
<h1>Новый пароль</h1>
<% if (error) { %><p class="alert alert--error"><%= error %></p><% } %>
<input type="hidden" name="token" value="<%= token %>">
<label class="label">
Новый пароль
<input type="password" name="password" class="input" required minlength="6" autocomplete="new-password">
</label>
<label class="label">
Повторите пароль
<input type="password" name="password2" class="input" required minlength="6" autocomplete="new-password">
</label>
<button type="submit" class="btn btn--primary btn--block">Сохранить пароль</button>
</form>
<% } else { %>
<div class="card form">
<h1>Ссылка недействительна</h1>
<% if (error) { %><p class="alert alert--error"><%= error %></p><% } %>
<a href="/forgot-password" class="btn btn--primary">Запросить снова</a>
</div>
<% } %>
</div>
<%- include('../partials/layout-end') %>
src/views/login.ejs
+4 -1
View File
@@ -14,7 +14,10 @@
<input type="password" name="password" class="input" required>
</label>
<button type="submit" class="btn btn--primary btn--block">Войти</button>
<p class="form-footer">Нет аккаунта? <a href="/register">Регистрация</a></p>
<p class="form-footer">
<a href="/forgot-password">Забыли пароль?</a><br>
Нет аккаунта? <a href="/register">Регистрация</a>
</p>
</form>
</div>
src/views/product.ejs
+23
View File
@@ -17,6 +17,15 @@
<p class="product-detail__desc"><%= product.description %></p>
<p class="product-detail__stock">В наличии: <strong><%= product.stock %></strong> шт.</p>
<% if (error) { %><p class="alert alert--error"><%= error %></p><% } %>
<% if (reserved) { %><p class="alert alert--success">Товар успешно забронирован. Подробности на почте и в личном кабинете.</p><% } %>
<% if (userReservation) { %>
<p class="alert alert--success">
У вас активная бронь: <%= userReservation.quantity %> шт. до <%= new Date(userReservation.expires_at).toLocaleString('ru-RU') %>.
<a href="/account?tab=reservations">Мои бронирования</a>
</p>
<% } %>
<% if (product.stock > 0) { %>
<form action="/cart/add" method="post" class="product-detail__form">
<input type="hidden" name="product_id" value="<%= product.id %>">
@@ -27,6 +36,20 @@
<input type="hidden" name="redirect" value="/cart">
<button type="submit" class="btn btn--primary btn--lg">Добавить в корзину</button>
</form>
<% if (user && !userReservation) { %>
<form action="/reservations" method="post" class="product-detail__form">
<input type="hidden" name="product_id" value="<%= product.id %>">
<input type="hidden" name="slug" value="<%= product.slug %>">
<label class="label">
Бронь (48 ч)
<input type="number" name="quantity" value="1" min="1" max="<%= product.stock %>" class="input input--qty">
</label>
<button type="submit" class="btn btn--ghost btn--lg">Забронировать</button>
</form>
<% } else if (!user) { %>
<p class="muted">Для бронирования <a href="/login">войдите</a> в аккаунт.</p>
<% } %>
<% } else { %>
<p class="alert alert--warn">Нет в наличии</p>
<% } %>