feat: бронирование товаров и сброс пароля по email

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 11:38:52 +03:00
parent bda73e1662
commit ade031b0e7
22 changed files with 666 additions and 3 deletions
@@ -6,6 +6,7 @@ const { requireAuth } = require('../middleware/auth');
 const { requireCookieConsent } = require('../middleware/cookieConsent');
 const { ROLE_LABELS } = require('../constants/roles');
 const { asyncHandler } = require('../utils/asyncHandler');
+const { expireOldReservations } = require('../services/reservations');

 const router = express.Router();

@@ -35,12 +36,22 @@ async function verifyPassword(userId, password) {
 }

 function accountRender(res, options) {
-  const { user, orderCount, error, success, activeTab } = options;
+  const {
+    user,
+    orderCount,
+    reservations,
+    error,
+    success,
+    activeTab,
+    formatPrice,
+  } = options;
  res.render('account/index', {
    title: 'Личный кабинет',
    user,
    orderCount,
+    reservations: reservations || [],
    roleLabels: ROLE_LABELS,
+    formatPrice: formatPrice || res.locals.formatPrice,
    error: error || null,
    success: success || null,
    activeTab: activeTab || 'profile',
@@ -51,14 +62,27 @@ router.get(
  '/',
  requireAuth,
  asyncHandler(async (req, res) => {
+    await expireOldReservations();
    const user = await loadAccountUser(req.session.userId);
    const countResult = await query(
      'SELECT COUNT(*)::int AS n FROM orders WHERE user_id = $1',
      [user.id]
    );
+
+    const { rows: reservations } = await query(
+      `SELECT r.*, p.name AS product_name, p.slug AS product_slug, p.price_cents, p.image_url
+       FROM reservations r
+       JOIN products p ON p.id = r.product_id
+       WHERE r.user_id = $1
+       ORDER BY r.created_at DESC`,
+      [user.id]
+    );
+
    accountRender(res, {
      user,
      orderCount: countResult.rows[0].n,
+      reservations,
+      formatPrice,
      success: req.query.success ? decodeURIComponent(String(req.query.success)) : null,
      error: req.query.error ? decodeURIComponent(String(req.query.error)) : null,
      activeTab: req.query.tab || 'profile',
@@ -104,4 +104,42 @@ router.get(
  })
 );

+router.get(
+  '/reservations',
+  asyncHandler(async (req, res) => {
+    const { expireOldReservations } = require('../services/reservations');
+    await expireOldReservations();
+
+    const { rows: reservations } = await query(
+      `SELECT r.*, p.name AS product_name, u.email AS user_email, u.name AS user_name
+       FROM reservations r
+       JOIN products p ON p.id = r.product_id
+       JOIN users u ON u.id = r.user_id
+       ORDER BY r.created_at DESC`
+    );
+
+    res.render('admin/reservations', {
+      title: 'Бронирования',
+      reservations,
+      formatPrice,
+    });
+  })
+);
+
+router.post(
+  '/reservations/:id/status',
+  asyncHandler(async (req, res) => {
+    const { status } = req.body;
+    const allowed = ['active', 'fulfilled', 'cancelled', 'expired'];
+    if (!allowed.includes(status)) {
+      return res.redirect('/admin/reservations');
+    }
+    await query('UPDATE reservations SET status = $1 WHERE id = $2', [
+      status,
+      req.params.id,
+    ]);
+    res.redirect('/admin/reservations');
+  })
+);
+
 module.exports = router;
@@ -0,0 +1,176 @@
+const express = require('express');
+const crypto = require('crypto');
+const bcrypt = require('bcryptjs');
+const { query } = require('../db');
+const { getCart, cartCount } = require('../cart');
+const { formatPrice } = require('../db');
+const { requireCookieConsent } = require('../middleware/cookieConsent');
+const { asyncHandler } = require('../utils/asyncHandler');
+const { sendPasswordResetEmail, siteUrl } = require('../services/mail');
+
+const router = express.Router();
+const TOKEN_TTL_MS = 60 * 60 * 1000;
+
+router.use((req, res, next) => {
+  res.locals.cartCount = cartCount(getCart(req));
+  res.locals.formatPrice = formatPrice;
+  next();
+});
+
+function hashToken(token) {
+  return crypto.createHash('sha256').update(token).digest('hex');
+}
+
+router.get('/forgot-password', requireCookieConsent, (req, res) => {
+  res.render('auth/forgot-password', {
+    title: 'Сброс пароля',
+    error: null,
+    success: null,
+    values: {},
+  });
+});
+
+router.post(
+  '/forgot-password',
+  requireCookieConsent,
+  asyncHandler(async (req, res) => {
+    const email = (req.body.email || '').trim().toLowerCase();
+    const values = { email };
+    const genericSuccess =
+      'Если аккаунт с таким email существует, мы отправили ссылку для сброса пароля.';
+
+    if (!email) {
+      return res.status(400).render('auth/forgot-password', {
+        title: 'Сброс пароля',
+        error: 'Укажите email',
+        success: null,
+        values,
+      });
+    }
+
+    const { rows } = await query('SELECT id, email FROM users WHERE email = $1', [email]);
+
+    if (rows[0]) {
+      const token = crypto.randomBytes(32).toString('hex');
+      const tokenHash = hashToken(token);
+      const expiresAt = new Date(Date.now() + TOKEN_TTL_MS);
+
+      await query(
+        `UPDATE password_reset_tokens SET used_at = NOW()
+         WHERE user_id = $1 AND used_at IS NULL`,
+        [rows[0].id]
+      );
+
+      await query(
+        `INSERT INTO password_reset_tokens (user_id, token_hash, expires_at)
+         VALUES ($1, $2, $3)`,
+        [rows[0].id, tokenHash, expiresAt]
+      );
+
+      const resetLink = `${siteUrl()}/reset-password?token=${token}`;
+      try {
+        await sendPasswordResetEmail(rows[0].email, resetLink);
+      } catch (err) {
+        console.error('Ошибка отправки email:', err.message);
+        return res.status(500).render('auth/forgot-password', {
+          title: 'Сброс пароля',
+          error: 'Не удалось отправить письмо. Проверьте настройки SMTP.',
+          success: null,
+          values,
+        });
+      }
+    }
+
+    res.render('auth/forgot-password', {
+      title: 'Сброс пароля',
+      error: null,
+      success: genericSuccess,
+      values: {},
+    });
+  })
+);
+
+router.get(
+  '/reset-password',
+  requireCookieConsent,
+  asyncHandler(async (req, res) => {
+    const token = req.query.token || '';
+    if (!token) {
+      return res.redirect('/forgot-password');
+    }
+
+    const valid = await findValidToken(token);
+    if (!valid) {
+      return res.render('auth/reset-password', {
+        title: 'Новый пароль',
+        error: 'Ссылка недействительна или устарела. Запросите сброс снова.',
+        token: null,
+      });
+    }
+
+    res.render('auth/reset-password', {
+      title: 'Новый пароль',
+      error: null,
+      token,
+    });
+  })
+);
+
+router.post(
+  '/reset-password',
+  requireCookieConsent,
+  asyncHandler(async (req, res) => {
+    const { token, password, password2 } = req.body;
+
+    if (!token) {
+      return res.redirect('/forgot-password');
+    }
+
+    if (!password || password.length < 6) {
+      return res.render('auth/reset-password', {
+        title: 'Новый пароль',
+        error: 'Пароль не менее 6 символов',
+        token,
+      });
+    }
+
+    if (password !== password2) {
+      return res.render('auth/reset-password', {
+        title: 'Новый пароль',
+        error: 'Пароли не совпадают',
+        token,
+      });
+    }
+
+    const row = await findValidToken(token);
+    if (!row) {
+      return res.render('auth/reset-password', {
+        title: 'Новый пароль',
+        error: 'Ссылка недействительна или устарела',
+        token: null,
+      });
+    }
+
+    const hash = bcrypt.hashSync(password, 10);
+    await query('UPDATE users SET password_hash = $1 WHERE id = $2', [hash, row.user_id]);
+    await query(
+      `UPDATE password_reset_tokens SET used_at = NOW() WHERE id = $1`,
+      [row.id]
+    );
+
+    res.render('auth/reset-password-done', { title: 'Пароль изменён' });
+  })
+);
+
+async function findValidToken(token) {
+  const tokenHash = hashToken(token);
+  const { rows } = await query(
+    `SELECT id, user_id FROM password_reset_tokens
+     WHERE token_hash = $1 AND used_at IS NULL AND expires_at > NOW()
+     ORDER BY created_at DESC LIMIT 1`,
+    [tokenHash]
+  );
+  return rows[0] || null;
+}
+
+module.exports = router;
@@ -0,0 +1,95 @@
+const express = require('express');
+const { query, formatPrice } = require('../db');
+const { getCart, cartCount } = require('../cart');
+const { requireAuth } = require('../middleware/auth');
+const { requireCookieConsent } = require('../middleware/cookieConsent');
+const { asyncHandler } = require('../utils/asyncHandler');
+const { sendReservationEmail } = require('../services/mail');
+
+const router = express.Router();
+
+router.use(requireCookieConsent);
+router.use(requireAuth);
+
+router.use((req, res, next) => {
+  res.locals.cartCount = cartCount(getCart(req));
+  res.locals.formatPrice = formatPrice;
+  next();
+});
+
+router.post(
+  '/',
+  asyncHandler(async (req, res) => {
+    const productId = parseInt(req.body.product_id, 10);
+    const quantity = Math.max(1, parseInt(req.body.quantity, 10) || 1);
+    const slug = req.body.slug || '';
+
+    const { rows: products } = await query(
+      'SELECT id, name, stock FROM products WHERE id = $1',
+      [productId]
+    );
+    const product = products[0];
+
+    if (!product) {
+      return res.redirect('/');
+    }
+
+    if (product.stock < quantity) {
+      return res.redirect(
+        `/product/${slug}?error=${encodeURIComponent('Недостаточно товара на складе')}`
+      );
+    }
+
+    const { rows: existing } = await query(
+      `SELECT id FROM reservations
+       WHERE user_id = $1 AND product_id = $2 AND status = 'active'`,
+      [req.session.userId, productId]
+    );
+
+    if (existing[0]) {
+      return res.redirect(
+        `/product/${slug}?error=${encodeURIComponent('У вас уже есть активная бронь этого товара')}`
+      );
+    }
+
+    const { rows: inserted } = await query(
+      `INSERT INTO reservations (user_id, product_id, quantity, status, expires_at)
+       VALUES ($1, $2, $3, 'active', NOW() + INTERVAL '48 hours')
+       RETURNING id, expires_at`,
+      [req.session.userId, productId, quantity]
+    );
+
+    const { rows: userRows } = await query('SELECT email FROM users WHERE id = $1', [
+      req.session.userId,
+    ]);
+
+    try {
+      await sendReservationEmail(
+        userRows[0].email,
+        product.name,
+        quantity,
+        inserted[0].expires_at
+      );
+    } catch (err) {
+      console.error('Ошибка email бронирования:', err.message);
+    }
+
+    res.redirect(
+      `/product/${slug}?reserved=1`
+    );
+  })
+);
+
+router.post(
+  '/:id/cancel',
+  asyncHandler(async (req, res) => {
+    await query(
+      `UPDATE reservations SET status = 'cancelled'
+       WHERE id = $1 AND user_id = $2 AND status = 'active'`,
+      [req.params.id, req.session.userId]
+    );
+    res.redirect('/account?tab=reservations&success=' + encodeURIComponent('Бронь отменена'));
+  })
+);
+
+module.exports = router;
@@ -77,7 +77,26 @@ router.get(
      });
    }

-    res.render('product', { title: product.name, product });
+    let userReservation = null;
+    if (req.session.userId) {
+      const { rows: resRows } = await query(
+        `SELECT id, quantity, expires_at FROM reservations
+         WHERE user_id = $1 AND product_id = $2 AND status = 'active'`,
+        [req.session.userId, product.id]
+      );
+      userReservation = resRows[0] || null;
+    }
+
+    const errorMsg = req.query.error ? decodeURIComponent(String(req.query.error)) : null;
+    const reserved = req.query.reserved === '1';
+
+    res.render('product', {
+      title: product.name,
+      product,
+      userReservation,
+      error: errorMsg,
+      reserved,
+    });
  })
 );