calvana

quikcue/calvana

Fork 0

Commit Graph

Author	SHA1	Message	Date
Omair Saleh	3b46222118	Stripe integration: charity connects their own Stripe account Model: PNPL never touches the money. Each charity connects their own Stripe account by pasting their API key in Settings. When a donor chooses card payment, they're redirected to Stripe Checkout. The money lands in the charity's Stripe balance. ## Schema - Organization.stripeSecretKey (new column) - Organization.stripeWebhookSecret (new column) ## New/rewritten files - src/lib/stripe.ts — getStripeForOrg(secretKey), per-org client - src/app/api/stripe/checkout/route.ts — uses org's key, not env var - src/app/api/stripe/webhook/route.ts — tries all org webhook secrets - src/app/p/[token]/steps/card-payment-step.tsx — redirect to Stripe Checkout (no fake card form — Stripe handles PCI) ## Settings page - New 'Card payments' section between Bank and Charity - Instructions: how to get your Stripe API key - Webhook setup in collapsed <details> (optional, for auto-confirm) - 'Card payments live' green banner when connected - Readiness bar shows Stripe status (5 columns now) ## Pledge flow - PaymentStep shows card option ONLY if org has Stripe configured - hasStripe flag passed from /api/qr/[token] → PaymentStep - Secret key never exposed to frontend (only boolean hasStripe) ## How it works 1. Charity pastes sk_live_... in Settings → Save 2. Donor opens pledge link → sees 'Bank Transfer', 'Direct Debit', 'Card' 3. Donor picks card → enters name + email → redirects to Stripe Checkout 4. Stripe processes payment → money in charity's Stripe balance 5. (Optional) Webhook auto-confirms pledge as paid Payment options: - Bank Transfer: zero fees (default, always available) - Direct Debit via GoCardless: 1% + 20p (if org configured) - Card via Stripe: standard Stripe fees (if org configured)	2026-03-04 22:46:08 +08:00
Omair Saleh	b477dc30d1	Role-based access control: guards on all critical APIs + redirects INTEGRATION AUDIT — Fixed all gaps: 1. LOGIN REDIRECT - Community leaders → /dashboard/community (not /dashboard) - Fetches session after login to check role before redirect - Auth0 callback still goes to /dashboard (handled by #2) 2. DASHBOARD HOME REDIRECT - If role === community_leader or volunteer → router.replace(/community) - Prevents them from seeing the admin home page 3. API ROLE GUARDS (server-side) New: src/lib/roles.ts — permission matrix: - settings.write: super_admin, org_admin only - pledges.write: super_admin, org_admin only (status changes) - events.create: super_admin, org_admin only - imports.upload: super_admin, org_admin only (bank statements) - links.create: super_admin, org_admin, community_leader (they can create) - pledges.read: everyone except volunteer - dashboard.read: everyone except volunteer New: requirePermission() in session.ts Applied to: - PATCH /api/settings → settings.write - PUT /api/settings → settings.write - PATCH /api/pledges/[id] → pledges.write - POST /api/events → events.create - POST /api/imports/bank-statement → imports.upload Community leader attempting these gets 403 'Admin access required' 4. LAYOUT NAV (already done in previous commit) - community_leader sees: My Community, Share Links, Reports - No Money, No Settings, No 'New Appeal' button WHAT COMMUNITY LEADER CAN DO: ✓ View /dashboard/community (their scoped dashboard) ✓ View /dashboard/collect (share links — they can create new links) ✓ View /dashboard/reports (financial summary) ✓ Create QR sources / links (POST /api/events/[id]/qr) ✓ Read pledges and dashboard data WHAT COMMUNITY LEADER CANNOT DO: ✗ Change pledge statuses (PATCH /api/pledges/[id] → 403) ✗ Change settings (PATCH/PUT /api/settings → 403) ✗ Create appeals (POST /api/events → 403) ✗ Upload bank statements (POST /api/imports/bank-statement → 403) ✗ Manage team (POST/PATCH/DELETE /api/team → 403, already guarded) ✗ See /dashboard/money, /dashboard/settings (not in nav, home redirects)	2026-03-04 21:58:25 +08:00
Omair Saleh	9c7990e05c	Reconciliation embedded in Money — no more separate page The reconcile feature was hidden behind a text link at the bottom of the Money page. That's backwards. Reconciliation IS the Money page. Aaisha's actual thought process: 1. People pledged 2. Some say they paid 3. 'Did the money actually arrive?' → opens bank website, downloads CSV 4. 'Let me match it' → THIS SHOULD BE RIGHT HERE, not behind a link 5. '8 out of 10 matched' → pledges auto-move to 'received' Changes: - Full bank statement upload area is NOW embedded directly in /dashboard/money With icon, description, drop zone — always visible, not a link - When CSV is selected: file name + detected bank format shown inline Column mapping is collapsed by default (auto-detected) but expandable - 'Match payments' button is blue, full-width, prominent - Results appear INLINE below the upload area: - Summary stats (gap-px grid): rows, incoming, matched, possible, auto-confirmed - Green success banner when pledges are auto-confirmed - Full match results table with confidence icons - 'Upload another' button to reset - After matching: dashboard data auto-refreshes to show updated pledge statuses - 'Said they paid' section now says 'Upload a bank statement above to confirm' instead of linking to a separate page - /dashboard/reconcile now redirects to /dashboard/money (backward compat) - Contextual sections (confirm/nudge) hide when match results are showing to avoid visual clutter Architecture is now: Stats → MATCH PAYMENTS → Confirm these → Need a nudge → All pledges table Not: Stats → table → small link at bottom → navigate away → separate page	2026-03-04 21:35:23 +08:00

Author

SHA1

Message

Date

Omair Saleh

3b46222118

Stripe integration: charity connects their own Stripe account

Model: PNPL never touches the money. Each charity connects their own
Stripe account by pasting their API key in Settings. When a donor
chooses card payment, they're redirected to Stripe Checkout. The money
lands in the charity's Stripe balance.

## Schema
- Organization.stripeSecretKey (new column)
- Organization.stripeWebhookSecret (new column)

## New/rewritten files
- src/lib/stripe.ts — getStripeForOrg(secretKey), per-org client
- src/app/api/stripe/checkout/route.ts — uses org's key, not env var
- src/app/api/stripe/webhook/route.ts — tries all org webhook secrets
- src/app/p/[token]/steps/card-payment-step.tsx — redirect to Stripe
  Checkout (no fake card form — Stripe handles PCI)

## Settings page
- New 'Card payments' section between Bank and Charity
- Instructions: how to get your Stripe API key
- Webhook setup in collapsed <details> (optional, for auto-confirm)
- 'Card payments live' green banner when connected
- Readiness bar shows Stripe status (5 columns now)

## Pledge flow
- PaymentStep shows card option ONLY if org has Stripe configured
- hasStripe flag passed from /api/qr/[token] → PaymentStep
- Secret key never exposed to frontend (only boolean hasStripe)

## How it works
1. Charity pastes sk_live_... in Settings → Save
2. Donor opens pledge link → sees 'Bank Transfer', 'Direct Debit', 'Card'
3. Donor picks card → enters name + email → redirects to Stripe Checkout
4. Stripe processes payment → money in charity's Stripe balance
5. (Optional) Webhook auto-confirms pledge as paid

Payment options:
- Bank Transfer: zero fees (default, always available)
- Direct Debit via GoCardless: 1% + 20p (if org configured)
- Card via Stripe: standard Stripe fees (if org configured)

2026-03-04 22:46:08 +08:00

Omair Saleh

b477dc30d1

Role-based access control: guards on all critical APIs + redirects

INTEGRATION AUDIT — Fixed all gaps:

1. LOGIN REDIRECT
   - Community leaders → /dashboard/community (not /dashboard)
   - Fetches session after login to check role before redirect
   - Auth0 callback still goes to /dashboard (handled by #2)

2. DASHBOARD HOME REDIRECT
   - If role === community_leader or volunteer → router.replace(/community)
   - Prevents them from seeing the admin home page

3. API ROLE GUARDS (server-side)
   New: src/lib/roles.ts — permission matrix:
   - settings.write: super_admin, org_admin only
   - pledges.write: super_admin, org_admin only (status changes)
   - events.create: super_admin, org_admin only
   - imports.upload: super_admin, org_admin only (bank statements)
   - links.create: super_admin, org_admin, community_leader (they can create)
   - pledges.read: everyone except volunteer
   - dashboard.read: everyone except volunteer

   New: requirePermission() in session.ts
   Applied to:
   - PATCH /api/settings → settings.write
   - PUT /api/settings → settings.write
   - PATCH /api/pledges/[id] → pledges.write
   - POST /api/events → events.create
   - POST /api/imports/bank-statement → imports.upload

   Community leader attempting these gets 403 'Admin access required'

4. LAYOUT NAV (already done in previous commit)
   - community_leader sees: My Community, Share Links, Reports
   - No Money, No Settings, No 'New Appeal' button

WHAT COMMUNITY LEADER CAN DO:
✓ View /dashboard/community (their scoped dashboard)
✓ View /dashboard/collect (share links — they can create new links)
✓ View /dashboard/reports (financial summary)
✓ Create QR sources / links (POST /api/events/[id]/qr)
✓ Read pledges and dashboard data

WHAT COMMUNITY LEADER CANNOT DO:
✗ Change pledge statuses (PATCH /api/pledges/[id] → 403)
✗ Change settings (PATCH/PUT /api/settings → 403)
✗ Create appeals (POST /api/events → 403)
✗ Upload bank statements (POST /api/imports/bank-statement → 403)
✗ Manage team (POST/PATCH/DELETE /api/team → 403, already guarded)
✗ See /dashboard/money, /dashboard/settings (not in nav, home redirects)

2026-03-04 21:58:25 +08:00

Omair Saleh

9c7990e05c

Reconciliation embedded in Money — no more separate page

The reconcile feature was hidden behind a text link at the bottom of
the Money page. That's backwards. Reconciliation IS the Money page.

Aaisha's actual thought process:
1. People pledged
2. Some say they paid
3. 'Did the money actually arrive?' → opens bank website, downloads CSV
4. 'Let me match it' → THIS SHOULD BE RIGHT HERE, not behind a link
5. '8 out of 10 matched' → pledges auto-move to 'received'

Changes:
- Full bank statement upload area is NOW embedded directly in /dashboard/money
  With icon, description, drop zone — always visible, not a link
- When CSV is selected: file name + detected bank format shown inline
  Column mapping is collapsed by default (auto-detected) but expandable
- 'Match payments' button is blue, full-width, prominent
- Results appear INLINE below the upload area:
  - Summary stats (gap-px grid): rows, incoming, matched, possible, auto-confirmed
  - Green success banner when pledges are auto-confirmed
  - Full match results table with confidence icons
  - 'Upload another' button to reset
- After matching: dashboard data auto-refreshes to show updated pledge statuses
- 'Said they paid' section now says 'Upload a bank statement above to confirm'
  instead of linking to a separate page
- /dashboard/reconcile now redirects to /dashboard/money (backward compat)
- Contextual sections (confirm/nudge) hide when match results are showing
  to avoid visual clutter

Architecture is now:
Stats → MATCH PAYMENTS → Confirm these → Need a nudge → All pledges table

Not: Stats → table → small link at bottom → navigate away → separate page

2026-03-04 21:35:23 +08:00

3 Commits