Webhook support #2

Open
ChrisChrome wants to merge 2 commits from dev into main
6 changed files with 351 additions and 23 deletions
Showing only changes of commit ba84e78d61 - Show all commits

147
lib/roblox.js Normal file
View file

@ -0,0 +1,147 @@
// Thin wrapper around Roblox's public Users API for resolving usernames <-> user ids. These
// endpoints require no authentication, so we just use the runtime's built-in fetch() - same
// pattern as lib/webhooks.js and the group-role lookup in routes/api/v1/ingame.js - rather than
// pulling in the heavier noblox.js package (which is mainly aimed at cookie-authenticated game
// automation, not simple id/username lookups).
//
// All lookups are cached in-memory (including negative/not-found results) for CACHE_TTL_MS, both
// to keep the dashboard snappy when the same ids show up repeatedly (ACL entries, access group
// members, scan logs) and to avoid tripping Roblox's rate limits.
const USERNAME_TO_ID_URL = 'https://users.roblox.com/v1/usernames/users';
const IDS_TO_USERS_URL = 'https://users.roblox.com/v1/users';
const singleUserUrl = (id) => `https://users.roblox.com/v1/users/${id}`;
const CACHE_TTL_MS = 10 * 60 * 1000; // 10 minutes
const byId = new Map(); // id (string) -> { value: {id,name,displayName} | null, expires }
const byUsername = new Map(); // lowercased username -> same shape
function getCached(map, key) {
const entry = map.get(key);
if (!entry) return undefined;
if (Date.now() > entry.expires) {
map.delete(key);
return undefined;
}
return entry.value;
}
function setCached(map, key, value) {
map.set(key, { value, expires: Date.now() + CACHE_TTL_MS });
}
// Caches a resolved user under both its id and username, so a lookup by either later hits cache.
function cacheUser(user) {
setCached(byId, String(user.id), user);
setCached(byUsername, user.name.toLowerCase(), user);
}
// Splits an array into chunks of at most `size` items (Roblox's bulk endpoints are happy with
// large batches, but we chunk defensively so one call can't grow unbounded).
function chunk(arr, size) {
const out = [];
for (let i = 0; i < arr.length; i += size) out.push(arr.slice(i, i + size));
return out;
}
// Looks up a single Roblox user by username. Returns { id, name, displayName } or null if no such
// user exists (or the lookup failed). Both hits and misses are cached.
async function getUserByUsername(username) {
const key = String(username || '').trim().toLowerCase();
if (!key) return null;
const cached = getCached(byUsername, key);
if (cached !== undefined) return cached;
try {
const res = await fetch(USERNAME_TO_ID_URL, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ usernames: [username], excludeBannedUsers: false })
});
if (!res.ok) throw new Error(`Roblox responded with ${res.status}`);
const body = await res.json();
const match = (body.data || [])[0];
const value = match ? { id: match.id, name: match.name, displayName: match.displayName } : null;
setCached(byUsername, key, value);
if (value) setCached(byId, String(value.id), value);
return value;
} catch (err) {
console.error('Roblox username lookup failed:', err.message);
return null;
}
}
// Looks up a single Roblox user by id. Returns { id, name, displayName } or null.
async function getUserById(userId) {
const key = String(userId || '').trim();
if (!key || Number.isNaN(Number(key))) return null;
const cached = getCached(byId, key);
if (cached !== undefined) return cached;
try {
const res = await fetch(singleUserUrl(key));
if (res.status === 404) {
setCached(byId, key, null);
return null;
}
if (!res.ok) throw new Error(`Roblox responded with ${res.status}`);
const body = await res.json();
const value = { id: body.id, name: body.name, displayName: body.displayName };
cacheUser(value);
return value;
} catch (err) {
console.error('Roblox user id lookup failed:', err.message);
return null;
}
}
// Batch-resolves multiple Roblox user ids to usernames at once (e.g. for a whole page of ACL
// entries or scan logs), to avoid one request per row. Returns a plain object mapping id (string)
// -> { id, name, displayName }; ids that don't resolve are simply omitted from the result.
async function getUsersByIds(userIds) {
const ids = [...new Set((userIds || []).map(id => String(id).trim()).filter(id => id && !Number.isNaN(Number(id))))];
const result = {};
const uncached = [];
for (const id of ids) {
const cached = getCached(byId, id);
if (cached !== undefined) {
if (cached) result[id] = cached;
} else {
uncached.push(id);
}
}
for (const batch of chunk(uncached, 100)) {
try {
const res = await fetch(IDS_TO_USERS_URL, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ userIds: batch.map(Number), excludeBannedUsers: false })
});
if (!res.ok) throw new Error(`Roblox responded with ${res.status}`);
const body = await res.json();
const found = new Set();
for (const user of body.data || []) {
const value = { id: user.id, name: user.name, displayName: user.displayName };
cacheUser(value);
result[String(user.id)] = value;
found.add(String(user.id));
}
// Cache misses too, so we don't keep re-requesting ids that don't exist.
for (const id of batch) {
if (!found.has(id)) setCached(byId, id, null);
}
} catch (err) {
console.error('Roblox batch user lookup failed:', err.message);
}
}
return result;
}
module.exports = { getUserByUsername, getUserById, getUsersByIds };

View file

@ -434,6 +434,40 @@ button.danger {
font-size: 14px;
}
.input-with-button {
display: flex;
gap: 8px;
}
.input-with-button input {
flex: 1;
margin-bottom: 0;
}
.input-with-button button {
white-space: nowrap;
}
.field-hint {
display: block;
font-size: 12px;
margin: -12px 0 12px;
color: var(--muted);
}
.field-hint.success {
color: var(--success);
}
.field-hint.error {
color: var(--danger);
}
.roblox-username {
color: var(--muted);
font-size: 12px;
}
.hidden {
display: none !important;
}

View file

@ -206,7 +206,11 @@
</div>
<div class="field-group" id="acl-data-group">
<label for="acl-data">User ID</label>
<div class="input-with-button">
<input type="text" id="acl-data">
<button type="button" class="secondary" id="acl-data-lookup-btn">Look up username</button>
</div>
<span class="field-hint hidden" id="acl-data-hint"></span>
</div>
<div class="field-group hidden" id="acl-group-id-group">
<label for="acl-group-id">Group ID</label>
@ -269,7 +273,11 @@
</div>
<div class="field-group" id="group-member-data-group">
<label for="group-member-data">User ID</label>
<div class="input-with-button">
<input type="text" id="group-member-data">
<button type="button" class="secondary" id="group-member-data-lookup-btn">Look up username</button>
</div>
<span class="field-hint hidden" id="group-member-data-hint"></span>
</div>
<div class="field-group hidden" id="group-member-group-id-group">
<label for="group-member-group-id">Group ID</label>

View file

@ -500,6 +500,92 @@ function escapeHtml(str) {
return div.innerHTML;
}
// --- Roblox username <-> user id helpers ---
// A small in-memory cache so switching between modals/readers doesn't re-request the same ids
// over and over; the server itself also caches, but this avoids the round-trip entirely.
const robloxUserCache = new Map(); // id (string) -> { id, name, displayName } | null
// Looks up a Roblox username and returns its user id as a string, or null if not found/blank.
// Also caches the resolved user so any username shown right after doesn't need a second request.
async function lookupRobloxUsername(username) {
const trimmed = (username || '').trim();
if (!trimmed) return null;
const result = await api(`/dashboard/roblox/lookup?username=${encodeURIComponent(trimmed)}`);
if (!result.success) return null;
robloxUserCache.set(String(result.user.id), result.user);
return String(result.user.id);
}
// Batch-resolves Roblox user ids to usernames, filling robloxUserCache as it goes, then returns
// the cache so callers can look up whichever ids they need. Ids already cached are skipped.
async function resolveRobloxUsernames(userIds) {
const ids = [...new Set((userIds || []).map(String).filter(id => id && /^\d+$/.test(id)))];
const missing = ids.filter(id => !robloxUserCache.has(id));
if (missing.length > 0) {
const result = await api(`/dashboard/roblox/users?ids=${missing.map(encodeURIComponent).join(',')}`);
if (result.success) {
missing.forEach((id) => {
robloxUserCache.set(id, result.users[id] || null);
});
}
}
return robloxUserCache;
}
// Renders a Roblox user id alongside its cached username (if any), e.g. "123456 (builderman)".
function formatRobloxUserId(userId) {
if (!userId) return escapeHtml(userId || 'unknown');
const user = robloxUserCache.get(String(userId));
if (user) {
return `${escapeHtml(userId)} <span class="roblox-username">(${escapeHtml(user.name)})</span>`;
}
return escapeHtml(userId);
}
// Wires up a "Look up username" button next to a User ID input: on click, prompts for a username,
// resolves it via the Roblox API, fills the input with the id, and shows a status hint.
function setupUsernameLookupButton(buttonId, inputId, hintId) {
const button = document.getElementById(buttonId);
const input = document.getElementById(inputId);
const hint = document.getElementById(hintId);
if (!button || !input) return;
button.addEventListener('click', async () => {
const username = prompt('Enter a Roblox username to look up its user id:');
if (username === null) return;
if (!username.trim()) return;
const originalLabel = button.textContent;
button.textContent = 'Looking up...';
button.disabled = true;
hint.classList.add('hidden');
try {
const userId = await lookupRobloxUsername(username);
if (userId) {
input.value = userId;
const user = robloxUserCache.get(userId);
hint.textContent = `Found: ${user.name} (id ${userId})`;
hint.className = 'field-hint success';
} else {
hint.textContent = `No Roblox user found with username "${username.trim()}"`;
hint.className = 'field-hint error';
}
hint.classList.remove('hidden');
} finally {
button.textContent = originalLabel;
button.disabled = false;
}
});
}
setupUsernameLookupButton('acl-data-lookup-btn', 'acl-data', 'acl-data-hint');
setupUsernameLookupButton('group-member-data-lookup-btn', 'group-member-data', 'group-member-data-hint');
async function saveReader(readerId, card) {
const enabled = card.querySelector('[data-field="enabled"]').checked;
const armState = card.querySelector('[data-field="armState"]').checked ? 1 : 0;
@ -807,25 +893,25 @@ const ACL_TYPE_LABELS = {
function aclEntryDescription(entry) {
switch (entry.type) {
case 0:
return `User ID: ${entry.data}`;
return `User ID: ${formatRobloxUserId(entry.data)}`;
case 1:
return `Card number: ${entry.data}`;
return `Card number: ${escapeHtml(entry.data)}`;
case 2: {
const [group, rank] = entry.data.split(':');
return `Group ${group}, exact rank ${rank}`;
return `Group ${escapeHtml(group)}, exact rank ${escapeHtml(rank)}`;
}
case 3: {
const [group, rank] = entry.data.split(':');
return `Group ${group}, rank ${rank}+`;
return `Group ${escapeHtml(group)}, rank ${escapeHtml(rank)}+`;
}
case 4:
return 'Everyone';
case 5: {
const group = accessGroups.find(g => String(g.id) === String(entry.data));
return `Access group: ${group ? group.name : entry.data}`;
return `Access group: ${escapeHtml(group ? group.name : entry.data)}`;
}
default:
return entry.data;
return escapeHtml(entry.data);
}
}
@ -882,6 +968,7 @@ async function openAclModal(readerId, readerName) {
document.getElementById('acl-modal').classList.remove('hidden');
document.getElementById('add-acl-form').reset();
document.getElementById('add-acl-form').classList.toggle('hidden', !currentPlaceCanEdit);
document.getElementById('acl-data-hint').classList.add('hidden');
updateAclFormFields();
await loadAcl();
}
@ -894,7 +981,9 @@ function closeAclModal() {
async function loadAcl() {
if (!currentAclReaderId) return;
const data = await api(`/dashboard/places/${encodeURIComponent(currentPlaceId)}/access-points/${encodeURIComponent(currentAclReaderId)}/acl`);
renderAclList(data.acl || []);
const entries = data.acl || [];
await resolveRobloxUsernames(entries.filter(e => e.type === 0).map(e => e.data));
renderAclList(entries);
}
function renderAclList(entries) {
@ -913,7 +1002,7 @@ function renderAclList(entries) {
li.className = 'acl-entry';
li.innerHTML = `
<span class="badge type-badge">${escapeHtml(ACL_TYPE_LABELS[entry.type] || 'Unknown')}</span>
<span class="acl-description">${escapeHtml(aclEntryDescription(entry))}</span>
<span class="acl-description">${aclEntryDescription(entry)}</span>
${currentPlaceCanEdit ? '<button class="danger acl-delete-btn">Remove</button>' : ''}
`;
if (currentPlaceCanEdit) {
@ -1080,6 +1169,7 @@ async function openGroupModal(groupId, groupName) {
document.getElementById('group-modal').classList.remove('hidden');
document.getElementById('add-group-member-form').reset();
document.getElementById('add-group-member-form').classList.toggle('hidden', !currentPlaceCanEdit);
document.getElementById('group-member-data-hint').classList.add('hidden');
updateGroupMemberFormFields();
await loadGroupMembers();
}
@ -1092,7 +1182,9 @@ function closeGroupModal() {
async function loadGroupMembers() {
if (!currentGroupId) return;
const data = await api(`/dashboard/places/${encodeURIComponent(currentPlaceId)}/access-groups/${encodeURIComponent(currentGroupId)}/members`);
renderGroupMembersList(data.members || []);
const members = data.members || [];
await resolveRobloxUsernames(members.filter(m => m.type === 0).map(m => m.data));
renderGroupMembersList(members);
}
function renderGroupMembersList(members) {
@ -1111,7 +1203,7 @@ function renderGroupMembersList(members) {
li.className = 'acl-entry';
li.innerHTML = `
<span class="badge type-badge">${escapeHtml(ACL_TYPE_LABELS[member.type] || 'Unknown')}</span>
<span class="acl-description">${escapeHtml(aclEntryDescription(member))}</span>
<span class="acl-description">${aclEntryDescription(member)}</span>
${currentPlaceCanEdit ? '<button class="danger group-member-delete-btn">Remove</button>' : ''}
`;
if (currentPlaceCanEdit) {
@ -1188,7 +1280,9 @@ function closeLogsModal() {
async function loadLogs() {
if (!currentLogsReaderId) return;
const data = await api(`/dashboard/places/${encodeURIComponent(currentPlaceId)}/access-points/${encodeURIComponent(currentLogsReaderId)}/logs`);
renderLogsList(data.logs || []);
const logs = data.logs || [];
await resolveRobloxUsernames(logs.map(l => l.userId));
renderLogsList(logs);
}
function renderLogsList(logs) {
@ -1207,9 +1301,10 @@ function renderLogsList(logs) {
li.className = 'acl-entry';
const granted = !!log.granted;
const cards = log.cardNumbers ? `, cards: ${escapeHtml(log.cardNumbers)}` : '';
const user = log.userId ? formatRobloxUserId(log.userId) : 'unknown';
li.innerHTML = `
<span class="badge type-badge" style="background:${granted ? 'var(--success)' : 'var(--danger)'};">${granted ? 'Granted' : 'Denied'}</span>
<span class="acl-description">${escapeHtml(log.scannedAt)} user: ${escapeHtml(log.userId || 'unknown')}${cards}</span>
<span class="acl-description">${escapeHtml(log.scannedAt)} user: ${user}${cards}</span>
`;
list.appendChild(li);
});

View file

@ -2,12 +2,21 @@ let db;
const express = require('express');
const router = express.Router();
const { sendPlaceWebhook } = require('../../../lib/webhooks');
const { getUserById } = require('../../../lib/roblox');
module.exports = (dbInit) => {
db = dbInit;
return router;
};
// Formats a Roblox user id for display in a Discord embed field, appending the username if it can
// be resolved (e.g. "123456 (builderman)"). Falls back to just the id if the lookup fails/is unset.
async function formatUserIdForWebhook(userId) {
if (!userId) return 'unknown';
const user = await getUserById(userId);
return user ? `${userId} (${user.name})` : String(userId);
}
router.get('/', (req, res) => {
res.json({ success: true, message: "Welcome to the NOTXCS API!" });
@ -140,12 +149,14 @@ router.get('/:placeId/:accessPointId/onScan', async (req, res) => {
if (err) console.error('Failed to record scan log:', err.message);
}
);
formatUserIdForWebhook(userId).then((userLabel) => {
sendPlaceWebhook(place, 'access_denied', {
Reader: ap.name,
'User ID': userId || 'unknown',
'User ID': userLabel,
'Card(s)': cardNumbers.join(', ') || undefined,
Reason: globalLockdownActive ? 'Site-wide lockdown active' : 'Place lockdown active'
});
});
return res.json({
success: true,
grant_type: 'user_scan',
@ -232,11 +243,13 @@ router.get('/:placeId/:accessPointId/onScan', async (req, res) => {
if (err) console.error('Failed to record scan log:', err.message);
}
);
formatUserIdForWebhook(userId).then((userLabel) => {
sendPlaceWebhook(place, responseCode, {
Reader: ap.name,
'User ID': userId || 'unknown',
'User ID': userLabel,
'Card(s)': cardNumbers.join(', ') || undefined
});
});
const responseData = granted ? {
success: true,

View file

@ -6,6 +6,7 @@ const { requireAuth, ROLES, ORG_ROLES } = require('../lib/auth');
const { generatePlaceId, generateApiKey, generateReaderId } = require('../lib/generators');
const { getEffectiveOrgRole } = require('../lib/orgs');
const { sendPlaceWebhook, sendTestWebhook } = require('../lib/webhooks');
const { getUserByUsername, getUserById, getUsersByIds } = require('../lib/roblox');
const KIT_TEMPLATE_PATH = path.join(__dirname, '..', 'xcs-template.rbxmx');
@ -123,6 +124,36 @@ router.get('/lockdown', (req, res) => {
});
});
// --- Roblox username/id lookups (used to resolve usernames typed into ACL/group forms to ids for
// storage, and to show usernames alongside ids wherever they're displayed) ---
// Resolves a Roblox username to its user id (?username=). Used by the "look up" button next to
// User ID fields in the dashboard, so users can type a username instead of hunting for the id.
router.get('/roblox/lookup', async (req, res) => {
const username = req.query.username;
if (!username) {
return res.status(400).json({ success: false, message: "A username is required" });
}
const user = await getUserByUsername(username);
if (!user) {
return res.status(404).json({ success: false, message: "No Roblox user with that username was found" });
}
res.json({ success: true, user });
});
// Batch-resolves Roblox user ids to usernames (?ids=1,2,3). Used to annotate ACL entries, access
// group members and scan logs with the corresponding username wherever a user id is shown.
router.get('/roblox/users', async (req, res) => {
const ids = (req.query.ids || '').split(',').map(s => s.trim()).filter(Boolean);
if (ids.length === 0) {
return res.json({ success: true, users: {} });
}
const users = await getUsersByIds(ids);
res.json({ success: true, users });
});
// --- Organizations ---
// List organizations the current user belongs to, plus (for platform elevated/admin/superadmin