TerraGuessr Story Manager & API

This project contains a full-stack application for managing "stories" for TerraGuessr. It includes:

1. A Node.js/Express API server written in TypeScript that connects to a MySQL database.
2. A React-based admin dashboard to moderate and manage stories.

📑 Table des matières

• 🏛️ Architecture Overview
• 🆕 Latest Features
  • Payment System & User Registration
  • Email System
  • User Management System
  • Support Tickets System
  • Enhanced Security
  • Story Types & Quizz System
  • Official Story Fields
  • Views and Votes System
  • Caching System
• 🚀 Setup and Installation
  • Prerequisites
  • Backend API Server Setup
  • Frontend Admin Dashboard
• 📋 Database Schema
• 🔒 Security
• 📖 API Documentation
  • Authentication
  • Payment & User Registration Routes
  • Support Tickets Routes
  • User Management Routes
  • Story Routes
  • Score / Leaderboard Route
  • AI Chat Route
  • Views and Votes Routes
  • Configuration Stripe Automatique
• 📁 Project Structure

---

🏛️ How It Works: Architecture Overview

This application follows a classic client-server architecture:

• Backend (API Server): Built with Node.js, Express, and TypeScript, the server is the core of the application. It handles all business logic, validates data, interacts with the MySQL database, and exposes a secure REST API for managing stories and scores.

• Frontend (Admin Dashboard): A React-based Single-Page Application (SPA) that runs entirely in the browser. It provides a user-friendly interface for administrators to interact with the data by making requests to the backend API.

• Database: A MySQL database is used to persist all story and score data. The server is responsible for all database queries.

• Security: The API is protected by public API keys, which must be sent with every request. Each key has a configurable daily request quota to prevent abuse.

🆕 Latest Features

Payment System & User Registration

• Stripe integration for paid user registration
• Stripe Checkout sessions for secure payment processing
• Webhook handling for payment confirmation
• User activation flow with email notifications
• Password reset system with secure token-based reset

Email System

• SMTP configuration with multiple provider support (Gmail, SendGrid, Mailgun, OVH)
• HTML email templates with TerraGuessr branding
• Email types: Account activation, password reset, payment confirmation
• Security features: Token expiration, secure links, anti-spam protection
• Flexible authentication: Password reset supports both email and username identification

Internationalization (i18n) System

• Multi-language support for 12 languages (French, English, Arabic, German, Spanish, Italian, Japanese, Korean, Portuguese, Swedish, Turkish, Chinese)
• Automatic language detection from HTTP headers and user preferences
• Translated email templates with dynamic content interpolation
• Localized HTML pages for activation and password reset
• RTL support for Arabic language
• Fallback system to English for missing translations
• User language preferences stored in database

User Management System

• Complete user profiles with extended fields (logo, description, public name, links, preferred language)
• Role-based access control with three roles: poweruser, storyadmin, and bot
• User creation and management with full CRUD operations
• Search and filtering capabilities for user administration

Support Tickets System

• Complete ticketing system for user support and issue tracking
• Ticket categories with customizable colors and descriptions
• Ticket status workflow: submitted → seen → discussion → in_progress → resolved → closed
• Reply system for ongoing conversations
• Privacy controls (private/public tickets)
• Story linking (tickets can be linked to specific stories)

Enhanced Security

• JWT authentication for admin routes
• bcrypt password hashing with salt rounds
• Rate limiting on login endpoints
• Helmet security headers
• CORS configuration for frontend domains
• SQL injection prevention with prepared statements

Story Types & Quizz System

• Story types: Support for both "story" and "quizz" content types
• Type filtering: Filter stories by type in all fetch operations
• Backward compatibility: Existing stories automatically marked as "story" type
• Admin management: Full type management in admin interfaces

Official Story Fields

• Extended metadata: Stories now support official title, description, range, source, and additional information
• Optional fields: All official fields are optional and can be used by both public and private routes
• Long text support: Official description and additional info support long text content
• Backward compatibility: Existing stories continue to work without official fields

Views and Votes System

• View tracking: Automatic view counting for stories with timestamp tracking
• Voting system: 5-star rating system with duplicate vote prevention
• Statistics: Comprehensive view and vote statistics for each story
• Anti-spam protection: Unique identifier system prevents multiple votes from same source

---

🚀 Setup and Installation

Prerequisites

• Node.js (v18 or later recommended)
• MySQL or MariaDB database instance
• Git (for cloning the repository)

1. Backend API Server Setup

Follow these steps to get the API server running:

Step 1: Clone and Install

1. Clone the repository and navigate to the project's root directory:

   git clone <repository-url>
   cd terraguessr-api-manager_beforeAdmin
   

2. Install Node.js dependencies:

   npm install
   

   Required packages (automatically installed):

   Core Dependencies:

   • express - Web framework for Node.js
   • mysql2 - MySQL database driver with Promise support
   • bcrypt - Password hashing for security
   • jsonwebtoken - JWT token generation and verification
   • helmet - Security headers middleware
   • cors - Cross-origin resource sharing
   • express-rate-limit - Rate limiting middleware
   • marked - Markdown parsing for documentation
   • dotenv - Environment variables loader
   • uuid - UUID generation for unique IDs

   Development Dependencies:

   • ts-node-dev - Development server with auto-restart
   • typescript - TypeScript compiler
   • @types/* - TypeScript type definitions

Step 2: Database Setup

3. Create MySQL database:

   CREATE DATABASE nous_terraguessr_prod;
   CREATE USER 'nous_trgsr'@'localhost' IDENTIFIED BY 'your_secure_password';
   GRANT ALL PRIVILEGES ON nous_terraguessr_prod.* TO 'nous_trgsr'@'localhost';
   FLUSH PRIVILEGES;
   

4. Run database migrations (automatic on first server start): The server will automatically create all required tables on first startup in the correct order:

   1. users table
   2. stories table
   3. story_ownership table (with foreign keys)
   4. ticket_categories table
   5. tickets table (with foreign keys)
   6. ticket_replies table (with foreign keys)

   ⚠️ Important: If you get foreign key constraint errors, ensure your database is completely empty and let the server create all tables automatically.

Step 3: Environment Configuration

5. Create .env file in the root directory:

   touch .env
   

6. Configure environment variables in .env:

   # --- Database Configuration ---
   # Connection URL for your MySQL database
   # Format: mysql://USER:PASSWORD@HOST:PORT/DATABASE
   DATABASE_URL="mysql://nous_trgsr:your_secure_password@localhost:3306/nous_terraguessr_prod"
   
   # --- Server Configuration ---
   # Port for the API server (default: 3001)
   PORT=3001
   
   # --- Authentication Configuration ---
   # JWT secret for admin authentication (REQUIRED - change this!)
   JWT_SECRET="your_very_long_and_secure_random_string_here_at_least_32_characters"
   
   # --- Frontend Configuration ---
   # Frontend URL for CORS (optional, for admin dashboard)
   FRONTEND_URL="http://localhost:3000"
   
   # --- Stripe Configuration ---
   # Stripe secret key for payment processing
   STRIPE_SECRET_KEY="sk_live_your_stripe_secret_key_here"
   # Stripe webhook secret for payment confirmation
   STRIPE_WEBHOOK_SECRET="whsec_your_webhook_secret_here"
   
   # --- Email Configuration (SMTP) ---
   # SMTP settings for sending emails (activation, password reset, etc.)
   SMTP_HOST="smtp.gmail.com"
   SMTP_PORT=587
   SMTP_SECURE=false
   SMTP_USER="your-email@gmail.com"
   SMTP_PASS="your-app-password"
   SMTP_FROM_NAME="TerraGuessr"
   SMTP_FROM_EMAIL="noreply@terraguessr.org"
   
   # --- AI Configuration ---
   # Google Gemini AI API key for AI chat functionality (REQUIRED for AI features)
   GEMINI_API_KEY="your_gemini_api_key_here"
   

   📋 Configuration Examples: See env.example for complete configuration examples with different SMTP providers (Gmail, SendGrid, Mailgun, OVH).

   ⚠️ Important:

   • Replace your_secure_password with your actual database password
   • Replace your_very_long_and_secure_random_string_here_at_least_32_characters with a secure random string
   • Replace your_gemini_api_key_here with your actual Gemini AI API key
   • Keep the .env file secure and never commit it to version control

Step 4: API Keys Configuration

7. Configure Public API Keys in api/public_keys.json:

   {
     "keys": [
       {
         "key": "your_public_api_key_here",
         "quota": 1000,
         "description": "Main API key"
       }
     ]
   }
   

Step 5: Launch the Server

8. Start the development server:

   npm run dev
   

   Alternative commands:

   # Development mode with auto-restart
   npm run dev
   
   # Production build
   npm run build
   npm start
   
   # Direct TypeScript execution
   npx ts-node api/server.ts
   

9. Verify the server is running:

   • Open your browser and go to http://localhost:3001
   • You should see the API documentation page
   • Check the terminal for startup messages:

     🚀 Server is running on http://localhost:3001
     Loaded 2 public API keys.
     Connected to the MySQL database
     

Step 6: Initial Setup (First Time Only)

10. Create initial admin users (see see.txt for detailed SQL instructions):

    -- Create poweruser
    INSERT INTO users (id, username, email, password_hash, role, created_at, date_rgpd, nom_public, description, status)
    VALUES ('<UUID-POWERUSER>', 'admin', 'admin@example.com', '<BCRYPT_HASH>', 'poweruser', NOW(), NOW(), 'Administrator', 'System administrator', 'verified');
    
    -- Create storyadmin
    INSERT INTO users (id, username, email, password_hash, role, created_at, date_rgpd, nom_public, description, status)
    VALUES ('<UUID-STORYADMIN>', 'storyadmin', 'story@example.com', '<BCRYPT_HASH>', 'storyadmin', NOW(), NOW(), 'Story Admin', 'Story administrator', 'verified');
    

11. Test the API:

    # Test public endpoint
    curl -X POST "http://localhost:3001/api/stories/fetch" \
      -H "Content-Type: application/json" \
      -d '{"key":"NOWyouknowLesothoYOUSTUPID"}'
    
    # Test admin login
    curl -X POST "http://localhost:3001/api/auth/login" \
      -H "Content-Type: application/json" \
      -d '{"username":"admin","password":"admin123"}'
    

2. Troubleshooting

Common Issues:

• Port already in use: Change PORT in .env or kill existing processes
• Database connection failed: Check DATABASE_URL in .env
• JWT_SECRET not set: Add JWT_SECRET to .env
• CORS errors: Check FRONTEND_URL in .env
• Foreign key constraint errors: The server automatically creates tables in the correct order. If you get constraint errors, ensure your database is empty and let the server create all tables automatically.

Development Tips:

• Auto-restart: The server automatically restarts when you modify files
• Logs: Check terminal output for detailed error messages
• Database: Tables are created automatically on first startup
• Hot reload: TypeScript files are transpiled on-the-fly

3. Available Scripts

The project includes several npm scripts for different purposes:

# Development (recommended for development)
npm run dev          # Start with auto-restart and TypeScript compilation

# Production
npm run build        # Compile TypeScript to JavaScript
npm start           # Run the compiled JavaScript (production)

# Manual execution
npx ts-node api/server.ts    # Direct TypeScript execution

4. Environment Variables Reference

Variable	Required	Default	Description
DATABASE_URL	✅ Yes	-	MySQL connection string
JWT_SECRET	✅ Yes	-	Secret for JWT token signing
GEMINI_API_KEY	✅ Yes	-	Google Gemini AI API key for AI chat functionality
PORT	❌ No	3001	Server port
FRONTEND_URL	❌ No	-	CORS origin for frontend

5. File Structure

terraguessr-api-manager_beforeAdmin/
├── api/                    # Backend API code
│   ├── server.ts          # Main server file
│   ├── db.ts             # Database connection
│   ├── schema.ts         # Database schema
│   ├── *.controller.ts   # Route controllers
│   ├── *.middleware.ts   # Express middleware
│   └── public_keys.json  # API keys configuration
├── components/            # React components (frontend)
├── services/             # Frontend services
├── types.ts             # TypeScript type definitions
├── package.json         # Dependencies and scripts
├── tsconfig.json        # TypeScript configuration
├── .env                 # Environment variables (create this)
└── see.txt             # Database setup instructions

6. Content-Type Handling for JSON This server is configured to parse request bodies as JSON even if they are sent with a Content-Type: text/plain header. This is a workaround for clients that might send JSON data with an incorrect content type.

   The configuration in api/server.ts uses the type option of the express.json() middleware:

   // api/server.ts
   app.use(express.json({ type: ['application/json', 'text/plain'] }));
   

   This ensures that payloads are correctly parsed, allowing the API key validation to function as expected regardless of the Content-Type header being application/json or text/plain. No additional installation is needed for this feature.

7. Set up the Database: Connect to your MySQL database and run the SQL commands from the Database Schema section to create the stories and scores tables.

8. Run the server:

   • For development (with automatic reloading):

     npm run dev
     

   • For production: First, build the TypeScript code into JavaScript:

     npm run build
     

     Then, start the server:

     npm run start
     

The server will start, and you can access the admin dashboard at http://localhost:3001.

---

🖥️ Frontend Admin Dashboard

The frontend application is an administration tool designed for moderating and managing user-submitted stories.

Workflow & Features

• Moderation Queue: By default, the dashboard displays stories with the "submitted" status. This is your primary work queue, showing all stories that require moderation.
• Status Filters: You can easily switch between views using the filter buttons:
  • Pending Submission: Shows stories with submitted status.
  • Published: Shows stories with verified or validated status.
  • All Stories: Shows all stories regardless of their status.
• Language Filter: A text input allows you to further refine the list by language code (e.g., fr, en).
• Quick Actions: For stories in the "Pending Submission" view, two icons appear, allowing for one-click moderation:
  • Verify (Check icon): Changes the story's status to verified.
  • Validate (Shield icon): Changes the story's status to validated.
• Editing and Creation:
  • The Edit button (pencil icon) opens a modal form where you can modify all details of a story.
  • The "Add New Story" button opens the same form to create a new story entry from scratch.

---

📋 Database Schema

Table: stories

If you are setting up the database for the first time, use the following SQL command to create the stories table:

CREATE TABLE `stories` (
  `id` VARCHAR(36) NOT NULL,
  `language` VARCHAR(10) DEFAULT NULL,
  `source` VARCHAR(255) DEFAULT NULL,
  `indicator` VARCHAR(255) DEFAULT NULL,
  `category` VARCHAR(100) DEFAULT NULL,
  `title` VARCHAR(255) NOT NULL,
  `yearevents` TEXT DEFAULT NULL,
  `email` VARCHAR(255) DEFAULT NULL,
  `pseudo` VARCHAR(100) DEFAULT NULL,
  `oganisation` VARCHAR(255) DEFAULT NULL,
  `url` TEXT,
  `description` TEXT,
  `image` TEXT,
  `creation_date` DATETIME NOT NULL,
  `modif_date` DATETIME DEFAULT NULL,
  `password` VARCHAR(255) DEFAULT NULL,
  `prestatus` VARCHAR(50) DEFAULT NULL,
  `status` VARCHAR(50) NOT NULL,
  `votes` INT DEFAULT 0,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

If you have an existing stories table, you may need to apply updates:

• To allow long text for yearevents:

  ALTER TABLE stories MODIFY COLUMN yearevents TEXT;
  

Table: scores

Use the following command to create the scores table for the leaderboard:

CREATE TABLE `scores` (
  `id` INT AUTO_INCREMENT PRIMARY KEY,
  `timestamp` DATETIME NOT NULL,
  `pseudo` VARCHAR(100) NOT NULL,
  `pays` VARCHAR(100) DEFAULT NULL,
  `score` INT NOT NULL,
  `resume` TEXT DEFAULT NULL,
  `niveau` VARCHAR(100) DEFAULT NULL,
  `champion` VARCHAR(100) DEFAULT NULL,
  INDEX `score_index` (`score` DESC)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

---

🔒 Security

Several security measures have been implemented to protect the API from common attacks and abuse.

API Key Quotas

To prevent abuse, each public API key has a daily request limit.

• Configuration: Quotas are defined in the api/public_keys.json file using the quota property for each key.
• Rate Limit Headers: The API responds with the following headers to help clients track their usage:
  • X-RateLimit-Limit: The maximum number of requests allowed in the window.
  • X-RateLimit-Remaining: The number of requests remaining in the current window.
  • X-RateLimit-Reset: The UTC timestamp for when the quota will reset.
• Error: If a client exceeds their quota, they will receive a 429 Too Many Requests HTTP response.

IP-Based Rate Limiting

In addition to key-based quotas, the API also uses IP-based rate limiting to prevent brute-force attacks.

• General Limit: All API endpoints are limited to 100 requests per 15 minutes per IP.
• Stricter Limit: The story creation endpoint (POST /api/stories) has a stricter limit of 10 requests per 15 minutes per IP to prevent spam submissions.

HTTP Header Security (Helmet)

This application uses the helmet middleware to set various security-related HTTP headers automatically. This helps protect against well-known web vulnerabilities such as Cross-Site Scripting (XSS), clickjacking, and more.

Caching System

The API implements an intelligent in-memory caching system to improve performance and reduce database load for frequently accessed data.

Cache Features

• TTL (Time To Live): 10 minutes for all cached entries
• Automatic Invalidation: Cache is automatically cleared when data is modified
• Authentication-Aware: JWT-authenticated requests bypass the cache (admins always see fresh data)
• Manual Bypass: Use ?noCache=true parameter to force fresh data retrieval

Cached Routes

The following routes benefit from caching:

• GET /api/stories/:id - Individual story retrieval
• POST /api/stories/fetch - Story list with filters
• GET /api/scores - Leaderboard data
• POST /api/scores - Score queries (read-only operations)
• GET /api/views-votes/stats/:id - View and vote statistics

Cache Headers

The API returns cache status headers for debugging:

• X-Cache: HIT - Data served from cache
• X-Cache: MISS - Data fetched from database and cached
• X-Cache: BYPASS - Cache bypassed (JWT auth or noCache parameter)

Cache Invalidation

Cache is automatically invalidated when:

• Stories are created, updated, or deleted
• New scores are recorded
• Views or votes are recorded

Cache Statistics & Monitoring

The cache system includes comprehensive statistics and monitoring capabilities:

Statistics Available:

• Hit rate (percentage of requests served from cache)
• Total hits, misses, and bypasses
• Cache size and invalidation count
• Uptime and performance metrics
• Per-route statistics

Administrative Endpoints (Poweruser only):

• GET /api/admin/cache/stats - Detailed cache statistics
• GET /api/admin/cache/health - Cache health status
• POST /api/admin/cache/clear - Clear all cached data
• POST /api/admin/cache/reset-stats - Reset statistics counters

Logging Configuration: Set CACHE_LOGS_ENABLED=true in your .env file to enable detailed cache logs:

• Cache hits with response times
• Cache misses and bypasses
• Invalidation events
• Periodic statistics (every 5 minutes)

Example Statistics Response:

{
  "success": true,
  "stats": {
    "hits": 1570,
    "miss": 430,
    "bypass": 89,
    "invalidations": 23,
    "hitRate": 78.5,
    "totalRequests": 2089,
    "cacheSize": 45,
    "uptime": "2h 15m",
    "uptimeMs": 8100000,
    "startedAt": "2025-10-29T10:30:00.000Z"
  }
}

---

reCAPTCHA Server-side Validation

To protect public submission routes, the API supports server-side validation of Google reCAPTCHA v2 Invisible.

Environment Variable:

• RECAPTCHA_SECRET — Your server-side secret key (never expose to clients)

Client Payload (Story Editor):

• recaptchaToken: token from client reCAPTCHA
• recaptchaVersion: 'v2_invisible' (informational)

Server Behaviour:

• On POST /api/stories, the server verifies the token with Google at https://www.google.com/recaptcha/api/siteverify.
• If verification fails → responds 400 with details; otherwise the usual creation flow continues.

Notes:

• IP is taken from X-Forwarded-For when present (first IP), or fallback to socket IP.
• Log Google error-codes on failure for diagnostics.

Bad Words Filter (Content Moderation)

The API implements a content moderation system to prevent the use of inappropriate language in public user names (nom_public).

Data Source:

• LDNOOBW (List of Dirty, Naughty, Obscene, and Otherwise Bad Words)
• License: Public Domain (CC0)
• Repository: https://github.com/LDNOOBW/List-of-Dirty-Naughty-Obscene-and-Otherwise-Bad-Words

Supported Languages: The filter supports all 12 languages of the TerraGuessr interface:

• French (fr), English (en), Spanish (es), German (de), Italian (it), Portuguese (pt)
• Arabic (ar), Japanese (ja), Korean (ko), Turkish (tr), Swedish (sv), Chinese (zh)

Validation Behavior:

• nom_public is validated on creation and update
• Validation is case-insensitive
• Words are checked across all supported languages by default
• Minimum length: 2 characters
• Empty or null nom_public is allowed (validation skipped)

Error Response (400):

{
  "error": "nom_public contains inappropriate content",
  "details": "Contains forbidden words: word1, word2"
}

Implementation:

• Files are stored in data/badwords/ (one file per language)
• Words are loaded at server startup into memory-efficient Sets for O(1) lookup
• Total size: ~15KB for all languages
• If filter fails to load, validation is skipped (non-blocking)

Validation Endpoints:

• POST /api/users - User creation
• POST /api/users (HMAC) - User creation via WooCommerce/Stripe (INTERNAL USE ONLY)
• PATCH /api/users/:id - User profile update
• POST /api/users/register - User registration

Content Moderation & Pre-moderation Scores

The API implements a pre-moderation scoring system to help PowerUsers identify potentially problematic content in stories and quizzes.

Score Types:

1. Bad Words Score (moderation_badwords_score): Number of occurrences of forbidden words found in all textual fields

   • Calculated automatically on story/quiz creation and update
   • All textual fields are analyzed: title, description, yearevents, pseudo, organisation, official_title, official_description, official_more
   • Each occurrence is counted (e.g., if a word appears 3 times, score increases by 3)
   • Score = 0 means no forbidden words found
   • Higher scores indicate more occurrences of inappropriate language

2. LLM Score (moderation_llm_score): Future score based on LLM analysis

   • Currently NULL (not implemented yet)
   • Field prepared for future implementation

When Scores Are Calculated:

• Creation: Score calculated automatically when a story/quiz is created
• Update: Score recalculated automatically when textual fields are modified (title, description, yearevents, pseudo, organisation, or official_* fields)
• Non-textual updates: Score not recalculated if only non-textual fields are modified (e.g., status, type, level)

Response Format: Stories returned by admin endpoints include moderation scores:

{
  "id": "uuid",
  "title": "Ma story",
  "description": "...",
  "moderation_badwords_score": 3,
  "moderation_llm_score": null,
  "moderation_badwords_calculated_at": "2025-01-15T10:30:00Z",
  ...
}

Admin Endpoints:

• GET /api/admin/poweruser/stories - Returns stories with moderation scores
• GET /api/admin/stories/:id - Returns story with moderation scores
• PATCH /api/admin/poweruser/stories/:id - Updates story and recalculates score if textual fields changed
• PATCH /api/admin/stories/:id - Updates story and recalculates score if textual fields changed

Usage for PowerUsers:

• Use moderation_badwords_score to quickly identify stories/quizzes with inappropriate language
• Higher scores indicate more occurrences of forbidden words
• Combine with manual review for final moderation decision
• Future moderation_llm_score will provide additional context for content quality

---

📖 API Documentation

Authentication

There are two authentication modes depending on the route type:

• Public routes (/api/stories/*, /api/scores/*) require a public API key
• Admin routes (/api/auth/*, /api/admin/*) require a JWT Bearer token

Public API Key

Public routes require a public API key sent with each request. The key can be provided in one of three ways:

1. JSON Body: Include a key field in the request body (for POST, PATCH, etc.).

   {
     "key": "your_api_key_here",
     ...
   }
   

2. Query Parameter: Append ?key=your_api_key_here to the URL. This is necessary for GET requests.
3. HTTP Header: Send the key in an X-API-Key header.
   • X-API-Key: your_api_key_here

Admin Stories - Attachment Utilities

• POST /api/admin/stories/check-attachment (JWT required)
  • Purpose: Check if a story is already attached to any user
  • Body (one of): { "id": "<story_uuid>" } or { "url": "https://terraguessr.org/?story=<uuid>" }
  • Response: { success: true, storyId, attached: boolean, owner_user_id: string|null }
  • Errors:
    • 400 if neither id nor url provided
    • 404 if no story found for provided id/url
    • 500 on server error

User Roles

The system supports three user roles:

• poweruser: Full administrative access (create, read, update, delete users and stories)
• storyadmin: Can manage their own stories and view their profile
• bot: Can create users (for e-commerce integration)

Internationalization (i18n) System

The API supports multi-language content for emails and HTML pages. The system automatically detects the user's preferred language and serves content accordingly.

Supported Languages

The system supports 12 languages:

• French (fr) - Default for French users
• English (en) - Default fallback language
• Arabic (ar) - With RTL support
• German (de)
• Spanish (es)
• Italian (it)
• Japanese (ja)
• Korean (ko)
• Portuguese (pt)
• Swedish (sv)
• Turkish (tr)
• Chinese (zh)

Language Detection

The system detects the user's preferred language in the following order:

1. Query parameter: ?lang=fr (for HTML pages)
2. User database preference: langue_preferee column in users table
3. HTTP Accept-Language header: Parsed from browser settings
4. Default fallback: English (en)

Translated Content

All user-facing content is automatically translated:

• Email templates: Activation, password reset, payment confirmation
• HTML pages: Account activation and password reset pages
• API responses: Error messages and success messages
• Form labels: Password reset forms and validation messages

RTL Support

Arabic language includes RTL (Right-to-Left) support:

• HTML pages automatically set dir="rtl" attribute
• CSS styles adapt to RTL layout
• Text alignment and form layouts are optimized for RTL reading

Usage Examples

Email with language detection:

// The system automatically detects language from:
// 1. User's langue_preferee in database
// 2. Accept-Language header
// 3. Query parameter ?lang=fr
await emailService.sendActivationEmail(email, firstName, token, userId, language);

HTML page with language detection:

// GET /activate?token=abc123&user=456&lang=fr
// Automatically serves French content

API response with translations:

// Error messages are automatically translated
res.json({ 
  error: i18nService.t('api.errors.emailSendError', language) 
});

Admin Authentication (JWT)

Admin routes are protected by JWT and must use the Authorization: Bearer <token> header. Public routes are unchanged and still use the public API key.

• Environment: add JWT_SECRET to your .env.

# --- Auth Configuration ---
JWT_SECRET="change_me_to_a_long_random_secret"

Endpoints:

• POST /api/auth/register → Create an admin user

  • Body: { "username": string, "email": string, "password": string, "role": "poweruser" | "storyadmin" }
  • Response: { success: true, id }

• POST /api/auth/login → Get a JWT

  • Body: { "username": string, "password": string }
  • Response: { token, user: { id, role } }

• POST /api/auth/forgot-password → Placeholder (200 OK)

  • Body: { "email": string }

Token payload: { userId: string, role: "poweruser" | "storyadmin" }, expiration 12h.

Login sequence (client):

1. Register (one-time) or ensure the user exists
2. Login to obtain a JWT
3. Call admin endpoints with Authorization: Bearer <token>

Examples (cURL):

# 1) Register (once)
curl -X POST http://localhost:3001/api/auth/register \
  -H 'Content-Type: application/json' \
  -d '{
    "username": "editor1",
    "email": "editor1@example.com",
    "password": "changeme",
    "role": "storyadmin"
  }'

# 2) Login
TOKEN=$(curl -s -X POST http://localhost:3001/api/auth/login \
  -H 'Content-Type: application/json' \
  -d '{
    "username": "editor1",
    "password": "changeme"
  }' | jq -r .token)

# 3a) Admin: update a story (poweruser or owner)
curl -X PATCH http://localhost:3001/api/admin/stories/<STORY_ID> \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{ "title": "New title" }'

# 3b) Admin: claim a story (storyadmin only)
curl -X POST http://localhost:3001/api/admin/stories/<STORY_ID>/claim \
  -H "Authorization: Bearer $TOKEN"

Access control:

• poweruser: can edit all stories
• storyadmin: can edit only owned stories (in story_ownership) or after /claim

User Management Routes

JWT-protected routes for user management:

• POST /api/users → create user (poweruser, bot)
• GET /api/users → list all users with pagination (poweruser only)
• GET /api/users/search → search users (poweruser only)
• GET /api/users/:id → get user profile (own profile or poweruser)
• PATCH /api/users/:id → update user profile (own profile or poweruser)
• DELETE /api/users/:id → delete user (poweruser only)

Payment & User Registration Routes

Public routes for payment processing and user registration:

Stripe Payment Routes

• POST /api/stripe/create-checkout-session → create Stripe checkout session
• POST /api/stripe/webhook → handle Stripe webhook events

Types de paiement gérés :

• Paiement normal : Montant ≥ 0.50€ → Payment Intent (paiement immédiat)
• Empreinte de carte : Montant = 0€ ou < 0.50€ → Setup Intent (vérification de carte sans paiement)

Configuration webhook Stripe requise :

• checkout.session.completed → Paiements normaux
• setup_intent.succeeded → Empreintes de carte
• payment_intent.succeeded → Paiements avec capture manuelle

Détails techniques :

• Setup Intent : Utilisé pour les empreintes de carte sans paiement (montant 0€)
• Payment Intent : Utilisé pour les paiements réels (montant ≥ 0.50€)
• Mode setup : Session Stripe sans line_items pour les empreintes
• Mode payment : Session Stripe avec line_items pour les paiements
• Activation automatique : L'utilisateur est activé après succès du webhook

User Registration Routes

• POST /api/users/register → NOUVELLE ROUTE UNIFIÉE - create complete account with optional payment
• POST /api/users/hmac → create user via HMAC (INTERNAL USE ONLY - Stripe webhooks)
• GET /activate → display account activation page
• POST /api/users/activate → finalize account activation with password
• POST /api/users/forgot-password → request password reset (supports email OR username)
• POST /api/users/reset-password → reset password with token

Password Reset with Email/Username Support

The forgotPassword route now supports both email and username identification:

Request Body:

{
  "username": "user@example.com"  // Can be either email or username
}

Automatic Detection:

• Email: If the value contains @, searches by email field
• Username: If no @ is found, searches by username field

Examples:

# Using email
curl -X POST http://localhost:3001/api/users/forgot-password \
  -H 'Content-Type: application/json' \
  -d '{"username": "user@example.com"}'

# Using username  
curl -X POST http://localhost:3001/api/users/forgot-password \
  -H 'Content-Type: application/json' \
  -d '{"username": "john_doe"}'

Response:

{
  "message": "Si cet email ou nom d'utilisateur existe dans notre système, vous recevrez un lien de réinitialisation"
}

Support Tickets Routes

JWT-protected routes for support ticket management:

All Roles (poweruser, storyadmin, bot)

• POST /api/tickets → create ticket
• GET /api/tickets/categories → list ticket categories
• GET /api/tickets → list user's own tickets (with pagination)
• GET /api/tickets/:id → get single ticket with replies
• POST /api/tickets/:id/reply → reply to ticket
• PATCH /api/tickets/:id/close → close own ticket

Poweruser Only

• GET /api/tickets/admin/all → list all tickets (with pagination and filters)
• PATCH /api/tickets/admin/:id → update any ticket
• POST /api/tickets/categories → create ticket category
• PATCH /api/tickets/categories/:id → update ticket category
• DELETE /api/tickets/categories/:id → delete ticket category

Payment Flow Examples

NOUVEAU FLUX UNIFIÉ - Création de compte avec paiement immédiat :

# Création de compte avec paiement normal (≥ 0.50€)
curl -X POST http://localhost:3001/api/users/register \
  -H 'Content-Type: application/json' \
  -d '{
    "username": "john_doe",
    "email": "user@example.com",
    "password": "superSecret123",
    "subscription_type": "lifetime",
    "amount": 99.99,
    "defer_payment": false
  }'

NOUVEAU FLUX UNIFIÉ - Création de compte avec empreinte de carte :

# Création de compte avec empreinte de carte (0€)
curl -X POST http://localhost:3001/api/users/register \
  -H 'Content-Type: application/json' \
  -d '{
    "username": "jane_smith",
    "email": "jane@example.com",
    "password": "superSecret123",
    "subscription_type": "annual",
    "amount": 0,
    "defer_payment": false
  }'

NOUVEAU FLUX UNIFIÉ - Création de compte avec validation différée :

# Création de compte sans paiement immédiat
curl -X POST http://localhost:3001/api/users/register \
  -H 'Content-Type: application/json' \
  -d '{
    "username": "bob_wilson",
    "email": "bob@example.com",
    "password": "superSecret123",
    "subscription_type": "annual",
    "defer_payment": true
  }'

2. Request password reset (supports email OR username)

curl -X POST http://localhost:3001/api/users/forgot-password
-H 'Content-Type: application/json'
-d '{ "username": "user@example.com" }'

Alternative: using username instead of email

curl -X POST http://localhost:3001/api/users/forgot-password
-H 'Content-Type: application/json'
-d '{ "username": "john_doe" }'

3. Reset password with token

curl -X POST http://localhost:3001/api/users/reset-password
-H 'Content-Type: application/json'
-d '{ "token": "reset_token_from_email", "password": "new_password123" }'

#### User Management Examples

```bash
# Create a new user (poweruser or bot)
curl -X POST http://localhost:3001/api/users \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "username": "newuser",
    "email": "user@example.com",
    "password": "password123",
    "role": "storyadmin",
    "nom_public": "Public Name",
    "description": "User description",
    "lien": "https://example.com",
    "langue_preferee": "fr",
    "status": "submitted"
  }'

# List all users with pagination
curl -H "Authorization: Bearer $TOKEN" "http://localhost:3001/api/users?page=1&limit=20"

# Search users
curl -H "Authorization: Bearer $TOKEN" "http://localhost:3001/api/users/search?q=john&limit=10"

# Get user profile
curl -H "Authorization: Bearer $TOKEN" http://localhost:3001/api/users/<USER_ID>

# Update user profile
curl -X PATCH http://localhost:3001/api/users/<USER_ID> \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "nom_public": "Updated Public Name",
    "description": "Updated description",
    "status": "verified"
  }'

# Delete user
curl -X DELETE http://localhost:3001/api/users/<USER_ID> \
  -H "Authorization: Bearer $TOKEN"

Support Tickets Examples

# Create a new ticket
curl -X POST http://localhost:3001/api/tickets \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "title": "Bug in story creation",
    "category_id": 1,
    "message": "I cannot create a new story, getting an error",
    "story_id": "<STORY_ID>",
    "is_private": true
  }'

# List ticket categories
curl -H "Authorization: Bearer $TOKEN" http://localhost:3001/api/tickets/categories

# List my tickets
curl -H "Authorization: Bearer $TOKEN" "http://localhost:3001/api/tickets?page=1&limit=10"

# Get single ticket with replies
curl -H "Authorization: Bearer $TOKEN" http://localhost:3001/api/tickets/<TICKET_ID>

# Reply to ticket
curl -X POST http://localhost:3001/api/tickets/<TICKET_ID>/reply \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"message": "Thank you for the information, I will look into this"}'

# Close my ticket
curl -X PATCH http://localhost:3001/api/tickets/<TICKET_ID>/close \
  -H "Authorization: Bearer $TOKEN"

# Poweruser: List all tickets
curl -H "Authorization: Bearer $TOKEN" "http://localhost:3001/api/tickets/admin/all?status=submitted&page=1&limit=20"

# Poweruser: Update ticket status
curl -X PATCH http://localhost:3001/api/tickets/admin/<TICKET_ID> \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"status": "in_progress"}'

# Poweruser: Create ticket category
curl -X POST http://localhost:3001/api/tickets/categories \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Technical Issue",
    "description": "Technical problems and bugs",
    "color": "#dc3545"
  }'

# Poweruser: Update ticket category
curl -X PATCH http://localhost:3001/api/tickets/categories/<CATEGORY_ID> \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "Bug",
    "description": "Repeated technical error message. Please copy the error message in your question.",
    "color": "#ed333b"
  }'

# Poweruser: Delete ticket category
curl -X DELETE http://localhost:3001/api/tickets/categories/<CATEGORY_ID> \
  -H "Authorization: Bearer $TOKEN"

Poweruser Admin Routes

Advanced admin routes for poweruser role only:

• GET /api/admin/poweruser/stories → all stories with owner info
  • Query params: ?ownerId=<user_id>&language=<lang>&status=<status>
• PATCH /api/admin/poweruser/stories/:id → update story metadata and reassign ownership
  • Body: { "title": "...", "ownerId": "<user_id>", "status": "..." }

Examples (cURL):

# List all stories with owner info
curl -H "Authorization: Bearer $TOKEN" http://localhost:3001/api/admin/poweruser/stories

# Filter by owner
curl -H "Authorization: Bearer $TOKEN" "http://localhost:3001/api/admin/poweruser/stories?ownerId=<USER_ID>"

# Filter by language and status
curl -H "Authorization: Bearer $TOKEN" "http://localhost:3001/api/admin/poweruser/stories?language=fr&status=verified"

# Update story and reassign to another user
curl -X PATCH http://localhost:3001/api/admin/poweruser/stories/<STORY_ID> \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{ "title": "Updated by poweruser", "ownerId": "<NEW_USER_ID>", "status": "validated" }'

# Remove ownership (set ownerId to null/empty)
curl -X PATCH http://localhost:3001/api/admin/poweruser/stories/<STORY_ID> \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{ "ownerId": "" }'

Admin Stories (ownership)

JWT-protected routes for story admins:

• GET /api/admin/stories → poweruser: all stories (all statuses); storyadmin: stories owned by current user
• GET /api/admin/stories/:id → get a single story (poweruser: any story; storyadmin: only owned stories)
• POST /api/admin/stories/attach { url, password, id? } → attach a story by URL+password or by ID+password
• PATCH /api/admin/stories/:id → update a story (poweruser or owner) - can change status to any value
• DELETE /api/admin/stories/:id → delete story completely (poweruser or owner)
• DELETE /api/admin/stories/:id/detach → detach the story (remove ownership only)

Story Attachment (POST /api/admin/stories/attach)

The attach route allows story admins to claim ownership of existing stories by providing authentication credentials.

Request Body Options:

• By URL: { "url": "story-url", "password": "story-password" }
• By ID: { "id": "story-uuid", "password": "story-password" }

Password Authentication: The route supports multiple password formats for backward compatibility:

• Plain text passwords: Direct string comparison
• bcrypt hashes: Secure password hashing (starts with $2)
• SHA-256 hashes: Legacy format for older stories
• Empty passwords: Stories without passwords can be attached with empty password

URL Processing:

• Protocol normalization (http:// and https://)
• Case-insensitive matching
• Trailing slash removal
• Query parameter extraction (looks for ?story=UUID in URLs)

Success Response:

{
  "success": true,
  "storyId": "attached-story-uuid"
}

Error Responses:

• 400 Bad Request: Missing URL/ID or password
• 403 Forbidden: Invalid password for this story
• 404 Not Found: Story not found for provided URL or ID

Examples (cURL):

# List my stories
curl -H "Authorization: Bearer $TOKEN" http://localhost:3001/api/admin/stories

# Get a single story
curl -H "Authorization: Bearer $TOKEN" http://localhost:3001/api/admin/stories/<STORY_ID>

# Attach a story by URL
curl -X POST http://localhost:3001/api/admin/stories/attach \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{ "url": "https://example.com/story-1", "password": "secret" }'

# Attach by ID (for stories without URLs)
curl -X POST http://localhost:3001/api/admin/stories/attach \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{ "id": "<STORY_ID>", "password": "secret" }'

# Attach story without password (empty password)
curl -X POST http://localhost:3001/api/admin/stories/attach \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{ "id": "<STORY_ID>", "password": "" }'

# Update one of my stories
curl -X PATCH http://localhost:3001/api/admin/stories/<STORY_ID> \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{ "title": "Updated by owner" }'

# Change story status (moderation)
curl -X PATCH http://localhost:3001/api/admin/stories/<STORY_ID> \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{ "status": "verified" }'

# Delete a story completely
curl -X DELETE http://localhost:3001/api/admin/stories/<STORY_ID> \
  -H "Authorization: Bearer $TOKEN"

# Detach a story (remove ownership only)
curl -X DELETE http://localhost:3001/api/admin/stories/<STORY_ID>/detach \
  -H "Authorization: Bearer $TOKEN"

Story Statuses

The system supports the following story statuses:

• draft: Story in draft mode (not published, not accessible via public routes)
• submitted: Story submitted by user, awaiting moderation
• verified: Story verified by moderator (published)
• validated: Story validated by moderator (published)
• banned: Story banned (not accessible via public routes)
• quarantine: Story in quarantine (not accessible via public routes)
• private: Story is private (not accessible via public routes)

Story Versioning

The system automatically saves versions of stories when they are modified, with different retention strategies based on story status:

For verified/validated stories (hybrid retention):

• All versions from the last 30 days are kept
• Weekly snapshots from the last 3 months (90 days)
• Monthly snapshots from the last 2 years (730 days)
• All versions with diff > 10% are kept

For other stories (simple retention):

• Only the last 2 versions are kept

API Endpoints:

Version Management:

• GET /api/admin/stories/:id/versions - List all versions of a story (requires ownership or poweruser)
• GET /api/admin/stories/:id/versions/:versionId - Get a specific version
• POST /api/admin/stories/:id/versions/:versionId/restore - Restore a version (poweruser only)

Statistics Endpoints:

• GET /api/admin/stories/versions/stats - Global versioning statistics (poweruser only)
  • Query params: startDate, endDate, storyId (optional)
  • Returns: total versions, total stories, average versions per story, modifications by day, snapshots count, high diff versions, top modified stories
• GET /api/admin/stories/versions/activity - Recent version activity feed (poweruser only)
  • Query params: limit (default: 50), offset (default: 0)
  • Returns: paginated list of recent versions with story info, diff percentage, changed fields, creator
• GET /api/admin/stories/:id/versions/stats - Statistics for a specific story (poweruser or owner)
  • Returns: total versions, first/last version dates, average diff percentage, snapshots count, modifications by user, modifications by field, timeline

Story Types

The system supports the following story types:

• story: Traditional story content (default for existing stories)
• quizz: Quiz/quiz content for interactive learning

Note: All existing stories in the database are automatically marked as "story" type during migration.

User Fields

The system supports the following user fields:

• id: Unique user identifier (UUID)
• username: Login username (unique)
• email: User email address (unique)
• password_hash: Hashed password (bcrypt)
• role: User role (poweruser, storyadmin, bot)
• created_at: Account creation timestamp (auto-set by server, format: YYYY-MM-DD HH:MM:SS)
• date_modif: Last modification timestamp (auto-updated by server on any change, format: YYYY-MM-DD HH:MM:SS)
• logo: Profile image URL (PNG, WebP, JPG, GIF)
• description: Long text description
• nom_public: Public display name
• lien: User website/link URL
• langue_preferee: Preferred language (default: 'fr')
• organisation: User organization name
• status: User status (same as story statuses)
• date_rgpd: GDPR acceptance date

Story Fields

• id: Unique story identifier (UUID)
• title: Story title (required)
• description: Story description
• language: Language code (e.g., 'fr', 'en')
• source: Story source
• indicator: Story indicator
• category: Story category
• yearevents: Year events text
• email: Contact email
• pseudo: Author pseudonym
• organisation: Organization name
• url: Story URL
• image: Story image URL
• creation_date: Creation timestamp
• modif_date: Last modification timestamp
• password: Story password (for secure updates)
• prestatus: Previous status
• status: Current status (draft, submitted, verified, validated, banned, quarantine, private)
• type: Story type (story, quizz)
• votes: Number of votes
• level: Optional level field (integer)
• token: Optional token field for story identification (can be set during creation or by admin)

Recommended Client Workflows

Workflow A: Create Story with Password (Recommended)

// 1. Create story with password
const storyData = {
  key: "public-api-key",
  title: "My Story",
  description: "Story description",
  password: "my-secure-password",  // Set password during creation
  token: "my-identifier"
};

const response = await fetch('/api/stories', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify(storyData)
});

// 2. Attach story to user account
const attachData = {
  id: storyId,
  password: "my-secure-password"
};

await fetch('/api/admin/stories/attach', {
  method: 'POST',
  headers: { 
    'Content-Type': 'application/json',
    'Authorization': `Bearer ${jwtToken}`
  },
  body: JSON.stringify(attachData)
});

Workflow B: Create Story without Password

// 1. Create story without password
const storyData = {
  key: "public-api-key",
  title: "My Story",
  description: "Story description",
  token: "my-identifier"
  // No password field
};

// 2. Attach story with empty password
const attachData = {
  id: storyId,
  password: ""  // Empty password for stories without passwords
};

Ticket Statuses

The system supports the following ticket statuses:

• submitted: Ticket submitted by user, awaiting review
• seen: Ticket has been seen by support team
• discussion: Active discussion between user and support
• in_progress: Support team is working on the issue
• resolved: Issue has been resolved
• closed: Ticket closed by user or support
• deleted: Ticket deleted (soft delete)

Ticket Fields

The system supports the following ticket fields:

• id: Unique ticket identifier (UUID)
• title: Ticket title (max 200 characters)
• category_id: Reference to ticket category
• message: Initial ticket message
• user_id: Creator of the ticket
• story_id: Optional linked story (UUID)
• is_private: Privacy setting (true/false)
• status: Current ticket status
• created_at: Ticket creation timestamp (auto-set by server)
• date_modif: Last modification timestamp (auto-updated by server)

Ticket Reply Fields

• id: Unique reply identifier (UUID)
• ticket_id: Reference to parent ticket
• user_id: Author of the reply
• message: Reply message content
• created_at: Reply creation timestamp (auto-set by server)

Date Management

The server automatically manages timestamps:

• created_at: Set to current timestamp when user is created (cannot be modified)
• date_modif: Automatically updated to current timestamp on any user update
• date_rgpd: Set to current timestamp when user is created (can be updated manually)

Important: These date fields are managed by the server and should not be included in request bodies for POST or PATCH operations.

Story Routes

1. Fetch Stories

• Endpoint: POST /api/stories/fetch
• Description: Retrieves a list of stories. Can be filtered by status and/or language.
• Authentication-based filtering:
  • Public API key only: Returns stories with status "verified" or "validated" (published content only)
  • JWT + Public API key: Returns stories with status "verified", "validated", or "submitted" (includes pending moderation)
  • Other statuses ("banned", "quarantine", "onhold"): Only accessible via admin routes
• Request Body:
  • status (string, optional): Filters stories by status (e.g., submitted, draft). If set to "published", it returns stories with a status of either "verified" or "validated".
  • language (string, optional): Filters stories by language code (e.g., fr).
  • type (string, optional): Filters stories by type. Valid values: "story" or "quizz".
  • categoryIds (array of numbers, optional): Filter stories by one or more category IDs.
  • sortBy (string, optional): Sort by "views", "votes", or "creation_date" (default: "creation_date").
  • sortOrder (string, optional): Sort order "asc" or "desc" (default: "desc").
• Example Payload:

  {
    "key": "your_api_key_here",
    "status": "published",
    "language": "fr",
    "type": "story"
  }
  

• Success Response (200 OK):

  {
    "count": 1,
    "stories": [
      {
        "id": "some-uuid-1234",
        "title": "A Validated Story",
        "status": "validated",
        ...
      }
    ]
  }
  

---

2. Get Story by ID

• Endpoint: GET /api/stories/:id
• Description: Retrieves a single story by its unique ID.
• URL Parameters:
  • id (string, required): The UUID of the story.
• Success Response (200 OK):

  {
    "id": "some-uuid-1234",
    "title": "A Validated Story",
    ...
  }
  

• Error Response (404 Not Found):

  { "error": "Story not found" }
  

---

Official Story Fields

Stories now support extended official metadata fields that can be used by both public and private routes:

• official_title (string, optional, max 255 chars): Official title for the story
• official_description (string, optional, long text): Extended official description
• official_range (string, optional, max 20 chars): Official time range or period
• official_source (string, optional, max 255 chars): Official data source
• official_more (string, optional, long text): Additional official information

These fields are:

• Optional: All official fields are optional and can be omitted
• Backward Compatible: Existing stories continue to work without official fields
• Long Text Support: official_description and official_more support unlimited text
• Public & Private: Available in all story routes (create, update, fetch)

Example with Official Fields:

{
  "title": "Climate Change Story",
  "description": "User description",
  "official_title": "Global Temperature Trends 2020-2024",
  "official_description": "Comprehensive analysis of global temperature data from multiple sources including satellite measurements, ground stations, and ocean temperature records.",
  "official_range": "2020-2024",
  "official_source": "NASA Climate Data",
  "official_more": "Data collected from 15,000+ weather stations worldwide, validated through peer review process, updated monthly."
}

---

Story Categories

The system supports multiple categories per story, allowing better organization and filtering. Categories are fully multilingual, supporting 24 languages.

Multilingual Support

Categories support translations for 24 languages: en, fr, es, de, it, pt, ru, zh, ja, ar, hi, ko, tr, nl, pl, sv, da, fi, no, cs, hu, ro, el, he

The API automatically detects the user's preferred language using:

1. Query parameter ?lang=fr
2. User's langue_preferee preference (if authenticated)
3. HTTP Accept-Language header
4. Fallback to English (en) or French (fr)

Category Management (Poweruser Only)

• GET /api/admin/stories/categories?lang=fr - List all active categories (JWT required)
  • Returns categories with name and description translated according to the detected language
  • Response includes language field indicating the language used
• POST /api/admin/stories/categories - Create a new category (poweruser only, JWT required)
  • Body: { "translations": { "en": { "name": "Geography", "description": "..." }, "fr": { "name": "Géographie", "description": "..." } }, "color": "#007bff" }
  • At least one language translation must be provided
  • Uniqueness is checked on the English name (translations.en.name)
• PATCH /api/admin/stories/categories/:id - Update a category (poweruser only, JWT required)
  • Body: { "translations": { "es": { "name": "Geografía", "description": "..." } }, "color": "#ff0000", "is_active": true }
  • Translations are merged with existing translations (partial updates allowed)
  • Uniqueness is checked if the English name changes
• DELETE /api/admin/stories/categories/:id - Delete a category (poweruser only, JWT required)
  • Cannot delete if category is used by any stories

Category Response Structure (translated according to language):

{
  "categories": [
    {
      "id": 1,
      "name": "Géographie",
      "description": "Histoires sur la géographie",
      "color": "#007bff",
      "is_active": true,
      "created_at": "2025-01-15T10:30:00.000Z"
    }
  ],
  "language": "fr"
}

Translation Format (stored in database):

{
  "translations": {
    "en": { "name": "Geography", "description": "Stories about geography" },
    "fr": { "name": "Géographie", "description": "Histoires sur la géographie" },
    "es": { "name": "Geografía", "description": "Historias sobre geografía" }
  }
}

Fallback Behavior:

• If translation for requested language is missing → fallback to English (en)
• If English is missing → fallback to French (fr)
• If both are missing → use first available translation
• If no translations → return "Untitled Category" for name, empty string for description

Using Categories in Stories

When creating or updating a story, use categoryIds (array of category IDs):

Create Story with Categories:

{
  "key": "public-api-key",
  "title": "My Story",
  "categoryIds": [1, 2, 3]
}

Update Story Categories:

{
  "categoryIds": [1, 5]
}

Story Response includes categories:

{
  "id": "story-uuid",
  "title": "My Story",
  "categories": [
    { "id": 1, "name": "Géographie", "color": "#007bff" },
    { "id": 2, "name": "Histoire", "color": "#28a745" }
  ]
}

Filtering and Sorting Stories by Category

The POST /api/stories/fetch endpoint supports filtering by categories and sorting by views/votes:

Request Body:

{
  "key": "your_api_key_here",
  "categoryIds": [1, 2],
  "sortBy": "views",
  "sortOrder": "desc"
}

Parameters:

• categoryIds (array of numbers, optional): Filter stories by one or more categories
• sortBy (string, optional): "views" | "votes" | "creation_date" (default: "creation_date")
• sortOrder (string, optional): "asc" | "desc" (default: "desc")

Examples:

// Get stories in category 1, sorted by views (descending)
{
  "categoryIds": [1],
  "sortBy": "views",
  "sortOrder": "desc"
}

// Get stories in categories 1 or 2, sorted by votes (ascending)
{
  "categoryIds": [1, 2],
  "sortBy": "votes",
  "sortOrder": "asc"
}

Note: The old category field (string) is deprecated but still supported for backward compatibility. Use categoryIds (array) for the new system.

---

3. Create a New Story

• Endpoint: POST /api/stories
• Description: Creates a new story. A unique ID and creation_date are automatically generated.
• Request Body: A JSON object for the story. title is required. Optional fields include token for story identification, password for future attachment, level for story level, status for initial status (only "draft" or "submitted" allowed), categoryIds (array of category IDs) for categories, and official fields for extended metadata.
• Example Request Body:

  {
    "key": "public-api-key",
    "title": "My Story Title",
    "description": "Story description",
    "language": "fr",
    "level": 5,
    "status": "draft",
    "token": "my-story-identifier-123",
    "password": "my-story-password",
    "official_title": "Official Story Title",
    "official_description": "Extended official description with detailed information",
    "official_range": "2020-2024",
    "official_source": "Official Data Source",
    "official_more": "Additional official information and context"
  }
  

• Status Behavior:
  • If status is "draft" or "submitted", it will be used as specified
  • If status is any other value or not provided, it defaults to "submitted"
  • This ensures only appropriate initial statuses can be set during creation
• Success Response (201 Created):

  {
    "success": true,
    "id": "newly-generated-uuid-5678"
  }
  

---

4. Update a Story (Admin)

• Endpoint: PATCH /api/stories/:id
• Description: Updates one or more fields of an existing story. The modif_date is automatically updated.
• Success Response (200 OK):

  {
    "success": true,
    "id": "some-uuid-1234",
    "updated": ["status", "title"]
  }
  

---

5. Securely Update a Story (User)

• Endpoint: PATCH /api/stories/:id/secure

• Description: Updates a story only if the provided password matches the one stored for that story.

• Request Body: A JSON object with the fields to update, plus a mandatory password field.

• Success Response (200 OK):

  {
    "success": true,
    "id": "some-uuid-1234",
    "updated": ["title", "description"]
  }
  

• Endpoint: POST /api/stories/update-with-token

• Description: Updates a story by matching the provided token field with the story's token field in the database. Only allows updating specific fields and clears the token field after successful update.

• Request Body:

  {
    "id": "story-uuid",
    "token": "story-token-value",
    "key": "public-api-key",
    "language": "fr",
    "source": "Updated source",
    "indicator": "Updated indicator",
    "category": "Updated category",
    "yearevents": "Updated events",
    "description": "Updated description"
  }
  

• Allowed Fields: Only language, source, indicator, category, yearevents, and description can be updated.

• Success Response (200 OK):

  {
    "success": true,
    "id": "story-uuid",
    "updated": ["language", "description"],
    "message": "Story updated successfully and token cleared"
  }
  

• Error Responses:

  • 400 Bad Request: Missing required fields or no valid fields to update
  • 403 Forbidden: Token field doesn't match
  • 404 Not Found: Story not found

---

Score / Leaderboard Route

This is a multi-purpose endpoint that mimics the functionality of the original Google Apps Script API for scores.

• Endpoint: GET or POST /api/scores
• Description: Handles all score-related actions based on the parameters provided in the query string (for GET) or JSON body (for POST).

Action 1: Record a New Score

• Trigger: Provide pseudo and score parameters.
• Parameters:
  • pseudo (string, required)
  • score (number, required)
  • pays, resume, niveau, champion (string, optional)
• Success Response: A plain text response OK with a 200 status code.

Action 2: Get Hypothetical Rank

• Trigger: Provide testScore parameter.
• Success Response (200 OK):

  {
    "testScore": 500,
    "rank": 101,
    "total": 5000
  }
  

Action 3: Get Score Context

• Trigger: Provide scoreContext parameter.
• Description: Returns a list of scores around the rank of the provided score (3 before, 9 after).
• Success Response (200 OK):

  {
    "score": 450,
    "rank": 150,
    "context": [
      { "rank": 147, "pseudo": "PlayerA", "score": 455, "isSelf": false, ... },
      { "rank": 150, "pseudo": "PlayerB", "score": 450, "isSelf": true, ... },
      { "rank": 151, "pseudo": "PlayerC", "score": 449, ... }
    ]
  }
  

Action 4: Get Leaderboard (Default)

• Trigger: No other specific parameters are provided.
• Parameters:
  • start (number, optional, default: 1): The starting rank.
  • end (number, optional, default: 100): The ending rank.
• Success Response (200 OK): An array of score objects.

  [
    { "rank": 1, "pseudo": "Champ", "score": 999, ... },
    { "rank": 2, "pseudo": "RunnerUp", "score": 990, ... }
  ]
  

Admin Scores Routes (PowerUser only)

JWT-protected routes for PowerUsers to manage game scores:

• GET /api/admin/poweruser/scores → List all scores with pagination and filters
• DELETE /api/admin/poweruser/scores/:id → Delete a specific score by ID

GET /api/admin/poweruser/scores

Authentication: JWT with poweruser role required

Query Parameters:

• page (optional, default: 1): Page number
• limit (optional, default: 50, max: 200): Results per page
• pseudo (optional): Filter by pseudo (partial match)
• pays (optional): Filter by country (exact match)
• minScore (optional): Minimum score
• maxScore (optional): Maximum score
• sortBy (optional, default: 'score'): Sort by 'score', 'timestamp', or 'pseudo'
• sortOrder (optional, default: 'DESC'): 'ASC' or 'DESC'

Response (200 OK):

{
  "scores": [
    {
      "id": 123,
      "rank": 1,
      "timestamp": "2025-01-15T10:30:00Z",
      "pseudo": "Player1",
      "pays": "France",
      "score": 1000,
      "resume": "...",
      "niveau": "...",
      "champion": "..."
    }
  ],
  "pagination": {
    "page": 1,
    "limit": 50,
    "total": 5000,
    "totalPages": 100
  }
}

Example:

# List first page
curl -H "Authorization: Bearer $TOKEN" http://localhost:3001/api/admin/poweruser/scores

# Filter by pseudo and paginate
curl -H "Authorization: Bearer $TOKEN" "http://localhost:3001/api/admin/poweruser/scores?pseudo=Player&page=2&limit=25"

# Filter by score range
curl -H "Authorization: Bearer $TOKEN" "http://localhost:3001/api/admin/poweruser/scores?minScore=500&maxScore=1000"

DELETE /api/admin/poweruser/scores/:id

Authentication: JWT with poweruser role required

Parameters: id in URL path (score ID to delete)

Response (200 OK):

{
  "success": true,
  "message": "Score deleted successfully",
  "deletedId": 123
}

Errors:

• 400: Invalid score ID
• 404: Score not found
• 500: Server error

Example:

curl -X DELETE \
  -H "Authorization: Bearer $TOKEN" \
  http://localhost:3001/api/admin/poweruser/scores/123

Security Notes:

• Only users with poweruser role can access these routes
• Score deletion is permanent and cannot be undone
• Use with caution in production

---

AI Chat Route

This endpoint provides AI-powered chat functionality using Google's Gemini AI model.

• Endpoint: POST /api/ai/chat
• Authentication: JWT Bearer token required
• Description: Sends a prompt to Gemini AI and returns the generated response.

Request

• Headers:
  • Authorization: Bearer <JWT_TOKEN> (required)
  • Content-Type: application/json
• Request Body:

  {
    "prompt": "Your question or prompt for the AI"
  }
  

Response

• Success Response (200 OK):

  {
    "success": true,
    "response": "AI generated response text",
    "model": "gemini-2.5-flash",
    "duration": 1500,
    "timestamp": "2024-01-15T10:30:00.000Z"
  }
  

• Error Responses:

  • 400 Bad Request: Missing or invalid prompt
  • 401 Unauthorized: Missing or invalid JWT token
  • 500 Internal Server Error: AI service configuration error
  • 504 Gateway Timeout: AI request timeout (after 4 minutes)

Features

• Timeout Handling: Requests timeout after 4 minutes to prevent hanging
• CORS Support: Configured for cross-origin requests
• Rate Limiting: Protected by JWT authentication
• Logging: Detailed request/response logging for debugging

---

Views and Votes Routes

These endpoints provide view tracking and voting functionality for stories.

1. Record a View

• Endpoint: POST /api/views-votes/viewed

• Authentication: Public API key required

• Description: Increments the view count for a specific story.

• Request Body:

  {
    "id_story": "story-uuid-here",
    "key": "your-api-key"
  }
  

• Success Response (200 OK):

  {
    "success": true,
    "id_story": "story-uuid-here",
    "vues": 15,
    "last_view": "2024-01-15T10:30:00.000Z"
  }
  

2. Record a Vote

• Endpoint: POST /api/views-votes/voted

• Authentication: Public API key required

• Description: Records a vote for a story (0-5 stars). Prevents duplicate votes from the same identifier.

• Request Body:

  {
    "id_story": "story-uuid-here",
    "vote_value": 4,
    "identifiant": "user123_session456",
    "key": "your-api-key"
  }
  

• Success Response (200 OK) - New vote:

  {
    "success": true,
    "id_story": "story-uuid-here",
    "vote_value": 4,
    "identifiant": "user123_session456",
    "vote_date": "2024-01-15T10:30:00.000Z",
    "message": "Vote successfully recorded",
    "vote_recorded": true
  }
  

• Success Response (200 OK) - Duplicate vote:

  {
    "success": true,
    "id_story": "story-uuid-here",
    "vote_value": 3,
    "identifiant": "user123_session456",
    "vote_date": "2024-01-15T10:30:00.000Z",
    "message": "Vote not counted - this identifier has already voted for this story",
    "vote_recorded": false
  }
  

3. Get Story Statistics

• Endpoint: GET /api/views-votes/stats/:id

• Authentication: Public API key required

• Description: Retrieves view and vote statistics for a specific story.

• URL Parameters:

  • id (string, required): The UUID of the story.

• Success Response (200 OK):

  {
    "success": true,
    "id_story": "story-uuid-here",
    "views": {
      "total": 150,
      "last_view": "2024-01-15T10:30:00.000Z"
    },
    "votes": {
      "total": 25,
      "average_rating": 4.2
    }
  }
  

Features

• Duplicate Prevention: Same identifier cannot vote multiple times for the same story
• View Tracking: Automatic view counting with timestamp tracking
• Statistics: Comprehensive metrics including total views, votes, and average rating
• Anti-Spam: Unique identifier system prevents vote manipulation

---

Configuration Stripe Automatique

Initialisation

Pour configurer automatiquement Stripe (produits, webhooks, Customer Portal) :

# 1. Configurer les variables d'environnement de base
STRIPE_SECRET_KEY=sk_test_...
API_URL=https://api.terraguessr.org

# 2. Lancer l'initialisation
npm run stripe:setup

Vérification

Pour vérifier la configuration actuelle :

npm run stripe:check

Reset (développement uniquement)

Pour réinitialiser la configuration de test :

npm run stripe:reset

Produits créés

1. Abonnement annuel récurrent : Renouvellement automatique avec prix libre
2. Paiement one-shot 1 an : Accès 1 an sans renouvellement avec prix libre

Fichiers générés

• .stripe-config.test.json : Configuration pour l'environnement de test
• .stripe-config.live.json : Configuration pour l'environnement de production

Environnements

Le script détecte automatiquement l'environnement via la clé API :

• sk_test_... : Environnement de test
• sk_live_... : Environnement de production

Notes importantes

• Les webhooks existants ne sont jamais modifiés, un nouveau endpoint est créé si nécessaire
• La configuration est sauvegardée dans .stripe-config.{environment}.json
• Le Customer Portal utilise la configuration par défaut de Stripe
• Les prix par défaut (50€) sont indicatifs, le système utilise price_data pour les prix libres

---

📁 Project Structure

.
├── api/                           # Backend source code
│   ├── db.ts                      # Database connection pool
│   ├── middleware.ts              # Express middlewares (e.g., public key check)
│   ├── public_keys.json           # Manages public API keys and quotas
│   ├── quotaManager.ts            # Logic for key loading and quota tracking
│   ├── server.ts                  # Express server setup and entry point
│   ├── schema.ts                  # Database schema creation
│   ├── auth.middleware.ts         # JWT authentication middleware
│   ├── auth.controller.ts         # User authentication (login, register)
│   ├── users.controller.ts        # User management
│   ├── tickets.controller.ts      # Support tickets system
│   ├── stories.controller.ts      # Public stories routes
│   ├── admin.stories.controller.ts # Admin stories management
│   ├── mystories.controller.ts    # User story ownership
│   ├── poweruser.controller.ts    # Poweruser admin functions
│   └── scores.controller.ts       # Scores and statistics
├── components/                     # Frontend React components
...