40227-vm/backend/docs/payments.md

Payments Backend

Purpose

payments is the per-organization record of payments received against invoices. It is a generic-CRUD slice assembled from the shared factories; the backend is the source of truth for payment records.

Slice Files (by layer)

• Route: src/routes/payments.ts — createCrudRouter(controller, { permission: 'payments' }).
• Controller: src/api/controllers/payments.controller.ts — createCrudController(service, { csvFields }).
• Service (BLL): src/services/payments.ts — createCrudService(DbApi, { notFoundCode: 'paymentsNotFound' }).
• Repository (DAL): src/db/api/payments.ts (PaymentsDBApi) — entity-specific create/bulkImport/update/findBy/findAll; remove/deleteByIds/findAllAutocomplete delegate to db/api/shared/repository.ts.
• Model: src/db/models/payments.ts.
• Shared used: CRUD factories (services/shared/crud-service.ts, api/controllers/shared/crud-controller.ts, api/http/crud-router.ts), repository helpers (db/api/shared/repository.ts), shared/constants/pagination.ts (resolvePagination), db/api/file.ts (replaceRelationFiles for the proof relation).

API

The standard generic-CRUD surface (all under /api/payments, JWT + ${METHOD}_PAYMENTS permission, all 200) — see backend-architecture.md for the shared contract:

• POST / — body { data }, returns true.
• POST /bulk-import — multipart CSV file, returns true.
• PUT /:id — body { data, id } (the service reads the id from the body, not the path param), returns true.
• DELETE /:id — returns true.
• POST /deleteByIds — body { data: string[] }, returns true.
• GET / — query filters, returns { rows, count }; ?filetype=csv streams a CSV of csvFields.
• GET /count — returns { rows: [], count }.
• GET /autocomplete — ?query&limit&offset, returns [{ id, label }] where label is receipt_number.
• GET /:id — returns the record with eager associations (see Data Contract).

csvFields: id, receipt_number, reference_code, notes, amount, paid_at.

Access Rules

• JWT required; the whole router is guarded by checkCrudPermissions('payments'), deriving READ_PAYMENTS / CREATE_PAYMENTS / UPDATE_PAYMENTS / DELETE_PAYMENTS per HTTP method.
• Access is granted by role permission or per-user custom_permissions (see permissions.md).

Tenant Scope

• findAll scopes where.organizationId to currentUser.organizationId; a globalAccess role clears the org filter (sees all tenants).
• create assigns the organization from currentUser.organizationId; update only reassigns organization for globalAccess users (otherwise it stays the caller's org).

Data Contract

Model columns (paranoid, soft-delete via deletedAt):

• id (UUID PK), receipt_number, reference_code, notes (TEXT, nullable).
• paid_at — DATE.
• amount — DECIMAL.
• method — ENUM cash | bank_transfer | card | mobile_money | cheque | other.
• importHash (unique), invoiceId, organizationId, received_byId, createdById, updatedById, timestamps.

Associations: belongsTo organization, invoice, received_by (staff), createdBy/updatedBy (users); hasMany file as proof (scoped relation). findBy/GET /:id eager-load organization, invoice, received_by, proof in a single Promise.all.

List filters (PaymentsFilter): id, receipt_number, reference_code, notes, paid_atRange, amountRange, method, invoice (id or invoice_number, |-separated), received_by (id or employee_number, |-separated), organization, createdAtRange, plus field/sort ordering and limit/page pagination.

Behavior / Notes

• create/bulkImport/update manage the proof file relation via FileDBApi.replaceRelationFiles.
• bulkImport offsets createdAt per row by BULK_IMPORT_TIMESTAMP_STEP_MS to preserve order.
• List pagination uses the shared resolvePagination defaults (page size 10, capped at 100).
• Note: PaymentsFilter accepts an active flag the model has no column for; it is currently inert (kept for source accuracy).

Tests

None yet.

Related

• Generic-CRUD contract: backend-architecture.md; related slices: invoices, staff, file.md, permissions.md.