feat: Update Forum Notification Widget documentation and add plugin XML configuration

Author: frasermolyneux

docs/forum-notification-widget.md

@@ -4,122 +4,58 @@
 
 This document describes how to embed the XtremeIdiots Portal notification widget on the xtremeidiots.com Invision Community forum. The widget shows personalised notifications for logged-in forum users and a public activity feed for guests.
 
-## Prerequisites
+## Installation (2 steps)
 
-1. The HMAC shared secret must be configured in both:
-   - **Portal**: via Azure App Configuration key `XtremeIdiots:ExternalWidget:HmacSecret` (auto-provisioned by portal-environments Terraform)
-   - **Forum**: as a custom Invision Community setting (see step 2 below)
-
-2. The portal must be deployed with the external notifications API (`/api/external/notifications`)
-
-## Step 1: Add the HMAC Secret to Invision Community
-
-1. Go to **ACP → System → Settings** (or use a custom plugin settings page)
-2. Add a custom setting:
-   - **Key**: `portal_hmac_secret`
-   - **Value**: Copy the HMAC secret from Azure Key Vault (`external-widget-hmac-secret` in the shared Key Vault)
-
-> **Important**: The secret value must match exactly between the portal and forum. After the initial Terraform apply, retrieve the value from Azure Key Vault and paste it into the forum setting.
-
-## Step 2: Add the Widget to the Forum Template
-
-Edit the Invision Community theme template where you want the widget to appear (e.g., sidebar, footer, or a custom page block).
-
-### Option A: Global Template (sidebar on all pages)
-
-Edit the **globalTemplate** or **sidebar** template in your theme:
-
-```html
-{{if member.member_id}}
-    <?php
-        $secret = \IPS\Settings::i()->portal_hmac_secret;
-        $memberId = \IPS\Member::loggedIn()->member_id;
-        $timestamp = time();
-        $hmac = hash_hmac('sha256', "{$memberId}:{$timestamp}", $secret);
-        $token = base64_encode("{$memberId}:{$timestamp}:{$hmac}");
-    ?>
-    <div id="portal-notifications-widget"
-         data-token="<?php echo $token; ?>"
-         data-portal-url="https://portal.xtremeidiots.com">
-    </div>
-{{else}}
-    <div id="portal-notifications-widget"
-         data-token=""
-         data-portal-url="https://portal.xtremeidiots.com">
-    </div>
-{{endif}}
-<script src="https://portal.xtremeidiots.com/js/forum-widget.js" defer></script>
-```
+### Step 1: Install the Settings Plugin
+
+1. Upload `docs/invision-plugin/plugin.xml` via **ACP → System → Plugins → Install New Plugin**
+2. Click the cog icon next to the plugin to open settings
+3. Set **HMAC Shared Secret** — paste from Azure Key Vault (`external-widget-hmac-secret`)
+4. Set **Portal Base URL** — `https://portal.xtremeidiots.com` (default)
+5. Set **Enable Widget** — Yes
+
+This plugin only registers settings — it does not inject any code or hooks.
 
-### Option B: Using an Invision Community Plugin Hook
+### Step 2: Create a Custom PHP Block
 
-If you prefer not to mix PHP into templates, create a simple plugin:
+1. Go to **ACP → Pages → Blocks → Create New Block → Custom → PHP**
+2. Give it a name (e.g., "Portal Notifications")
+3. Paste the following as the block content:
 
-**File: `hooks/portalWidget.php`**
 ```php
-class portalWidget
-{
-    public function globalTemplate($html)
-    {
-        $member = \IPS\Member::loggedIn();
-        $token = '';
-
-        if ($member->member_id) {
-            $secret = \IPS\Settings::i()->portal_hmac_secret;
-            $memberId = $member->member_id;
-            $timestamp = time();
-            $hmac = hash_hmac('sha256', "{$memberId}:{$timestamp}", $secret);
-            $token = base64_encode("{$memberId}:{$timestamp}:{$hmac}");
-        }
-
-        $widget = <<<HTML
-<div id="portal-notifications-widget"
-     data-token="{$token}"
-     data-portal-url="https://portal.xtremeidiots.com">
-</div>
-<script src="https://portal.xtremeidiots.com/js/forum-widget.js" defer></script>
-HTML;
-
-        // Insert before </body>
-        return str_replace('</body>', $widget . '</body>', $html);
+$portalToken = '';
+$portalUrl = rtrim( \IPS\Settings::i()->portal_base_url ?: 'https://portal.xtremeidiots.com', '/' );
+$member = \IPS\Member::loggedIn();
+if ( $member->member_id ) {
+    $secret = \IPS\Settings::i()->portal_hmac_secret;
+    if ( !empty( $secret ) ) {
+        $memberId = (string) $member->member_id;
+        $timestamp = (string) time();
+        $hmac = hash_hmac( 'sha256', "{$memberId}:{$timestamp}", $secret );
+        $portalToken = base64_encode( "{$memberId}:{$timestamp}:{$hmac}" );
     }
 }
+echo '<div id="portal-notifications-widget" data-token="' . htmlspecialchars( $portalToken, ENT_QUOTES, 'UTF-8' ) . '" data-portal-url="' . htmlspecialchars( $portalUrl, ENT_QUOTES, 'UTF-8' ) . '"></div>';
+echo '<script src="' . htmlspecialchars( $portalUrl, ENT_QUOTES, 'UTF-8' ) . '/js/forum-widget.js" defer></script>';
 ```
 
-### Option C: Custom HTML Block (simplest)
+4. Save the block
+5. Place the block via the front-end widget manager — drag it into the sidebar or wherever you want it
 
-If you just want a quick test, use the **Pages** app or a **Custom Block**:
+## Prerequisites
 
-1. Go to **ACP → Pages → Blocks → Create New Block**
-2. Choose **Custom HTML**
-3. Paste:
-```html
-<?php
-$token = '';
-$member = \IPS\Member::loggedIn();
-if ($member->member_id) {
-    $secret = \IPS\Settings::i()->portal_hmac_secret;
-    $memberId = $member->member_id;
-    $timestamp = time();
-    $hmac = hash_hmac('sha256', "{$memberId}:{$timestamp}", $secret);
-    $token = base64_encode("{$memberId}:{$timestamp}:{$hmac}");
-}
-?>
-<div id="portal-notifications-widget"
-     data-token="<?php echo $token; ?>"
-     data-portal-url="https://portal.xtremeidiots.com">
-</div>
-<script src="https://portal.xtremeidiots.com/js/forum-widget.js" defer></script>
-```
-4. Place the block in your desired sidebar/widget area
+- The HMAC shared secret must be configured in both:
+  - **Portal**: via Azure App Configuration key `XtremeIdiots:ExternalWidget:HmacSecret` (auto-provisioned by portal-environments Terraform)
+  - **Forum**: via the plugin settings page (Step 1 above)
+- The portal must be deployed with the external notifications API (`/api/external/notifications`)
 
 ## How It Works
 
-1. **Token generation** (forum-side): When a logged-in forum user loads a page, the PHP template generates an HMAC-SHA256 signed token containing their forum member ID and a Unix timestamp, signed with the shared secret.
+1. **Token generation** (forum-side): The plugin widget generates an HMAC-SHA256 signed token containing the logged-in forum member's ID and a Unix timestamp, signed with the shared secret.
 
 2. **Token format**: `Base64({forumMemberId}:{timestampUnix}:{hmacHex})`
 
-3. **Widget load**: The JavaScript widget (`forum-widget.js`) reads the token from the `data-token` attribute and calls the portal API.
+3. **Widget load**: The JavaScript widget (`forum-widget.js`, served from the portal) reads the token from the `data-token` attribute and calls the portal API.
 
 4. **API response**:
    - **No token / invalid token**: Returns a public feed (recent admin actions)
@@ -157,7 +93,13 @@ To customise, override the styles in your forum theme CSS:
 
 | Issue | Cause | Fix |
 |-------|-------|-----|
-| Widget shows "Portal URL not configured" | Missing `data-portal-url` attribute | Ensure the attribute is set in the template |
+| Widget shows "Portal URL not configured" | Missing portal base URL in plugin settings | Check plugin settings in ACP |
 | Widget shows "Unable to load notifications" | CORS or network error | Check browser console; verify portal CORS allows the forum domain |
-| All users see public feed only | HMAC secret mismatch | Ensure the forum `portal_hmac_secret` matches the Azure Key Vault value |
+| All users see public feed only | HMAC secret mismatch | Ensure the plugin's HMAC secret matches the Azure Key Vault value |
 | Token always expired | Server clock drift | Ensure both servers have NTP synced clocks (±1 minute tolerance) |
+
+## Updating
+
+To update the plugin, upload the new `plugin.xml` via ACP → System → Plugins. Settings are preserved across updates.
+
+To rotate the HMAC secret: update both the Azure Key Vault value and the plugin setting in ACP. Changes take effect immediately.

docs/invision-plugin/README.md

@@ -0,0 +1,24 @@
+# XtremeIdiots Portal Notifications — Invision Community Plugin
+
+## What This Plugin Does
+
+Registers 3 ACP settings for the portal notification widget:
+- **Enable Widget** (Yes/No toggle)
+- **HMAC Shared Secret** (for signing auth tokens)
+- **Portal Base URL** (defaults to `https://portal.xtremeidiots.com`)
+
+This plugin **only provides settings** — the widget itself is delivered via a custom PHP block (see below).
+
+## Installation
+
+1. Upload `plugin.xml` via **ACP → System → Plugins → Install New Plugin**
+2. Click the cog icon next to the plugin → configure the 3 settings
+3. Create a custom PHP block: **ACP → Pages → Blocks → Create New Block → Custom → PHP**
+4. Paste the PHP snippet from `docs/forum-notification-widget.md` as the block content (use `echo`, not `return`)
+5. Place the block via the front-end widget manager into the sidebar
+
+See `docs/forum-notification-widget.md` for the full snippet and troubleshooting guide.
+
+## Why a Custom Block?
+
+IPS4's plugin template compiler doesn't support `hash_hmac()` and `base64_encode()` calls needed for HMAC token generation. A custom PHP block executes raw PHP directly, bypassing the template compiler.

docs/invision-plugin/plugin.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<plugin name="XtremeIdiots Portal Notifications" version_long="10004" version_human="1.0.4" author="XtremeIdiots" website="https://portal.xtremeidiots.com" update_check=""><hooks/><settings><setting><key>portal_notifications_enabled</key><default>1</default></setting><setting><key>portal_hmac_secret</key><default></default></setting><setting><key>portal_base_url</key><default>https://portal.xtremeidiots.com</default></setting></settings><settingsCode><![CDATA[//<?php
+
+$form->addHeader('Portal Notifications Widget');
+$form->add( new \IPS\Helpers\Form\YesNo( 'portal_notifications_enabled', \IPS\Settings::i()->portal_notifications_enabled, FALSE, array(), NULL, NULL, NULL, 'portal_notifications_enabled' ) );
+$form->add( new \IPS\Helpers\Form\Text( 'portal_hmac_secret', \IPS\Settings::i()->portal_hmac_secret, FALSE, array(), NULL, NULL, NULL, 'portal_hmac_secret' ) );
+$form->add( new \IPS\Helpers\Form\Url( 'portal_base_url', \IPS\Settings::i()->portal_base_url ?: 'https://portal.xtremeidiots.com', FALSE, array(), NULL, NULL, NULL, 'portal_base_url' ) );
+
+if ( $values = $form->values() )
+{
+	$form->saveAsSettings();
+	return TRUE;
+}
+
+return $form;]]></settingsCode><tasks/><widgets/><htmlFiles/><cssFiles/><jsFiles/><resourcesFiles/><lang><word key="portal_notifications_enabled" js="0">Enable Widget</word><word key="portal_hmac_secret" js="0">HMAC Shared Secret</word><word key="portal_hmac_secret_desc" js="0">Copy from Azure Key Vault (external-widget-hmac-secret). Must match the portal value.</word><word key="portal_base_url" js="0">Portal Base URL</word><word key="portal_base_url_desc" js="0">The base URL of the XtremeIdiots Portal (no trailing slash).</word></lang><versions><version long="10004" human="1.0.4"><![CDATA[//<?php
+
+if ( !defined( '\IPS\SUITE_UNIQUE_KEY' ) )
+{
+	header( ( isset( $_SERVER['SERVER_PROTOCOL'] ) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0' ) . ' 403 Forbidden' );
+	exit;
+}
+
+class ips_plugins_setup_install
+{
+	public function step1()
+	{
+		return TRUE;
+	}
+}]]></version></versions></plugin>

src/XtremeIdiots.Portal.Web/wwwroot/js/forum-widget.js

@@ -219,28 +219,28 @@
         var style = document.createElement('style');
         style.id = 'xi-pw-styles';
         style.textContent =
-            '.xi-portal-widget{font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,sans-serif;font-size:13px;border:1px solid #ddd;border-radius:6px;background:#fff;overflow:hidden;max-width:400px}' +
-            '.xi-pw-header{display:flex;justify-content:space-between;align-items:center;padding:10px 14px;background:#2b3a4a;color:#fff;font-weight:600}' +
+            '.xi-portal-widget{font-family:inherit;font-size:13px;border:1px solid #333;border-radius:4px;background:#262626;overflow:hidden;max-width:400px;color:#ccc}' +
+            '.xi-pw-header{display:flex;justify-content:space-between;align-items:center;padding:8px 12px;background:#1a1a1a;color:#e0e0e0;font-weight:600;border-bottom:1px solid #333}' +
             '.xi-pw-title{display:flex;align-items:center;gap:6px}' +
             '.xi-pw-bell{font-size:16px}' +
-            '.xi-pw-badge{background:#e74c3c;color:#fff;font-size:11px;padding:1px 6px;border-radius:10px;margin-left:4px}' +
-            '.xi-pw-mark-all{color:#aec6e0;font-size:11px;text-decoration:none;white-space:nowrap}' +
-            '.xi-pw-mark-all:hover{color:#fff}' +
+            '.xi-pw-badge{background:#c0392b;color:#fff;font-size:11px;padding:1px 6px;border-radius:10px;margin-left:4px}' +
+            '.xi-pw-mark-all{color:#7eaac4;font-size:11px;text-decoration:none;white-space:nowrap}' +
+            '.xi-pw-mark-all:hover{color:#aed6f1}' +
             '.xi-pw-list{max-height:360px;overflow-y:auto}' +
-            '.xi-pw-item{display:block;padding:10px 14px;border-bottom:1px solid #f0f0f0;text-decoration:none;color:#333;transition:background .15s}' +
-            '.xi-pw-item:hover{background:#f8f9fa;text-decoration:none;color:#333}' +
-            '.xi-pw-unread{background:#f0f7ff;border-left:3px solid #3498db}' +
+            '.xi-pw-item{display:block;padding:8px 12px;border-bottom:1px solid #333;text-decoration:none;color:#ccc;transition:background .15s}' +
+            '.xi-pw-item:hover{background:#2f2f2f;text-decoration:none;color:#fff}' +
+            '.xi-pw-unread{background:#1e2a35;border-left:3px solid #3498db}' +
             '.xi-pw-item-header{display:flex;justify-content:space-between;align-items:baseline;gap:8px}' +
-            '.xi-pw-item-title{font-weight:600;font-size:12px;flex:1;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}' +
-            '.xi-pw-item-time{font-size:11px;color:#999;white-space:nowrap}' +
-            '.xi-pw-item-msg{font-size:12px;color:#666;margin-top:2px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}' +
-            '.xi-pw-unclaimed{display:block;padding:8px 14px;background:#fff3cd;color:#856404;font-size:12px;text-decoration:none;border-top:1px solid #ffeaa7}' +
-            '.xi-pw-unclaimed:hover{background:#ffe69c;text-decoration:none;color:#856404}' +
-            '.xi-pw-footer{padding:8px 14px;text-align:center;background:#f8f9fa;border-top:1px solid #eee}' +
-            '.xi-pw-footer a{color:#3498db;text-decoration:none;font-size:12px;font-weight:500}' +
-            '.xi-pw-footer a:hover{text-decoration:underline}' +
-            '.xi-pw-empty{padding:24px;text-align:center;color:#999}' +
-            '.xi-pw-loading{padding:24px;text-align:center;color:#999}' +
+            '.xi-pw-item-title{font-weight:600;font-size:12px;flex:1;overflow:hidden;text-overflow:ellipsis;white-space:nowrap;color:#e0e0e0}' +
+            '.xi-pw-item-time{font-size:11px;color:#777;white-space:nowrap}' +
+            '.xi-pw-item-msg{font-size:12px;color:#999;margin-top:2px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}' +
+            '.xi-pw-unclaimed{display:block;padding:8px 12px;background:#3d2f0a;color:#f0c040;font-size:12px;text-decoration:none;border-top:1px solid #4a3a10}' +
+            '.xi-pw-unclaimed:hover{background:#4a3a10;text-decoration:none;color:#ffd54f}' +
+            '.xi-pw-footer{padding:8px 12px;text-align:center;background:#1a1a1a;border-top:1px solid #333}' +
+            '.xi-pw-footer a{color:#7eaac4;text-decoration:none;font-size:12px;font-weight:500}' +
+            '.xi-pw-footer a:hover{color:#aed6f1;text-decoration:underline}' +
+            '.xi-pw-empty{padding:24px;text-align:center;color:#777}' +
+            '.xi-pw-loading{padding:24px;text-align:center;color:#777}' +
             '.xi-pw-error{padding:16px;text-align:center;color:#e74c3c;font-size:12px}';
         document.head.appendChild(style);
     }