samouraiworld
diff --git a/‎backend/broadcast_event.go‎
Lines changed: 1 addition & 1 deletion b/‎backend/broadcast_event.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎backend/confirm_ticket_payment.go‎
Lines changed: 165 additions & 14 deletions b/‎backend/confirm_ticket_payment.go‎
Lines changed: 165 additions & 14 deletions
diff --git a/‎backend/confirm_ticket_payment_test.go‎
Lines changed: 12 additions & 7 deletions b/‎backend/confirm_ticket_payment_test.go‎
Lines changed: 12 additions & 7 deletions
diff --git a/‎backend/create_event.go‎
Lines changed: 1 addition & 1 deletion b/‎backend/create_event.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎backend/mail.go‎
Lines changed: 50 additions & 2 deletions b/‎backend/mail.go‎
Lines changed: 50 additions & 2 deletions
@@ -100,7 +100,7 @@ func (s *ZenaoServer) BroadcastEvent(
 		attachments := make([]*resend.Attachment, 0, len(tickets))
 		if req.Msg.AttachTicket {
 			for i, ticket := range tickets[authParticipant.ID] {
-				pdfData, err := GeneratePDFTicket(evt, ticket.Ticket.Secret(), ticket.User.DisplayName, authParticipant.Email, ticket.CreatedAt, s.Logger)
+				pdfData, err := GeneratePDFTicket(evt, ticket.Ticket.Secret(), ticket.User.DisplayName, authParticipant.Email, ticket.CreatedAt, nil, s.Logger)
 				if err != nil {
 					s.Logger.Error("generate-ticket-pdf", zap.Error(err), zap.String("ticket-id", ticket.Ticket.Secret()))
 					return nil, err
 
@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"errors"
+	"fmt"
 	"strings"
 	"time"
 
@@ -141,6 +142,165 @@ func (s *ZenaoServer) issueTicketsAfterConfirmation(ctx context.Context, order *
 		zap.String("order-id", order.ID),
 		zap.Int("issued-count", issuedCount),
 	)
+
+	// Tickets just transitioned to "issued": this block runs exactly once per
+	// order (the early-return above guards re-entry), so it is safe to deliver
+	// the ticket email here without resending it on every confirm poll.
+	//
+	// Building the email generates a PDF per ticket and can be slow for large
+	// orders, so it runs off the request path. The issued transition is already
+	// committed, so the confirm endpoint can return immediately. A detached
+	// context keeps the send alive after the request context is cancelled.
+	emailCtx := context.WithoutCancel(issueCtx)
+	go func() {
+		if err := s.sendOrderTicketsEmail(emailCtx, order); err != nil {
+			s.Logger.Error("send-order-tickets-email", zap.Error(err), zap.String("order-id", order.ID))
+		}
+	}()
+}
+
+// sendOrderTicketsEmail delivers a single email to the buyer with every ticket
+// of the order: each one as an inline QR code in the body and as an attached
+// PDF, plus an ICS calendar invite. The QR codes (entry tokens) go only to the
+// buyer, never to attendee-provided emails, following standard ticketing
+// practice (the buyer paid and controls distribution).
+func (s *ZenaoServer) sendOrderTicketsEmail(ctx context.Context, order *zeni.Order) error {
+	if s.MailClient == nil || s.Auth == nil || order == nil {
+		return nil
+	}
+
+	buyerEmail, err := s.userEmail(ctx, order.BuyerID)
+	if err != nil {
+		return err
+	}
+
+	tickets, err := s.DB.WithContext(ctx).GetOrderTickets(order.ID)
+	if err != nil {
+		return err
+	}
+	if len(tickets) == 0 {
+		return errors.New("order has no tickets")
+	}
+
+	evt, err := s.DB.WithContext(ctx).GetEvent(order.EventID)
+	if err != nil {
+		return err
+	}
+	if evt == nil {
+		return errors.New("event not found")
+	}
+
+	// Resolve attendee emails to label each ticket inside the buyer's own email.
+	authIDs := make([]string, 0, len(tickets))
+	for _, ticket := range tickets {
+		if ticket == nil || ticket.User == nil || strings.TrimSpace(ticket.User.AuthID) == "" {
+			continue
+		}
+		authIDs = append(authIDs, ticket.User.AuthID)
+	}
+	authUsers, err := s.Auth.GetUsersFromIDs(ctx, authIDs)
+	if err != nil {
+		return err
+	}
+	emailByAuthID := make(map[string]string, len(authUsers))
+	for _, user := range authUsers {
+		if user != nil {
+			emailByAuthID[user.ID] = user.Email
+		}
+	}
+
+	items := make([]ticketEmailItem, 0, len(tickets))
+	for _, ticket := range tickets {
+		if ticket == nil || ticket.Ticket == nil {
+			continue
+		}
+		email := ""
+		displayName := ""
+		if ticket.User != nil {
+			email = emailByAuthID[ticket.User.AuthID]
+			displayName = ticket.User.DisplayName
+		}
+		items = append(items, ticketEmailItem{
+			Secret:      ticket.Ticket.Secret(),
+			DisplayName: displayName,
+			Email:       email,
+		})
+	}
+
+	qrs, attachments, err := buildTicketEmailAttachments(evt, items, s.MailSender, s.Logger)
+	if err != nil {
+		return err
+	}
+
+	htmlStr, text, err := ticketsConfirmationMailContent(evt, "Your tickets are attached and shown below.", qrs)
+	if err != nil {
+		return err
+	}
+
+	tracer := otel.Tracer("mail")
+	mailCtx, span := tracer.Start(ctx, "mail.OrderTickets", trace.WithSpanKind(trace.SpanKindClient))
+	defer span.End()
+
+	// XXX: Replace sender name with organizer name
+	_, err = s.MailClient.Emails.SendWithContext(mailCtx, &resend.SendEmailRequest{
+		From:        fmt.Sprintf("Zenao <%s>", s.MailSender),
+		To:          []string{buyerEmail},
+		Subject:     fmt.Sprintf("%s - Your tickets", evt.Title),
+		Html:        htmlStr,
+		Text:        text,
+		Attachments: attachments,
+	})
+	return err
+}
+
+// resolvePaymentSeller builds the merchant-of-record details shown to the buyer.
+// It prefers the Stripe business profile mirrored on the payment account and
+// falls back to the community display name.
+func (s *ZenaoServer) resolvePaymentSeller(ctx context.Context, order *zeni.Order) paymentSeller {
+	seller := paymentSeller{}
+
+	if communities, err := s.DB.WithContext(ctx).CommunitiesByEvent(order.EventID); err != nil {
+		s.Logger.Error("resolve-payment-seller", zap.Error(err), zap.String("order-id", order.ID))
+	} else if len(communities) > 0 && communities[0] != nil {
+		seller.Name = communities[0].DisplayName
+	}
+
+	account, err := s.DB.WithContext(ctx).GetOrderPaymentAccount(order.ID)
+	if err != nil {
+		s.Logger.Error("resolve-payment-seller", zap.Error(err), zap.String("order-id", order.ID))
+		return seller
+	}
+	if account != nil {
+		if name := strings.TrimSpace(account.BusinessName); name != "" {
+			seller.Name = name
+		} else if name := strings.TrimSpace(account.LegalName); name != "" {
+			seller.Name = name
+		}
+		seller.SupportEmail = strings.TrimSpace(account.SupportEmail)
+		seller.Address = strings.TrimSpace(account.BusinessAddress)
+	}
+
+	return seller
+}
+
+// userEmail resolves a Zenao user ID to its authenticated email address.
+func (s *ZenaoServer) userEmail(ctx context.Context, userID string) (string, error) {
+	users, err := s.DB.WithContext(ctx).GetUsersByIDs([]string{userID})
+	if err != nil {
+		return "", err
+	}
+	if len(users) == 0 || users[0] == nil || strings.TrimSpace(users[0].AuthID) == "" {
+		return "", errors.New("user auth id not found")
+	}
+
+	authUsers, err := s.Auth.GetUsersFromIDs(ctx, []string{users[0].AuthID})
+	if err != nil {
+		return "", err
+	}
+	if len(authUsers) == 0 || authUsers[0] == nil || strings.TrimSpace(authUsers[0].Email) == "" {
+		return "", errors.New("user email not found")
+	}
+	return authUsers[0].Email, nil
 }
 
 func (s *ZenaoServer) issueOrderTickets(ctx context.Context, order *zeni.Order) (int, error) {
@@ -257,21 +417,10 @@ func (s *ZenaoServer) sendPurchaseConfirmationEmail(ctx context.Context, order *
 		return nil
 	}
 
-	users, err := s.DB.WithContext(ctx).GetUsersByIDs([]string{order.BuyerID})
+	buyerEmail, err := s.userEmail(ctx, order.BuyerID)
 	if err != nil {
 		return err
 	}
-	if len(users) == 0 || users[0] == nil || strings.TrimSpace(users[0].AuthID) == "" {
-		return errors.New("buyer auth id not found")
-	}
-
-	authUsers, err := s.Auth.GetUsersFromIDs(ctx, []string{users[0].AuthID})
-	if err != nil {
-		return err
-	}
-	if len(authUsers) == 0 || authUsers[0] == nil || strings.TrimSpace(authUsers[0].Email) == "" {
-		return errors.New("buyer email not found")
-	}
 
 	evt, err := s.DB.WithContext(ctx).GetEvent(order.EventID)
 	if err != nil {
@@ -281,7 +430,9 @@ func (s *ZenaoServer) sendPurchaseConfirmationEmail(ctx context.Context, order *
 		return errors.New("event not found")
 	}
 
-	htmlStr, text, err := purchaseConfirmationMailContent(evt, "Purchase confirmed! Your tickets will arrive in a separate email.")
+	seller := s.resolvePaymentSeller(ctx, order)
+
+	htmlStr, text, err := purchaseConfirmationMailContent(evt, order, seller, "Purchase confirmed! Your tickets will arrive in a separate email.")
 	if err != nil {
 		return err
 	}
@@ -293,7 +444,7 @@ func (s *ZenaoServer) sendPurchaseConfirmationEmail(ctx context.Context, order *
 	_, err = s.MailClient.Emails.SendWithContext(mailCtx, &resend.SendEmailRequest{
 		// XXX: Replace sender name with organizer name
 		From:    "Zenao <" + s.MailSender + ">",
-		To:      []string{authUsers[0].Email},
+		To:      []string{buyerEmail},
 		Subject: evt.Title + " - Purchase confirmed",
 		Html:    htmlStr,
 		Text:    text,
 
@@ -8,6 +8,7 @@ import (
 	"net/http/httptest"
 	"net/url"
 	"sync"
+	"sync/atomic"
 	"testing"
 	"time"
 
@@ -166,10 +167,11 @@ func setupPaymentConfirmationFixtureWithAttendees(t *testing.T, attendeeEmails [
 	return db, sqlDB, orderID, sessionID.String, checkoutAuth
 }
 
-func newTestResendClient(t *testing.T) (*resend.Client, *int) {
-	count := 0
+func newTestResendClient(t *testing.T) (*resend.Client, *atomic.Int64) {
+	// atomic because ticket emails are sent from a background goroutine.
+	count := &atomic.Int64{}
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		count++
+		count.Add(1)
 		w.Header().Set("Content-Type", "application/json")
 		_, _ = w.Write([]byte(`{"id":"email_123"}`))
 	}))
@@ -180,7 +182,7 @@ func newTestResendClient(t *testing.T) (*resend.Client, *int) {
 	require.NoError(t, err)
 	client.BaseURL = baseURL
 
-	return client, &count
+	return client, count
 }
 
 func TestConfirmTicketPaymentSuccessUpdatesOrderAndSendsEmailOnce(t *testing.T) {
@@ -229,7 +231,9 @@ func TestConfirmTicketPaymentSuccessUpdatesOrderAndSendsEmailOnce(t *testing.T)
 	require.Equal(t, string(zeni.OrderStatusSuccess), status)
 	require.Equal(t, "pi_test_123", intent.String)
 	require.True(t, confirmed.Valid)
-	require.Equal(t, 1, *sendCount)
+	// 1 purchase confirmation email (sent synchronously) + 1 ticket email
+	// bundling the order (sent from a background goroutine, hence Eventually).
+	require.Eventually(t, func() bool { return sendCount.Load() == 2 }, 2*time.Second, 10*time.Millisecond)
 
 	_, err = server.ConfirmTicketPayment(
 		context.Background(),
@@ -239,7 +243,8 @@ func TestConfirmTicketPaymentSuccessUpdatesOrderAndSendsEmailOnce(t *testing.T)
 		}),
 	)
 	require.NoError(t, err)
-	require.Equal(t, 1, *sendCount)
+	// Re-confirming must not resend the purchase or ticket emails.
+	require.Never(t, func() bool { return sendCount.Load() != 2 }, 200*time.Millisecond, 20*time.Millisecond)
 }
 
 func TestConfirmTicketPaymentPendingSkipsEmail(t *testing.T) {
@@ -283,7 +288,7 @@ func TestConfirmTicketPaymentPendingSkipsEmail(t *testing.T) {
 	require.NoError(t, row.Scan(&status, &confirmed))
 	require.Equal(t, string(zeni.OrderStatusPending), status)
 	require.False(t, confirmed.Valid)
-	require.Equal(t, 0, *sendCount)
+	require.Equal(t, int64(0), sendCount.Load())
 }
 
 func TestConfirmTicketPaymentStripeErrorDoesNotUpdateOrder(t *testing.T) {
 
@@ -172,7 +172,7 @@ func (s *ZenaoServer) CreateEvent(
 	webhook.TrySendDiscordMessage(s.Logger, s.DiscordToken, evt)
 
 	if s.MailClient != nil {
-		htmlStr, text, err := ticketsConfirmationMailContent(evt, "Event created!")
+		htmlStr, text, err := ticketsConfirmationMailContent(evt, "Event created!", nil)
 		if err != nil {
 			s.Logger.Error("generate-event-email-content", zap.Error(err), zap.String("event-id", evt.ID))
 		} else {
 
@@ -3,7 +3,10 @@ package main
 import (
 	"context"
 	_ "embed"
+	"encoding/base64"
 	"fmt"
+	"html/template"
+	"os"
 	"strings"
 	"time"
 
@@ -43,12 +46,57 @@ func execMail() error {
 	}
 	evt.ID = "10"
 
-	str, _, err := ticketsConfirmationMailContent(evt, "Welcome! Tickets will be sent in a few weeks!")
+	// For the browser preview, inline the QR codes as data URIs (real emails use
+	// "cid:" references resolved from attachments, which a standalone HTML file
+	// cannot display).
+	previewTickets := make([]ticketQR, 0, 2)
+	for i, secret := range []string{"PREVIEW-TICKET-SECRET-1", "PREVIEW-TICKET-SECRET-2"} {
+		png, err := qrCodePNG(secret, ticketEmailQRSize)
+		if err != nil {
+			return err
+		}
+		previewTickets = append(previewTickets, ticketQR{
+			Src:   template.URL("data:image/png;base64," + base64.StdEncoding.EncodeToString(png)),
+			Label: fmt.Sprintf("attendee%d@example.com", i+1),
+		})
+	}
+
+	ticketsHTML, _, err := ticketsConfirmationMailContent(evt, "Your tickets are attached and shown below.", previewTickets)
 	if err != nil {
 		return err
 	}
 
-	fmt.Println(str)
+	order := &zeni.Order{
+		ID:           "ord_9f3a1c7e",
+		EventID:      evt.ID,
+		AmountMinor:  5000,
+		CurrencyCode: "EUR",
+	}
+	purchaseHTML, purchaseText, err := purchaseConfirmationMailContent(
+		evt,
+		order,
+		paymentSeller{
+			Name:         "Ground Control Collective",
+			SupportEmail: "support@groundcontrol.example",
+			Address:      "12 Rue du Charolais, 75012, Paris, FR",
+		},
+		"Purchase confirmed! Your tickets will arrive in a separate email.",
+	)
+	if err != nil {
+		return err
+	}
+
+	previews := map[string]string{
+		"/tmp/zenao-mail-tickets.html":  ticketsHTML,
+		"/tmp/zenao-mail-purchase.html": purchaseHTML,
+		"/tmp/zenao-mail-purchase.txt":  purchaseText,
+	}
+	for path, content := range previews {
+		if err := os.WriteFile(path, []byte(content), 0o644); err != nil {
+			return err
+		}
+		fmt.Println("wrote", path)
+	}
 
 	return nil
 }