feat(whatsapp-setup): make token optional when org already has one stored

If an org already has a systemUserToken, the /whatsapp-setup route now
reuses it automatically. Admins can reconfigure WABA ID + Phone Number ID
without re-entering the token — useful for adding a new phone number to
an existing connected account.

apps/admin/src/pages/SettingsPage.tsx

@@ -284,13 +284,15 @@ export default function SettingsPage() {
                                     />
                                 </div>
                                 <div>
-                                    <label className="block text-xs text-slate-400 mb-1">System User Token *</label>
+                                    <label className="block text-xs text-slate-400 mb-1">
+                                        System User Token
+                                        {org.systemUserToken && <span className="ml-2 text-emerald-400">(optionnel — token existant conservé)</span>}
+                                    </label>
                                     <input
-                                        required
                                         type="password"
                                         value={waForm.accessToken}
                                         onChange={e => setWaForm(f => ({ ...f, accessToken: e.target.value }))}
-                                        placeholder="EAAxxxxxxx..."
+                                        placeholder={org.systemUserToken ? 'Laisser vide pour conserver le token actuel' : 'EAAxxxxxxx...'}
                                         className="w-full px-3 py-2 bg-slate-700 border border-slate-600 rounded-lg text-white text-xs font-mono focus:ring-2 focus:ring-emerald-500 outline-none"
                                     />
                                 </div>

apps/api/src/routes/organizations.ts

@@ -133,31 +133,42 @@ export async function organizationRoutes(fastify: FastifyInstance) {
 
         const { phoneNumber, phoneNumberId, wabaId } = body.data;
 
-        // Resolve token: request body first, then env var (for platform-owner direct setup)
-        const accessToken = body.data.accessToken || process.env.WHATSAPP_ACCESS_TOKEN;
-        if (!accessToken) {
-            return reply.code(400).send({ error: 'accessToken required — set it in the request or configure WHATSAPP_ACCESS_TOKEN env var' });
+        // Resolve token: request body → env var → existing stored token (so re-entry is not needed)
+        let realToken: string | null = body.data.accessToken || process.env.WHATSAPP_ACCESS_TOKEN || null;
+
+        if (!realToken) {
+            // Fall back to the token already stored for this org
+            const existing = await prisma.organization.findUnique({
+                where: { id },
+                select: { systemUserToken: true }
+            });
+            if (existing?.systemUserToken) {
+                const { decryptSecrets } = await import('../services/organization');
+                const decrypted = decryptSecrets(existing as any);
+                realToken = (decrypted as any).systemUserToken ?? null;
+            }
+        }
+
+        if (!realToken) {
+            return reply.code(400).send({ error: 'accessToken required — no token provided and none stored for this organization' });
         }
 
         // Exchange OAuth code for a long-lived token if needed.
         // Meta Embedded Signup returns a short-lived OAuth code (not starting with EAA).
-        let realToken = accessToken;
-        if (!accessToken.startsWith('EAA')) {
+        if (!realToken.startsWith('EAA')) {
             const appId = process.env.META_APP_ID;
             const appSecret = process.env.WHATSAPP_APP_SECRET;
             if (!appId || !appSecret) {
                 return reply.code(500).send({ error: 'META_APP_ID and WHATSAPP_APP_SECRET must be configured to exchange OAuth code' });
             }
-            // Step 1: code → short-lived user access token
             const exchangeRes = await fetch(
-                `https://graph.facebook.com/oauth/access_token?client_id=${appId}&client_secret=${appSecret}&code=${accessToken}&redirect_uri=`
+                `https://graph.facebook.com/oauth/access_token?client_id=${appId}&client_secret=${appSecret}&code=${realToken}&redirect_uri=`
             );
             const exchangeData = await exchangeRes.json() as { access_token?: string; error?: { message: string } };
             if (!exchangeData.access_token) {
                 logger.error({ detail: exchangeData.error?.message }, '[WHATSAPP-SETUP] OAuth code exchange failed');
                 return reply.code(400).send({ error: 'Failed to exchange OAuth code with Meta', detail: exchangeData.error?.message });
             }
-            // Step 2: short-lived → long-lived token (60 days)
             const longLivedRes = await fetch(
                 `https://graph.facebook.com/oauth/access_token?grant_type=fb_exchange_token&client_id=${appId}&client_secret=${appSecret}&fb_exchange_token=${exchangeData.access_token}`
             );
@@ -170,7 +181,7 @@ export async function organizationRoutes(fastify: FastifyInstance) {
             await prisma.$transaction(async (tx) => {
                 await tx.organization.update({
                     where: { id },
-                    data: encryptSecrets({ systemUserToken: realToken, wabaId, systemUserTokenIssuedAt: new Date() })
+                    data: encryptSecrets({ systemUserToken: realToken!, wabaId, systemUserTokenIssuedAt: new Date() })
                 });
 
                 if (phoneNumberId) {