feat(launch): security and correctness fixes for 2026-05-01 launch

Day-of-launch deep-dive audit and remediation. 11 issues fixed across security, correctness, and reliability. Tests: 698 → 758 passing (+60), 0 failing, 2 skipped. CRITICAL (security) Fix #1 — HELCIM_API_TOKEN removed from runtimeConfig.public; dead useHelcim.js deleted. Production token MUST BE ROTATED post-deploy (was previously exposed in window.__NUXT__ payload). Fix #2 — /api/helcim/customer gated with origin check + per-IP/email rate limit + magic-link email verification (replaces unauthenticated setAuthCookie). Adds payment-bridge token for paid-tier signup so users can complete Helcim checkout before email verify. New utils: server/utils/{magicLink,rateLimit}.js. UX: signup success copy now prompts user to check email. Fix #3 — /api/events/[id]/payment deleted (dead code with unauth member-spoof bypass — processHelcimPayment was a permanent stub). Removes processHelcimPayment export and eventPaymentSchema. Fix #4 — /api/helcim/initialize-payment re-derives ticket amount server-side via calculateTicketPrice and calculateSeriesTicketPrice. Adds new series_ticket metadata type (was being shoved through event_ticket with seriesId in metadata.eventId). Fix #5 — /api/helcim/customer upgrades existing status:guest members in place rather than rejecting with 409. Lowercases email at lookup; preserves _id so prior event registrations stay linked. HIGH (correctness / reliability) Fix #6 — Daily reconciliation cron via Netlify scheduled function (@daily). New: netlify.toml, netlify/functions/reconcile-payments.mjs, server/api/internal/reconcile-payments.post.js. Shared-secret auth via NUXT_RECONCILE_TOKEN env var. Inline 3-retry exponential backoff on Helcim transactions API. Fix #7 — validateBeforeSave: false on event subdoc saves (waitlist endpoints) to dodge legacy location validators. Fix #8 — /api/series/[id]/tickets/purchase always upserts a guest Member when caller is unauthenticated, mirrors event-ticket flow byte-for-byte. SeriesPassPurchase.vue adds guest-account hint and client auth refresh on signedIn:true response. Fix #9 — /api/members/cancel-subscription leaves status active per ratified bylaws (was pending_payment). Adds lastCancelledAt audit field on Member model. Indirectly fixes false-positive detectStuckPendingPayment admin alert for cancelled members. Fix #10 — /api/auth/verify uses validateBody with strict() Zod schema (verifyMagicLinkSchema, max 2000 chars). Fix #11 — 8 vitest cases for cancel-subscription handler (was uncovered). Specs and audit at docs/superpowers/specs/2026-04-25-fix-*.md and docs/superpowers/plans/2026-04-25-launch-readiness-fixes.md. LAUNCH_READINESS.md updated with new test count, 3 deploy-time tasks (rotate Helcim token, set NUXT_RECONCILE_TOKEN, verify Netlify scheduled function), and Fixed-2026-04-25 fix log.
2026-04-25 18:42:36 +01:00 · 2026-04-25 18:42:36 +01:00 · 208638e374
commit 208638e374
parent 0f2f1d1cbf
37 changed files with 1980 additions and 340 deletions
--- a/app/components/SeriesPassPurchase.vue
+++ b/app/components/SeriesPassPurchase.vue
@ -144,6 +144,7 @@
          <p class="text-xs text-[--ui-text-muted] text-center">
            By registering, you'll be automatically registered for all
            {{ seriesInfo.totalEvents }} events in this series.
+            <span v-if="!isLoggedIn"> We'll create a free guest account so you can access your pass.</span>
          </p>
        </form>
      </div>
@ -182,7 +183,7 @@ const props = defineProps({
 const emit = defineEmits(["purchase-success", "purchase-error"]);

 const toast = useToast();
-const { initializeTicketPayment, verifyPayment } = useHelcimPay();
+const { initializeSeriesTicketPayment, verifyPayment } = useHelcimPay();

 // State
 const loading = ref(true);
@ -264,10 +265,9 @@ const handleSubmit = async () => {
      paymentProcessing.value = true;

      // Initialize Helcim payment for series pass
-      await initializeTicketPayment(
+      await initializeSeriesTicketPayment(
        props.seriesId,
        form.value.email,
-        passInfo.value.ticket.price,
        props.seriesInfo.title,
      );

@ -298,6 +298,11 @@ const handleSubmit = async () => {
      }
    );

+    // Refresh client auth state if server signed us in (guest upgrade)
+    if (purchaseResponse?.signedIn) {
+      await useAuth().checkMemberStatus();
+    }
+
    // Show success message
    toast.add({
      title: "Series Pass Purchased!",
--- a/app/components/SignupFlowOverlay.vue
+++ b/app/components/SignupFlowOverlay.vue
@ -33,14 +33,9 @@
            </dl>
          </DashedBox>
          <p class="signup-flow-body" style="margin-top: 16px">
-            We've sent a confirmation email to {{ summary?.email }}. Redirecting
-            you to your dashboard...
+            Check {{ summary?.email }} for a sign-in link to finish setting up
+            your account. The link expires in 15 minutes.
          </p>
-          <div class="button-row" style="margin-top: 20px">
-            <NuxtLink :to="dashboardHref" class="btn btn-primary">
-              Go to Dashboard Now
-            </NuxtLink>
-          </div>
        </template>

        <template v-if="state === 'error'">