feat(launch): security and correctness fixes for 2026-05-01 launch

Day-of-launch deep-dive audit and remediation. 11 issues fixed across
security, correctness, and reliability. Tests: 698 → 758 passing
(+60), 0 failing, 2 skipped.

CRITICAL (security)

Fix #1 — HELCIM_API_TOKEN removed from runtimeConfig.public; dead
useHelcim.js deleted. Production token MUST BE ROTATED post-deploy
(was previously exposed in window.__NUXT__ payload).

Fix #2 — /api/helcim/customer gated with origin check + per-IP/email
rate limit + magic-link email verification (replaces unauthenticated
setAuthCookie). Adds payment-bridge token for paid-tier signup so
users can complete Helcim checkout before email verify. New utils:
server/utils/{magicLink,rateLimit}.js. UX: signup success copy now
prompts user to check email.

Fix #3 — /api/events/[id]/payment deleted (dead code with unauth
member-spoof bypass — processHelcimPayment was a permanent stub).
Removes processHelcimPayment export and eventPaymentSchema.

Fix #4 — /api/helcim/initialize-payment re-derives ticket amount
server-side via calculateTicketPrice and calculateSeriesTicketPrice.
Adds new series_ticket metadata type (was being shoved through
event_ticket with seriesId in metadata.eventId).

Fix #5 — /api/helcim/customer upgrades existing status:guest members
in place rather than rejecting with 409. Lowercases email at lookup;
preserves _id so prior event registrations stay linked.

HIGH (correctness / reliability)

Fix #6 — Daily reconciliation cron via Netlify scheduled function
(@daily). New: netlify.toml, netlify/functions/reconcile-payments.mjs,
server/api/internal/reconcile-payments.post.js. Shared-secret auth
via NUXT_RECONCILE_TOKEN env var. Inline 3-retry exponential backoff
on Helcim transactions API.

Fix #7 — validateBeforeSave: false on event subdoc saves (waitlist
endpoints) to dodge legacy location validators.

Fix #8 — /api/series/[id]/tickets/purchase always upserts a guest
Member when caller is unauthenticated, mirrors event-ticket flow
byte-for-byte. SeriesPassPurchase.vue adds guest-account hint and
client auth refresh on signedIn:true response.

Fix #9 — /api/members/cancel-subscription leaves status active per
ratified bylaws (was pending_payment). Adds lastCancelledAt audit
field on Member model. Indirectly fixes false-positive
detectStuckPendingPayment admin alert for cancelled members.

Fix #10 — /api/auth/verify uses validateBody with strict() Zod schema
(verifyMagicLinkSchema, max 2000 chars).

Fix #11 — 8 vitest cases for cancel-subscription handler (was
uncovered).

Specs and audit at docs/superpowers/specs/2026-04-25-fix-*.md and
docs/superpowers/plans/2026-04-25-launch-readiness-fixes.md.
LAUNCH_READINESS.md updated with new test count, 3 deploy-time
tasks (rotate Helcim token, set NUXT_RECONCILE_TOKEN, verify
Netlify scheduled function), and Fixed-2026-04-25 fix log.

server/api/auth/verify.post.js

@@ -1,17 +1,11 @@
 // server/api/auth/verify.post.js
 import jwt from 'jsonwebtoken'
 import Member from '../../models/member.js'
+import { validateBody } from '../../utils/validateBody.js'
+import { verifyMagicLinkSchema } from '../../utils/schemas.js'
 
 export default defineEventHandler(async (event) => {
-  const body = await readBody(event)
-  const token = body?.token
-
-  if (!token) {
-    throw createError({
-      statusCode: 400,
-      statusMessage: 'Token is required',
-    })
-  }
+  const { token } = await validateBody(event, verifyMagicLinkSchema)
 
   const config = useRuntimeConfig(event)
 

server/api/events/[id]/payment.post.js

@@ -1,128 +0,0 @@
-import Event from '../../../models/event.js'
-import Member from '../../../models/member.js'
-import { connectDB } from '../../../utils/mongoose.js'
-import { processHelcimPayment } from '../../../utils/helcim.js'
-import mongoose from 'mongoose'
-
-export default defineEventHandler(async (event) => {
-  try {
-    await connectDB()
-    const identifier = getRouterParam(event, 'id')
-    const body = await validateBody(event, eventPaymentSchema)
-
-    if (!identifier) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'Event identifier is required'
-      })
-    }
-    
-    // Fetch the event
-    let eventData
-    if (mongoose.Types.ObjectId.isValid(identifier)) {
-      eventData = await Event.findById(identifier)
-    }
-    if (!eventData) {
-      eventData = await Event.findOne({ slug: identifier })
-    }
-    
-    if (!eventData) {
-      throw createError({
-        statusCode: 404,
-        statusMessage: 'Event not found'
-      })
-    }
-    
-    // Check if event requires payment
-    if (eventData.pricing.isFree || !eventData.pricing.paymentRequired) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'This event does not require payment'
-      })
-    }
-    
-    // Check if user is already registered
-    const existingRegistration = eventData.registrations.find(
-      reg => reg.email.toLowerCase() === body.email.toLowerCase()
-    )
-    
-    if (existingRegistration) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: 'You are already registered for this event'
-      })
-    }
-    
-    // Check if user is a member (members get free access)
-    const member = await Member.findOne({ email: body.email.toLowerCase() })
-    
-    if (member) {
-      // Members get free access - register directly without payment
-      eventData.registrations.push({
-        name: body.name,
-        email: body.email.toLowerCase(),
-        membershipLevel: `${member.circle}-${member.contributionAmount}`,
-        isMember: true,
-        paymentStatus: 'not_required',
-        amountPaid: 0
-      })
-      
-      await eventData.save()
-      
-      return {
-        success: true,
-        message: 'Successfully registered as a member (no payment required)',
-        registration: eventData.registrations[eventData.registrations.length - 1]
-      }
-    }
-    
-    // Process payment for non-members
-    const paymentResult = await processHelcimPayment({
-      amount: eventData.pricing.publicPrice,
-      paymentToken: body.paymentToken,
-      customerData: {
-        name: body.name,
-        email: body.email
-      }
-    })
-    
-    if (!paymentResult.success) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: paymentResult.message || 'Payment failed'
-      })
-    }
-    
-    // Add registration with successful payment
-    eventData.registrations.push({
-      name: body.name,
-      email: body.email.toLowerCase(),
-      membershipLevel: 'non-member',
-      isMember: false,
-      paymentStatus: 'completed',
-      paymentId: paymentResult.transactionId,
-      amountPaid: eventData.pricing.publicPrice
-    })
-    
-    await eventData.save()
-    
-    return {
-      success: true,
-      message: 'Payment successful and registered for event',
-      paymentId: paymentResult.transactionId,
-      registration: eventData.registrations[eventData.registrations.length - 1]
-    }
-    
-  } catch (error) {
-    console.error('Error processing event payment:', error)
-    
-    if (error.statusCode) {
-      throw error
-    }
-    
-    throw createError({
-      statusCode: 500,
-      statusMessage: 'Failed to process payment and registration'
-    })
-  }
-})

server/api/events/[id]/waitlist.delete.js

@@ -32,7 +32,8 @@ export default defineEventHandler(async (event) => {
     }
 
     eventData.tickets.waitlist.entries.splice(waitlistIndex, 1);
-    await eventData.save();
+    // Skip validators to avoid tripping on legacy location data unrelated to this write.
+    await eventData.save({ validateBeforeSave: false });
 
     return {
       success: true,

server/api/events/[id]/waitlist.post.js

@@ -87,7 +87,8 @@ export default defineEventHandler(async (event) => {
       notified: false,
     });
 
-    await eventData.save();
+    // Skip validators to avoid tripping on legacy location data unrelated to this write.
+    await eventData.save({ validateBeforeSave: false });
 
     // Get position in waitlist
     const position = eventData.tickets.waitlist.entries.length;

server/api/helcim/customer.post.js

@@ -1,49 +1,117 @@
-// Create a Helcim customer
+// Public signup endpoint. Creates a Helcim customer + Member record and
+// dispatches a magic link for email verification. The full session cookie
+// is set when the user clicks the magic link (see /api/auth/verify); paid-tier
+// signups also receive a short-lived payment-bridge cookie so they can complete
+// Helcim checkout in the same tab without verifying email first.
+import { getRequestHeader, getRequestIP } from 'h3'
 import Member from '../../models/member.js'
 import { connectDB } from '../../utils/mongoose.js'
 import { createHelcimCustomer } from '../../utils/helcim.js'
+import { sendMagicLink } from '../../utils/magicLink.js'
+import { setPaymentBridgeCookie } from '../../utils/auth.js'
+import { rateLimit } from '../../utils/rateLimit.js'
 
 export default defineEventHandler(async (event) => {
   try {
+    // --- Origin check (CSRF defense in depth on top of SameSite=Lax) ---
+    const origin = getRequestHeader(event, 'origin')
+    const allowed = process.env.BASE_URL
+    if (!origin || (allowed && origin !== allowed)) {
+      throw createError({ statusCode: 403, statusMessage: 'Invalid origin' })
+    }
+
+    // --- Per-IP rate limit (5 / hour) ---
+    const ip = getRequestIP(event, { xForwardedFor: true }) || 'unknown'
+    if (!rateLimit(`signup:ip:${ip}`, { max: 5, windowMs: 3600_000 })) {
+      throw createError({ statusCode: 429, statusMessage: 'Too many signup attempts' })
+    }
+
     await connectDB()
     const body = await validateBody(event, helcimCustomerSchema)
 
-    // Check if member already exists
-    const existingMember = await Member.findOne({ email: body.email })
-    if (existingMember) {
+    // --- Per-email rate limit (3 / hour) ---
+    if (!rateLimit(`signup:email:${body.email}`, { max: 3, windowMs: 3600_000 })) {
+      throw createError({
+        statusCode: 429,
+        statusMessage: 'Too many signup attempts for this email'
+      })
+    }
+
+    // Check if member already exists. Lowercase the lookup so guest docs
+    // created via the public ticket-purchase path (which lowercases on insert)
+    // are actually found by mixed-case submissions.
+    const normalizedEmail = body.email.toLowerCase()
+    const existingMember = await Member.findOne({ email: normalizedEmail })
+    if (existingMember && existingMember.status !== 'guest') {
       throw createError({
         statusCode: 409,
         statusMessage: 'A member with this email already exists'
       })
     }
 
-    // Create customer in Helcim
+    // Create customer in Helcim (guest docs have no helcimCustomerId yet).
     const customerData = await createHelcimCustomer({
       customerType: 'PERSON',
       contactName: body.name,
       email: body.email
     })
 
-    // Create member in database
-    const member = await Member.create({
-      email: body.email,
-      name: body.name,
-      circle: body.circle,
-      contributionAmount: body.contributionAmount,
-      helcimCustomerId: customerData.id,
-      status: 'pending_payment',
-      agreement: { acceptedAt: new Date() }
+    // If the lookup matched a guest doc, upgrade in place to preserve _id,
+    // memberNumber (if any), emailHistory, and the event-registration
+    // references that point at this _id. Use findByIdAndUpdate with
+    // runValidators:false per the project's member-save-risks pattern.
+    let member
+    if (existingMember) {
+      member = await Member.findByIdAndUpdate(
+        existingMember._id,
+        {
+          $set: {
+            name: body.name,
+            circle: body.circle,
+            contributionAmount: body.contributionAmount,
+            helcimCustomerId: customerData.id,
+            status: 'pending_payment',
+            'agreement.acceptedAt': new Date()
+          }
+        },
+        { new: true, runValidators: false }
+      )
+    } else {
+      member = await Member.create({
+        email: normalizedEmail,
+        name: body.name,
+        circle: body.circle,
+        contributionAmount: body.contributionAmount,
+        helcimCustomerId: customerData.id,
+        status: 'pending_payment',
+        agreement: { acceptedAt: new Date() }
+      })
+    }
+
+    // Issue a magic link instead of an immediate session — the auth-token
+    // cookie is set when the user clicks through, proving email ownership.
+    // Use the normalized email so guest upgrades (which may not project
+    // the email field back) still get a magic link.
+    await sendMagicLink(normalizedEmail, {
+      subject: 'Verify your Ghost Guild signup',
+      intro: 'Verify your email to finish your Ghost Guild signup:'
     })
 
-    setAuthCookie(event, member)
+    // Paid-tier signups need to complete Helcim checkout in the same tab
+    // before the magic link can be clicked. Issue a short-lived, payment-only
+    // bridge cookie so /api/helcim/initialize-payment accepts the request.
+    if (body.contributionAmount > 0) {
+      setPaymentBridgeCookie(event, member)
+    }
 
     return {
       success: true,
       customerId: customerData.id,
       customerCode: customerData.customerCode,
+      verificationEmailSent: true,
       member: {
         id: member._id,
-        email: member.email,
+        email: normalizedEmail,
         name: member.name,
         circle: member.circle,
         contributionAmount: member.contributionAmount,

server/api/helcim/initialize-payment.post.js

@@ -1,23 +1,84 @@
 // Initialize HelcimPay.js session
-import { requireAuth } from '../../utils/auth.js'
+import Member from '../../models/member.js'
+import Series from '../../models/series.js'
+import { loadPublicEvent } from '../../utils/loadEvent.js'
+import { calculateTicketPrice, calculateSeriesTicketPrice, hasMemberAccess } from '../../utils/tickets.js'
+import { requireAuth, getOptionalMember, getPaymentBridgeMember } from '../../utils/auth.js'
 import { initializeHelcimPaySession } from '../../utils/helcim.js'
 
 export default defineEventHandler(async (event) => {
   try {
     const body = await validateBody(event, helcimInitializePaymentSchema)
+    const metaType = body.metadata?.type
 
-    // Event ticket purchases can be made without authentication
-    const isEventTicket = body.metadata?.type === 'event_ticket'
-    if (!isEventTicket) {
-      await requireAuth(event)
+    const isEventTicket = metaType === 'event_ticket'
+    const isSeriesTicket = metaType === 'series_ticket'
+    const isTicket = isEventTicket || isSeriesTicket
+    // Membership signup uses a short-lived payment-bridge cookie (set by
+    // /api/helcim/customer) so the user can complete checkout before clicking
+    // their email-verification magic link.
+    const isMembershipSignup = metaType === 'membership_signup'
+
+    if (!isTicket) {
+      if (isMembershipSignup) {
+        const bridgeMember = await getPaymentBridgeMember(event)
+        if (!bridgeMember) {
+          await requireAuth(event)
+        }
+      } else {
+        await requireAuth(event)
+      }
     }
 
-    const amount = body.amount || 0
+    let amount = 0
+    let description = body.metadata?.eventTitle
 
-    // For event tickets with amount > 0, we do a purchase
-    // For subscriptions or card verification, we do verify
-    const paymentType = isEventTicket && amount > 0 ? 'purchase' : 'verify'
+    if (isTicket) {
+      // Re-derive price server-side; never trust body.amount for ticket flows.
+      const caller = await getOptionalMember(event).catch(() => null)
+      const lookupEmail = body.metadata?.email?.toLowerCase()
+      const member = caller || (lookupEmail
+        ? await Member.findOne({ email: lookupEmail })
+        : null)
+      const accessMember = hasMemberAccess(member) ? member : null
 
+      if (isEventTicket) {
+        const eventId = body.metadata?.eventId
+        if (!eventId) {
+          throw createError({ statusCode: 400, statusMessage: 'metadata.eventId is required for event_ticket' })
+        }
+        const eventDoc = await loadPublicEvent(event, eventId)
+        const ticketInfo = calculateTicketPrice(eventDoc, accessMember)
+        if (!ticketInfo) {
+          throw createError({ statusCode: 403, statusMessage: 'No tickets available for your membership status' })
+        }
+        amount = ticketInfo.price
+        description = description || eventDoc.title
+      } else {
+        const seriesId = body.metadata?.seriesId
+        if (!seriesId) {
+          throw createError({ statusCode: 400, statusMessage: 'metadata.seriesId is required for series_ticket' })
+        }
+        const isObjectId = /^[0-9a-fA-F]{24}$/.test(seriesId)
+        const seriesQuery = isObjectId
+          ? { $or: [{ _id: seriesId }, { id: seriesId }, { slug: seriesId }] }
+          : { $or: [{ id: seriesId }, { slug: seriesId }] }
+        const series = await Series.findOne(seriesQuery)
+        if (!series) {
+          throw createError({ statusCode: 404, statusMessage: 'Series not found' })
+        }
+        const ticketInfo = calculateSeriesTicketPrice(series, accessMember)
+        if (!ticketInfo) {
+          throw createError({ statusCode: 403, statusMessage: 'No series passes available for your membership status' })
+        }
+        amount = ticketInfo.price
+        description = description || series.title
+      }
+    } else {
+      amount = body.amount || 0
+    }
+
+    const paymentType = isTicket && amount > 0 ? 'purchase' : 'verify'
     const requestBody = {
       paymentType,
       amount: paymentType === 'purchase' ? amount : 0,
@@ -25,20 +86,15 @@ export default defineEventHandler(async (event) => {
       paymentMethod: 'cc'
     }
 
-    // For subscription setup (verify mode), include customer code if provided
-    // For one-time purchases (event tickets), don't include customer code
-    // as the customer may not exist in Helcim yet
     if (body.customerCode && paymentType === 'verify') {
       requestBody.customerCode = body.customerCode
     }
 
-    // Add product/event information for better display in Helcim modal
-    if (body.metadata?.eventTitle) {
-      // Some Helcim accounts don't support invoice numbers in initialization
-      // Try multiple fields that might display in the modal
-      requestBody.description = body.metadata.eventTitle
-      requestBody.notes = body.metadata.eventTitle
-      requestBody.orderNumber = `${body.metadata.eventId}`
+    if (description) {
+      requestBody.description = description
+      requestBody.notes = description
+      const orderId = body.metadata?.eventId || body.metadata?.seriesId
+      if (orderId) requestBody.orderNumber = `${orderId}`
     }
 
     const paymentData = await initializeHelcimPaySession(requestBody)
@@ -46,7 +102,9 @@ export default defineEventHandler(async (event) => {
     return {
       success: true,
       checkoutToken: paymentData.checkoutToken,
-      secretToken: paymentData.secretToken
+      secretToken: paymentData.secretToken,
+      // Echo derived amount so the client can sanity-check before opening modal.
+      amount
     }
   } catch (error) {
     if (error.statusCode) throw error

server/api/helcim/subscription.post.js

@@ -3,7 +3,7 @@ import { getHelcimPlanId, requiresPayment } from '../../config/contributions.js'
 import Member from '../../models/member.js'
 import { connectDB } from '../../utils/mongoose.js'
 import { getSlackService } from '../../utils/slack.ts'
-import { requireAuth } from '../../utils/auth.js'
+import { requireAuth, getPaymentBridgeMember } from '../../utils/auth.js'
 import { createHelcimSubscription, generateIdempotencyKey, listHelcimCustomerTransactions } from '../../utils/helcim.js'
 import { sendWelcomeEmail } from '../../utils/resend.js'
 import { upsertPaymentFromHelcim } from '../../utils/payments.js'
@@ -81,7 +81,12 @@ async function inviteToSlack(member) {
 
 export default defineEventHandler(async (event) => {
   try {
-    await requireAuth(event)
+    // Membership signup completes subscription before email verify; allow the
+    // payment-bridge cookie set by /api/helcim/customer to satisfy auth here.
+    const bridgeMember = await getPaymentBridgeMember(event)
+    if (!bridgeMember) {
+      await requireAuth(event)
+    }
     await connectDB()
     const body = await validateBody(event, helcimSubscriptionSchema)
 

server/api/internal/reconcile-payments.post.js

@@ -0,0 +1,116 @@
+/**
+ * Reconciliation cron route — invoked by `netlify/functions/reconcile-payments.mjs`
+ * on a daily schedule. Mirrors the loop in `scripts/reconcile-helcim-payments.mjs`
+ * but lives inside Nitro so it can use auto-imported utils + the runtime config.
+ *
+ * Auth: shared-secret header `X-Reconcile-Token` matched against
+ * `runtimeConfig.reconcileToken` (env: NUXT_RECONCILE_TOKEN). Machine-to-machine
+ * only — no user session involved.
+ *
+ * Behavior:
+ *   - For every Member with a helcimCustomerId, list Helcim transactions and
+ *     upsert Payment docs (idempotent via `helcimTransactionId` unique index).
+ *   - Transient Helcim API errors are retried up to 3 times with exponential
+ *     backoff (250ms / 500ms / 1000ms). On final failure the member is counted
+ *     as `memberErrors` and the loop continues.
+ *   - Never passes `sendConfirmation: true` — the cron back-fills history and
+ *     must not re-send confirmation emails.
+ *   - `?apply=false` switches to dry-run: counts what WOULD be created via
+ *     Payment.findOne, no writes.
+ *
+ * Returns a JSON summary; logs `[reconcile] done <summary>` to stdout.
+ */
+import Member from '../../models/member.js'
+import Payment from '../../models/payment.js'
+import { listHelcimCustomerTransactions } from '../../utils/helcim.js'
+import { upsertPaymentFromHelcim } from '../../utils/payments.js'
+
+const RETRY_ATTEMPTS = 3
+const BASE_DELAY_MS = 250
+
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms))
+}
+
+async function listTransactionsWithRetry(customerCode) {
+  let lastErr
+  for (let attempt = 1; attempt <= RETRY_ATTEMPTS; attempt++) {
+    try {
+      return await listHelcimCustomerTransactions(customerCode)
+    } catch (err) {
+      lastErr = err
+      if (attempt < RETRY_ATTEMPTS) {
+        await sleep(BASE_DELAY_MS * 2 ** (attempt - 1))
+      }
+    }
+  }
+  throw lastErr
+}
+
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig()
+  const expected = config.reconcileToken
+  const provided = getHeader(event, 'x-reconcile-token')
+  if (!expected || provided !== expected) {
+    throw createError({ statusCode: 401, statusMessage: 'Unauthorized' })
+  }
+
+  const apply = getQuery(event).apply !== 'false'
+
+  const members = await Member.find(
+    { helcimCustomerId: { $exists: true, $ne: null } },
+    { _id: 1, email: 1, name: 1, helcimCustomerId: 1, helcimSubscriptionId: 1, billingCadence: 1 }
+  ).lean()
+
+  let txExamined = 0
+  let created = 0
+  let existed = 0
+  let skipped = 0
+  let memberErrors = 0
+
+  for (const member of members) {
+    let txs
+    try {
+      txs = await listTransactionsWithRetry(member.helcimCustomerId)
+    } catch (err) {
+      memberErrors++
+      console.error(`[reconcile] member=${member._id}: ${err?.message || err}`)
+      continue
+    }
+
+    for (const tx of txs) {
+      txExamined++
+      if (tx.status === 'other') {
+        skipped++
+        continue
+      }
+
+      if (!apply) {
+        const existing = await Payment.findOne({ helcimTransactionId: tx.id })
+        if (existing) existed++
+        else created++
+        continue
+      }
+
+      // Note: deliberately NOT passing sendConfirmation — cron back-fills must
+      // not re-send confirmation emails for transactions the member has already
+      // been notified about (or that pre-date Mongo Payment tracking entirely).
+      const result = await upsertPaymentFromHelcim(member, tx)
+      if (result.created) created++
+      else if (result.payment) existed++
+      else skipped++
+    }
+  }
+
+  const summary = {
+    membersScanned: members.length,
+    txExamined,
+    created,
+    existed,
+    skipped,
+    memberErrors,
+    apply
+  }
+  console.log('[reconcile] done', summary)
+  return summary
+})

server/api/members/cancel-subscription.post.js

@@ -23,16 +23,17 @@ export default defineEventHandler(async (event) => {
       // Continue anyway - we'll update the member record
     }
 
-    // Update member status — pending_payment (not cancelled) so member can re-subscribe
+    // Update member: drop to free tier (status stays 'active' — they're still a member)
     await Member.findByIdAndUpdate(
       member._id,
       {
         $set: {
-          status: 'pending_payment',
+          status: 'active',
           contributionAmount: 0,
           helcimSubscriptionId: null,
           paymentMethod: 'none',
           subscriptionEndDate: new Date(),
+          lastCancelledAt: new Date(),
         },
         $unset: { nextBillingDate: 1 },
       },
@@ -46,7 +47,7 @@ export default defineEventHandler(async (event) => {
     return {
       success: true,
       message: "Subscription cancelled successfully",
-      status: 'pending_payment',
+      status: 'active',
       contributionAmount: 0,
     };
   } catch (error) {

server/api/series/[id]/tickets/purchase.post.js

@@ -38,6 +38,7 @@ export default defineEventHandler(async (event) => {
     // Only members with access (active or pending_payment) get member-tier
     // pricing; guest, suspended, and cancelled are treated as non-members.
     let member = null;
+    let accountCreated = false;
     try {
       member = await requireAuth(event);
     } catch {
@@ -83,6 +84,29 @@ export default defineEventHandler(async (event) => {
       });
     }
 
+    // If no Member yet, atomically create a guest Member. Series passes grant
+    // access to a bundle of events over time — a buyer without an account
+    // can't view their registrations or be recognized by per-event pages,
+    // so we always create the guest (unlike single-event tickets which are
+    // opt-in). findOneAndUpdate with $setOnInsert handles concurrent
+    // registrations on the same email (email has a unique index).
+    if (!member) {
+      member = await Member.findOneAndUpdate(
+        { email: canonicalEmail },
+        {
+          $setOnInsert: {
+            email: canonicalEmail,
+            name,
+            circle: "community",
+            contributionAmount: 0,
+            status: "guest",
+          },
+        },
+        { upsert: true, new: true, setDefaultsOnInsert: true }
+      );
+      accountCreated = true;
+    }
+
     // Create series registration
     const registration = {
       memberId: member?._id,
@@ -102,6 +126,17 @@ export default defineEventHandler(async (event) => {
     series.registrations.push(registration);
     await completeSeriesTicketPurchase(series, ticketInfo.ticketType);
 
+    // Decide on auto-login: safe for new accounts and existing guests, not for
+    // real members (stranger could hijack by typing email into a public form).
+    let signedIn = false;
+    let requiresSignIn = false;
+    if (member && (accountCreated || member.status === "guest")) {
+      setAuthCookie(event, member);
+      signedIn = true;
+    } else if (member) {
+      requiresSignIn = true;
+    }
+
     // Get the newly created registration
     const newRegistration =
       series.registrations[series.registrations.length - 1];
@@ -172,6 +207,9 @@ export default defineEventHandler(async (event) => {
         success: r.success,
         reason: r.reason,
       })),
+      accountCreated,
+      signedIn,
+      requiresSignIn,
     };
   } catch (error) {
     console.error("Error purchasing series pass:", error);

server/models/member.js

@@ -56,6 +56,7 @@ const memberSchema = new mongoose.Schema({
   subscriptionStartDate: Date,
   subscriptionEndDate: Date,
   nextBillingDate: Date,
+  lastCancelledAt: Date,
   slackInvited: { type: Boolean, default: false },
   slackInviteStatus: {
     type: String,

server/utils/auth.js

@@ -22,6 +22,59 @@ export function setAuthCookie(event, member) {
   })
 }
 
+/**
+ * Issue a 30-minute payment-bridge cookie scoped to membership-signup checkout.
+ *
+ * The signup flow (POST /api/helcim/customer) defers the full session cookie
+ * to email-verify (magic link). For paid tiers the user still needs to complete
+ * Helcim checkout in the same browser tab — this short-lived, payment-only
+ * token lets `/api/helcim/initialize-payment` accept the call without a full
+ * session. The cookie is NOT honored by requireAuth and grants nothing else.
+ */
+export function setPaymentBridgeCookie(event, member) {
+  const token = jwt.sign(
+    {
+      memberId: member._id.toString(),
+      email: member.email,
+      scope: 'payment_bridge'
+    },
+    useRuntimeConfig(event).jwtSecret,
+    { expiresIn: '30m' }
+  )
+
+  setCookie(event, 'payment-bridge', token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    maxAge: 60 * 30
+  })
+}
+
+/**
+ * Verify a payment-bridge cookie and return the associated Member, or null.
+ * Used by /api/helcim/initialize-payment to allow the membership-signup
+ * checkout to proceed before email verification.
+ */
+export async function getPaymentBridgeMember(event) {
+  const token = getCookie(event, 'payment-bridge')
+  if (!token) return null
+
+  let decoded
+  try {
+    decoded = jwt.verify(token, useRuntimeConfig(event).jwtSecret)
+  } catch {
+    return null
+  }
+
+  if (decoded.scope !== 'payment_bridge') return null
+
+  await connectDB()
+  const member = await Member.findById(decoded.memberId)
+  if (!member) return null
+  return member
+}
+
 /**
  * Verify JWT from cookie and return the decoded member.
  * Throws 401 if token is missing or invalid.

server/utils/helcim.js

@@ -262,15 +262,3 @@ export function generateIdempotencyKey() {
   }
   return key
 }
-
-/**
- * Legacy stub — kept alive ONLY so `server/api/events/[id]/payment.post.js`
- * still imports cleanly. The direct purchase API was never implemented.
- * Always returns `{ success: false }`; callers surface the message to the user.
- */
-export async function processHelcimPayment(_paymentData) {
-  return {
-    success: false,
-    message: 'Direct purchase API not implemented; use HelcimPay.js flow'
-  }
-}

server/utils/magicLink.js

@@ -0,0 +1,66 @@
+// Send a magic-link verification email. Mirrors the token/email logic in
+// server/api/auth/login.post.js so callers (signup, login, etc.) can request
+// a verification link with their own subject/intro copy.
+import jwt from 'jsonwebtoken'
+import { randomUUID } from 'crypto'
+import { Resend } from 'resend'
+import Member from '../models/member.js'
+
+const resend = new Resend(process.env.RESEND_API_KEY)
+
+/**
+ * Issue a 15-minute magic-link JWT for `email` and email it.
+ *
+ * @param {string} email
+ * @param {object} [options]
+ * @param {string} [options.subject] - Email subject (default: "Your Ghost Guild login link")
+ * @param {string} [options.intro]   - Optional one-line intro before the link.
+ * @returns {Promise<{ sent: boolean }>} - sent=false when no member exists for the email
+ *   (caller can decide whether to surface that; the auth/login endpoint hides it for
+ *   anti-enumeration, signup knows the member was just created).
+ */
+export async function sendMagicLink(email, options = {}) {
+  const baseUrl = process.env.BASE_URL
+  if (!baseUrl) {
+    throw createError({
+      statusCode: 500,
+      statusMessage: 'BASE_URL environment variable is not set'
+    })
+  }
+
+  const member = await Member.findOne({ email })
+  if (!member) return { sent: false }
+
+  const jti = randomUUID()
+  const token = jwt.sign(
+    { memberId: member._id, jti },
+    useRuntimeConfig().jwtSecret,
+    { expiresIn: '15m' }
+  )
+
+  await Member.findByIdAndUpdate(
+    member._id,
+    { $set: { magicLinkJti: jti, magicLinkJtiUsed: false } },
+    { runValidators: false }
+  )
+
+  const magicLink = `${baseUrl}/verify#${token}`
+  const subject = options.subject || 'Your Ghost Guild login link'
+  const intro = options.intro || 'Sign in to Ghost Guild:'
+  const text = `Hi,\n\n${intro}\n${magicLink}\n\nThis link expires in 15 minutes. If you didn't request it, ignore this email.`
+
+  await resend.emails.send({
+    from: 'Ghost Guild <ghostguild@babyghosts.org>',
+    to: email,
+    subject,
+    text
+  })
+
+  logActivity(member._id, 'email_sent', {
+    emailType: 'magic_link',
+    subject,
+    body: text
+  })
+
+  return { sent: true }
+}

server/utils/rateLimit.js

@@ -0,0 +1,18 @@
+// Tiny in-memory sliding-window rate limiter.
+// Acceptable for single-instance Nitro on Netlify; swap to Mongo/Upstash if
+// we move to multi-instance.
+const buckets = new Map()
+
+export function rateLimit(key, { max, windowMs }) {
+  const now = Date.now()
+  const arr = (buckets.get(key) || []).filter((t) => now - t < windowMs)
+  if (arr.length >= max) return false
+  arr.push(now)
+  buckets.set(key, arr)
+  return true
+}
+
+// Test helper — clears all buckets so each test starts clean.
+export function resetRateLimit() {
+  buckets.clear()
+}

server/utils/schemas.js

@@ -5,6 +5,10 @@ export const emailSchema = z.object({
   email: z.string().trim().toLowerCase().email()
 })
 
+export const verifyMagicLinkSchema = z.object({
+  token: z.string().min(1).max(2000)
+}).strict()
+
 export const memberCreateSchema = z.object({
   email: z.string().trim().toLowerCase().email(),
   name: z.string().min(1).max(200),
@@ -62,12 +66,16 @@ export const helcimCustomerSchema = z.object({
 })
 
 export const helcimInitializePaymentSchema = z.object({
+  // amount is accepted but IGNORED for ticket types (server re-derives).
+  // Kept for verify-mode (subscription card-on-file) where 0 is sent.
   amount: z.number().min(0).optional(),
   customerCode: z.string().max(200).optional(),
   metadata: z.object({
-    type: z.string().max(100).optional(),
+    type: z.enum(['event_ticket', 'series_ticket', 'subscription', 'card_verify', 'membership_signup']).optional(),
     eventTitle: z.string().max(500).optional(),
-    eventId: z.string().max(200).optional()
+    eventId: z.string().max(200).optional(),
+    seriesId: z.string().max(200).optional(),
+    email: z.string().trim().toLowerCase().email().optional()
   }).optional()
 })
 
@@ -131,12 +139,6 @@ export const checkRegistrationSchema = z.object({
   email: z.string().trim().toLowerCase().email()
 })
 
-export const eventPaymentSchema = z.object({
-  name: z.string().min(1).max(200),
-  email: z.string().trim().toLowerCase().email(),
-  paymentToken: z.string().min(1).max(500)
-})
-
 // --- Member schemas ---
 
 export const updateContributionSchema = z.object({