feat(launch): security and correctness fixes for 2026-05-01 launch

Day-of-launch deep-dive audit and remediation. 11 issues fixed across security, correctness, and reliability. Tests: 698 → 758 passing (+60), 0 failing, 2 skipped. CRITICAL (security) Fix #1 — HELCIM_API_TOKEN removed from runtimeConfig.public; dead useHelcim.js deleted. Production token MUST BE ROTATED post-deploy (was previously exposed in window.__NUXT__ payload). Fix #2 — /api/helcim/customer gated with origin check + per-IP/email rate limit + magic-link email verification (replaces unauthenticated setAuthCookie). Adds payment-bridge token for paid-tier signup so users can complete Helcim checkout before email verify. New utils: server/utils/{magicLink,rateLimit}.js. UX: signup success copy now prompts user to check email. Fix #3 — /api/events/[id]/payment deleted (dead code with unauth member-spoof bypass — processHelcimPayment was a permanent stub). Removes processHelcimPayment export and eventPaymentSchema. Fix #4 — /api/helcim/initialize-payment re-derives ticket amount server-side via calculateTicketPrice and calculateSeriesTicketPrice. Adds new series_ticket metadata type (was being shoved through event_ticket with seriesId in metadata.eventId). Fix #5 — /api/helcim/customer upgrades existing status:guest members in place rather than rejecting with 409. Lowercases email at lookup; preserves _id so prior event registrations stay linked. HIGH (correctness / reliability) Fix #6 — Daily reconciliation cron via Netlify scheduled function (@daily). New: netlify.toml, netlify/functions/reconcile-payments.mjs, server/api/internal/reconcile-payments.post.js. Shared-secret auth via NUXT_RECONCILE_TOKEN env var. Inline 3-retry exponential backoff on Helcim transactions API. Fix #7 — validateBeforeSave: false on event subdoc saves (waitlist endpoints) to dodge legacy location validators. Fix #8 — /api/series/[id]/tickets/purchase always upserts a guest Member when caller is unauthenticated, mirrors event-ticket flow byte-for-byte. SeriesPassPurchase.vue adds guest-account hint and client auth refresh on signedIn:true response. Fix #9 — /api/members/cancel-subscription leaves status active per ratified bylaws (was pending_payment). Adds lastCancelledAt audit field on Member model. Indirectly fixes false-positive detectStuckPendingPayment admin alert for cancelled members. Fix #10 — /api/auth/verify uses validateBody with strict() Zod schema (verifyMagicLinkSchema, max 2000 chars). Fix #11 — 8 vitest cases for cancel-subscription handler (was uncovered). Specs and audit at docs/superpowers/specs/2026-04-25-fix-*.md and docs/superpowers/plans/2026-04-25-launch-readiness-fixes.md. LAUNCH_READINESS.md updated with new test count, 3 deploy-time tasks (rotate Helcim token, set NUXT_RECONCILE_TOKEN, verify Netlify scheduled function), and Fixed-2026-04-25 fix log.
2026-04-25 18:42:36 +01:00 · 2026-04-25 18:42:36 +01:00 · 208638e374
commit 208638e374
parent 0f2f1d1cbf
37 changed files with 1980 additions and 340 deletions
--- a/server/api/helcim/customer.post.js
+++ b/server/api/helcim/customer.post.js
@ -1,49 +1,117 @@
-// Create a Helcim customer
+// Public signup endpoint. Creates a Helcim customer + Member record and
+// dispatches a magic link for email verification. The full session cookie
+// is set when the user clicks the magic link (see /api/auth/verify); paid-tier
+// signups also receive a short-lived payment-bridge cookie so they can complete
+// Helcim checkout in the same tab without verifying email first.
+import { getRequestHeader, getRequestIP } from 'h3'
 import Member from '../../models/member.js'
 import { connectDB } from '../../utils/mongoose.js'
 import { createHelcimCustomer } from '../../utils/helcim.js'
+import { sendMagicLink } from '../../utils/magicLink.js'
+import { setPaymentBridgeCookie } from '../../utils/auth.js'
+import { rateLimit } from '../../utils/rateLimit.js'

 export default defineEventHandler(async (event) => {
  try {
+    // --- Origin check (CSRF defense in depth on top of SameSite=Lax) ---
+    const origin = getRequestHeader(event, 'origin')
+    const allowed = process.env.BASE_URL
+    if (!origin || (allowed && origin !== allowed)) {
+      throw createError({ statusCode: 403, statusMessage: 'Invalid origin' })
+    }
+
+    // --- Per-IP rate limit (5 / hour) ---
+    const ip = getRequestIP(event, { xForwardedFor: true }) || 'unknown'
+    if (!rateLimit(`signup:ip:${ip}`, { max: 5, windowMs: 3600_000 })) {
+      throw createError({ statusCode: 429, statusMessage: 'Too many signup attempts' })
+    }
+
    await connectDB()
    const body = await validateBody(event, helcimCustomerSchema)

-    // Check if member already exists
-    const existingMember = await Member.findOne({ email: body.email })
-    if (existingMember) {
+    // --- Per-email rate limit (3 / hour) ---
+    if (!rateLimit(`signup:email:${body.email}`, { max: 3, windowMs: 3600_000 })) {
+      throw createError({
+        statusCode: 429,
+        statusMessage: 'Too many signup attempts for this email'
+      })
+    }
+
+    // Check if member already exists. Lowercase the lookup so guest docs
+    // created via the public ticket-purchase path (which lowercases on insert)
+    // are actually found by mixed-case submissions.
+    const normalizedEmail = body.email.toLowerCase()
+    const existingMember = await Member.findOne({ email: normalizedEmail })
+    if (existingMember && existingMember.status !== 'guest') {
      throw createError({
        statusCode: 409,
        statusMessage: 'A member with this email already exists'
      })
    }

-    // Create customer in Helcim
+    // Create customer in Helcim (guest docs have no helcimCustomerId yet).
    const customerData = await createHelcimCustomer({
      customerType: 'PERSON',
      contactName: body.name,
      email: body.email
    })

-    // Create member in database
-    const member = await Member.create({
-      email: body.email,
-      name: body.name,
-      circle: body.circle,
-      contributionAmount: body.contributionAmount,
-      helcimCustomerId: customerData.id,
-      status: 'pending_payment',
-      agreement: { acceptedAt: new Date() }
+    // If the lookup matched a guest doc, upgrade in place to preserve _id,
+    // memberNumber (if any), emailHistory, and the event-registration
+    // references that point at this _id. Use findByIdAndUpdate with
+    // runValidators:false per the project's member-save-risks pattern.
+    let member
+    if (existingMember) {
+      member = await Member.findByIdAndUpdate(
+        existingMember._id,
+        {
+          $set: {
+            name: body.name,
+            circle: body.circle,
+            contributionAmount: body.contributionAmount,
+            helcimCustomerId: customerData.id,
+            status: 'pending_payment',
+            'agreement.acceptedAt': new Date()
+          }
+        },
+        { new: true, runValidators: false }
+      )
+    } else {
+      member = await Member.create({
+        email: normalizedEmail,
+        name: body.name,
+        circle: body.circle,
+        contributionAmount: body.contributionAmount,
+        helcimCustomerId: customerData.id,
+        status: 'pending_payment',
+        agreement: { acceptedAt: new Date() }
+      })
+    }
+
+    // Issue a magic link instead of an immediate session — the auth-token
+    // cookie is set when the user clicks through, proving email ownership.
+    // Use the normalized email so guest upgrades (which may not project
+    // the email field back) still get a magic link.
+    await sendMagicLink(normalizedEmail, {
+      subject: 'Verify your Ghost Guild signup',
+      intro: 'Verify your email to finish your Ghost Guild signup:'
    })

-    setAuthCookie(event, member)
+    // Paid-tier signups need to complete Helcim checkout in the same tab
+    // before the magic link can be clicked. Issue a short-lived, payment-only
+    // bridge cookie so /api/helcim/initialize-payment accepts the request.
+    if (body.contributionAmount > 0) {
+      setPaymentBridgeCookie(event, member)
+    }

    return {
      success: true,
      customerId: customerData.id,
      customerCode: customerData.customerCode,
+      verificationEmailSent: true,
      member: {
        id: member._id,
-        email: member.email,
+        email: normalizedEmail,
        name: member.name,
        circle: member.circle,
        contributionAmount: member.contributionAmount,
--- a/server/api/helcim/initialize-payment.post.js
+++ b/server/api/helcim/initialize-payment.post.js
@ -1,23 +1,84 @@
 // Initialize HelcimPay.js session
-import { requireAuth } from '../../utils/auth.js'
+import Member from '../../models/member.js'
+import Series from '../../models/series.js'
+import { loadPublicEvent } from '../../utils/loadEvent.js'
+import { calculateTicketPrice, calculateSeriesTicketPrice, hasMemberAccess } from '../../utils/tickets.js'
+import { requireAuth, getOptionalMember, getPaymentBridgeMember } from '../../utils/auth.js'
 import { initializeHelcimPaySession } from '../../utils/helcim.js'

 export default defineEventHandler(async (event) => {
  try {
    const body = await validateBody(event, helcimInitializePaymentSchema)
+    const metaType = body.metadata?.type

-    // Event ticket purchases can be made without authentication
-    const isEventTicket = body.metadata?.type === 'event_ticket'
-    if (!isEventTicket) {
-      await requireAuth(event)
+    const isEventTicket = metaType === 'event_ticket'
+    const isSeriesTicket = metaType === 'series_ticket'
+    const isTicket = isEventTicket || isSeriesTicket
+    // Membership signup uses a short-lived payment-bridge cookie (set by
+    // /api/helcim/customer) so the user can complete checkout before clicking
+    // their email-verification magic link.
+    const isMembershipSignup = metaType === 'membership_signup'
+
+    if (!isTicket) {
+      if (isMembershipSignup) {
+        const bridgeMember = await getPaymentBridgeMember(event)
+        if (!bridgeMember) {
+          await requireAuth(event)
+        }
+      } else {
+        await requireAuth(event)
+      }
    }

-    const amount = body.amount || 0
+    let amount = 0
+    let description = body.metadata?.eventTitle

-    // For event tickets with amount > 0, we do a purchase
-    // For subscriptions or card verification, we do verify
-    const paymentType = isEventTicket && amount > 0 ? 'purchase' : 'verify'
+    if (isTicket) {
+      // Re-derive price server-side; never trust body.amount for ticket flows.
+      const caller = await getOptionalMember(event).catch(() => null)
+      const lookupEmail = body.metadata?.email?.toLowerCase()
+      const member = caller || (lookupEmail
+        ? await Member.findOne({ email: lookupEmail })
+        : null)
+      const accessMember = hasMemberAccess(member) ? member : null

+      if (isEventTicket) {
+        const eventId = body.metadata?.eventId
+        if (!eventId) {
+          throw createError({ statusCode: 400, statusMessage: 'metadata.eventId is required for event_ticket' })
+        }
+        const eventDoc = await loadPublicEvent(event, eventId)
+        const ticketInfo = calculateTicketPrice(eventDoc, accessMember)
+        if (!ticketInfo) {
+          throw createError({ statusCode: 403, statusMessage: 'No tickets available for your membership status' })
+        }
+        amount = ticketInfo.price
+        description = description || eventDoc.title
+      } else {
+        const seriesId = body.metadata?.seriesId
+        if (!seriesId) {
+          throw createError({ statusCode: 400, statusMessage: 'metadata.seriesId is required for series_ticket' })
+        }
+        const isObjectId = /^[0-9a-fA-F]{24}$/.test(seriesId)
+        const seriesQuery = isObjectId
+          ? { $or: [{ _id: seriesId }, { id: seriesId }, { slug: seriesId }] }
+          : { $or: [{ id: seriesId }, { slug: seriesId }] }
+        const series = await Series.findOne(seriesQuery)
+        if (!series) {
+          throw createError({ statusCode: 404, statusMessage: 'Series not found' })
+        }
+        const ticketInfo = calculateSeriesTicketPrice(series, accessMember)
+        if (!ticketInfo) {
+          throw createError({ statusCode: 403, statusMessage: 'No series passes available for your membership status' })
+        }
+        amount = ticketInfo.price
+        description = description || series.title
+      }
+    } else {
+      amount = body.amount || 0
+    }
+
+    const paymentType = isTicket && amount > 0 ? 'purchase' : 'verify'
    const requestBody = {
      paymentType,
      amount: paymentType === 'purchase' ? amount : 0,
@ -25,20 +86,15 @@ export default defineEventHandler(async (event) => {
      paymentMethod: 'cc'
    }

-    // For subscription setup (verify mode), include customer code if provided
-    // For one-time purchases (event tickets), don't include customer code
-    // as the customer may not exist in Helcim yet
    if (body.customerCode && paymentType === 'verify') {
      requestBody.customerCode = body.customerCode
    }

-    // Add product/event information for better display in Helcim modal
-    if (body.metadata?.eventTitle) {
-      // Some Helcim accounts don't support invoice numbers in initialization
-      // Try multiple fields that might display in the modal
-      requestBody.description = body.metadata.eventTitle
-      requestBody.notes = body.metadata.eventTitle
-      requestBody.orderNumber = `${body.metadata.eventId}`
+    if (description) {
+      requestBody.description = description
+      requestBody.notes = description
+      const orderId = body.metadata?.eventId || body.metadata?.seriesId
+      if (orderId) requestBody.orderNumber = `${orderId}`
    }

    const paymentData = await initializeHelcimPaySession(requestBody)
@ -46,7 +102,9 @@ export default defineEventHandler(async (event) => {
    return {
      success: true,
      checkoutToken: paymentData.checkoutToken,
-      secretToken: paymentData.secretToken
+      secretToken: paymentData.secretToken,
+      // Echo derived amount so the client can sanity-check before opening modal.
+      amount
    }
  } catch (error) {
    if (error.statusCode) throw error
--- a/server/api/helcim/subscription.post.js
+++ b/server/api/helcim/subscription.post.js
@ -3,7 +3,7 @@ import { getHelcimPlanId, requiresPayment } from '../../config/contributions.js'
 import Member from '../../models/member.js'
 import { connectDB } from '../../utils/mongoose.js'
 import { getSlackService } from '../../utils/slack.ts'
-import { requireAuth } from '../../utils/auth.js'
+import { requireAuth, getPaymentBridgeMember } from '../../utils/auth.js'
 import { createHelcimSubscription, generateIdempotencyKey, listHelcimCustomerTransactions } from '../../utils/helcim.js'
 import { sendWelcomeEmail } from '../../utils/resend.js'
 import { upsertPaymentFromHelcim } from '../../utils/payments.js'
@ -81,7 +81,12 @@ async function inviteToSlack(member) {

 export default defineEventHandler(async (event) => {
  try {
-    await requireAuth(event)
+    // Membership signup completes subscription before email verify; allow the
+    // payment-bridge cookie set by /api/helcim/customer to satisfy auth here.
+    const bridgeMember = await getPaymentBridgeMember(event)
+    if (!bridgeMember) {
+      await requireAuth(event)
+    }
    await connectDB()
    const body = await validateBody(event, helcimSubscriptionSchema)