feat(launch): security and correctness fixes for 2026-05-01 launch

Day-of-launch deep-dive audit and remediation. 11 issues fixed across security, correctness, and reliability. Tests: 698 → 758 passing (+60), 0 failing, 2 skipped. CRITICAL (security) Fix #1 — HELCIM_API_TOKEN removed from runtimeConfig.public; dead useHelcim.js deleted. Production token MUST BE ROTATED post-deploy (was previously exposed in window.__NUXT__ payload). Fix #2 — /api/helcim/customer gated with origin check + per-IP/email rate limit + magic-link email verification (replaces unauthenticated setAuthCookie). Adds payment-bridge token for paid-tier signup so users can complete Helcim checkout before email verify. New utils: server/utils/{magicLink,rateLimit}.js. UX: signup success copy now prompts user to check email. Fix #3 — /api/events/[id]/payment deleted (dead code with unauth member-spoof bypass — processHelcimPayment was a permanent stub). Removes processHelcimPayment export and eventPaymentSchema. Fix #4 — /api/helcim/initialize-payment re-derives ticket amount server-side via calculateTicketPrice and calculateSeriesTicketPrice. Adds new series_ticket metadata type (was being shoved through event_ticket with seriesId in metadata.eventId). Fix #5 — /api/helcim/customer upgrades existing status:guest members in place rather than rejecting with 409. Lowercases email at lookup; preserves _id so prior event registrations stay linked. HIGH (correctness / reliability) Fix #6 — Daily reconciliation cron via Netlify scheduled function (@daily). New: netlify.toml, netlify/functions/reconcile-payments.mjs, server/api/internal/reconcile-payments.post.js. Shared-secret auth via NUXT_RECONCILE_TOKEN env var. Inline 3-retry exponential backoff on Helcim transactions API. Fix #7 — validateBeforeSave: false on event subdoc saves (waitlist endpoints) to dodge legacy location validators. Fix #8 — /api/series/[id]/tickets/purchase always upserts a guest Member when caller is unauthenticated, mirrors event-ticket flow byte-for-byte. SeriesPassPurchase.vue adds guest-account hint and client auth refresh on signedIn:true response. Fix #9 — /api/members/cancel-subscription leaves status active per ratified bylaws (was pending_payment). Adds lastCancelledAt audit field on Member model. Indirectly fixes false-positive detectStuckPendingPayment admin alert for cancelled members. Fix #10 — /api/auth/verify uses validateBody with strict() Zod schema (verifyMagicLinkSchema, max 2000 chars). Fix #11 — 8 vitest cases for cancel-subscription handler (was uncovered). Specs and audit at docs/superpowers/specs/2026-04-25-fix-*.md and docs/superpowers/plans/2026-04-25-launch-readiness-fixes.md. LAUNCH_READINESS.md updated with new test count, 3 deploy-time tasks (rotate Helcim token, set NUXT_RECONCILE_TOKEN, verify Netlify scheduled function), and Fixed-2026-04-25 fix log.
2026-04-25 18:42:36 +01:00 · 2026-04-25 18:42:36 +01:00 · 208638e374
commit 208638e374
parent 0f2f1d1cbf
37 changed files with 1980 additions and 340 deletions
--- a/server/api/series/[id]/tickets/purchase.post.js
+++ b/server/api/series/[id]/tickets/purchase.post.js
@ -38,6 +38,7 @@ export default defineEventHandler(async (event) => {
    // Only members with access (active or pending_payment) get member-tier
    // pricing; guest, suspended, and cancelled are treated as non-members.
    let member = null;
+    let accountCreated = false;
    try {
      member = await requireAuth(event);
    } catch {
@ -83,6 +84,29 @@ export default defineEventHandler(async (event) => {
      });
    }

+    // If no Member yet, atomically create a guest Member. Series passes grant
+    // access to a bundle of events over time — a buyer without an account
+    // can't view their registrations or be recognized by per-event pages,
+    // so we always create the guest (unlike single-event tickets which are
+    // opt-in). findOneAndUpdate with $setOnInsert handles concurrent
+    // registrations on the same email (email has a unique index).
+    if (!member) {
+      member = await Member.findOneAndUpdate(
+        { email: canonicalEmail },
+        {
+          $setOnInsert: {
+            email: canonicalEmail,
+            name,
+            circle: "community",
+            contributionAmount: 0,
+            status: "guest",
+          },
+        },
+        { upsert: true, new: true, setDefaultsOnInsert: true }
+      );
+      accountCreated = true;
+    }
+
    // Create series registration
    const registration = {
      memberId: member?._id,
@ -102,6 +126,17 @@ export default defineEventHandler(async (event) => {
    series.registrations.push(registration);
    await completeSeriesTicketPurchase(series, ticketInfo.ticketType);

+    // Decide on auto-login: safe for new accounts and existing guests, not for
+    // real members (stranger could hijack by typing email into a public form).
+    let signedIn = false;
+    let requiresSignIn = false;
+    if (member && (accountCreated || member.status === "guest")) {
+      setAuthCookie(event, member);
+      signedIn = true;
+    } else if (member) {
+      requiresSignIn = true;
+    }
+
    // Get the newly created registration
    const newRegistration =
      series.registrations[series.registrations.length - 1];
@ -172,6 +207,9 @@ export default defineEventHandler(async (event) => {
        success: r.success,
        reason: r.reason,
      })),
+      accountCreated,
+      signedIn,
+      requiresSignIn,
    };
  } catch (error) {
    console.error("Error purchasing series pass:", error);