jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(launch): security and correctness fixes for 2026-05-01 launch

Browse source 
Day-of-launch deep-dive audit and remediation. 11 issues fixed across
security, correctness, and reliability. Tests: 698 → 758 passing
(+60), 0 failing, 2 skipped.

CRITICAL (security)

Fix #1 — HELCIM_API_TOKEN removed from runtimeConfig.public; dead
useHelcim.js deleted. Production token MUST BE ROTATED post-deploy
(was previously exposed in window.__NUXT__ payload).

Fix #2 — /api/helcim/customer gated with origin check + per-IP/email
rate limit + magic-link email verification (replaces unauthenticated
setAuthCookie). Adds payment-bridge token for paid-tier signup so
users can complete Helcim checkout before email verify. New utils:
server/utils/{magicLink,rateLimit}.js. UX: signup success copy now
prompts user to check email.

Fix #3 — /api/events/[id]/payment deleted (dead code with unauth
member-spoof bypass — processHelcimPayment was a permanent stub).
Removes processHelcimPayment export and eventPaymentSchema.

Fix #4 — /api/helcim/initialize-payment re-derives ticket amount
server-side via calculateTicketPrice and calculateSeriesTicketPrice.
Adds new series_ticket metadata type (was being shoved through
event_ticket with seriesId in metadata.eventId).

Fix #5 — /api/helcim/customer upgrades existing status:guest members
in place rather than rejecting with 409. Lowercases email at lookup;
preserves _id so prior event registrations stay linked.

HIGH (correctness / reliability)

Fix #6 — Daily reconciliation cron via Netlify scheduled function
(@daily). New: netlify.toml, netlify/functions/reconcile-payments.mjs,
server/api/internal/reconcile-payments.post.js. Shared-secret auth
via NUXT_RECONCILE_TOKEN env var. Inline 3-retry exponential backoff
on Helcim transactions API.

Fix #7 — validateBeforeSave: false on event subdoc saves (waitlist
endpoints) to dodge legacy location validators.

Fix #8 — /api/series/[id]/tickets/purchase always upserts a guest
Member when caller is unauthenticated, mirrors event-ticket flow
byte-for-byte. SeriesPassPurchase.vue adds guest-account hint and
client auth refresh on signedIn:true response.

Fix #9 — /api/members/cancel-subscription leaves status active per
ratified bylaws (was pending_payment). Adds lastCancelledAt audit
field on Member model. Indirectly fixes false-positive
detectStuckPendingPayment admin alert for cancelled members.

Fix #10 — /api/auth/verify uses validateBody with strict() Zod schema
(verifyMagicLinkSchema, max 2000 chars).

Fix #11 — 8 vitest cases for cancel-subscription handler (was
uncovered).

Specs and audit at docs/superpowers/specs/2026-04-25-fix-*.md and
docs/superpowers/plans/2026-04-25-launch-readiness-fixes.md.
LAUNCH_READINESS.md updated with new test count, 3 deploy-time
tasks (rotate Helcim token, set NUXT_RECONCILE_TOKEN, verify
Netlify scheduled function), and Fixed-2026-04-25 fix log.
This commit is contained in:
Jennie Robinson Faber 2026-04-25 18:42:36 +01:00
parent 0f2f1d1cbf
commit 208638e374
37 changed files with 1980 additions and 340 deletions
Download patch file Download diff file Expand all files Collapse all files

171
tests/server/api/helcim-payment.test.js
View file

@ -1,14 +1,23 @@
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
import { requireAuth } from '../../../server/utils/auth.js'
import { requireAuth, getOptionalMember } from '../../../server/utils/auth.js'
import { validateBody as importedValidateBody } from '../../../server/utils/validateBody.js'
import { loadPublicEvent } from '../../../server/utils/loadEvent.js'
import Member from '../../../server/models/member.js'
import Series from '../../../server/models/series.js'
import initPaymentHandler from '../../../server/api/helcim/initialize-payment.post.js'
import verifyPaymentHandler from '../../../server/api/helcim/verify-payment.post.js'
import { createMockEvent } from '../helpers/createMockEvent.js'
vi.mock('../../../server/utils/auth.js', () => ({ requireAuth: vi.fn() }))
vi.mock('../../../server/utils/auth.js', () => ({
requireAuth: vi.fn(),
getOptionalMember: vi.fn()
}))
vi.mock('../../../server/utils/validateBody.js', () => ({ validateBody: vi.fn() }))
vi.mock('../../../server/utils/schemas.js', () => ({ paymentVerifySchema: {} }))
vi.mock('../../../server/utils/loadEvent.js', () => ({ loadPublicEvent: vi.fn() }))
vi.mock('../../../server/models/member.js', () => ({ default: { findOne: vi.fn() } }))
vi.mock('../../../server/models/series.js', () => ({ default: { findOne: vi.fn() } }))
// helcimInitializePaymentSchema is a Nitro auto-import used by validateBody
vi.stubGlobal('helcimInitializePaymentSchema', {})
@ -19,6 +28,9 @@ vi.stubGlobal('fetch', mockFetch)
describe('initialize-payment endpoint', () => {
beforeEach(() => {
vi.clearAllMocks()
getOptionalMember.mockResolvedValue(null)
Member.findOne.mockResolvedValue(null)
Series.findOne.mockResolvedValue(null)
})
afterEach(() => {
@ -31,6 +43,11 @@ describe('initialize-payment endpoint', () => {
metadata: { type: 'event_ticket', eventTitle: 'Test Event', eventId: 'evt-1' }
}
globalThis.validateBody.mockResolvedValue(body)
loadPublicEvent.mockResolvedValue({
_id: 'evt-1',
title: 'Test Event',
tickets: { enabled: true, public: { available: true, price: 2500 } }
})
mockFetch.mockResolvedValue({
ok: true,
@ -75,6 +92,11 @@ describe('initialize-payment endpoint', () => {
metadata: { type: 'event_ticket', eventTitle: 'Workshop', eventId: 'evt-2' }
}
globalThis.validateBody.mockResolvedValue(body)
loadPublicEvent.mockResolvedValue({
_id: 'evt-2',
title: 'Workshop',
tickets: { enabled: true, public: { available: true, price: 1500 } }
})
mockFetch.mockResolvedValue({
ok: true,
@ -92,9 +114,152 @@ describe('initialize-payment endpoint', () => {
expect(result).toEqual({
success: true,
checkoutToken: 'ct-abc',
secretToken: 'st-xyz'
secretToken: 'st-xyz',
amount: 1500
})
})
it('ignores client-supplied amount and re-derives event_ticket price server-side', async () => {
const body = {
amount: 1, // tampered low value
metadata: { type: 'event_ticket', eventId: 'evt-x' }
}
globalThis.validateBody.mockResolvedValue(body)
loadPublicEvent.mockResolvedValue({
_id: 'evt-x',
title: 'Pricey Workshop',
tickets: { enabled: true, public: { available: true, price: 5000 } }
})
mockFetch.mockResolvedValue({
ok: true,
text: async () => JSON.stringify({ checkoutToken: 'ct-1', secretToken: 'st-1' })
})
const event = createMockEvent({
method: 'POST',
path: '/api/helcim/initialize-payment',
body
})
const result = await initPaymentHandler(event)
// Verify the fetch to Helcim was called with the server-derived amount, not body.amount
expect(mockFetch).toHaveBeenCalledTimes(1)
const [, init] = mockFetch.mock.calls[0]
const sentBody = JSON.parse(init.body)
expect(sentBody.amount).toBe(5000)
expect(sentBody.amount).not.toBe(1)
expect(sentBody.paymentType).toBe('purchase')
expect(result.amount).toBe(5000)
})
it('returns 400 when event_ticket metadata is missing eventId', async () => {
const body = { amount: 25, metadata: { type: 'event_ticket' } }
globalThis.validateBody.mockResolvedValue(body)
const event = createMockEvent({
method: 'POST',
path: '/api/helcim/initialize-payment',
body
})
await expect(initPaymentHandler(event)).rejects.toMatchObject({
statusCode: 400
})
})
it('returns 400 when series_ticket metadata is missing seriesId', async () => {
const body = { amount: 50, metadata: { type: 'series_ticket' } }
globalThis.validateBody.mockResolvedValue(body)
const event = createMockEvent({
method: 'POST',
path: '/api/helcim/initialize-payment',
body
})
await expect(initPaymentHandler(event)).rejects.toMatchObject({
statusCode: 400
})
})
it('re-derives series_ticket price via Series.findOne + calculateSeriesTicketPrice', async () => {
const body = {
amount: 100, // tampered
metadata: { type: 'series_ticket', seriesId: 'ser-x' }
}
globalThis.validateBody.mockResolvedValue(body)
Series.findOne.mockResolvedValue({
_id: 'ser-x',
title: 'Coop Foundations',
tickets: { enabled: true, public: { available: true, price: 7500 } }
})
mockFetch.mockResolvedValue({
ok: true,
text: async () => JSON.stringify({ checkoutToken: 'ct-s', secretToken: 'st-s' })
})
const event = createMockEvent({
method: 'POST',
path: '/api/helcim/initialize-payment',
body
})
const result = await initPaymentHandler(event)
expect(mockFetch).toHaveBeenCalledTimes(1)
const [, init] = mockFetch.mock.calls[0]
const sentBody = JSON.parse(init.body)
expect(sentBody.amount).toBe(7500)
expect(sentBody.paymentType).toBe('purchase')
expect(result.amount).toBe(7500)
expect(Series.findOne).toHaveBeenCalled()
})
it('uses member pricing when metadata.email matches an active member', async () => {
const body = {
amount: 5000,
metadata: { type: 'event_ticket', eventId: 'evt-m', email: '[email protected]' }
}
globalThis.validateBody.mockResolvedValue(body)
Member.findOne.mockResolvedValue({
_id: 'm-1',
email: '[email protected]',
status: 'active',
circle: 'community'
})
loadPublicEvent.mockResolvedValue({
_id: 'evt-m',
title: 'Member Event',
tickets: {
enabled: true,
member: { available: true, isFree: true },
public: { available: true, price: 5000 }
}
})
mockFetch.mockResolvedValue({
ok: true,
text: async () => JSON.stringify({ checkoutToken: 'ct-m', secretToken: 'st-m' })
})
const event = createMockEvent({
method: 'POST',
path: '/api/helcim/initialize-payment',
body
})
const result = await initPaymentHandler(event)
expect(mockFetch).toHaveBeenCalledTimes(1)
const [, init] = mockFetch.mock.calls[0]
const sentBody = JSON.parse(init.body)
expect(sentBody.amount).toBe(0)
expect(sentBody.paymentType).toBe('verify')
expect(result.amount).toBe(0)
})
})
describe('verify-payment endpoint', () => {