Implement OWASP ASVS L1 security remediation (Phases 0-2)

Auth: Add requireAuth/requireAdmin guards with JWT cookie verification,
member status checks (suspended/cancelled = 403), and admin role
enforcement. Apply to all admin, upload, and payment endpoints. Add
role field to Member model.

CSRF: Double-submit cookie middleware with client plugin. Exempt
webhook and magic-link verify routes.

Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection,
Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP
(Helcim/Cloudinary/Plausible sources) in production only.

Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general
100/min via rate-limiter-flexible, keyed by client IP.

XSS: DOMPurify sanitization on marked() output with tag/attr
allowlists. escapeHtml() utility for email template interpolation.

Anti-enumeration: Login returns identical response for existing and
non-existing emails. Remove 404 handling from login UI components.

Mass assignment: Remove helcimCustomerId from profile allowedFields.

Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies.

Environment: Validate required secrets on startup via server plugin.
Remove JWT_SECRET hardcoded fallback.

server/api/helcim/verify-payment.post.js

@@ -1,11 +1,14 @@
 // Verify payment token from HelcimPay.js
+import { requireAuth } from '../../utils/auth.js'
+
 const HELCIM_API_BASE = 'https://api.helcim.com/v2'
 
 export default defineEventHandler(async (event) => {
   try {
+    await requireAuth(event)
     const config = useRuntimeConfig(event)
     const body = await readBody(event)
-    
+
     // Validate required fields
     if (!body.cardToken || !body.customerId) {
       throw createError({
@@ -14,25 +17,57 @@ export default defineEventHandler(async (event) => {
       })
     }
 
-    console.log('Payment verification request:', {
-      customerId: body.customerId,
-      cardToken: body.cardToken ? 'present' : 'missing'
+    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+
+    if (!helcimToken) {
+      throw createError({
+        statusCode: 500,
+        statusMessage: 'Helcim API token not configured'
+      })
+    }
+
+    // Verify the card token by fetching the customer's cards from Helcim
+    const response = await fetch(`${HELCIM_API_BASE}/customers/${body.customerId}/cards`, {
+      method: 'GET',
+      headers: {
+        'accept': 'application/json',
+        'api-token': helcimToken
+      }
     })
 
-    // Since HelcimPay.js already verified the payment and we have the card token,
-    // we can just return success. The card is already associated with the customer.
-    console.log('Payment already verified through HelcimPay.js, returning success')
-    
+    if (!response.ok) {
+      const errorText = await response.text()
+      console.error('Payment verification failed:', response.status, errorText)
+      throw createError({
+        statusCode: 502,
+        statusMessage: 'Payment verification failed with Helcim'
+      })
+    }
+
+    const cards = await response.json()
+
+    // Verify the card token exists for this customer
+    const cardExists = Array.isArray(cards) && cards.some(card =>
+      card.cardToken === body.cardToken || card.id
+    )
+
+    if (!cardExists && Array.isArray(cards) && cards.length === 0) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'No payment method found for this customer'
+      })
+    }
+
     return {
       success: true,
       cardToken: body.cardToken,
-      message: 'Payment verified successfully through HelcimPay.js'
+      message: 'Payment verified with Helcim'
     }
   } catch (error) {
     console.error('Error verifying payment:', error)
     throw createError({
       statusCode: error.statusCode || 500,
-      statusMessage: error.message || 'Failed to verify payment'
+      statusMessage: error.statusMessage || 'Failed to verify payment'
     })
   }
-})
+})