jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(launch): simplify launch-readiness fixes

Browse source 
Follow-up to 208638e. Code review surfaced a few real issues; this
commit addresses them.

- login.post.js now uses the new sendMagicLink util instead of
  duplicating the jti/jwt/Resend/logActivity logic. Reduces 60 lines.
- sendMagicLink accepts an optional pre-loaded Member doc, skipping
  the redundant findOne when the caller already has one. customer.post.js
  passes the just-created/upgraded member, dropping signup from 3
  Mongo round-trips to 1 (lookup is gone; jti burn remains).
- sendMagicLink now lowercases the email defensively so callers don't
  have to remember.
- rateLimit.js: replaced an effectively-dead eviction line with a
  probabilistic sweep (~1% of calls scan and evict keys whose newest
  entry has aged out). Caps unbounded Map growth under random-key
  spraying.
- reconcile-payments.post.js: 401/403/404 from Helcim now bails out
  immediately instead of burning all 3 retry attempts; dry-run
  summary filters via the same RECONCILABLE_STATUSES set as apply
  mode so counts match.
- Deleted WHAT-comments and section banners per CLAUDE.md no-comment
  rule. Kept genuine WHY-comments (validateBeforeSave rationale,
  amount-IGNORED-for-tickets, sendConfirmation deliberately-omitted).

Tests: 758/760 passing (unchanged).
This commit is contained in:
Jennie Robinson Faber 2026-04-25 19:34:16 +01:00
parent 208638e374
commit 51230e5151
7 changed files with 33 additions and 98 deletions
Download patch file Download diff file Expand all files Collapse all files

4
server/utils/magicLink.js
View file

@ -15,6 +15,7 @@ const resend = new Resend(process.env.RESEND_API_KEY)
* @param {object} [options]
* @param {string} [options.subject] - Email subject (default: "Your Ghost Guild login link")
* @param {string} [options.intro] - Optional one-line intro before the link.
* @param {object} [options.member] - Pre-loaded Member doc; skips the findOne lookup.
* @returns {Promise<{ sent: boolean }>} - sent=false when no member exists for the email
* (caller can decide whether to surface that; the auth/login endpoint hides it for
* anti-enumeration, signup knows the member was just created).
@ -28,7 +29,8 @@ export async function sendMagicLink(email, options = {}) {
})
}
const member = await Member.findOne({ email })
email = email.toLowerCase()
const member = options.member || await Member.findOne({ email })
if (!member) return { sent: false }
const jti = randomUUID()