jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(events): guest accounts for public event registration

Browse source 
Non-members who register for an event now get a persistent identity:
with consent, a status:"guest" Member is upserted and an auth cookie is
set so the "You're Registered" state survives a page refresh.

Tiered auto-login matches passwordless-auth norms — auto-login is only
safe when the account holds no privileges:
- New email → create guest + cookie
- Returning guest → cookie
- Existing non-guest (active/pending/etc.) → attach ticket only, no
  cookie, confirmation email includes a sign-in link

Guests are gated on status === "guest", so admin/middleware code that
keys on status === "active" naturally excludes them. Guests are also
treated as non-members for ticket pricing/validation to prevent picking
up member-only pricing on their second registration.
This commit is contained in:
Jennie Robinson Faber 2026-04-16 21:23:31 +01:00
parent 7e7672d52b
commit 6f9e6a3d98
7 changed files with 162 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

48
server/api/events/[id]/tickets/purchase.post.js
View file

@ -43,14 +43,16 @@ export default defineEventHandler(async (event) => {
});
}
// Check if user is a member
const member = await Member.findOne({ email: body.email.toLowerCase() });
// Check if user is a member. Guests don't count as members for pricing/validation.
let member = await Member.findOne({ email: body.email.toLowerCase() });
let accountCreated = false;
const isRealMember = (m) => !!m && m.status !== "guest";
// Validate ticket purchase
const validation = validateTicketPurchase(eventData, {
email: body.email,
name: body.name,
member,
member: isRealMember(member) ? member : null,
});
if (!validation.valid) {
@ -86,15 +88,36 @@ export default defineEventHandler(async (event) => {
// For now, we trust the transaction ID from HelcimPay.js
}
// If no Member yet and the user consented, atomically create a guest Member.
// findOneAndUpdate with $setOnInsert handles concurrent registrations on the
// same email (email has a unique index).
if (!member && body.createAccount) {
member = await Member.findOneAndUpdate(
{ email: body.email.toLowerCase() },
{
$setOnInsert: {
email: body.email.toLowerCase(),
name: body.name,
circle: "community",
contributionTier: "0",
status: "guest",
},
},
{ upsert: true, new: true, setDefaultsOnInsert: true }
);
accountCreated = true;
}
// Create registration
const realMember = isRealMember(member);
const registration = {
memberId: member ? member._id : null,
name: body.name,
email: body.email.toLowerCase(),
membershipLevel: member
membershipLevel: realMember
? `${member.circle}-${member.contributionTier}`
: "non-member",
isMember: !!member,
isMember: realMember,
ticketType: ticketInfo.ticketType,
ticketPrice: ticketInfo.price,
paymentStatus: requiresPayment ? "completed" : "not_required",
@ -113,9 +136,20 @@ export default defineEventHandler(async (event) => {
// legacy location data unrelated to this write.
await eventData.save({ validateBeforeSave: false });
// Decide on auto-login: safe for new accounts and existing guests, not for
// real members (stranger could hijack by typing email into a public form).
let signedIn = false;
let requiresSignIn = false;
if (member && (accountCreated || member.status === "guest")) {
setAuthCookie(event, member);
signedIn = true;
} else if (member) {
requiresSignIn = true;
}
// Send confirmation email
try {
await sendEventRegistrationEmail(registration, eventData);
await sendEventRegistrationEmail(registration, eventData, { requiresSignIn });
} catch (emailError) {
console.error("Failed to send confirmation email:", emailError);
// Don't fail the registration if email fails
@ -131,6 +165,8 @@ export default defineEventHandler(async (event) => {
ticketType: registration.ticketType,
amountPaid: registration.amountPaid,
},
accountCreated,
signedIn,
payment: transactionId
? {
transactionId: transactionId,