feat(events): guest accounts for public event registration
Non-members who register for an event now get a persistent identity: with consent, a status:"guest" Member is upserted and an auth cookie is set so the "You're Registered" state survives a page refresh. Tiered auto-login matches passwordless-auth norms — auto-login is only safe when the account holds no privileges: - New email → create guest + cookie - Returning guest → cookie - Existing non-guest (active/pending/etc.) → attach ticket only, no cookie, confirmation email includes a sign-in link Guests are gated on status === "guest", so admin/middleware code that keys on status === "active" naturally excludes them. Guests are also treated as non-members for ticket pricing/validation to prevent picking up member-only pricing on their second registration.
This commit is contained in:
parent
7e7672d52b
commit
6f9e6a3d98
7 changed files with 162 additions and 10 deletions
|
|
@ -2,6 +2,26 @@ import jwt from 'jsonwebtoken'
|
|||
import Member from '../models/member.js'
|
||||
import { connectDB } from './mongoose.js'
|
||||
|
||||
/**
|
||||
* Issue a session JWT and set the auth-token cookie for the given member.
|
||||
* Mirrors the cookie options used by verify.post.js.
|
||||
*/
|
||||
export function setAuthCookie(event, member) {
|
||||
const token = jwt.sign(
|
||||
{ memberId: member._id.toString(), email: member.email, tv: member.tokenVersion || 0 },
|
||||
useRuntimeConfig(event).jwtSecret,
|
||||
{ expiresIn: '7d' }
|
||||
)
|
||||
|
||||
setCookie(event, 'auth-token', token, {
|
||||
httpOnly: true,
|
||||
secure: process.env.NODE_ENV === 'production',
|
||||
sameSite: 'lax',
|
||||
path: '/',
|
||||
maxAge: 60 * 60 * 24 * 7
|
||||
})
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify JWT from cookie and return the decoded member.
|
||||
* Throws 401 if token is missing or invalid.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue