feat(events): guest accounts for public event registration
Non-members who register for an event now get a persistent identity: with consent, a status:"guest" Member is upserted and an auth cookie is set so the "You're Registered" state survives a page refresh. Tiered auto-login matches passwordless-auth norms — auto-login is only safe when the account holds no privileges: - New email → create guest + cookie - Returning guest → cookie - Existing non-guest (active/pending/etc.) → attach ticket only, no cookie, confirmation email includes a sign-in link Guests are gated on status === "guest", so admin/middleware code that keys on status === "active" naturally excludes them. Guests are also treated as non-members for ticket pricing/validation to prevent picking up member-only pricing on their second registration.
This commit is contained in:
parent
7e7672d52b
commit
6f9e6a3d98
7 changed files with 162 additions and 10 deletions
|
|
@ -87,3 +87,53 @@ describe('cancel-registration.post.js', () => {
|
|||
expect(source).not.toContain('requireAuth')
|
||||
})
|
||||
})
|
||||
|
||||
describe('tickets/purchase.post.js', () => {
|
||||
const source = readFileSync(resolve(eventsDir, 'tickets/purchase.post.js'), 'utf-8')
|
||||
|
||||
it('uses validateBody for input validation', () => {
|
||||
expect(source).toContain('validateBody(event, ticketPurchaseSchema)')
|
||||
})
|
||||
|
||||
it('upserts a guest Member when consent given and no existing Member', () => {
|
||||
expect(source).toContain('body.createAccount')
|
||||
expect(source).toContain('findOneAndUpdate')
|
||||
expect(source).toContain('$setOnInsert')
|
||||
expect(source).toContain('status: "guest"')
|
||||
expect(source).toContain('upsert: true')
|
||||
})
|
||||
|
||||
it('treats guest Members as non-members for pricing and validation', () => {
|
||||
// Guests must not receive member pricing — plan §2
|
||||
expect(source).toContain('isRealMember')
|
||||
expect(source).toContain('!== "guest"')
|
||||
})
|
||||
|
||||
it('sets an auth cookie for new guests and returning guests', () => {
|
||||
expect(source).toContain('setAuthCookie(event, member)')
|
||||
expect(source).toContain('accountCreated || member.status === "guest"')
|
||||
})
|
||||
|
||||
it('does not auto-login existing non-guest members (hijack prevention)', () => {
|
||||
// Requires sign-in flag for existing real members — plan §2
|
||||
expect(source).toContain('requiresSignIn = true')
|
||||
})
|
||||
|
||||
it('passes requiresSignIn to confirmation email', () => {
|
||||
expect(source).toContain('sendEventRegistrationEmail(registration, eventData, { requiresSignIn })')
|
||||
})
|
||||
|
||||
it('includes accountCreated and signedIn in response', () => {
|
||||
expect(source).toContain('accountCreated,')
|
||||
expect(source).toContain('signedIn,')
|
||||
})
|
||||
|
||||
it('does not block registration when email fails', () => {
|
||||
const emailCallIndex = source.indexOf('await sendEventRegistrationEmail')
|
||||
expect(emailCallIndex).toBeGreaterThan(-1)
|
||||
const afterEmail = source.slice(emailCallIndex)
|
||||
const catchBlock = afterEmail.match(/catch\s*\(\w+\)\s*\{[^}]*\}/s)
|
||||
expect(catchBlock).not.toBeNull()
|
||||
expect(catchBlock[0]).toContain('console.error')
|
||||
})
|
||||
})
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue