feat(events): guest accounts for public event registration

Non-members who register for an event now get a persistent identity:
with consent, a status:"guest" Member is upserted and an auth cookie is
set so the "You're Registered" state survives a page refresh.

Tiered auto-login matches passwordless-auth norms — auto-login is only
safe when the account holds no privileges:
- New email → create guest + cookie
- Returning guest → cookie
- Existing non-guest (active/pending/etc.) → attach ticket only, no
  cookie, confirmation email includes a sign-in link

Guests are gated on status === "guest", so admin/middleware code that
keys on status === "active" naturally excludes them. Guests are also
treated as non-members for ticket pricing/validation to prevent picking
up member-only pricing on their second registration.

app/components/EventTicketPurchase.vue

@@ -154,6 +154,18 @@
             securely
           </p>
 
+          <label class="consent-field">
+            <input
+              v-model="form.createAccount"
+              type="checkbox"
+              :disabled="processing"
+            >
+            <span>Create a free guest account so I can manage my registration</span>
+          </label>
+          <p class="field-hint consent-hint">
+            Guest accounts let you view your tickets and register faster next time. We won't add you to member communications.
+          </p>
+
           <button
             type="submit"
             class="btn btn-primary"
@@ -241,6 +253,7 @@ const ticketInfo = ref(null);
 const form = ref({
   name: props.userName || "",
   email: props.userEmail || "",
+  createAccount: true,
 });
 
 const isLoggedIn = computed(() => !!props.userEmail);
@@ -337,6 +350,7 @@ const handleSubmit = async () => {
     const body = {
       name: form.value.name,
       email: form.value.email,
+      createAccount: form.value.createAccount,
     };
     if (transactionId) body.transactionId = transactionId;
 
@@ -357,6 +371,13 @@ const handleSubmit = async () => {
     });
 
     emit("success", response);
+
+    if (response?.signedIn) {
+      // New guest account or returning guest — refresh client auth state so the
+      // rest of the app sees them as logged in.
+      await useAuth().checkMemberStatus();
+    }
+
     await fetchTicketInfo(form.value.email);
   } catch (err) {
     console.error("Error purchasing ticket:", err);
@@ -429,4 +450,22 @@ const formatEventDate = (date) => {
   color: var(--text-faint);
   margin-top: 2px;
 }
+
+.consent-field {
+  display: flex;
+  align-items: flex-start;
+  gap: 8px;
+  font-size: 12px;
+  color: var(--text);
+  margin-bottom: 4px;
+  cursor: pointer;
+}
+.consent-field input[type="checkbox"] {
+  margin-top: 3px;
+  flex-shrink: 0;
+}
+.consent-hint {
+  margin-bottom: 14px;
+  padding-left: 24px;
+}
 </style>

server/api/events/[id]/tickets/purchase.post.js

@@ -43,14 +43,16 @@ export default defineEventHandler(async (event) => {
       });
     }
 
-    // Check if user is a member
+    // Check if user is a member. Guests don't count as members for pricing/validation.
-    const member = await Member.findOne({ email: body.email.toLowerCase() });
+    let member = await Member.findOne({ email: body.email.toLowerCase() });
+    let accountCreated = false;
+    const isRealMember = (m) => !!m && m.status !== "guest";
 
     // Validate ticket purchase
     const validation = validateTicketPurchase(eventData, {
       email: body.email,
       name: body.name,
-      member,
+      member: isRealMember(member) ? member : null,
     });
 
     if (!validation.valid) {
@@ -86,15 +88,36 @@ export default defineEventHandler(async (event) => {
       // For now, we trust the transaction ID from HelcimPay.js
     }
 
+    // If no Member yet and the user consented, atomically create a guest Member.
+    // findOneAndUpdate with $setOnInsert handles concurrent registrations on the
+    // same email (email has a unique index).
+    if (!member && body.createAccount) {
+      member = await Member.findOneAndUpdate(
+        { email: body.email.toLowerCase() },
+        {
+          $setOnInsert: {
+            email: body.email.toLowerCase(),
+            name: body.name,
+            circle: "community",
+            contributionTier: "0",
+            status: "guest",
+          },
+        },
+        { upsert: true, new: true, setDefaultsOnInsert: true }
+      );
+      accountCreated = true;
+    }
+
     // Create registration
+    const realMember = isRealMember(member);
     const registration = {
       memberId: member ? member._id : null,
       name: body.name,
       email: body.email.toLowerCase(),
-      membershipLevel: member
+      membershipLevel: realMember
         ? `${member.circle}-${member.contributionTier}`
         : "non-member",
-      isMember: !!member,
+      isMember: realMember,
       ticketType: ticketInfo.ticketType,
       ticketPrice: ticketInfo.price,
       paymentStatus: requiresPayment ? "completed" : "not_required",
@@ -113,9 +136,20 @@ export default defineEventHandler(async (event) => {
     // legacy location data unrelated to this write.
     await eventData.save({ validateBeforeSave: false });
 
+    // Decide on auto-login: safe for new accounts and existing guests, not for
+    // real members (stranger could hijack by typing email into a public form).
+    let signedIn = false;
+    let requiresSignIn = false;
+    if (member && (accountCreated || member.status === "guest")) {
+      setAuthCookie(event, member);
+      signedIn = true;
+    } else if (member) {
+      requiresSignIn = true;
+    }
+
     // Send confirmation email
     try {
-      await sendEventRegistrationEmail(registration, eventData);
+      await sendEventRegistrationEmail(registration, eventData, { requiresSignIn });
     } catch (emailError) {
       console.error("Failed to send confirmation email:", emailError);
       // Don't fail the registration if email fails
@@ -131,6 +165,8 @@ export default defineEventHandler(async (event) => {
         ticketType: registration.ticketType,
         amountPaid: registration.amountPaid,
       },
+      accountCreated,
+      signedIn,
       payment: transactionId
         ? {
             transactionId: transactionId,

server/models/member.js

@@ -35,7 +35,7 @@ const memberSchema = new mongoose.Schema({
   },
   status: {
     type: String,
-    enum: ["pending_payment", "active", "suspended", "cancelled"],
+    enum: ["pending_payment", "active", "suspended", "cancelled", "guest"],
     default: "pending_payment",
   },
   helcimCustomerId: String,

server/utils/auth.js

@@ -2,6 +2,26 @@ import jwt from 'jsonwebtoken'
 import Member from '../models/member.js'
 import { connectDB } from './mongoose.js'
 
+/**
+ * Issue a session JWT and set the auth-token cookie for the given member.
+ * Mirrors the cookie options used by verify.post.js.
+ */
+export function setAuthCookie(event, member) {
+  const token = jwt.sign(
+    { memberId: member._id.toString(), email: member.email, tv: member.tokenVersion || 0 },
+    useRuntimeConfig(event).jwtSecret,
+    { expiresIn: '7d' }
+  )
+
+  setCookie(event, 'auth-token', token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    maxAge: 60 * 60 * 24 * 7
+  })
+}
+
 /**
  * Verify JWT from cookie and return the decoded member.
  * Throws 401 if token is missing or invalid.

server/utils/resend.js

@@ -4,8 +4,11 @@ const resend = new Resend(process.env.RESEND_API_KEY);
 
 /**
  * Send event registration confirmation email
+ * @param {Object} options - { requiresSignIn?: boolean } — when true, appends a
+ *   "sign in to view your ticket" paragraph for existing non-guest members who
+ *   registered via the public form and did not receive an auto-login cookie.
  */
-export async function sendEventRegistrationEmail(registration, eventData) {
+export async function sendEventRegistrationEmail(registration, eventData, options = {}) {
   const formatDate = (dateString) => {
     const date = new Date(dateString);
     return new Intl.DateTimeFormat("en-US", {
@@ -31,6 +34,9 @@ export async function sendEventRegistrationEmail(registration, eventData) {
 
   const baseUrl = process.env.BASE_URL || "https://ghostguild.org";
   const eventUrl = `${baseUrl}/events/${eventData.slug || eventData._id}`;
+  const signInSection = options.requiresSignIn
+    ? `\nSign in to view your ticket: ${baseUrl}/login\n`
+    : "";
 
   let ticketSection = "";
   if (
@@ -63,7 +69,7 @@ You're registered for ${eventData.title}.
 Date: ${formatDate(eventData.startDate)}
 Time: ${formatTime(eventData.startDate, eventData.endDate)}
 Location: ${eventData.location}
-${eventData.description ? `\n${eventData.description}\n` : ""}${ticketSection}
+${eventData.description ? `\n${eventData.description}\n` : ""}${ticketSection}${signInSection}
 View event: ${eventUrl}
 
 To cancel, visit the event page and click "Cancel Registration."`,

server/utils/schemas.js

@@ -95,7 +95,8 @@ export const helcimUpdateBillingSchema = z.object({
 export const ticketPurchaseSchema = z.object({
   name: z.string().min(1).max(200),
   email: z.string().trim().toLowerCase().email(),
-  transactionId: z.string().max(500).optional()
+  transactionId: z.string().max(500).optional(),
+  createAccount: z.boolean().optional().default(true)
 })
 
 export const ticketReserveSchema = z.object({

tests/server/api/event-registration.test.js

@@ -87,3 +87,53 @@ describe('cancel-registration.post.js', () => {
     expect(source).not.toContain('requireAuth')
   })
 })
+
+describe('tickets/purchase.post.js', () => {
+  const source = readFileSync(resolve(eventsDir, 'tickets/purchase.post.js'), 'utf-8')
+
+  it('uses validateBody for input validation', () => {
+    expect(source).toContain('validateBody(event, ticketPurchaseSchema)')
+  })
+
+  it('upserts a guest Member when consent given and no existing Member', () => {
+    expect(source).toContain('body.createAccount')
+    expect(source).toContain('findOneAndUpdate')
+    expect(source).toContain('$setOnInsert')
+    expect(source).toContain('status: "guest"')
+    expect(source).toContain('upsert: true')
+  })
+
+  it('treats guest Members as non-members for pricing and validation', () => {
+    // Guests must not receive member pricing — plan §2
+    expect(source).toContain('isRealMember')
+    expect(source).toContain('!== "guest"')
+  })
+
+  it('sets an auth cookie for new guests and returning guests', () => {
+    expect(source).toContain('setAuthCookie(event, member)')
+    expect(source).toContain('accountCreated || member.status === "guest"')
+  })
+
+  it('does not auto-login existing non-guest members (hijack prevention)', () => {
+    // Requires sign-in flag for existing real members — plan §2
+    expect(source).toContain('requiresSignIn = true')
+  })
+
+  it('passes requiresSignIn to confirmation email', () => {
+    expect(source).toContain('sendEventRegistrationEmail(registration, eventData, { requiresSignIn })')
+  })
+
+  it('includes accountCreated and signedIn in response', () => {
+    expect(source).toContain('accountCreated,')
+    expect(source).toContain('signedIn,')
+  })
+
+  it('does not block registration when email fails', () => {
+    const emailCallIndex = source.indexOf('await sendEventRegistrationEmail')
+    expect(emailCallIndex).toBeGreaterThan(-1)
+    const afterEmail = source.slice(emailCallIndex)
+    const catchBlock = afterEmail.match(/catch\s*\(\w+\)\s*\{[^}]*\}/s)
+    expect(catchBlock).not.toBeNull()
+    expect(catchBlock[0]).toContain('console.error')
+  })
+})