refactor(launch): collapse helcim-pay duplication and use setAuthCookie helper

Follow-up to 51230e5. /simplify review surfaced residual duplication and a timer leak. - useHelcimPay: extract _initializeTicket(metadata, errorPrefix) to collapse initializeTicketPayment + initializeSeriesTicketPayment (95% identical bodies). Drop the dead `amount` arg from initialize- TicketPayment — server re-derives ticket amounts in initialize- payment.post.js and never reads body.amount for ticket types. Capture timer ids and clearTimeout on resolve/reject so the 10-min payment timer and 5-second observer timer stop leaking after every payment. - EventTicketPurchase: caller updated for the dropped arg. - verify.post.js: replace inline jwt.sign + setCookie block with the setAuthCookie(event, member) helper. verify was the last hand-rolled caller after the helper was extracted in 208638e. - LAUNCH_READINESS: add simplify-pass-followups bullet pointing to the six deferred items in docs/TODO.md. Tests: 758 passing, 2 skipped, 0 failing.
2026-04-25 22:13:24 +01:00 · 2026-04-25 22:13:24 +01:00 · 8e76ce9366
commit 8e76ce9366
parent 51230e5151
4 changed files with 24 additions and 70 deletions
--- a/server/api/auth/verify.post.js
+++ b/server/api/auth/verify.post.js
@ -3,6 +3,7 @@ import jwt from 'jsonwebtoken'
 import Member from '../../models/member.js'
 import { validateBody } from '../../utils/validateBody.js'
 import { verifyMagicLinkSchema } from '../../utils/schemas.js'
+import { setAuthCookie } from '../../utils/auth.js'

 export default defineEventHandler(async (event) => {
  const { token } = await validateBody(event, verifyMagicLinkSchema)
@ -57,20 +58,7 @@ export default defineEventHandler(async (event) => {
    { runValidators: false }
  )

-  // Issue session token with tokenVersion claim for revocation support
-  const sessionToken = jwt.sign(
-    { memberId: member._id, email: member.email, tv: member.tokenVersion },
-    config.jwtSecret,
-    { expiresIn: '7d' },
-  )
-
-  setCookie(event, 'auth-token', sessionToken, {
-    httpOnly: true,
-    secure: process.env.NODE_ENV === 'production',
-    sameSite: 'lax',
-    path: '/',
-    maxAge: 60 * 60 * 24 * 7, // 7 days
-  })
+  setAuthCookie(event, member)

  const redirectUrl = member.role === 'admin' ? '/admin' : '/member/dashboard'
  return { success: true, redirectUrl }