Add Zod validation, fix mass assignment, remove test endpoints and dead code
- Add centralized Zod schemas (server/utils/schemas.js) and validateBody utility for all API endpoints - Fix critical mass assignment in member creation: raw body no longer passed to new Member(), only validated fields (email, name, circle, contributionTier) are accepted - Apply Zod validation to login, profile patch, event registration, updates, verify-payment, and admin event creation endpoints - Fix logout cookie flags to match login (httpOnly: true, secure conditional on NODE_ENV) - Delete unauthenticated test/debug endpoints (test-connection, test-subscription, test-bot) - Remove sensitive console.log statements from Helcim and member endpoints - Remove unused bcryptjs dependency - Add 10MB file size limit on image uploads - Use runtime config for JWT secret across all endpoints - Add 38 validation tests (117 total, all passing)
This commit is contained in:
parent
26c300c357
commit
b7279f57d1
41 changed files with 467 additions and 321 deletions
|
|
@ -1,20 +1,14 @@
|
|||
import Event from "../../models/event.js";
|
||||
import { connectDB } from "../../utils/mongoose.js";
|
||||
import { requireAdmin } from "../../utils/auth.js";
|
||||
import { validateBody } from "../../utils/validateBody.js";
|
||||
import { adminEventCreateSchema } from "../../utils/schemas.js";
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
try {
|
||||
const admin = await requireAdmin(event);
|
||||
|
||||
const body = await readBody(event);
|
||||
|
||||
// Validate required fields
|
||||
if (!body.title || !body.description || !body.startDate || !body.endDate) {
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
statusMessage: "Missing required fields",
|
||||
});
|
||||
}
|
||||
const body = await validateBody(event, adminEventCreateSchema);
|
||||
|
||||
await connectDB();
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue