Add Zod validation, fix mass assignment, remove test endpoints and dead code
- Add centralized Zod schemas (server/utils/schemas.js) and validateBody utility for all API endpoints - Fix critical mass assignment in member creation: raw body no longer passed to new Member(), only validated fields (email, name, circle, contributionTier) are accepted - Apply Zod validation to login, profile patch, event registration, updates, verify-payment, and admin event creation endpoints - Fix logout cookie flags to match login (httpOnly: true, secure conditional on NODE_ENV) - Delete unauthenticated test/debug endpoints (test-connection, test-subscription, test-bot) - Remove sensitive console.log statements from Helcim and member endpoints - Remove unused bcryptjs dependency - Add 10MB file size limit on image uploads - Use runtime config for JWT secret across all endpoints - Add 38 validation tests (117 total, all passing)
This commit is contained in:
parent
26c300c357
commit
b7279f57d1
41 changed files with 467 additions and 321 deletions
|
|
@ -2,6 +2,8 @@ import Event from "../../../models/event.js";
|
|||
import Member from "../../../models/member.js";
|
||||
import { connectDB } from "../../../utils/mongoose.js";
|
||||
import { sendEventRegistrationEmail } from "../../../utils/resend.js";
|
||||
import { validateBody } from "../../../utils/validateBody.js";
|
||||
import { eventRegistrationSchema } from "../../../utils/schemas.js";
|
||||
import mongoose from "mongoose";
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
|
|
@ -9,7 +11,7 @@ export default defineEventHandler(async (event) => {
|
|||
// Ensure database connection
|
||||
await connectDB();
|
||||
const identifier = getRouterParam(event, "id");
|
||||
const body = await readBody(event);
|
||||
const body = await validateBody(event, eventRegistrationSchema);
|
||||
|
||||
if (!identifier) {
|
||||
throw createError({
|
||||
|
|
@ -18,14 +20,6 @@ export default defineEventHandler(async (event) => {
|
|||
});
|
||||
}
|
||||
|
||||
// Validate required fields
|
||||
if (!body.name || !body.email) {
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
statusMessage: "Name and email are required",
|
||||
});
|
||||
}
|
||||
|
||||
// Fetch the event - try by slug first, then by ID
|
||||
let eventData;
|
||||
|
||||
|
|
|
|||
|
|
@ -92,7 +92,6 @@ export default defineEventHandler(async (event) => {
|
|||
// Optional: Verify the transaction with Helcim API
|
||||
// This adds extra security to ensure the transaction is legitimate
|
||||
// For now, we trust the transaction ID from HelcimPay.js
|
||||
console.log("Payment completed with transaction ID:", transactionId);
|
||||
}
|
||||
|
||||
// Create registration
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue