jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add Zod validation, fix mass assignment, remove test endpoints and dead code

Browse source 
- Add centralized Zod schemas (server/utils/schemas.js) and validateBody
  utility for all API endpoints
- Fix critical mass assignment in member creation: raw body no longer
  passed to new Member(), only validated fields (email, name, circle,
  contributionTier) are accepted
- Apply Zod validation to login, profile patch, event registration,
  updates, verify-payment, and admin event creation endpoints
- Fix logout cookie flags to match login (httpOnly: true, secure
  conditional on NODE_ENV)
- Delete unauthenticated test/debug endpoints (test-connection,
  test-subscription, test-bot)
- Remove sensitive console.log statements from Helcim and member
  endpoints
- Remove unused bcryptjs dependency
- Add 10MB file size limit on image uploads
- Use runtime config for JWT secret across all endpoints
- Add 38 validation tests (117 total, all passing)
This commit is contained in:
Jennie Robinson Faber 2026-03-01 14:02:46 +00:00
parent 26c300c357
commit b7279f57d1
41 changed files with 467 additions and 321 deletions
Download patch file Download diff file Expand all files Collapse all files

12
server/api/events/[id]/register.post.js
View file

@ -2,6 +2,8 @@ import Event from "../../../models/event.js";
import Member from "../../../models/member.js";
import { connectDB } from "../../../utils/mongoose.js";
import { sendEventRegistrationEmail } from "../../../utils/resend.js";
import { validateBody } from "../../../utils/validateBody.js";
import { eventRegistrationSchema } from "../../../utils/schemas.js";
import mongoose from "mongoose";
export default defineEventHandler(async (event) => {
@ -9,7 +11,7 @@ export default defineEventHandler(async (event) => {
// Ensure database connection
await connectDB();
const identifier = getRouterParam(event, "id");
const body = await readBody(event);
const body = await validateBody(event, eventRegistrationSchema);
if (!identifier) {
throw createError({
@ -18,14 +20,6 @@ export default defineEventHandler(async (event) => {
});
}
// Validate required fields
if (!body.name || !body.email) {
throw createError({
statusCode: 400,
statusMessage: "Name and email are required",
});
}
// Fetch the event - try by slug first, then by ID
let eventData;