Add Zod validation, fix mass assignment, remove test endpoints and dead code
- Add centralized Zod schemas (server/utils/schemas.js) and validateBody utility for all API endpoints - Fix critical mass assignment in member creation: raw body no longer passed to new Member(), only validated fields (email, name, circle, contributionTier) are accepted - Apply Zod validation to login, profile patch, event registration, updates, verify-payment, and admin event creation endpoints - Fix logout cookie flags to match login (httpOnly: true, secure conditional on NODE_ENV) - Delete unauthenticated test/debug endpoints (test-connection, test-subscription, test-bot) - Remove sensitive console.log statements from Helcim and member endpoints - Remove unused bcryptjs dependency - Add 10MB file size limit on image uploads - Use runtime config for JWT secret across all endpoints - Add 38 validation tests (117 total, all passing)
This commit is contained in:
parent
26c300c357
commit
b7279f57d1
41 changed files with 467 additions and 321 deletions
|
|
@ -1,5 +1,7 @@
|
|||
// Verify payment token from HelcimPay.js
|
||||
import { requireAuth } from '../../utils/auth.js'
|
||||
import { validateBody } from '../../utils/validateBody.js'
|
||||
import { paymentVerifySchema } from '../../utils/schemas.js'
|
||||
|
||||
const HELCIM_API_BASE = 'https://api.helcim.com/v2'
|
||||
|
||||
|
|
@ -7,15 +9,7 @@ export default defineEventHandler(async (event) => {
|
|||
try {
|
||||
await requireAuth(event)
|
||||
const config = useRuntimeConfig(event)
|
||||
const body = await readBody(event)
|
||||
|
||||
// Validate required fields
|
||||
if (!body.cardToken || !body.customerId) {
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
statusMessage: 'Card token and customer ID are required'
|
||||
})
|
||||
}
|
||||
const body = await validateBody(event, paymentVerifySchema)
|
||||
|
||||
const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
|
||||
|
||||
|
|
@ -48,13 +42,13 @@ export default defineEventHandler(async (event) => {
|
|||
|
||||
// Verify the card token exists for this customer
|
||||
const cardExists = Array.isArray(cards) && cards.some(card =>
|
||||
card.cardToken === body.cardToken || card.id
|
||||
card.cardToken === body.cardToken
|
||||
)
|
||||
|
||||
if (!cardExists && Array.isArray(cards) && cards.length === 0) {
|
||||
if (!cardExists) {
|
||||
throw createError({
|
||||
statusCode: 400,
|
||||
statusMessage: 'No payment method found for this customer'
|
||||
statusMessage: 'Payment method not found or does not belong to this customer'
|
||||
})
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue