Add Zod validation, fix mass assignment, remove test endpoints and dead code
- Add centralized Zod schemas (server/utils/schemas.js) and validateBody utility for all API endpoints - Fix critical mass assignment in member creation: raw body no longer passed to new Member(), only validated fields (email, name, circle, contributionTier) are accepted - Apply Zod validation to login, profile patch, event registration, updates, verify-payment, and admin event creation endpoints - Fix logout cookie flags to match login (httpOnly: true, secure conditional on NODE_ENV) - Delete unauthenticated test/debug endpoints (test-connection, test-subscription, test-bot) - Remove sensitive console.log statements from Helcim and member endpoints - Remove unused bcryptjs dependency - Add 10MB file size limit on image uploads - Use runtime config for JWT secret across all endpoints - Add 38 validation tests (117 total, all passing)
This commit is contained in:
parent
26c300c357
commit
b7279f57d1
41 changed files with 467 additions and 321 deletions
|
|
@ -21,7 +21,7 @@ export default defineEventHandler(async (event) => {
|
|||
// Decode JWT token
|
||||
let decoded;
|
||||
try {
|
||||
decoded = jwt.verify(token, process.env.JWT_SECRET);
|
||||
decoded = jwt.verify(token, config.jwtSecret);
|
||||
} catch (err) {
|
||||
throw createError({
|
||||
statusCode: 401,
|
||||
|
|
|
|||
|
|
@ -2,6 +2,8 @@
|
|||
import Member from '../../models/member.js'
|
||||
import { connectDB } from '../../utils/mongoose.js'
|
||||
import { getSlackService } from '../../utils/slack.ts'
|
||||
import { validateBody } from '../../utils/validateBody.js'
|
||||
import { memberCreateSchema } from '../../utils/schemas.js'
|
||||
// Simple payment check function to avoid import issues
|
||||
const requiresPayment = (contributionValue) => contributionValue !== '0'
|
||||
|
||||
|
|
@ -14,7 +16,7 @@ async function inviteToSlack(member) {
|
|||
return
|
||||
}
|
||||
|
||||
console.log(`Processing Slack invitation for ${member.email}...`)
|
||||
console.warn(`Processing Slack invitation for member`)
|
||||
|
||||
const inviteResult = await slackService.inviteUserToSlack(
|
||||
member.email,
|
||||
|
|
@ -45,13 +47,13 @@ async function inviteToSlack(member) {
|
|||
inviteResult.status
|
||||
)
|
||||
|
||||
console.log(`Successfully processed Slack invitation for ${member.email}: ${inviteResult.status}`)
|
||||
console.warn(`Slack invitation processed: ${inviteResult.status}`)
|
||||
} else {
|
||||
// Update member record to reflect failed invitation
|
||||
member.slackInviteStatus = 'failed'
|
||||
await member.save()
|
||||
|
||||
console.error(`Failed to process Slack invitation for ${member.email}: ${inviteResult.error}`)
|
||||
console.error(`Failed to process Slack invitation: ${inviteResult.error}`)
|
||||
// Don't throw error - member creation should still succeed
|
||||
}
|
||||
} catch (error) {
|
||||
|
|
@ -73,32 +75,30 @@ export default defineEventHandler(async (event) => {
|
|||
// Ensure database is connected
|
||||
await connectDB()
|
||||
|
||||
const body = await readBody(event)
|
||||
|
||||
const validatedData = await validateBody(event, memberCreateSchema)
|
||||
|
||||
try {
|
||||
// Check if member already exists
|
||||
const existingMember = await Member.findOne({ email: body.email })
|
||||
const existingMember = await Member.findOne({ email: validatedData.email })
|
||||
if (existingMember) {
|
||||
throw createError({
|
||||
statusCode: 409,
|
||||
statusMessage: 'A member with this email already exists'
|
||||
throw createError({
|
||||
statusCode: 409,
|
||||
statusMessage: 'A member with this email already exists'
|
||||
})
|
||||
}
|
||||
|
||||
const member = new Member(body)
|
||||
|
||||
const member = new Member(validatedData)
|
||||
await member.save()
|
||||
|
||||
// Send Slack invitation for new members
|
||||
await inviteToSlack(member)
|
||||
|
||||
// TODO: Process payment with Helcim if not free tier
|
||||
if (requiresPayment(body.contributionTier)) {
|
||||
if (requiresPayment(validatedData.contributionTier)) {
|
||||
// Payment processing will be added here
|
||||
console.log('Payment processing needed for tier:', body.contributionTier)
|
||||
}
|
||||
|
||||
|
||||
// TODO: Send welcome email
|
||||
console.log('Welcome email should be sent to:', body.email)
|
||||
|
||||
return { success: true, member }
|
||||
} catch (error) {
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ export default defineEventHandler(async (event) => {
|
|||
|
||||
if (token) {
|
||||
try {
|
||||
const decoded = jwt.verify(token, process.env.JWT_SECRET);
|
||||
const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
|
||||
currentMemberId = decoded.memberId;
|
||||
isAuthenticated = true;
|
||||
} catch (err) {
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ export default defineEventHandler(async (event) => {
|
|||
|
||||
let memberId;
|
||||
try {
|
||||
const decoded = jwt.verify(token, process.env.JWT_SECRET);
|
||||
const decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
|
||||
memberId = decoded.memberId;
|
||||
} catch (err) {
|
||||
throw createError({
|
||||
|
|
|
|||
|
|
@ -1,14 +1,16 @@
|
|||
import Member from "../../models/member.js";
|
||||
import { requireAuth } from "../../utils/auth.js";
|
||||
import { validateBody } from "../../utils/validateBody.js";
|
||||
import { memberProfileUpdateSchema } from "../../utils/schemas.js";
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const authedMember = await requireAuth(event);
|
||||
const memberId = authedMember._id;
|
||||
|
||||
const body = await readBody(event);
|
||||
const body = await validateBody(event, memberProfileUpdateSchema);
|
||||
|
||||
// Define allowed profile fields
|
||||
const allowedFields = [
|
||||
// Profile fields from validated body
|
||||
const profileFields = [
|
||||
"pronouns",
|
||||
"timeZone",
|
||||
"avatar",
|
||||
|
|
@ -19,7 +21,7 @@ export default defineEventHandler(async (event) => {
|
|||
"showInDirectory",
|
||||
];
|
||||
|
||||
// Define privacy fields
|
||||
// Privacy fields from validated body
|
||||
const privacyFields = [
|
||||
"pronounsPrivacy",
|
||||
"timeZonePrivacy",
|
||||
|
|
@ -32,10 +34,10 @@ export default defineEventHandler(async (event) => {
|
|||
"lookingForPrivacy",
|
||||
];
|
||||
|
||||
// Build update object
|
||||
// Build update object from validated data
|
||||
const updateData = {};
|
||||
|
||||
allowedFields.forEach((field) => {
|
||||
profileFields.forEach((field) => {
|
||||
if (body[field] !== undefined) {
|
||||
updateData[field] = body[field];
|
||||
}
|
||||
|
|
@ -73,7 +75,7 @@ export default defineEventHandler(async (event) => {
|
|||
if (!member) {
|
||||
throw createError({
|
||||
statusCode: 404,
|
||||
message: "Member not found",
|
||||
statusMessage: "Member not found",
|
||||
});
|
||||
}
|
||||
|
||||
|
|
@ -99,7 +101,7 @@ export default defineEventHandler(async (event) => {
|
|||
console.error("Profile update error:", error);
|
||||
throw createError({
|
||||
statusCode: 500,
|
||||
message: "Failed to update profile",
|
||||
statusMessage: "Failed to update profile",
|
||||
});
|
||||
}
|
||||
});
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ export default defineEventHandler(async (event) => {
|
|||
// Decode JWT token
|
||||
let decoded;
|
||||
try {
|
||||
decoded = jwt.verify(token, process.env.JWT_SECRET);
|
||||
decoded = jwt.verify(token, useRuntimeConfig().jwtSecret);
|
||||
} catch (err) {
|
||||
throw createError({
|
||||
statusCode: 401,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue