Add Zod validation, fix mass assignment, remove test endpoints and dead code
- Add centralized Zod schemas (server/utils/schemas.js) and validateBody utility for all API endpoints - Fix critical mass assignment in member creation: raw body no longer passed to new Member(), only validated fields (email, name, circle, contributionTier) are accepted - Apply Zod validation to login, profile patch, event registration, updates, verify-payment, and admin event creation endpoints - Fix logout cookie flags to match login (httpOnly: true, secure conditional on NODE_ENV) - Delete unauthenticated test/debug endpoints (test-connection, test-subscription, test-bot) - Remove sensitive console.log statements from Helcim and member endpoints - Remove unused bcryptjs dependency - Add 10MB file size limit on image uploads - Use runtime config for JWT secret across all endpoints - Add 38 validation tests (117 total, all passing)
This commit is contained in:
parent
26c300c357
commit
b7279f57d1
41 changed files with 467 additions and 321 deletions
|
|
@ -1,14 +1,16 @@
|
|||
import Member from "../../models/member.js";
|
||||
import { requireAuth } from "../../utils/auth.js";
|
||||
import { validateBody } from "../../utils/validateBody.js";
|
||||
import { memberProfileUpdateSchema } from "../../utils/schemas.js";
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const authedMember = await requireAuth(event);
|
||||
const memberId = authedMember._id;
|
||||
|
||||
const body = await readBody(event);
|
||||
const body = await validateBody(event, memberProfileUpdateSchema);
|
||||
|
||||
// Define allowed profile fields
|
||||
const allowedFields = [
|
||||
// Profile fields from validated body
|
||||
const profileFields = [
|
||||
"pronouns",
|
||||
"timeZone",
|
||||
"avatar",
|
||||
|
|
@ -19,7 +21,7 @@ export default defineEventHandler(async (event) => {
|
|||
"showInDirectory",
|
||||
];
|
||||
|
||||
// Define privacy fields
|
||||
// Privacy fields from validated body
|
||||
const privacyFields = [
|
||||
"pronounsPrivacy",
|
||||
"timeZonePrivacy",
|
||||
|
|
@ -32,10 +34,10 @@ export default defineEventHandler(async (event) => {
|
|||
"lookingForPrivacy",
|
||||
];
|
||||
|
||||
// Build update object
|
||||
// Build update object from validated data
|
||||
const updateData = {};
|
||||
|
||||
allowedFields.forEach((field) => {
|
||||
profileFields.forEach((field) => {
|
||||
if (body[field] !== undefined) {
|
||||
updateData[field] = body[field];
|
||||
}
|
||||
|
|
@ -73,7 +75,7 @@ export default defineEventHandler(async (event) => {
|
|||
if (!member) {
|
||||
throw createError({
|
||||
statusCode: 404,
|
||||
message: "Member not found",
|
||||
statusMessage: "Member not found",
|
||||
});
|
||||
}
|
||||
|
||||
|
|
@ -99,7 +101,7 @@ export default defineEventHandler(async (event) => {
|
|||
console.error("Profile update error:", error);
|
||||
throw createError({
|
||||
statusCode: 500,
|
||||
message: "Failed to update profile",
|
||||
statusMessage: "Failed to update profile",
|
||||
});
|
||||
}
|
||||
});
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue