Add Zod validation, fix mass assignment, remove test endpoints and dead code

- Add centralized Zod schemas (server/utils/schemas.js) and validateBody utility for all API endpoints - Fix critical mass assignment in member creation: raw body no longer passed to new Member(), only validated fields (email, name, circle, contributionTier) are accepted - Apply Zod validation to login, profile patch, event registration, updates, verify-payment, and admin event creation endpoints - Fix logout cookie flags to match login (httpOnly: true, secure conditional on NODE_ENV) - Delete unauthenticated test/debug endpoints (test-connection, test-subscription, test-bot) - Remove sensitive console.log statements from Helcim and member endpoints - Remove unused bcryptjs dependency - Add 10MB file size limit on image uploads - Use runtime config for JWT secret across all endpoints - Add 38 validation tests (117 total, all passing)
2026-03-01 14:02:46 +00:00 · 2026-03-01 14:02:46 +00:00 · b7279f57d1
commit b7279f57d1
parent 26c300c357
41 changed files with 467 additions and 321 deletions
--- a/tests/server/api/auth-login.test.js
+++ b/tests/server/api/auth-login.test.js
@ -107,7 +107,7 @@ describe('auth login endpoint', () => {

    await expect(loginHandler(event)).rejects.toMatchObject({
      statusCode: 400,
-      statusMessage: 'Email is required'
+      statusMessage: 'Validation failed'
    })
  })
 })