From bbe94f0efbc45d57a3fd45e7ce558bade234d38b Mon Sep 17 00:00:00 2001
From: Jennie Robinson Faber <jennie@jenniefaber.com>
Date: Sat, 4 Apr 2026 12:26:56 +0100
Subject: [PATCH] fix: replace member.save() with atomic update in
 cancel-subscription

---
 .../api/members/cancel-subscription.post.js   | 59 +++++++------------
 1 file changed, 20 insertions(+), 39 deletions(-)

diff --git a/server/api/members/cancel-subscription.post.js b/server/api/members/cancel-subscription.post.js
index 34e82cb..1b7068f 100644
--- a/server/api/members/cancel-subscription.post.js
+++ b/server/api/members/cancel-subscription.post.js
@@ -1,49 +1,22 @@
 // Cancel member subscription
-import jwt from "jsonwebtoken";
-import Member from "../../models/member.js";
 import { connectDB } from "../../utils/mongoose.js";
+import Member from "../../models/member.js";
 
 const HELCIM_API_BASE = "https://api.helcim.com/v2";
 
 export default defineEventHandler(async (event) => {
   try {
+    const member = await requireAuth(event);
     await connectDB();
     const config = useRuntimeConfig(event);
-    const token = getCookie(event, "auth-token");
-
-    if (!token) {
-      throw createError({
-        statusCode: 401,
-        statusMessage: "Not authenticated",
-      });
-    }
-
-    // Decode JWT token
-    let decoded;
-    try {
-      decoded = jwt.verify(token, config.jwtSecret);
-    } catch (err) {
-      throw createError({
-        statusCode: 401,
-        statusMessage: "Invalid or expired token",
-      });
-    }
-
-    // Get member
-    const member = await Member.findById(decoded.memberId);
-    if (!member) {
-      throw createError({
-        statusCode: 404,
-        statusMessage: "Member not found",
-      });
-    }
 
     // If already on free tier, nothing to cancel
     if (member.contributionTier === "0" || !member.helcimSubscriptionId) {
       return {
         success: true,
         message: "No active subscription to cancel",
-        member,
+        status: member.status,
+        contributionTier: member.contributionTier,
       };
     }
 
@@ -77,18 +50,26 @@ export default defineEventHandler(async (event) => {
       // Continue anyway - we'll update the member record
     }
 
-    // Update member status
-    member.status = "cancelled";
-    member.contributionTier = "0";
-    member.helcimSubscriptionId = null;
-    member.paymentMethod = "none";
-    member.subscriptionEndDate = new Date();
-    await member.save();
+    // Update member status — pending_payment (not cancelled) so member can re-subscribe
+    await Member.findByIdAndUpdate(
+      member._id,
+      {
+        $set: {
+          status: 'pending_payment',
+          contributionTier: '0',
+          helcimSubscriptionId: null,
+          paymentMethod: 'none',
+          subscriptionEndDate: new Date(),
+        },
+      },
+      { runValidators: false }
+    );
 
     return {
       success: true,
       message: "Subscription cancelled successfully",
-      member,
+      status: 'pending_payment',
+      contributionTier: '0',
     };
   } catch (error) {
     console.error("Error cancelling subscription:", error);