fix: use private helcimApiToken for all server-side Helcim API calls

2026-04-04 13:37:34 +01:00 · 2026-04-04 13:37:34 +01:00 · d31b5b4dac
commit d31b5b4dac
parent ccd1d0783a
53 changed files with 1755 additions and 572 deletions
--- a/server/api/auth/member.get.js
+++ b/server/api/auth/member.get.js
@ -8,6 +8,7 @@ export default defineEventHandler(async (event) => {
    id: member._id,
    email: member.email,
    name: member.name,
+    status: member.status,
    role: member.role || 'member',
    circle: member.circle,
    contributionTier: member.contributionTier,
@ -23,8 +24,11 @@ export default defineEventHandler(async (event) => {
    offering: member.offering,
    lookingFor: member.lookingFor,
    showInDirectory: member.showInDirectory,
+    notifications: member.notifications,
    privacy: member.privacy,
    // Peer support
    peerSupport: member.peerSupport,
+    // Timestamps
+    createdAt: member.createdAt,
  };
 });
--- a/server/api/auth/refresh.post.js
+++ b/server/api/auth/refresh.post.js
@ -40,9 +40,16 @@ export default defineEventHandler(async (event) => {
    })
  }

-  // Issue a fresh token
+  if (decoded.tv !== member.tokenVersion) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Session has been revoked'
+    })
+  }
+
+  // Issue a fresh token with current tokenVersion
  const newToken = jwt.sign(
-    { memberId: member._id, email: member.email },
+    { memberId: member._id, email: member.email, tv: member.tokenVersion },
    useRuntimeConfig().jwtSecret,
    { expiresIn: '7d' }
  )
@ -51,7 +58,8 @@ export default defineEventHandler(async (event) => {
    httpOnly: true,
    secure: process.env.NODE_ENV === 'production',
    sameSite: 'lax',
-    maxAge: 60 * 60 * 24 * 7 // 7 days
+    path: '/',
+    maxAge: 60 * 60 * 24 * 7, // 7 days
  })

  return { success: true }
--- a/server/api/auth/status.get.js
+++ b/server/api/auth/status.get.js
@ -19,7 +19,7 @@ export default defineEventHandler(async (event) => {
    }

    if (member.status === 'suspended' || member.status === 'cancelled') {
-      return { authenticated: false, member: null, reason: 'account_' + member.status }
+      return { authenticated: false, member: null }
    }

    return { 
@ -29,6 +29,7 @@ export default defineEventHandler(async (event) => {
        email: member.email,
        name: member.name,
        circle: member.circle,
+        status: member.status,
        contributionTier: member.contributionTier,
        membershipLevel: `${member.circle}-${member.contributionTier}`
      }