fix: use private helcimApiToken for all server-side Helcim API calls

2026-04-04 13:37:34 +01:00 · 2026-04-04 13:37:34 +01:00 · d31b5b4dac
commit d31b5b4dac
parent ccd1d0783a
53 changed files with 1755 additions and 572 deletions
--- a/server/api/dev/member-login.get.js
+++ b/server/api/dev/member-login.get.js
@ -0,0 +1,41 @@
+import jwt from 'jsonwebtoken'
+import Member from '../../models/member.js'
+import { connectDB } from '../../utils/mongoose.js'
+
+export default defineEventHandler(async (event) => {
+  // Only allow in development
+  if (process.env.NODE_ENV === 'production') {
+    throw createError({ statusCode: 404, statusMessage: 'Not found' })
+  }
+
+  const query = getQuery(event)
+  const email = query.email
+
+  if (!email) {
+    throw createError({ statusCode: 400, statusMessage: 'email query param required' })
+  }
+
+  await connectDB()
+
+  const member = await Member.findOne({ email: email.toLowerCase() })
+
+  if (!member) {
+    throw createError({ statusCode: 404, statusMessage: `No member found with email: ${email}` })
+  }
+
+  const config = useRuntimeConfig(event)
+  const token = jwt.sign(
+    { memberId: member._id, email: member.email },
+    config.jwtSecret,
+    { expiresIn: '7d' }
+  )
+
+  setCookie(event, 'auth-token', token, {
+    httpOnly: true,
+    secure: false,
+    sameSite: 'lax',
+    maxAge: 60 * 60 * 24 * 7,
+  })
+
+  await sendRedirect(event, '/member/account', 302)
+})