fix: use private helcimApiToken for all server-side Helcim API calls

2026-04-04 13:37:34 +01:00 · 2026-04-04 13:37:34 +01:00 · d31b5b4dac
commit d31b5b4dac
parent ccd1d0783a
53 changed files with 1755 additions and 572 deletions
--- a/server/api/events/[id]/cancel-registration.post.js
+++ b/server/api/events/[id]/cancel-registration.post.js
@ -3,12 +3,15 @@ import {
  sendEventCancellationEmail,
  sendWaitlistNotificationEmail,
 } from "../../../utils/resend.js";
+import { connectDB } from "../../../utils/mongoose.js";

 export default defineEventHandler(async (event) => {
  const id = getRouterParam(event, "id");
  const body = await validateBody(event, cancelRegistrationSchema);
  const { email } = body;

+  await connectDB();
+
  try {
    // Check if id is a valid ObjectId or treat as slug
    const isObjectId = /^[0-9a-fA-F]{24}$/.test(id);
@ -46,13 +49,15 @@ export default defineEventHandler(async (event) => {
        eventDoc.registrations[registrationIndex].membershipLevel,
    };

-    // Remove the registration
-    eventDoc.registrations.splice(registrationIndex, 1);
-
-    // Update registered count
-    eventDoc.registeredCount = eventDoc.registrations.length;
-
-    await eventDoc.save();
+    // Use $pull to avoid re-validating the whole document (e.g. legacy location formats)
+    await Event.findByIdAndUpdate(
+      eventDoc._id,
+      {
+        $pull: { registrations: { email: registration.email } },
+        $inc: { registeredCount: -1 },
+      },
+      { runValidators: false }
+    );

    // Send cancellation confirmation email
    try {
@ -90,9 +95,13 @@ export default defineEventHandler(async (event) => {
        if (waitlistEntry) {
          await sendWaitlistNotificationEmail(waitlistEntry, eventData);

-          // Mark as notified
-          waitlistEntry.notified = true;
-          await eventDoc.save();
+          // Mark as notified using findByIdAndUpdate to avoid re-validating the document
+          const entryIndex = eventDoc.tickets.waitlist.entries.indexOf(waitlistEntry);
+          await Event.findByIdAndUpdate(
+            eventDoc._id,
+            { $set: { [`tickets.waitlist.entries.${entryIndex}.notified`]: true } },
+            { runValidators: false }
+          );
        }
      } catch (waitlistError) {
        // Log error but don't fail the cancellation
--- a/server/api/events/[id]/register.post.js
+++ b/server/api/events/[id]/register.post.js
@ -76,8 +76,8 @@ export default defineEventHandler(async (event) => {

    // If event requires payment and user is not a member, redirect to payment flow
    if (
-      eventData.pricing.paymentRequired &&
-      !eventData.pricing.isFree &&
+      eventData.pricing?.paymentRequired &&
+      !eventData.pricing?.isFree &&
      !member
    ) {
      throw createError({
@ -109,10 +109,13 @@ export default defineEventHandler(async (event) => {
      registeredAt: new Date(),
    };

-    eventData.registrations.push(registration);
-
-    // Save the updated event
-    await eventData.save();
+    // Use $push to avoid re-validating the whole document (e.g. legacy location formats)
+    const result = await Event.findByIdAndUpdate(
+      eventData._id,
+      { $push: { registrations: registration } },
+      { new: true, runValidators: false }
+    );
+    const newRegistration = result.registrations[result.registrations.length - 1];

    // Send confirmation email using Resend
    try {
@ -125,8 +128,7 @@ export default defineEventHandler(async (event) => {
    return {
      success: true,
      message: "Successfully registered for the event",
-      registrationId:
-        eventData.registrations[eventData.registrations.length - 1]._id,
+      registrationId: newRegistration._id,
    };
  } catch (error) {
    console.error("Error registering for event:", error);