jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'feature/guest-event-accounts'

Browse source
This commit is contained in:
Jennie Robinson Faber 2026-04-17 09:36:11 +01:00
commit e96d493024
7 changed files with 162 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

39
app/components/EventTicketPurchase.vue
View file

@ -154,6 +154,18 @@
securely
</p>
<label class="consent-field">
<input
v-model="form.createAccount"
type="checkbox"
:disabled="processing"
>
<span>Create a free guest account so I can manage my registration</span>
</label>
<p class="field-hint consent-hint">
Guest accounts let you view your tickets and register faster next time. We won't add you to member communications.
</p>
<button
type="submit"
class="btn btn-primary"
@ -241,6 +253,7 @@ const ticketInfo = ref(null);
const form = ref({
name: props.userName || "",
email: props.userEmail || "",
createAccount: true,
});
const isLoggedIn = computed(() => !!props.userEmail);
@ -337,6 +350,7 @@ const handleSubmit = async () => {
const body = {
name: form.value.name,
email: form.value.email,
createAccount: form.value.createAccount,
};
if (transactionId) body.transactionId = transactionId;
@ -357,6 +371,13 @@ const handleSubmit = async () => {
});
emit("success", response);
if (response?.signedIn) {
// New guest account or returning guest refresh client auth state so the
// rest of the app sees them as logged in.
await useAuth().checkMemberStatus();
}
await fetchTicketInfo(form.value.email);
} catch (err) {
console.error("Error purchasing ticket:", err);
@ -429,4 +450,22 @@ const formatEventDate = (date) => {
color: var(--text-faint);
margin-top: 2px;
}
.consent-field {
display: flex;
align-items: flex-start;
gap: 8px;
font-size: 12px;
color: var(--text);
margin-bottom: 4px;
cursor: pointer;
}
.consent-field input[type="checkbox"] {
margin-top: 3px;
flex-shrink: 0;
}
.consent-hint {
margin-bottom: 14px;
padding-left: 24px;
}
</style>

48
server/api/events/[id]/tickets/purchase.post.js
View file

@ -43,14 +43,16 @@ export default defineEventHandler(async (event) => {
});
}
// Check if user is a member
const member = await Member.findOne({ email: body.email.toLowerCase() });
// Check if user is a member. Guests don't count as members for pricing/validation.
let member = await Member.findOne({ email: body.email.toLowerCase() });
let accountCreated = false;
const isRealMember = (m) => !!m && m.status !== "guest";
// Validate ticket purchase
const validation = validateTicketPurchase(eventData, {
email: body.email,
name: body.name,
member,
member: isRealMember(member) ? member : null,
});
if (!validation.valid) {
@ -86,15 +88,36 @@ export default defineEventHandler(async (event) => {
// For now, we trust the transaction ID from HelcimPay.js
}
// If no Member yet and the user consented, atomically create a guest Member.
// findOneAndUpdate with $setOnInsert handles concurrent registrations on the
// same email (email has a unique index).
if (!member && body.createAccount) {
member = await Member.findOneAndUpdate(
{ email: body.email.toLowerCase() },
{
$setOnInsert: {
email: body.email.toLowerCase(),
name: body.name,
circle: "community",
contributionTier: "0",
status: "guest",
},
},
{ upsert: true, new: true, setDefaultsOnInsert: true }
);
accountCreated = true;
}
// Create registration
const realMember = isRealMember(member);
const registration = {
memberId: member ? member._id : null,
name: body.name,
email: body.email.toLowerCase(),
membershipLevel: member
membershipLevel: realMember
? `${member.circle}-${member.contributionTier}`
: "non-member",
isMember: !!member,
isMember: realMember,
ticketType: ticketInfo.ticketType,
ticketPrice: ticketInfo.price,
paymentStatus: requiresPayment ? "completed" : "not_required",
@ -113,9 +136,20 @@ export default defineEventHandler(async (event) => {
// legacy location data unrelated to this write.
await eventData.save({ validateBeforeSave: false });
// Decide on auto-login: safe for new accounts and existing guests, not for
// real members (stranger could hijack by typing email into a public form).
let signedIn = false;
let requiresSignIn = false;
if (member && (accountCreated || member.status === "guest")) {
setAuthCookie(event, member);
signedIn = true;
} else if (member) {
requiresSignIn = true;
}
// Send confirmation email
try {
await sendEventRegistrationEmail(registration, eventData);
await sendEventRegistrationEmail(registration, eventData, { requiresSignIn });
} catch (emailError) {
console.error("Failed to send confirmation email:", emailError);
// Don't fail the registration if email fails
@ -131,6 +165,8 @@ export default defineEventHandler(async (event) => {
ticketType: registration.ticketType,
amountPaid: registration.amountPaid,
},
accountCreated,
signedIn,
payment: transactionId
? {
transactionId: transactionId,

2
server/models/member.js
View file

@ -35,7 +35,7 @@ const memberSchema = new mongoose.Schema({
},
status: {
type: String,
enum: ["pending_payment", "active", "suspended", "cancelled"],
enum: ["pending_payment", "active", "suspended", "cancelled", "guest"],
default: "pending_payment",
},
helcimCustomerId: String,

20
server/utils/auth.js
View file

@ -2,6 +2,26 @@ import jwt from 'jsonwebtoken'
import Member from '../models/member.js'
import { connectDB } from './mongoose.js'
/**
* Issue a session JWT and set the auth-token cookie for the given member.
* Mirrors the cookie options used by verify.post.js.
*/
export function setAuthCookie(event, member) {
const token = jwt.sign(
{ memberId: member._id.toString(), email: member.email, tv: member.tokenVersion || 0 },
useRuntimeConfig(event).jwtSecret,
{ expiresIn: '7d' }
)
setCookie(event, 'auth-token', token, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
path: '/',
maxAge: 60 * 60 * 24 * 7
})
}
/**
* Verify JWT from cookie and return the decoded member.
* Throws 401 if token is missing or invalid.

10
server/utils/resend.js
View file

@ -4,8 +4,11 @@ const resend = new Resend(process.env.RESEND_API_KEY);
/**
* Send event registration confirmation email
* @param {Object} options - { requiresSignIn?: boolean } when true, appends a
* "sign in to view your ticket" paragraph for existing non-guest members who
* registered via the public form and did not receive an auto-login cookie.
*/
export async function sendEventRegistrationEmail(registration, eventData) {
export async function sendEventRegistrationEmail(registration, eventData, options = {}) {
const formatDate = (dateString) => {
const date = new Date(dateString);
return new Intl.DateTimeFormat("en-US", {
@ -31,6 +34,9 @@ export async function sendEventRegistrationEmail(registration, eventData) {
const baseUrl = process.env.BASE_URL || "https://ghostguild.org";
const eventUrl = `${baseUrl}/events/${eventData.slug || eventData._id}`;
const signInSection = options.requiresSignIn
? `\nSign in to view your ticket: ${baseUrl}/login\n`
: "";
let ticketSection = "";
if (
@ -63,7 +69,7 @@ You're registered for ${eventData.title}.
Date: ${formatDate(eventData.startDate)}
Time: ${formatTime(eventData.startDate, eventData.endDate)}
Location: ${eventData.location}
${eventData.description ? `\n${eventData.description}\n` : ""}${ticketSection}
${eventData.description ? `\n${eventData.description}\n` : ""}${ticketSection}${signInSection}
View event: ${eventUrl}
To cancel, visit the event page and click "Cancel Registration."`,

3
server/utils/schemas.js
View file

@ -95,7 +95,8 @@ export const helcimUpdateBillingSchema = z.object({
export const ticketPurchaseSchema = z.object({
name: z.string().min(1).max(200),
email: z.string().trim().toLowerCase().email(),
transactionId: z.string().max(500).optional()
transactionId: z.string().max(500).optional(),
createAccount: z.boolean().optional().default(true)
})
export const ticketReserveSchema = z.object({

50
tests/server/api/event-registration.test.js
View file

@ -87,3 +87,53 @@ describe('cancel-registration.post.js', () => {
expect(source).not.toContain('requireAuth')
})
})
describe('tickets/purchase.post.js', () => {
const source = readFileSync(resolve(eventsDir, 'tickets/purchase.post.js'), 'utf-8')
it('uses validateBody for input validation', () => {
expect(source).toContain('validateBody(event, ticketPurchaseSchema)')
})
it('upserts a guest Member when consent given and no existing Member', () => {
expect(source).toContain('body.createAccount')
expect(source).toContain('findOneAndUpdate')
expect(source).toContain('$setOnInsert')
expect(source).toContain('status: "guest"')
expect(source).toContain('upsert: true')
})
it('treats guest Members as non-members for pricing and validation', () => {
// Guests must not receive member pricing — plan §2
expect(source).toContain('isRealMember')
expect(source).toContain('!== "guest"')
})
it('sets an auth cookie for new guests and returning guests', () => {
expect(source).toContain('setAuthCookie(event, member)')
expect(source).toContain('accountCreated || member.status === "guest"')
})
it('does not auto-login existing non-guest members (hijack prevention)', () => {
// Requires sign-in flag for existing real members — plan §2
expect(source).toContain('requiresSignIn = true')
})
it('passes requiresSignIn to confirmation email', () => {
expect(source).toContain('sendEventRegistrationEmail(registration, eventData, { requiresSignIn })')
})
it('includes accountCreated and signedIn in response', () => {
expect(source).toContain('accountCreated,')
expect(source).toContain('signedIn,')
})
it('does not block registration when email fails', () => {
const emailCallIndex = source.indexOf('await sendEventRegistrationEmail')
expect(emailCallIndex).toBeGreaterThan(-1)
const afterEmail = source.slice(emailCallIndex)
const catchBlock = afterEmail.match(/catch\s*\(\w+\)\s*\{[^}]*\}/s)
expect(catchBlock).not.toBeNull()
expect(catchBlock[0]).toContain('console.error')
})
})