jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(events): enforce series-pass, hidden, and deadline gates

Browse source 
Pre-launch P0 fixes surfaced by docs/specs/events-functional-test-matrix.md
(Findings 1, 2, 3).

1. Series-pass bypass (Finding 1 / matrix S1 P3): register.post.js now
   loads the linked Series when tickets.requiresSeriesTicket is set and
   rejects drop-in registration unless series.allowIndividualEventTickets
   is true or the user has a valid pass. Data-integrity 500 if the
   referenced series is missing.

2. Hidden-event leak (Finding 2 / matrix E11): extract loadPublicEvent
   into server/utils/loadEvent.js. All five public event endpoints
   ([id].get, register, tickets/available, tickets/reserve,
   tickets/purchase) now go through the helper, which 404s when
   isVisible === false and the requester is not an admin. Admin detection
   uses a new non-throwing getOptionalMember() in server/utils/auth.js
   (extracted from the pattern already inlined in api/auth/status.get.js).

3. Deadline enforcement + legacy pricing retirement (Finding 3 / matrix
   E8): register.post.js and tickets/reserve.post.js delegate gating to
   validateTicketPurchase (which already covers deadline, cancelled,
   started, members-only, sold-out, and already-registered);
   tickets/available.get.js gets an explicit registrationDeadline check.
   Legacy pricing.paymentRequired 402 branch removed from register.post.js.
This commit is contained in:
Jennie Robinson Faber 2026-04-20 19:03:34 +01:00
parent 6a6c567fd5
commit f34b062f2a
11 changed files with 746 additions and 247 deletions
Download patch file Download diff file Expand all files Collapse all files

127
server/api/events/[id]/register.post.js
View file

@ -1,97 +1,70 @@
import Event from "../../../models/event.js";
import Member from "../../../models/member.js";
import { connectDB } from "../../../utils/mongoose.js";
import Series from "../../../models/series.js";
import Event from "../../../models/event.js";
import { sendEventRegistrationEmail } from "../../../utils/resend.js";
import { validateBody } from "../../../utils/validateBody.js";
import { eventRegistrationSchema } from "../../../utils/schemas.js";
import { hasMemberAccess } from "../../../utils/tickets.js";
import mongoose from "mongoose";
import { loadPublicEvent } from "../../../utils/loadEvent.js";
import {
hasMemberAccess,
validateTicketPurchase,
checkUserSeriesPass,
} from "../../../utils/tickets.js";
export default defineEventHandler(async (event) => {
try {
// Ensure database connection
await connectDB();
const identifier = getRouterParam(event, "id");
const body = await validateBody(event, eventRegistrationSchema);
if (!identifier) {
throw createError({
statusCode: 400,
statusMessage: "Event identifier is required",
});
}
const eventData = await loadPublicEvent(event, identifier);
// Fetch the event - try by slug first, then by ID
let eventData;
// Check if identifier is a valid MongoDB ObjectId
if (mongoose.Types.ObjectId.isValid(identifier)) {
eventData = await Event.findById(identifier);
}
// If not found by ID or not a valid ObjectId, try by slug
if (!eventData) {
eventData = await Event.findOne({ slug: identifier });
}
if (!eventData) {
throw createError({
statusCode: 404,
statusMessage: "Event not found",
});
}
// Check if event is full
// Series-pass gate: when an event is linked to a series and that series
// requires a pass, reject drop-in registration unless the series
// explicitly allows individual event tickets.
if (
eventData.maxAttendees &&
eventData.registrations.length >= eventData.maxAttendees
eventData.tickets?.requiresSeriesTicket &&
eventData.tickets?.seriesTicketReference
) {
throw createError({
statusCode: 400,
statusMessage: "Event is full",
});
const series = await Series.findById(
eventData.tickets.seriesTicketReference,
);
if (!series) {
throw createError({
statusCode: 500,
statusMessage: "Series referenced by this event could not be found",
});
}
if (!series.allowIndividualEventTickets) {
const { hasPass } = checkUserSeriesPass(series, body.email);
if (!hasPass) {
throw createError({
statusCode: 403,
statusMessage:
"This event requires a series pass. See the series page to purchase.",
data: { seriesSlug: series.slug },
});
}
}
}
// Check if already registered
const alreadyRegistered = eventData.registrations.some(
(reg) => reg.email.toLowerCase() === body.email.toLowerCase(),
);
if (alreadyRegistered) {
throw createError({
statusCode: 400,
statusMessage: "You are already registered for this event",
});
}
// Check member status and handle different registration scenarios.
// Member access is decoupled from payment status: active and pending_payment
// both confer access; guest, suspended, and cancelled do not.
// Look up member for pricing/access purposes. hasMemberAccess treats
// guest/suspended/cancelled as non-members.
const member = await Member.findOne({ email: body.email.toLowerCase() });
// Single gate: validateTicketPurchase covers deadline, cancelled, already
// started, already-registered, members-only, and sold-out.
const validation = validateTicketPurchase(eventData, {
email: body.email,
name: body.name,
member: hasMemberAccess(member) ? member : null,
});
if (!validation.valid) {
const statusCode = /members only/i.test(validation.reason) ? 403 : 400;
throw createError({ statusCode, statusMessage: validation.reason });
}
const memberHasAccess = hasMemberAccess(member);
if (eventData.membersOnly && !memberHasAccess) {
throw createError({
statusCode: 403,
statusMessage:
"This event is for members only. Please become a member to register.",
});
}
// If event requires payment and user is not a member, redirect to payment flow
if (
eventData.pricing?.paymentRequired &&
!eventData.pricing?.isFree &&
!memberHasAccess
) {
throw createError({
statusCode: 402, // Payment Required
statusMessage:
"This event requires payment. Please use the payment registration endpoint.",
});
}
// Set member status and membership level
let isMember = false;
let membershipLevel = "non-member";