jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(events): enforce series-pass, hidden, and deadline gates

Browse source 
Pre-launch P0 fixes surfaced by docs/specs/events-functional-test-matrix.md
(Findings 1, 2, 3).

1. Series-pass bypass (Finding 1 / matrix S1 P3): register.post.js now
   loads the linked Series when tickets.requiresSeriesTicket is set and
   rejects drop-in registration unless series.allowIndividualEventTickets
   is true or the user has a valid pass. Data-integrity 500 if the
   referenced series is missing.

2. Hidden-event leak (Finding 2 / matrix E11): extract loadPublicEvent
   into server/utils/loadEvent.js. All five public event endpoints
   ([id].get, register, tickets/available, tickets/reserve,
   tickets/purchase) now go through the helper, which 404s when
   isVisible === false and the requester is not an admin. Admin detection
   uses a new non-throwing getOptionalMember() in server/utils/auth.js
   (extracted from the pattern already inlined in api/auth/status.get.js).

3. Deadline enforcement + legacy pricing retirement (Finding 3 / matrix
   E8): register.post.js and tickets/reserve.post.js delegate gating to
   validateTicketPurchase (which already covers deadline, cancelled,
   started, members-only, sold-out, and already-registered);
   tickets/available.get.js gets an explicit registrationDeadline check.
   Legacy pricing.paymentRequired 402 branch removed from register.post.js.
This commit is contained in:
Jennie Robinson Faber 2026-04-20 19:03:34 +01:00
parent 6a6c567fd5
commit f34b062f2a
11 changed files with 746 additions and 247 deletions
Download patch file Download diff file Expand all files Collapse all files

70
server/api/events/[id]/tickets/available.get.js
View file

@ -1,12 +1,10 @@
import Event from "../../../../models/event.js";
import Member from "../../../../models/member.js";
import { connectDB } from "../../../../utils/mongoose.js";
import { loadPublicEvent } from "../../../../utils/loadEvent.js";
import {
calculateTicketPrice,
checkTicketAvailability,
formatPrice,
} from "../../../../utils/tickets.js";
import mongoose from "mongoose";
/**
* GET /api/events/[id]/tickets/available
@ -15,56 +13,32 @@ import mongoose from "mongoose";
*/
export default defineEventHandler(async (event) => {
try {
await connectDB();
const identifier = getRouterParam(event, "id");
const query = getQuery(event);
const userEmail = query.email;
if (!identifier) {
throw createError({
statusCode: 400,
statusMessage: "Event identifier is required",
});
}
const eventData = await loadPublicEvent(event, identifier);
// Fetch the event
let eventData;
if (mongoose.Types.ObjectId.isValid(identifier)) {
eventData = await Event.findById(identifier);
}
if (!eventData) {
eventData = await Event.findOne({ slug: identifier });
}
if (!eventData) {
throw createError({
statusCode: 404,
statusMessage: "Event not found",
});
}
// Check if event is cancelled or past
if (eventData.isCancelled) {
return {
available: false,
reason: "Event has been cancelled",
};
return { available: false, reason: "Event has been cancelled" };
}
if (new Date(eventData.startDate) < new Date()) {
return {
available: false,
reason: "Event has already started",
};
return { available: false, reason: "Event has already started" };
}
if (
eventData.registrationDeadline &&
new Date(eventData.registrationDeadline) < new Date()
) {
return { available: false, reason: "Registration deadline has passed" };
}
// Check if user is a member (if email provided)
let member = null;
if (userEmail) {
member = await Member.findOne({ email: userEmail.toLowerCase() });
}
// Calculate ticket pricing for this user
const ticketInfo = calculateTicketPrice(eventData, member);
if (!ticketInfo) {
@ -77,13 +51,11 @@ export default defineEventHandler(async (event) => {
};
}
// Check availability
const availability = checkTicketAvailability(
eventData,
ticketInfo.ticketType
ticketInfo.ticketType,
);
// Build response
const response = {
available: availability.available,
ticketType: ticketInfo.ticketType,
@ -98,38 +70,32 @@ export default defineEventHandler(async (event) => {
waitlistAvailable: availability.waitlistAvailable,
};
// Add early bird deadline if applicable
if (
ticketInfo.isEarlyBird &&
eventData.tickets?.public?.earlyBirdDeadline
) {
if (ticketInfo.isEarlyBird && eventData.tickets?.public?.earlyBirdDeadline) {
response.earlyBirdDeadline = eventData.tickets.public.earlyBirdDeadline;
response.regularPrice = eventData.tickets.public.price;
response.formattedRegularPrice = formatPrice(
eventData.tickets.public.price,
ticketInfo.currency
ticketInfo.currency,
);
}
// Add member vs public comparison for transparency
if (member && eventData.tickets?.public?.available) {
response.publicTicket = {
price: eventData.tickets.public.price,
formattedPrice: formatPrice(
eventData.tickets.public.price,
eventData.tickets.currency
eventData.tickets.currency,
),
};
response.memberSavings =
eventData.tickets.public.price - ticketInfo.price;
}
// Check if user is already registered
if (userEmail) {
const alreadyRegistered = eventData.registrations?.some(
(reg) =>
reg.email.toLowerCase() === userEmail.toLowerCase() &&
!reg.cancelledAt
!reg.cancelledAt,
);
if (alreadyRegistered) {
@ -141,12 +107,10 @@ export default defineEventHandler(async (event) => {
return response;
} catch (error) {
console.error("Error checking ticket availability:", error);
if (error.statusCode) {
throw error;
}
console.error("Error checking ticket availability:", error);
throw createError({
statusCode: 500,
statusMessage: "Failed to check ticket availability",