jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(events): enforce series-pass, hidden, and deadline gates

Browse source 
Pre-launch P0 fixes surfaced by docs/specs/events-functional-test-matrix.md
(Findings 1, 2, 3).

1. Series-pass bypass (Finding 1 / matrix S1 P3): register.post.js now
   loads the linked Series when tickets.requiresSeriesTicket is set and
   rejects drop-in registration unless series.allowIndividualEventTickets
   is true or the user has a valid pass. Data-integrity 500 if the
   referenced series is missing.

2. Hidden-event leak (Finding 2 / matrix E11): extract loadPublicEvent
   into server/utils/loadEvent.js. All five public event endpoints
   ([id].get, register, tickets/available, tickets/reserve,
   tickets/purchase) now go through the helper, which 404s when
   isVisible === false and the requester is not an admin. Admin detection
   uses a new non-throwing getOptionalMember() in server/utils/auth.js
   (extracted from the pattern already inlined in api/auth/status.get.js).

3. Deadline enforcement + legacy pricing retirement (Finding 3 / matrix
   E8): register.post.js and tickets/reserve.post.js delegate gating to
   validateTicketPurchase (which already covers deadline, cancelled,
   started, members-only, sold-out, and already-registered);
   tickets/available.get.js gets an explicit registrationDeadline check.
   Legacy pricing.paymentRequired 402 branch removed from register.post.js.
This commit is contained in:
Jennie Robinson Faber 2026-04-20 19:03:34 +01:00
parent 6a6c567fd5
commit f34b062f2a
11 changed files with 746 additions and 247 deletions
Download patch file Download diff file Expand all files Collapse all files

26
server/utils/auth.js
View file

@ -75,6 +75,32 @@ export async function requireAuth(event) {
return member
}
/**
* Return the signed-in Member without throwing.
* Returns null when no cookie, invalid token, or member not found/inactive.
* Mirrors the non-throwing JWT check in api/auth/status.get.js.
*/
export async function getOptionalMember(event) {
await connectDB()
const token = getCookie(event, 'auth-token')
if (!token) return null
let decoded
try {
decoded = jwt.verify(token, useRuntimeConfig(event).jwtSecret)
} catch {
return null
}
const member = await Member.findById(decoded.memberId)
if (!member) return null
if (member.status === 'suspended' || member.status === 'cancelled') return null
if (decoded.tv !== member.tokenVersion) return null
return member
}
/**
* Verify JWT and require admin role.
* Throws 401 if not authenticated, 403 if not admin.