jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ghostguild-org/server/api/helcim/initialize-payment.post.js
Jennie Robinson Faber 208638e374 feat(launch): security and correctness fixes for 2026-05-01 launch 
Day-of-launch deep-dive audit and remediation. 11 issues fixed across
security, correctness, and reliability. Tests: 698 → 758 passing
(+60), 0 failing, 2 skipped.

CRITICAL (security)

Fix #1 — HELCIM_API_TOKEN removed from runtimeConfig.public; dead
useHelcim.js deleted. Production token MUST BE ROTATED post-deploy
(was previously exposed in window.__NUXT__ payload).

Fix #2 — /api/helcim/customer gated with origin check + per-IP/email
rate limit + magic-link email verification (replaces unauthenticated
setAuthCookie). Adds payment-bridge token for paid-tier signup so
users can complete Helcim checkout before email verify. New utils:
server/utils/{magicLink,rateLimit}.js. UX: signup success copy now
prompts user to check email.

Fix #3 — /api/events/[id]/payment deleted (dead code with unauth
member-spoof bypass — processHelcimPayment was a permanent stub).
Removes processHelcimPayment export and eventPaymentSchema.

Fix #4 — /api/helcim/initialize-payment re-derives ticket amount
server-side via calculateTicketPrice and calculateSeriesTicketPrice.
Adds new series_ticket metadata type (was being shoved through
event_ticket with seriesId in metadata.eventId).

Fix #5 — /api/helcim/customer upgrades existing status:guest members
in place rather than rejecting with 409. Lowercases email at lookup;
preserves _id so prior event registrations stay linked.

HIGH (correctness / reliability)

Fix #6 — Daily reconciliation cron via Netlify scheduled function
(@daily). New: netlify.toml, netlify/functions/reconcile-payments.mjs,
server/api/internal/reconcile-payments.post.js. Shared-secret auth
via NUXT_RECONCILE_TOKEN env var. Inline 3-retry exponential backoff
on Helcim transactions API.

Fix #7 — validateBeforeSave: false on event subdoc saves (waitlist
endpoints) to dodge legacy location validators.

Fix #8 — /api/series/[id]/tickets/purchase always upserts a guest
Member when caller is unauthenticated, mirrors event-ticket flow
byte-for-byte. SeriesPassPurchase.vue adds guest-account hint and
client auth refresh on signedIn:true response.

Fix #9 — /api/members/cancel-subscription leaves status active per
ratified bylaws (was pending_payment). Adds lastCancelledAt audit
field on Member model. Indirectly fixes false-positive
detectStuckPendingPayment admin alert for cancelled members.

Fix #10 — /api/auth/verify uses validateBody with strict() Zod schema
(verifyMagicLinkSchema, max 2000 chars).

Fix #11 — 8 vitest cases for cancel-subscription handler (was
uncovered).

Specs and audit at docs/superpowers/specs/2026-04-25-fix-*.md and
docs/superpowers/plans/2026-04-25-launch-readiness-fixes.md.
LAUNCH_READINESS.md updated with new test count, 3 deploy-time
tasks (rotate Helcim token, set NUXT_RECONCILE_TOKEN, verify
Netlify scheduled function), and Fixed-2026-04-25 fix log.
2026-04-25 18:42:36 +01:00

117 lines
4.4 KiB
JavaScript
Raw Blame History

// Initialize HelcimPay.js session
import Member from '../../models/member.js'
import Series from '../../models/series.js'
import { loadPublicEvent } from '../../utils/loadEvent.js'
import { calculateTicketPrice, calculateSeriesTicketPrice, hasMemberAccess } from '../../utils/tickets.js'
import { requireAuth, getOptionalMember, getPaymentBridgeMember } from '../../utils/auth.js'
import { initializeHelcimPaySession } from '../../utils/helcim.js'
export default defineEventHandler(async (event) => {
try {
const body = await validateBody(event, helcimInitializePaymentSchema)
const metaType = body.metadata?.type
const isEventTicket = metaType === 'event_ticket'
const isSeriesTicket = metaType === 'series_ticket'
const isTicket = isEventTicket || isSeriesTicket
// Membership signup uses a short-lived payment-bridge cookie (set by
// /api/helcim/customer) so the user can complete checkout before clicking
// their email-verification magic link.
const isMembershipSignup = metaType === 'membership_signup'
if (!isTicket) {
if (isMembershipSignup) {
const bridgeMember = await getPaymentBridgeMember(event)
if (!bridgeMember) {
await requireAuth(event)
}
} else {
await requireAuth(event)
}
}
let amount = 0
let description = body.metadata?.eventTitle
if (isTicket) {
// Re-derive price server-side; never trust body.amount for ticket flows.
const caller = await getOptionalMember(event).catch(() => null)
const lookupEmail = body.metadata?.email?.toLowerCase()
const member = caller || (lookupEmail
? await Member.findOne({ email: lookupEmail })
: null)
const accessMember = hasMemberAccess(member) ? member : null
if (isEventTicket) {
const eventId = body.metadata?.eventId
if (!eventId) {
throw createError({ statusCode: 400, statusMessage: 'metadata.eventId is required for event_ticket' })
}
const eventDoc = await loadPublicEvent(event, eventId)
const ticketInfo = calculateTicketPrice(eventDoc, accessMember)
if (!ticketInfo) {
throw createError({ statusCode: 403, statusMessage: 'No tickets available for your membership status' })
}
amount = ticketInfo.price
description = description || eventDoc.title
} else {
const seriesId = body.metadata?.seriesId
if (!seriesId) {
throw createError({ statusCode: 400, statusMessage: 'metadata.seriesId is required for series_ticket' })
}
const isObjectId = /^[0-9a-fA-F]{24}$/.test(seriesId)
const seriesQuery = isObjectId
? { $or: [{ _id: seriesId }, { id: seriesId }, { slug: seriesId }] }
: { $or: [{ id: seriesId }, { slug: seriesId }] }
const series = await Series.findOne(seriesQuery)
if (!series) {
throw createError({ statusCode: 404, statusMessage: 'Series not found' })
}
const ticketInfo = calculateSeriesTicketPrice(series, accessMember)
if (!ticketInfo) {
throw createError({ statusCode: 403, statusMessage: 'No series passes available for your membership status' })
}
amount = ticketInfo.price
description = description || series.title
}
} else {
amount = body.amount || 0
}
const paymentType = isTicket && amount > 0 ? 'purchase' : 'verify'
const requestBody = {
paymentType,
amount: paymentType === 'purchase' ? amount : 0,
currency: 'CAD',
paymentMethod: 'cc'
}
if (body.customerCode && paymentType === 'verify') {
requestBody.customerCode = body.customerCode
}
if (description) {
requestBody.description = description
requestBody.notes = description
const orderId = body.metadata?.eventId || body.metadata?.seriesId
if (orderId) requestBody.orderNumber = `${orderId}`
}
const paymentData = await initializeHelcimPaySession(requestBody)
return {
success: true,
checkoutToken: paymentData.checkoutToken,
secretToken: paymentData.secretToken,
// Echo derived amount so the client can sanity-check before opening modal.
amount
}
} catch (error) {
if (error.statusCode) throw error
console.error('Error initializing HelcimPay:', error)
throw createError({
statusCode: 500,
statusMessage: 'An unexpected error occurred'
})
}
})
Reference in a new issue View git blame Copy permalink