jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ghostguild-org/server/api/series/[id]/tickets/purchase.post.js
Jennie Robinson Faber 208638e374 feat(launch): security and correctness fixes for 2026-05-01 launch 
Day-of-launch deep-dive audit and remediation. 11 issues fixed across
security, correctness, and reliability. Tests: 698 → 758 passing
(+60), 0 failing, 2 skipped.

CRITICAL (security)

Fix #1 — HELCIM_API_TOKEN removed from runtimeConfig.public; dead
useHelcim.js deleted. Production token MUST BE ROTATED post-deploy
(was previously exposed in window.__NUXT__ payload).

Fix #2 — /api/helcim/customer gated with origin check + per-IP/email
rate limit + magic-link email verification (replaces unauthenticated
setAuthCookie). Adds payment-bridge token for paid-tier signup so
users can complete Helcim checkout before email verify. New utils:
server/utils/{magicLink,rateLimit}.js. UX: signup success copy now
prompts user to check email.

Fix #3 — /api/events/[id]/payment deleted (dead code with unauth
member-spoof bypass — processHelcimPayment was a permanent stub).
Removes processHelcimPayment export and eventPaymentSchema.

Fix #4 — /api/helcim/initialize-payment re-derives ticket amount
server-side via calculateTicketPrice and calculateSeriesTicketPrice.
Adds new series_ticket metadata type (was being shoved through
event_ticket with seriesId in metadata.eventId).

Fix #5 — /api/helcim/customer upgrades existing status:guest members
in place rather than rejecting with 409. Lowercases email at lookup;
preserves _id so prior event registrations stay linked.

HIGH (correctness / reliability)

Fix #6 — Daily reconciliation cron via Netlify scheduled function
(@daily). New: netlify.toml, netlify/functions/reconcile-payments.mjs,
server/api/internal/reconcile-payments.post.js. Shared-secret auth
via NUXT_RECONCILE_TOKEN env var. Inline 3-retry exponential backoff
on Helcim transactions API.

Fix #7 — validateBeforeSave: false on event subdoc saves (waitlist
endpoints) to dodge legacy location validators.

Fix #8 — /api/series/[id]/tickets/purchase always upserts a guest
Member when caller is unauthenticated, mirrors event-ticket flow
byte-for-byte. SeriesPassPurchase.vue adds guest-account hint and
client auth refresh on signedIn:true response.

Fix #9 — /api/members/cancel-subscription leaves status active per
ratified bylaws (was pending_payment). Adds lastCancelledAt audit
field on Member model. Indirectly fixes false-positive
detectStuckPendingPayment admin alert for cancelled members.

Fix #10 — /api/auth/verify uses validateBody with strict() Zod schema
(verifyMagicLinkSchema, max 2000 chars).

Fix #11 — 8 vitest cases for cancel-subscription handler (was
uncovered).

Specs and audit at docs/superpowers/specs/2026-04-25-fix-*.md and
docs/superpowers/plans/2026-04-25-launch-readiness-fixes.md.
LAUNCH_READINESS.md updated with new test count, 3 deploy-time
tasks (rotate Helcim token, set NUXT_RECONCILE_TOKEN, verify
Netlify scheduled function), and Fixed-2026-04-25 fix log.
2026-04-25 18:42:36 +01:00

221 lines
6.9 KiB
JavaScript
Raw Blame History

import Series from "../../../../models/series.js";
import Event from "../../../../models/event.js";
import Member from "../../../../models/member.js";
import {
validateSeriesTicketPurchase,
calculateSeriesTicketPrice,
reserveSeriesTicket,
releaseSeriesTicket,
completeSeriesTicketPurchase,
registerForAllSeriesEvents,
hasMemberAccess,
} from "../../../../utils/tickets.js";
import { sendSeriesPassConfirmation } from "../../../../utils/resend.js";
export default defineEventHandler(async (event) => {
try {
const seriesId = getRouterParam(event, "id");
const body = await validateBody(event, seriesTicketPurchaseSchema);
const { name, email, paymentId } = body;
// Fetch series
// Build query conditions based on whether seriesId looks like ObjectId or string
const isObjectId = /^[0-9a-fA-F]{24}$/.test(seriesId);
const seriesQuery = isObjectId
? { $or: [{ _id: seriesId }, { id: seriesId }, { slug: seriesId }] }
: { $or: [{ id: seriesId }, { slug: seriesId }] };
const series = await Series.findOne(seriesQuery);
if (!series) {
throw createError({
statusCode: 404,
statusMessage: "Series not found",
});
}
// Check membership — prefer JWT auth for accurate member pricing.
// Only members with access (active or pending_payment) get member-tier
// pricing; guest, suspended, and cancelled are treated as non-members.
let member = null;
let accountCreated = false;
try {
member = await requireAuth(event);
} catch {
// Not authenticated — fall through to email lookup
}
if (!member) {
member = await Member.findOne({ email: email.toLowerCase() });
}
// Resolve canonical email: use authenticated member's email if available
const canonicalEmail = member ? member.email : email.toLowerCase();
const accessMember = hasMemberAccess(member) ? member : null;
// Validate purchase
const validation = validateSeriesTicketPurchase(series, {
email: canonicalEmail,
name,
member: accessMember,
});
if (!validation.valid) {
throw createError({
statusCode: 400,
statusMessage: validation.reason,
});
}
const { ticketInfo } = validation;
// Validate submitted ticket type matches entitlement (prevents price mismatch)
if (body.ticketType && body.ticketType !== ticketInfo.ticketType) {
throw createError({
statusCode: 422,
statusMessage: `Ticket type mismatch: you are entitled to "${ticketInfo.ticketType}" but submitted "${body.ticketType}"`,
})
}
// For paid tickets, require payment ID
if (!ticketInfo.isFree && !paymentId) {
throw createError({
statusCode: 400,
statusMessage: "Payment is required for this series pass",
});
}
// If no Member yet, atomically create a guest Member. Series passes grant
// access to a bundle of events over time — a buyer without an account
// can't view their registrations or be recognized by per-event pages,
// so we always create the guest (unlike single-event tickets which are
// opt-in). findOneAndUpdate with $setOnInsert handles concurrent
// registrations on the same email (email has a unique index).
if (!member) {
member = await Member.findOneAndUpdate(
{ email: canonicalEmail },
{
$setOnInsert: {
email: canonicalEmail,
name,
circle: "community",
contributionAmount: 0,
status: "guest",
},
},
{ upsert: true, new: true, setDefaultsOnInsert: true }
);
accountCreated = true;
}
// Create series registration
const registration = {
memberId: member?._id,
name,
email: canonicalEmail,
membershipLevel: accessMember?.circle || "non-member",
isMember: !!accessMember,
ticketType: ticketInfo.ticketType,
ticketPrice: ticketInfo.price,
paymentStatus: ticketInfo.isFree ? "not_required" : "completed",
paymentId: paymentId || null,
amountPaid: ticketInfo.price,
registeredAt: new Date(),
eventRegistrations: [],
};
series.registrations.push(registration);
await completeSeriesTicketPurchase(series, ticketInfo.ticketType);
// Decide on auto-login: safe for new accounts and existing guests, not for
// real members (stranger could hijack by typing email into a public form).
let signedIn = false;
let requiresSignIn = false;
if (member && (accountCreated || member.status === "guest")) {
setAuthCookie(event, member);
signedIn = true;
} else if (member) {
requiresSignIn = true;
}
// Get the newly created registration
const newRegistration =
series.registrations[series.registrations.length - 1];
// Fetch all events in this series
const seriesEvents = await Event.find({
"series.id": series.id,
isCancelled: false,
}).sort({ "series.position": 1, startDate: 1 });
// Register user for all events
const eventRegistrations = await registerForAllSeriesEvents(
series,
seriesEvents,
newRegistration,
);
// Send confirmation email
try {
await sendSeriesPassConfirmation({
to: canonicalEmail,
name,
series: {
title: series.title,
description: series.description,
type: series.type,
},
ticket: {
type: ticketInfo.ticketType,
price: ticketInfo.price,
currency: ticketInfo.currency,
isFree: ticketInfo.isFree,
},
events: seriesEvents.map((e) => ({
title: e.title,
startDate: e.startDate,
endDate: e.endDate,
location: e.location,
})),
paymentId,
});
if (member) {
logActivity(member._id, 'email_sent', {
emailType: 'series_pass',
subject: `Series pass: ${series.title}`
})
}
} catch (emailError) {
console.error(
"Failed to send series pass confirmation email:",
emailError,
);
// Don't fail the registration if email fails
}
return {
success: true,
message: "Series pass purchased successfully",
registration: {
id: newRegistration._id,
ticketType: newRegistration.ticketType,
amountPaid: newRegistration.amountPaid,
eventsRegistered: eventRegistrations.filter((r) => r.success).length,
totalEvents: seriesEvents.length,
},
events: eventRegistrations.map((r) => ({
eventId: r.eventId,
success: r.success,
reason: r.reason,
})),
accountCreated,
signedIn,
requiresSignIn,
};
} catch (error) {
console.error("Error purchasing series pass:", error);
throw createError({
statusCode: error.statusCode || 500,
statusMessage: error.statusMessage || "Failed to purchase series pass",
});
}
});
Reference in a new issue View git blame Copy permalink