jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ghostguild-org/server/utils/magicLink.js
Jennie Robinson Faber 208638e374 feat(launch): security and correctness fixes for 2026-05-01 launch 
Day-of-launch deep-dive audit and remediation. 11 issues fixed across
security, correctness, and reliability. Tests: 698 → 758 passing
(+60), 0 failing, 2 skipped.

CRITICAL (security)

Fix #1 — HELCIM_API_TOKEN removed from runtimeConfig.public; dead
useHelcim.js deleted. Production token MUST BE ROTATED post-deploy
(was previously exposed in window.__NUXT__ payload).

Fix #2 — /api/helcim/customer gated with origin check + per-IP/email
rate limit + magic-link email verification (replaces unauthenticated
setAuthCookie). Adds payment-bridge token for paid-tier signup so
users can complete Helcim checkout before email verify. New utils:
server/utils/{magicLink,rateLimit}.js. UX: signup success copy now
prompts user to check email.

Fix #3 — /api/events/[id]/payment deleted (dead code with unauth
member-spoof bypass — processHelcimPayment was a permanent stub).
Removes processHelcimPayment export and eventPaymentSchema.

Fix #4 — /api/helcim/initialize-payment re-derives ticket amount
server-side via calculateTicketPrice and calculateSeriesTicketPrice.
Adds new series_ticket metadata type (was being shoved through
event_ticket with seriesId in metadata.eventId).

Fix #5 — /api/helcim/customer upgrades existing status:guest members
in place rather than rejecting with 409. Lowercases email at lookup;
preserves _id so prior event registrations stay linked.

HIGH (correctness / reliability)

Fix #6 — Daily reconciliation cron via Netlify scheduled function
(@daily). New: netlify.toml, netlify/functions/reconcile-payments.mjs,
server/api/internal/reconcile-payments.post.js. Shared-secret auth
via NUXT_RECONCILE_TOKEN env var. Inline 3-retry exponential backoff
on Helcim transactions API.

Fix #7 — validateBeforeSave: false on event subdoc saves (waitlist
endpoints) to dodge legacy location validators.

Fix #8 — /api/series/[id]/tickets/purchase always upserts a guest
Member when caller is unauthenticated, mirrors event-ticket flow
byte-for-byte. SeriesPassPurchase.vue adds guest-account hint and
client auth refresh on signedIn:true response.

Fix #9 — /api/members/cancel-subscription leaves status active per
ratified bylaws (was pending_payment). Adds lastCancelledAt audit
field on Member model. Indirectly fixes false-positive
detectStuckPendingPayment admin alert for cancelled members.

Fix #10 — /api/auth/verify uses validateBody with strict() Zod schema
(verifyMagicLinkSchema, max 2000 chars).

Fix #11 — 8 vitest cases for cancel-subscription handler (was
uncovered).

Specs and audit at docs/superpowers/specs/2026-04-25-fix-*.md and
docs/superpowers/plans/2026-04-25-launch-readiness-fixes.md.
LAUNCH_READINESS.md updated with new test count, 3 deploy-time
tasks (rotate Helcim token, set NUXT_RECONCILE_TOKEN, verify
Netlify scheduled function), and Fixed-2026-04-25 fix log.
2026-04-25 18:42:36 +01:00

66 lines
2.1 KiB
JavaScript
Raw Blame History

// Send a magic-link verification email. Mirrors the token/email logic in
// server/api/auth/login.post.js so callers (signup, login, etc.) can request
// a verification link with their own subject/intro copy.
import jwt from 'jsonwebtoken'
import { randomUUID } from 'crypto'
import { Resend } from 'resend'
import Member from '../models/member.js'
const resend = new Resend(process.env.RESEND_API_KEY)
/**
* Issue a 15-minute magic-link JWT for `email` and email it.
*
* @param {string} email
* @param {object} [options]
* @param {string} [options.subject] - Email subject (default: "Your Ghost Guild login link")
* @param {string} [options.intro] - Optional one-line intro before the link.
* @returns {Promise<{ sent: boolean }>} - sent=false when no member exists for the email
* (caller can decide whether to surface that; the auth/login endpoint hides it for
* anti-enumeration, signup knows the member was just created).
*/
export async function sendMagicLink(email, options = {}) {
const baseUrl = process.env.BASE_URL
if (!baseUrl) {
throw createError({
statusCode: 500,
statusMessage: 'BASE_URL environment variable is not set'
})
}
const member = await Member.findOne({ email })
if (!member) return { sent: false }
const jti = randomUUID()
const token = jwt.sign(
{ memberId: member._id, jti },
useRuntimeConfig().jwtSecret,
{ expiresIn: '15m' }
)
await Member.findByIdAndUpdate(
member._id,
{ $set: { magicLinkJti: jti, magicLinkJtiUsed: false } },
{ runValidators: false }
)
const magicLink = `${baseUrl}/verify#${token}`
const subject = options.subject || 'Your Ghost Guild login link'
const intro = options.intro || 'Sign in to Ghost Guild:'
const text = `Hi,\n\n${intro}\n${magicLink}\n\nThis link expires in 15 minutes. If you didn't request it, ignore this email.`
await resend.emails.send({
from: 'Ghost Guild <ghostguild@babyghosts.org>',
to: email,
subject,
text
})
logActivity(member._id, 'email_sent', {
emailType: 'magic_link',
subject,
body: text
})
return { sent: true }
}
Reference in a new issue View git blame Copy permalink