Jennie Robinson Faber
26c300c357
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model. CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes. Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only. Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP. XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation. Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components. Mass assignment: Remove helcimCustomerId from profile allowedFields. Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies. Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
66 lines
2 KiB
JavaScript
66 lines
2 KiB
JavaScript
import Event from "../../models/event.js";
|
|
import { connectDB } from "../../utils/mongoose.js";
|
|
import { requireAdmin } from "../../utils/auth.js";
|
|
|
|
export default defineEventHandler(async (event) => {
|
|
try {
|
|
const admin = await requireAdmin(event);
|
|
|
|
const body = await readBody(event);
|
|
|
|
// Validate required fields
|
|
if (!body.title || !body.description || !body.startDate || !body.endDate) {
|
|
throw createError({
|
|
statusCode: 400,
|
|
statusMessage: "Missing required fields",
|
|
});
|
|
}
|
|
|
|
await connectDB();
|
|
|
|
const eventData = {
|
|
...body,
|
|
createdBy: admin.email,
|
|
startDate: new Date(body.startDate),
|
|
endDate: new Date(body.endDate),
|
|
registrationDeadline: body.registrationDeadline
|
|
? new Date(body.registrationDeadline)
|
|
: null,
|
|
};
|
|
|
|
// Ensure slug is not included in eventData (let the model generate it)
|
|
delete eventData.slug;
|
|
|
|
// Handle ticket data
|
|
if (body.tickets) {
|
|
eventData.tickets = {
|
|
enabled: body.tickets.enabled || false,
|
|
public: {
|
|
available: body.tickets.public?.available || false,
|
|
name: body.tickets.public?.name || "Public Ticket",
|
|
description: body.tickets.public?.description || "",
|
|
price: body.tickets.public?.price || 0,
|
|
quantity: body.tickets.public?.quantity || null,
|
|
sold: 0, // Initialize sold count
|
|
earlyBirdPrice: body.tickets.public?.earlyBirdPrice || null,
|
|
earlyBirdDeadline: body.tickets.public?.earlyBirdDeadline
|
|
? new Date(body.tickets.public.earlyBirdDeadline)
|
|
: null,
|
|
},
|
|
};
|
|
}
|
|
|
|
const newEvent = new Event(eventData);
|
|
|
|
const savedEvent = await newEvent.save();
|
|
|
|
return savedEvent;
|
|
} catch (error) {
|
|
if (error.statusCode) throw error;
|
|
console.error("Error creating event:", error);
|
|
throw createError({
|
|
statusCode: 500,
|
|
statusMessage: error.message || "Failed to create event",
|
|
});
|
|
}
|
|
});
|