Jennie Robinson Faber
26c300c357
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model. CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes. Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only. Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP. XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation. Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components. Mass assignment: Remove helcimCustomerId from profile allowedFields. Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies. Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
69 lines
2 KiB
JavaScript
69 lines
2 KiB
JavaScript
import Event from '../../../models/event.js'
|
|
import { connectDB } from '../../../utils/mongoose.js'
|
|
import { requireAdmin } from '../../../utils/auth.js'
|
|
|
|
export default defineEventHandler(async (event) => {
|
|
try {
|
|
await requireAdmin(event)
|
|
|
|
const eventId = getRouterParam(event, 'id')
|
|
const body = await readBody(event)
|
|
|
|
// Validate required fields
|
|
if (!body.title || !body.description || !body.startDate || !body.endDate) {
|
|
throw createError({
|
|
statusCode: 400,
|
|
statusMessage: 'Missing required fields'
|
|
})
|
|
}
|
|
|
|
await connectDB()
|
|
|
|
const updateData = {
|
|
...body,
|
|
startDate: new Date(body.startDate),
|
|
endDate: new Date(body.endDate),
|
|
registrationDeadline: body.registrationDeadline ? new Date(body.registrationDeadline) : null,
|
|
updatedAt: new Date()
|
|
}
|
|
|
|
// Handle ticket data
|
|
if (body.tickets) {
|
|
updateData.tickets = {
|
|
enabled: body.tickets.enabled || false,
|
|
public: {
|
|
available: body.tickets.public?.available || false,
|
|
name: body.tickets.public?.name || 'Public Ticket',
|
|
description: body.tickets.public?.description || '',
|
|
price: body.tickets.public?.price || 0,
|
|
quantity: body.tickets.public?.quantity || null,
|
|
sold: body.tickets.public?.sold || 0,
|
|
earlyBirdPrice: body.tickets.public?.earlyBirdPrice || null,
|
|
earlyBirdDeadline: body.tickets.public?.earlyBirdDeadline ? new Date(body.tickets.public.earlyBirdDeadline) : null
|
|
}
|
|
}
|
|
}
|
|
|
|
const updatedEvent = await Event.findByIdAndUpdate(
|
|
eventId,
|
|
updateData,
|
|
{ new: true, runValidators: true }
|
|
)
|
|
|
|
if (!updatedEvent) {
|
|
throw createError({
|
|
statusCode: 404,
|
|
statusMessage: 'Event not found'
|
|
})
|
|
}
|
|
|
|
return updatedEvent
|
|
} catch (error) {
|
|
if (error.statusCode) throw error
|
|
console.error('Error updating event:', error)
|
|
throw createError({
|
|
statusCode: 500,
|
|
statusMessage: error.message || 'Failed to update event'
|
|
})
|
|
}
|
|
})
|