jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ghostguild-org/server/api/auth/login.post.js
Jennie Robinson Faber 26c300c357 Implement OWASP ASVS L1 security remediation (Phases 0-2) 
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification,
member status checks (suspended/cancelled = 403), and admin role
enforcement. Apply to all admin, upload, and payment endpoints. Add
role field to Member model.

CSRF: Double-submit cookie middleware with client plugin. Exempt
webhook and magic-link verify routes.

Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection,
Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP
(Helcim/Cloudinary/Plausible sources) in production only.

Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general
100/min via rate-limiter-flexible, keyed by client IP.

XSS: DOMPurify sanitization on marked() output with tag/attr
allowlists. escapeHtml() utility for email template interpolation.

Anti-enumeration: Login returns identical response for existing and
non-existing emails. Remove 404 handling from login UI components.

Mass assignment: Remove helcimCustomerId from profile allowedFields.

Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies.

Environment: Validate required secrets on startup via server plugin.
Remove JWT_SECRET hardcoded fallback.
2026-03-01 12:53:18 +00:00

81 lines
2.4 KiB
JavaScript
Raw Blame History

// server/api/auth/login.post.js
import jwt from "jsonwebtoken";
import { Resend } from "resend";
import Member from "../../models/member.js";
import { connectDB } from "../../utils/mongoose.js";
const resend = new Resend(process.env.RESEND_API_KEY);
export default defineEventHandler(async (event) => {
// Connect to database
await connectDB();
const { email } = await readBody(event);
if (!email) {
throw createError({
statusCode: 400,
statusMessage: "Email is required",
});
}
const GENERIC_MESSAGE = "If this email is registered, we've sent a login link.";
const member = await Member.findOne({ email });
if (!member) {
// Return same response shape to prevent enumeration
return {
success: true,
message: GENERIC_MESSAGE,
};
}
// Generate magic link token
const token = jwt.sign(
{ memberId: member._id },
process.env.JWT_SECRET,
{ expiresIn: "15m" },
);
// Get the base URL for the magic link
const headers = getHeaders(event);
const baseUrl =
process.env.BASE_URL ||
`${headers.host?.includes("localhost") ? "http" : "https"}://${headers.host}`;
// Send magic link via Resend
try {
await resend.emails.send({
from: "Ghost Guild <ghostguild@babyghosts.org>",
to: email,
subject: "Your Ghost Guild login link",
html: `
<div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
<h2 style="color: #2563eb;">Welcome back to Ghost Guild!</h2>
<p>Click the button below to sign in to your account:</p>
<div style="text-align: center; margin: 30px 0;">
<a href="${baseUrl}/api/auth/verify?token=${token}"
style="background-color: #2563eb; color: white; padding: 12px 24px; text-decoration: none; border-radius: 6px; display: inline-block;">
Sign In to Ghost Guild
</a>
</div>
<p style="color: #666; font-size: 14px;">
This link will expire in 15 minutes for security. If you didn't request this login link, you can safely ignore this email.
</p>
</div>
`,
});
return {
success: true,
message: GENERIC_MESSAGE,
};
} catch (error) {
console.error("Failed to send email:", error);
throw createError({
statusCode: 500,
statusMessage: "Failed to send login email. Please try again.",
});
}
});
Reference in a new issue View git blame Copy permalink