Jennie Robinson Faber
26c300c357
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model. CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes. Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only. Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP. XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation. Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components. Mass assignment: Remove helcimCustomerId from profile allowedFields. Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies. Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
73 lines
2.1 KiB
JavaScript
73 lines
2.1 KiB
JavaScript
// Verify payment token from HelcimPay.js
|
|
import { requireAuth } from '../../utils/auth.js'
|
|
|
|
const HELCIM_API_BASE = 'https://api.helcim.com/v2'
|
|
|
|
export default defineEventHandler(async (event) => {
|
|
try {
|
|
await requireAuth(event)
|
|
const config = useRuntimeConfig(event)
|
|
const body = await readBody(event)
|
|
|
|
// Validate required fields
|
|
if (!body.cardToken || !body.customerId) {
|
|
throw createError({
|
|
statusCode: 400,
|
|
statusMessage: 'Card token and customer ID are required'
|
|
})
|
|
}
|
|
|
|
const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
|
|
|
|
if (!helcimToken) {
|
|
throw createError({
|
|
statusCode: 500,
|
|
statusMessage: 'Helcim API token not configured'
|
|
})
|
|
}
|
|
|
|
// Verify the card token by fetching the customer's cards from Helcim
|
|
const response = await fetch(`${HELCIM_API_BASE}/customers/${body.customerId}/cards`, {
|
|
method: 'GET',
|
|
headers: {
|
|
'accept': 'application/json',
|
|
'api-token': helcimToken
|
|
}
|
|
})
|
|
|
|
if (!response.ok) {
|
|
const errorText = await response.text()
|
|
console.error('Payment verification failed:', response.status, errorText)
|
|
throw createError({
|
|
statusCode: 502,
|
|
statusMessage: 'Payment verification failed with Helcim'
|
|
})
|
|
}
|
|
|
|
const cards = await response.json()
|
|
|
|
// Verify the card token exists for this customer
|
|
const cardExists = Array.isArray(cards) && cards.some(card =>
|
|
card.cardToken === body.cardToken || card.id
|
|
)
|
|
|
|
if (!cardExists && Array.isArray(cards) && cards.length === 0) {
|
|
throw createError({
|
|
statusCode: 400,
|
|
statusMessage: 'No payment method found for this customer'
|
|
})
|
|
}
|
|
|
|
return {
|
|
success: true,
|
|
cardToken: body.cardToken,
|
|
message: 'Payment verified with Helcim'
|
|
}
|
|
} catch (error) {
|
|
console.error('Error verifying payment:', error)
|
|
throw createError({
|
|
statusCode: error.statusCode || 500,
|
|
statusMessage: error.statusMessage || 'Failed to verify payment'
|
|
})
|
|
}
|
|
})
|