Jennie Robinson Faber
b7279f57d1
- Add centralized Zod schemas (server/utils/schemas.js) and validateBody utility for all API endpoints - Fix critical mass assignment in member creation: raw body no longer passed to new Member(), only validated fields (email, name, circle, contributionTier) are accepted - Apply Zod validation to login, profile patch, event registration, updates, verify-payment, and admin event creation endpoints - Fix logout cookie flags to match login (httpOnly: true, secure conditional on NODE_ENV) - Delete unauthenticated test/debug endpoints (test-connection, test-subscription, test-bot) - Remove sensitive console.log statements from Helcim and member endpoints - Remove unused bcryptjs dependency - Add 10MB file size limit on image uploads - Use runtime config for JWT secret across all endpoints - Add 38 validation tests (117 total, all passing)
67 lines
2 KiB
JavaScript
67 lines
2 KiB
JavaScript
// Verify payment token from HelcimPay.js
|
|
import { requireAuth } from '../../utils/auth.js'
|
|
import { validateBody } from '../../utils/validateBody.js'
|
|
import { paymentVerifySchema } from '../../utils/schemas.js'
|
|
|
|
const HELCIM_API_BASE = 'https://api.helcim.com/v2'
|
|
|
|
export default defineEventHandler(async (event) => {
|
|
try {
|
|
await requireAuth(event)
|
|
const config = useRuntimeConfig(event)
|
|
const body = await validateBody(event, paymentVerifySchema)
|
|
|
|
const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
|
|
|
|
if (!helcimToken) {
|
|
throw createError({
|
|
statusCode: 500,
|
|
statusMessage: 'Helcim API token not configured'
|
|
})
|
|
}
|
|
|
|
// Verify the card token by fetching the customer's cards from Helcim
|
|
const response = await fetch(`${HELCIM_API_BASE}/customers/${body.customerId}/cards`, {
|
|
method: 'GET',
|
|
headers: {
|
|
'accept': 'application/json',
|
|
'api-token': helcimToken
|
|
}
|
|
})
|
|
|
|
if (!response.ok) {
|
|
const errorText = await response.text()
|
|
console.error('Payment verification failed:', response.status, errorText)
|
|
throw createError({
|
|
statusCode: 502,
|
|
statusMessage: 'Payment verification failed with Helcim'
|
|
})
|
|
}
|
|
|
|
const cards = await response.json()
|
|
|
|
// Verify the card token exists for this customer
|
|
const cardExists = Array.isArray(cards) && cards.some(card =>
|
|
card.cardToken === body.cardToken
|
|
)
|
|
|
|
if (!cardExists) {
|
|
throw createError({
|
|
statusCode: 400,
|
|
statusMessage: 'Payment method not found or does not belong to this customer'
|
|
})
|
|
}
|
|
|
|
return {
|
|
success: true,
|
|
cardToken: body.cardToken,
|
|
message: 'Payment verified with Helcim'
|
|
}
|
|
} catch (error) {
|
|
console.error('Error verifying payment:', error)
|
|
throw createError({
|
|
statusCode: error.statusCode || 500,
|
|
statusMessage: error.statusMessage || 'Failed to verify payment'
|
|
})
|
|
}
|
|
})
|