Jennie Robinson Faber
26c300c357
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model. CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes. Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only. Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP. XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation. Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components. Mass assignment: Remove helcimCustomerId from profile allowedFields. Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies. Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
141 lines
3.4 KiB
JavaScript
141 lines
3.4 KiB
JavaScript
// server/models/member.js
|
|
import mongoose from "mongoose";
|
|
import { resolve } from "path";
|
|
import { fileURLToPath } from "url";
|
|
|
|
const __dirname = fileURLToPath(new URL(".", import.meta.url));
|
|
|
|
// Import configs using dynamic imports to avoid build issues
|
|
const getValidCircleValues = () => ["community", "founder", "practitioner"];
|
|
const getValidContributionValues = () => ["0", "5", "15", "30", "50"];
|
|
|
|
const memberSchema = new mongoose.Schema({
|
|
email: { type: String, required: true, unique: true },
|
|
name: { type: String, required: true },
|
|
circle: {
|
|
type: String,
|
|
enum: getValidCircleValues(),
|
|
required: true,
|
|
},
|
|
contributionTier: {
|
|
type: String,
|
|
enum: getValidContributionValues(),
|
|
required: true,
|
|
},
|
|
role: {
|
|
type: String,
|
|
enum: ["member", "admin"],
|
|
default: "member",
|
|
},
|
|
status: {
|
|
type: String,
|
|
enum: ["pending_payment", "active", "suspended", "cancelled"],
|
|
default: "pending_payment",
|
|
},
|
|
helcimCustomerId: String,
|
|
helcimSubscriptionId: String,
|
|
paymentMethod: {
|
|
type: String,
|
|
enum: ["card", "bank", "none"],
|
|
default: "none",
|
|
},
|
|
subscriptionStartDate: Date,
|
|
subscriptionEndDate: Date,
|
|
nextBillingDate: Date,
|
|
slackInvited: { type: Boolean, default: false },
|
|
slackInviteStatus: {
|
|
type: String,
|
|
enum: ["pending", "sent", "failed", "accepted"],
|
|
default: "pending",
|
|
},
|
|
slackUserId: String,
|
|
|
|
// Profile fields
|
|
pronouns: String,
|
|
timeZone: String,
|
|
avatar: String,
|
|
studio: String,
|
|
bio: String,
|
|
location: String,
|
|
socialLinks: {
|
|
mastodon: String,
|
|
linkedin: String,
|
|
website: String,
|
|
other: String,
|
|
},
|
|
offering: {
|
|
text: String,
|
|
tags: [String],
|
|
},
|
|
lookingFor: {
|
|
text: String,
|
|
tags: [String],
|
|
},
|
|
showInDirectory: { type: Boolean, default: true },
|
|
|
|
// Peer support settings
|
|
peerSupport: {
|
|
enabled: { type: Boolean, default: false },
|
|
skillTopics: [String], // Auto-populated from offering.tags, editable
|
|
supportTopics: [String], // Curated conversational/emotional support topics
|
|
availability: String,
|
|
personalMessage: String,
|
|
slackUsername: String,
|
|
slackDMChannelId: String, // DM channel ID for direct messaging
|
|
},
|
|
|
|
// Privacy settings for profile fields
|
|
privacy: {
|
|
pronouns: {
|
|
type: String,
|
|
enum: ["public", "members", "private"],
|
|
default: "members",
|
|
},
|
|
timeZone: {
|
|
type: String,
|
|
enum: ["public", "members", "private"],
|
|
default: "members",
|
|
},
|
|
avatar: {
|
|
type: String,
|
|
enum: ["public", "members", "private"],
|
|
default: "public",
|
|
},
|
|
studio: {
|
|
type: String,
|
|
enum: ["public", "members", "private"],
|
|
default: "members",
|
|
},
|
|
bio: {
|
|
type: String,
|
|
enum: ["public", "members", "private"],
|
|
default: "members",
|
|
},
|
|
location: {
|
|
type: String,
|
|
enum: ["public", "members", "private"],
|
|
default: "members",
|
|
},
|
|
socialLinks: {
|
|
type: String,
|
|
enum: ["public", "members", "private"],
|
|
default: "members",
|
|
},
|
|
offering: {
|
|
type: String,
|
|
enum: ["public", "members", "private"],
|
|
default: "members",
|
|
},
|
|
lookingFor: {
|
|
type: String,
|
|
enum: ["public", "members", "private"],
|
|
default: "members",
|
|
},
|
|
},
|
|
|
|
createdAt: { type: Date, default: Date.now },
|
|
lastLogin: Date,
|
|
});
|
|
|
|
// Check if model already exists to prevent re-compilation in development
|
|
export default mongoose.models.Member || mongoose.model("Member", memberSchema);
|