jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
No description
357 commits 9 branches 0 tags 28 MiB
Find a file
Jennie Robinson Faber 7a626b0a82
Some checks failed
Test / Notify on failure (push) Blocked by required conditions
Details
Test / visual (push) Blocked by required conditions
Details
Test / vitest (push) Successful in 11m1s
Details
Test / playwright (push) Has been cancelled
Details
fix(csrf): exempt /api/internal/ from double-submit check 
The reconcile-payments cron POSTs to /api/internal/reconcile-payments with
an X-Reconcile-Token header but no csrf-token cookie/header. The CSRF
middleware was 403ing the request before the route handler could check
the shared secret — breaking Fix #6 (daily reconciliation cron).

Found while wiring the Dokploy scheduled task. The Netlify scheduled
function would have hit the same 403; nobody noticed because the site
hasn't been deployed yet.

Removing CSRF protection from /api/internal/ is safe: every route under
that prefix is machine-to-machine and gates on its own shared-secret
header. CSRF protects against browser-driven cross-origin POSTs, which
isn't the threat model for these endpoints.

Tests: 758 passing (CSRF middleware unit tests still cover the exempt
list shape).
2026-04-26 13:16:11 +01:00
.claude Readying for design 2026-03-04 18:24:20 +00:00
.forgejo/workflows Huge bunch of UI/UX improvements and tweaks! 2026-04-06 16:17:12 +01:00
.husky feat: add testing infrastructure — Vitest, Playwright, CI, git hooks 2026-04-04 16:07:21 +01:00
.serena fix: use private helcimApiToken for all server-side Helcim API calls 2026-04-04 13:37:34 +01:00
app refactor(launch): collapse helcim-pay duplication and use setAuthCookie helper 2026-04-25 22:13:24 +01:00
assets/css Redesign interface across member dashboard and events pages 2025-10-09 16:25:57 +01:00
docs chore(deploy): retarget launch checklist from Netlify to Dokploy on Hetzner 2026-04-26 12:29:48 +01:00
e2e Copy and layout improvements. 2026-04-16 21:11:05 +01:00
plugins Enhance application structure: Add runtime configuration for environment variables, integrate new dependencies for Cloudinary and UI components, and refactor member management features including improved forms and member dashboard. Update styles and layout for better user experience. 2025-08-27 16:49:51 +01:00
public feat: cleanup deprecated components and background texture 2026-04-02 21:38:50 +01:00
scripts feat(payments): add reconcile-helcim-payments script for backfill + ongoing sync 2026-04-20 13:21:56 +01:00
server fix(csrf): exempt /api/internal/ from double-submit check 2026-04-26 13:16:11 +01:00
tests feat(launch): security and correctness fixes for 2026-05-01 launch 2026-04-25 18:42:36 +01:00
.cursorignore Updates! 2026-03-31 18:18:24 +01:00
.cursorindexingignore Updates! 2026-03-31 18:18:24 +01:00
.dockerignore feat: add .dockerignore and document BASE_URL in .env.example 2026-04-04 12:41:00 +01:00
.env.example feat(helcim): add cadence-keyed plan id runtime config 2026-04-18 17:10:50 +01:00
.gitignore docs(launch): condense LAUNCH_READINESS and ignore prereg dump script 2026-04-20 19:34:38 +01:00
debug-token.js Implement multi-step registration process: Add step indicators, error handling, and payment processing for membership registration. Enhance form validation and user feedback with success and error messages. Refactor state management for improved clarity and maintainability. 2025-09-03 14:47:13 +01:00
Dockerfile fix: multi-stage Dockerfile and guard husky for Docker builds 2026-04-04 16:44:55 +01:00
eslint.config.mjs Initial commit 2025-08-26 14:17:16 +01:00
nuxt.config.ts feat(launch): security and correctness fixes for 2026-05-01 launch 2026-04-25 18:42:36 +01:00
package-lock.json merge: worktree-a11y-fixes into main 2026-04-05 22:05:00 +01:00
package.json merge: worktree-a11y-fixes into main 2026-04-05 22:05:00 +01:00
playwright.config.js test(visual): allow playwright port override and rebaseline connections-mobile 2026-04-08 16:03:48 +01:00
slack-app-manifest.yaml Adding features 2025-10-05 16:15:09 +01:00
test-helcim-direct.js Implement multi-step registration process: Add step indicators, error handling, and payment processing for membership registration. Enhance form validation and user feedback with success and error messages. Refactor state management for improved clarity and maintainability. 2025-09-03 14:47:13 +01:00
TESTING.md feat: add testing infrastructure — Vitest, Playwright, CI, git hooks 2026-04-04 16:07:21 +01:00
tsconfig.json Initial commit 2025-08-26 14:17:16 +01:00
vitest.config.js Add Vitest security test suite and update security evaluation doc 2026-03-01 12:30:06 +00:00