Jennie Robinson Faber
f34b062f2a
Pre-launch P0 fixes surfaced by docs/specs/events-functional-test-matrix.md (Findings 1, 2, 3). 1. Series-pass bypass (Finding 1 / matrix S1 P3): register.post.js now loads the linked Series when tickets.requiresSeriesTicket is set and rejects drop-in registration unless series.allowIndividualEventTickets is true or the user has a valid pass. Data-integrity 500 if the referenced series is missing. 2. Hidden-event leak (Finding 2 / matrix E11): extract loadPublicEvent into server/utils/loadEvent.js. All five public event endpoints ([id].get, register, tickets/available, tickets/reserve, tickets/purchase) now go through the helper, which 404s when isVisible === false and the requester is not an admin. Admin detection uses a new non-throwing getOptionalMember() in server/utils/auth.js (extracted from the pattern already inlined in api/auth/status.get.js). 3. Deadline enforcement + legacy pricing retirement (Finding 3 / matrix E8): register.post.js and tickets/reserve.post.js delegate gating to validateTicketPurchase (which already covers deadline, cancelled, started, members-only, sold-out, and already-registered); tickets/available.get.js gets an explicit registrationDeadline check. Legacy pricing.paymentRequired 402 branch removed from register.post.js.
68 lines
2 KiB
JavaScript
68 lines
2 KiB
JavaScript
import Member from "../../../../models/member.js";
|
|
import { loadPublicEvent } from "../../../../utils/loadEvent.js";
|
|
import { validateBody } from "../../../../utils/validateBody.js";
|
|
import { ticketReserveSchema } from "../../../../utils/schemas.js";
|
|
import {
|
|
calculateTicketPrice,
|
|
hasMemberAccess,
|
|
reserveTicket,
|
|
validateTicketPurchase,
|
|
} from "../../../../utils/tickets.js";
|
|
|
|
/**
|
|
* POST /api/events/[id]/tickets/reserve
|
|
* Temporarily reserve a ticket during checkout process
|
|
* Body: { email }
|
|
*/
|
|
export default defineEventHandler(async (event) => {
|
|
try {
|
|
const identifier = getRouterParam(event, "id");
|
|
const body = await validateBody(event, ticketReserveSchema);
|
|
|
|
const eventData = await loadPublicEvent(event, identifier);
|
|
|
|
const member = await Member.findOne({ email: body.email.toLowerCase() });
|
|
|
|
// Gate on deadline, cancellation, start, members-only, sold-out, and
|
|
// already-registered before reserving.
|
|
const validation = validateTicketPurchase(eventData, {
|
|
email: body.email,
|
|
member: hasMemberAccess(member) ? member : null,
|
|
});
|
|
|
|
if (!validation.valid) {
|
|
const statusCode = /members only/i.test(validation.reason) ? 403 : 400;
|
|
throw createError({ statusCode, statusMessage: validation.reason });
|
|
}
|
|
|
|
const ticketInfo =
|
|
validation.ticketInfo || calculateTicketPrice(eventData, member);
|
|
|
|
const reservation = await reserveTicket(eventData, ticketInfo.ticketType);
|
|
|
|
if (!reservation.success) {
|
|
throw createError({
|
|
statusCode: 400,
|
|
statusMessage: reservation.reason || "Failed to reserve ticket",
|
|
});
|
|
}
|
|
|
|
return {
|
|
success: true,
|
|
reservation: {
|
|
id: reservation.reservationId,
|
|
expiresAt: reservation.expiresAt,
|
|
ticketType: ticketInfo.ticketType,
|
|
},
|
|
};
|
|
} catch (error) {
|
|
if (error.statusCode) {
|
|
throw error;
|
|
}
|
|
console.error("Error reserving ticket:", error);
|
|
throw createError({
|
|
statusCode: 500,
|
|
statusMessage: "Failed to reserve ticket",
|
|
});
|
|
}
|
|
});
|