jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ghostguild-org/server/api/admin/series/tickets.put.js
Jennie Robinson Faber 26c300c357 Implement OWASP ASVS L1 security remediation (Phases 0-2) 
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification,
member status checks (suspended/cancelled = 403), and admin role
enforcement. Apply to all admin, upload, and payment endpoints. Add
role field to Member model.

CSRF: Double-submit cookie middleware with client plugin. Exempt
webhook and magic-link verify routes.

Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection,
Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP
(Helcim/Cloudinary/Plausible sources) in production only.

Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general
100/min via rate-limiter-flexible, keyed by client IP.

XSS: DOMPurify sanitization on marked() output with tag/attr
allowlists. escapeHtml() utility for email template interpolation.

Anti-enumeration: Login returns identical response for existing and
non-existing emails. Remove 404 handling from login UI components.

Mass assignment: Remove helcimCustomerId from profile allowedFields.

Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies.

Environment: Validate required secrets on startup via server plugin.
Remove JWT_SECRET hardcoded fallback.
2026-03-01 12:53:18 +00:00

138 lines
4.1 KiB
JavaScript
Raw Blame History

import Series from '../../../models/series.js'
import Event from '../../../models/event.js'
import { connectDB } from '../../../utils/mongoose.js'
import { requireAdmin } from '../../../utils/auth.js'
export default defineEventHandler(async (event) => {
try {
await requireAdmin(event)
await connectDB()
const body = await readBody(event)
const { id, tickets } = body
if (!id) {
throw createError({
statusCode: 400,
statusMessage: 'Series ID is required'
})
}
if (!tickets) {
throw createError({
statusCode: 400,
statusMessage: 'Tickets configuration is required'
})
}
// Find the series
const series = await Series.findOne({ id })
if (!series) {
throw createError({
statusCode: 404,
statusMessage: 'Series not found'
})
}
// Update the series with new ticketing configuration
const updatedSeries = await Series.findOneAndUpdate(
{ id },
{
$set: {
tickets: {
enabled: tickets.enabled || false,
requiresSeriesTicket: tickets.requiresSeriesTicket || false,
allowIndividualEventTickets: tickets.allowIndividualEventTickets !== false,
currency: tickets.currency || 'CAD',
member: {
available: tickets.member?.available !== false,
isFree: tickets.member?.isFree !== false,
price: tickets.member?.price || 0,
name: tickets.member?.name || 'Member Series Pass',
description: tickets.member?.description || '',
circleOverrides: tickets.member?.circleOverrides || {}
},
public: {
available: tickets.public?.available || false,
name: tickets.public?.name || 'Series Pass',
description: tickets.public?.description || '',
price: tickets.public?.price || 0,
quantity: tickets.public?.quantity || null,
sold: tickets.public?.sold || 0,
reserved: tickets.public?.reserved || 0,
earlyBirdPrice: tickets.public?.earlyBirdPrice || null,
earlyBirdDeadline: tickets.public?.earlyBirdDeadline || null
},
capacity: {
total: tickets.capacity?.total || null,
reserved: tickets.capacity?.reserved || 0
},
waitlist: {
enabled: tickets.waitlist?.enabled || false,
maxSize: tickets.waitlist?.maxSize || null,
entries: tickets.waitlist?.entries || []
}
},
updatedAt: new Date()
}
},
{ new: true }
)
// If requiresSeriesTicket is enabled, update all events in the series
if (tickets.enabled && tickets.requiresSeriesTicket) {
await Event.updateMany(
{
'series.id': id,
'series.isSeriesEvent': true
},
{
$set: {
'tickets.enabled': true,
'tickets.requiresSeriesTicket': true,
'tickets.seriesTicketReference': updatedSeries._id
}
}
)
} else if (tickets.enabled && !tickets.requiresSeriesTicket) {
// If series tickets are optional, just mark the reference
await Event.updateMany(
{
'series.id': id,
'series.isSeriesEvent': true
},
{
$set: {
'tickets.seriesTicketReference': updatedSeries._id
}
}
)
} else {
// If series tickets are disabled, remove the requirement from events
await Event.updateMany(
{
'series.id': id,
'series.isSeriesEvent': true
},
{
$set: {
'tickets.requiresSeriesTicket': false,
'tickets.seriesTicketReference': null
}
}
)
}
return {
success: true,
data: updatedSeries
}
} catch (error) {
console.error('Error updating series ticketing:', error)
throw createError({
statusCode: error.statusCode || 500,
statusMessage: error.statusMessage || 'Failed to update series ticketing'
})
}
})
Reference in a new issue View git blame Copy permalink