jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ghostguild-org/server/api/auth/verify.get.js
Jennie Robinson Faber b7279f57d1 Add Zod validation, fix mass assignment, remove test endpoints and dead code 
- Add centralized Zod schemas (server/utils/schemas.js) and validateBody
  utility for all API endpoints
- Fix critical mass assignment in member creation: raw body no longer
  passed to new Member(), only validated fields (email, name, circle,
  contributionTier) are accepted
- Apply Zod validation to login, profile patch, event registration,
  updates, verify-payment, and admin event creation endpoints
- Fix logout cookie flags to match login (httpOnly: true, secure
  conditional on NODE_ENV)
- Delete unauthenticated test/debug endpoints (test-connection,
  test-subscription, test-bot)
- Remove sensitive console.log statements from Helcim and member
  endpoints
- Remove unused bcryptjs dependency
- Add 10MB file size limit on image uploads
- Use runtime config for JWT secret across all endpoints
- Add 38 validation tests (117 total, all passing)
2026-03-01 14:02:46 +00:00

57 lines
No EOL
1.5 KiB
JavaScript
Raw Blame History

// server/api/auth/verify.get.js
import jwt from 'jsonwebtoken'
import Member from '../../models/member.js'
import { connectDB } from '../../utils/mongoose.js'
export default defineEventHandler(async (event) => {
// Connect to database
await connectDB()
const query = getQuery(event)
const { token } = query
if (!token) {
throw createError({
statusCode: 400,
statusMessage: 'Token is required'
})
}
try {
// Verify the JWT token (use runtime config for consistency with login/requireAuth)
const config = useRuntimeConfig(event)
const decoded = jwt.verify(token, config.jwtSecret)
const member = await Member.findById(decoded.memberId)
if (!member) {
throw createError({
statusCode: 404,
statusMessage: 'Member not found'
})
}
// Create a new session token for the authenticated user
const sessionToken = jwt.sign(
{ memberId: member._id, email: member.email },
config.jwtSecret,
{ expiresIn: '7d' }
)
// Set the session cookie
setCookie(event, 'auth-token', sessionToken, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
maxAge: 60 * 60 * 24 * 7 // 7 days
})
// Redirect to the members dashboard or home page
await sendRedirect(event, '/members', 302)
} catch (err) {
throw createError({
statusCode: 401,
statusMessage: 'Invalid or expired token'
})
}
})
Reference in a new issue View git blame Copy permalink