ghostguild-org/server/api/helcim/verify-payment.post.js

// Verify payment token from HelcimPay.js
import { requireAuth, getSignupBridgeMember } from '../../utils/auth.js'
import { validateBody } from '../../utils/validateBody.js'
import { paymentVerifySchema } from '../../utils/schemas.js'
import { listHelcimCustomerCards } from '../../utils/helcim.js'

export default defineEventHandler(async (event) => {
  try {
    // Membership signup verifies the card before email verify; allow the
    // signup-bridge cookie set by /api/helcim/customer to satisfy auth here.
    const bridgeMember = await getSignupBridgeMember(event)
    if (!bridgeMember) {
      await requireAuth(event)
    }
    const body = await validateBody(event, paymentVerifySchema)

    // Verify the card token by fetching the customer's cards from Helcim
    const cards = await listHelcimCustomerCards(body.customerId)

    // Verify the card token exists for this customer
    const cardExists = cards.some(card =>
      card.cardToken === body.cardToken
    )

    if (!cardExists) {
      throw createError({
        statusCode: 400,
        statusMessage: 'Payment method not found or does not belong to this customer'
      })
    }

    return {
      success: true,
      cardToken: body.cardToken,
      message: 'Payment verified with Helcim'
    }
  } catch (error) {
    console.error('Error verifying payment:', error)
    throw createError({
      statusCode: error.statusCode || 500,
      statusMessage: error.statusMessage || 'Failed to verify payment'
    })
  }
})