Jennie Robinson Faber
26c300c357
Auth: Add requireAuth/requireAdmin guards with JWT cookie verification, member status checks (suspended/cancelled = 403), and admin role enforcement. Apply to all admin, upload, and payment endpoints. Add role field to Member model. CSRF: Double-submit cookie middleware with client plugin. Exempt webhook and magic-link verify routes. Headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy on all responses. HSTS and CSP (Helcim/Cloudinary/Plausible sources) in production only. Rate limiting: Auth 5/5min, payment 10/min, upload 10/min, general 100/min via rate-limiter-flexible, keyed by client IP. XSS: DOMPurify sanitization on marked() output with tag/attr allowlists. escapeHtml() utility for email template interpolation. Anti-enumeration: Login returns identical response for existing and non-existing emails. Remove 404 handling from login UI components. Mass assignment: Remove helcimCustomerId from profile allowedFields. Session: 7-day token expiry, refresh endpoint, httpOnly+secure cookies. Environment: Validate required secrets on startup via server plugin. Remove JWT_SECRET hardcoded fallback.
85 lines
2.7 KiB
JavaScript
85 lines
2.7 KiB
JavaScript
// Initialize HelcimPay.js session
|
|
import { requireAuth } from "../../utils/auth.js";
|
|
|
|
const HELCIM_API_BASE = "https://api.helcim.com/v2";
|
|
|
|
export default defineEventHandler(async (event) => {
|
|
try {
|
|
await requireAuth(event);
|
|
const config = useRuntimeConfig(event);
|
|
const body = await readBody(event);
|
|
|
|
|
|
const helcimToken =
|
|
config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN;
|
|
|
|
// Determine payment type based on whether this is for a subscription or one-time payment
|
|
const isEventTicket = body.metadata?.type === "event_ticket";
|
|
const amount = body.amount || 0;
|
|
|
|
// For event tickets with amount > 0, we do a purchase
|
|
// For subscriptions or card verification, we do verify
|
|
const paymentType = isEventTicket && amount > 0 ? "purchase" : "verify";
|
|
|
|
const requestBody = {
|
|
paymentType,
|
|
amount: paymentType === "purchase" ? amount : 0,
|
|
currency: "CAD",
|
|
paymentMethod: "cc",
|
|
};
|
|
|
|
// For subscription setup (verify mode), include customer code if provided
|
|
// For one-time purchases (event tickets), don't include customer code
|
|
// as the customer may not exist in Helcim yet
|
|
if (body.customerCode && paymentType === "verify") {
|
|
requestBody.customerCode = body.customerCode;
|
|
}
|
|
|
|
// Add product/event information for better display in Helcim modal
|
|
if (body.metadata?.eventTitle) {
|
|
// Some Helcim accounts don't support invoice numbers in initialization
|
|
// Try multiple fields that might display in the modal
|
|
requestBody.description = body.metadata.eventTitle;
|
|
requestBody.notes = body.metadata.eventTitle;
|
|
requestBody.orderNumber = `${body.metadata.eventId}`;
|
|
}
|
|
|
|
// Initialize HelcimPay.js session
|
|
const response = await fetch(`${HELCIM_API_BASE}/helcim-pay/initialize`, {
|
|
method: "POST",
|
|
headers: {
|
|
accept: "application/json",
|
|
"content-type": "application/json",
|
|
"api-token": helcimToken,
|
|
},
|
|
body: JSON.stringify(requestBody),
|
|
});
|
|
|
|
if (!response.ok) {
|
|
const errorText = await response.text();
|
|
console.error(
|
|
"HelcimPay initialization failed:",
|
|
response.status,
|
|
errorText,
|
|
);
|
|
throw createError({
|
|
statusCode: response.status,
|
|
statusMessage: `Failed to initialize payment: ${errorText}`,
|
|
});
|
|
}
|
|
|
|
const paymentData = await response.json();
|
|
|
|
return {
|
|
success: true,
|
|
checkoutToken: paymentData.checkoutToken,
|
|
secretToken: paymentData.secretToken,
|
|
};
|
|
} catch (error) {
|
|
console.error("Error initializing HelcimPay:", error);
|
|
throw createError({
|
|
statusCode: error.statusCode || 500,
|
|
statusMessage: error.message || "Failed to initialize payment",
|
|
});
|
|
}
|
|
});
|