Jennie Robinson Faber
208638e374
Day-of-launch deep-dive audit and remediation. 11 issues fixed across security, correctness, and reliability. Tests: 698 → 758 passing (+60), 0 failing, 2 skipped. CRITICAL (security) Fix #1 — HELCIM_API_TOKEN removed from runtimeConfig.public; dead useHelcim.js deleted. Production token MUST BE ROTATED post-deploy (was previously exposed in window.__NUXT__ payload). Fix #2 — /api/helcim/customer gated with origin check + per-IP/email rate limit + magic-link email verification (replaces unauthenticated setAuthCookie). Adds payment-bridge token for paid-tier signup so users can complete Helcim checkout before email verify. New utils: server/utils/{magicLink,rateLimit}.js. UX: signup success copy now prompts user to check email. Fix #3 — /api/events/[id]/payment deleted (dead code with unauth member-spoof bypass — processHelcimPayment was a permanent stub). Removes processHelcimPayment export and eventPaymentSchema. Fix #4 — /api/helcim/initialize-payment re-derives ticket amount server-side via calculateTicketPrice and calculateSeriesTicketPrice. Adds new series_ticket metadata type (was being shoved through event_ticket with seriesId in metadata.eventId). Fix #5 — /api/helcim/customer upgrades existing status:guest members in place rather than rejecting with 409. Lowercases email at lookup; preserves _id so prior event registrations stay linked. HIGH (correctness / reliability) Fix #6 — Daily reconciliation cron via Netlify scheduled function (@daily). New: netlify.toml, netlify/functions/reconcile-payments.mjs, server/api/internal/reconcile-payments.post.js. Shared-secret auth via NUXT_RECONCILE_TOKEN env var. Inline 3-retry exponential backoff on Helcim transactions API. Fix #7 — validateBeforeSave: false on event subdoc saves (waitlist endpoints) to dodge legacy location validators. Fix #8 — /api/series/[id]/tickets/purchase always upserts a guest Member when caller is unauthenticated, mirrors event-ticket flow byte-for-byte. SeriesPassPurchase.vue adds guest-account hint and client auth refresh on signedIn:true response. Fix #9 — /api/members/cancel-subscription leaves status active per ratified bylaws (was pending_payment). Adds lastCancelledAt audit field on Member model. Indirectly fixes false-positive detectStuckPendingPayment admin alert for cancelled members. Fix #10 — /api/auth/verify uses validateBody with strict() Zod schema (verifyMagicLinkSchema, max 2000 chars). Fix #11 — 8 vitest cases for cancel-subscription handler (was uncovered). Specs and audit at docs/superpowers/specs/2026-04-25-fix-*.md and docs/superpowers/plans/2026-04-25-launch-readiness-fixes.md. LAUNCH_READINESS.md updated with new test count, 3 deploy-time tasks (rotate Helcim token, set NUXT_RECONCILE_TOKEN, verify Netlify scheduled function), and Fixed-2026-04-25 fix log.
305 lines
8.7 KiB
JavaScript
305 lines
8.7 KiB
JavaScript
import { describe, it, expect, vi, beforeEach } from 'vitest'
|
|
|
|
import jwt from 'jsonwebtoken'
|
|
import Member from '../../../server/models/member.js'
|
|
import verifyHandler from '../../../server/api/auth/verify.post.js'
|
|
import { createMockEvent } from '../helpers/createMockEvent.js'
|
|
|
|
vi.mock('../../../server/models/member.js', () => ({
|
|
default: { findById: vi.fn(), findByIdAndUpdate: vi.fn() }
|
|
}))
|
|
|
|
vi.mock('../../../server/utils/mongoose.js', () => ({
|
|
connectDB: vi.fn()
|
|
}))
|
|
|
|
vi.mock('jsonwebtoken', () => ({
|
|
default: {
|
|
verify: vi.fn(),
|
|
sign: vi.fn().mockReturnValue('mock-session-token')
|
|
}
|
|
}))
|
|
|
|
const baseMember = {
|
|
_id: 'member-123',
|
|
email: 'test@example.com',
|
|
status: 'active',
|
|
role: 'member',
|
|
magicLinkJti: 'jti-abc',
|
|
magicLinkJtiUsed: false,
|
|
tokenVersion: 1
|
|
}
|
|
|
|
describe('auth verify endpoint', () => {
|
|
beforeEach(() => {
|
|
vi.clearAllMocks()
|
|
})
|
|
|
|
it('rejects missing token with 400', async () => {
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: {}
|
|
})
|
|
|
|
await expect(verifyHandler(event)).rejects.toMatchObject({
|
|
statusCode: 400,
|
|
statusMessage: 'Validation failed'
|
|
})
|
|
})
|
|
|
|
it('rejects non-string number token with 400 before jwt.verify', async () => {
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: { token: 123 }
|
|
})
|
|
|
|
await expect(verifyHandler(event)).rejects.toMatchObject({
|
|
statusCode: 400,
|
|
statusMessage: 'Validation failed'
|
|
})
|
|
expect(jwt.verify).not.toHaveBeenCalled()
|
|
})
|
|
|
|
it('rejects non-string boolean token with 400 before jwt.verify', async () => {
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: { token: true }
|
|
})
|
|
|
|
await expect(verifyHandler(event)).rejects.toMatchObject({
|
|
statusCode: 400,
|
|
statusMessage: 'Validation failed'
|
|
})
|
|
expect(jwt.verify).not.toHaveBeenCalled()
|
|
})
|
|
|
|
it('rejects empty string token with 400 before jwt.verify', async () => {
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: { token: '' }
|
|
})
|
|
|
|
await expect(verifyHandler(event)).rejects.toMatchObject({
|
|
statusCode: 400,
|
|
statusMessage: 'Validation failed'
|
|
})
|
|
expect(jwt.verify).not.toHaveBeenCalled()
|
|
})
|
|
|
|
it('rejects oversized token (>2000 chars) with 400 before jwt.verify', async () => {
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: { token: 'x'.repeat(2001) }
|
|
})
|
|
|
|
await expect(verifyHandler(event)).rejects.toMatchObject({
|
|
statusCode: 400,
|
|
statusMessage: 'Validation failed'
|
|
})
|
|
expect(jwt.verify).not.toHaveBeenCalled()
|
|
})
|
|
|
|
it('rejects null body with 400 before jwt.verify', async () => {
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: null
|
|
})
|
|
|
|
await expect(verifyHandler(event)).rejects.toMatchObject({
|
|
statusCode: 400,
|
|
statusMessage: 'Validation failed'
|
|
})
|
|
expect(jwt.verify).not.toHaveBeenCalled()
|
|
})
|
|
|
|
it('rejects unknown extra keys with 400 before jwt.verify (strict mode)', async () => {
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: { token: 'valid-token', email: 'extra@example.com' }
|
|
})
|
|
|
|
await expect(verifyHandler(event)).rejects.toMatchObject({
|
|
statusCode: 400,
|
|
statusMessage: 'Validation failed'
|
|
})
|
|
expect(jwt.verify).not.toHaveBeenCalled()
|
|
})
|
|
|
|
it('rejects invalid JWT with 401', async () => {
|
|
jwt.verify.mockImplementation(() => { throw new Error('invalid') })
|
|
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: { token: 'bad-token' }
|
|
})
|
|
|
|
await expect(verifyHandler(event)).rejects.toMatchObject({
|
|
statusCode: 401,
|
|
statusMessage: 'Invalid or expired token'
|
|
})
|
|
})
|
|
|
|
it('rejects when member not found with 401', async () => {
|
|
jwt.verify.mockReturnValue({ memberId: 'nonexistent', jti: 'jti-abc' })
|
|
Member.findById.mockResolvedValue(null)
|
|
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: { token: 'valid-token' }
|
|
})
|
|
|
|
await expect(verifyHandler(event)).rejects.toMatchObject({
|
|
statusCode: 401,
|
|
statusMessage: 'Invalid or expired token'
|
|
})
|
|
})
|
|
|
|
it('rejects suspended member with 403', async () => {
|
|
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'jti-abc' })
|
|
Member.findById.mockResolvedValue({ ...baseMember, status: 'suspended' })
|
|
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: { token: 'valid-token' }
|
|
})
|
|
|
|
await expect(verifyHandler(event)).rejects.toMatchObject({
|
|
statusCode: 403,
|
|
statusMessage: 'Account is suspended'
|
|
})
|
|
})
|
|
|
|
it('rejects cancelled member with 403', async () => {
|
|
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'jti-abc' })
|
|
Member.findById.mockResolvedValue({ ...baseMember, status: 'cancelled' })
|
|
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: { token: 'valid-token' }
|
|
})
|
|
|
|
await expect(verifyHandler(event)).rejects.toMatchObject({
|
|
statusCode: 403,
|
|
statusMessage: 'Account is cancelled'
|
|
})
|
|
})
|
|
|
|
it('rejects JTI mismatch with 401', async () => {
|
|
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'wrong-jti' })
|
|
Member.findById.mockResolvedValue({ ...baseMember })
|
|
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: { token: 'valid-token' }
|
|
})
|
|
|
|
await expect(verifyHandler(event)).rejects.toMatchObject({
|
|
statusCode: 401,
|
|
statusMessage: 'Invalid or expired token'
|
|
})
|
|
})
|
|
|
|
it('rejects already-used JTI with 401', async () => {
|
|
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'jti-abc' })
|
|
Member.findById.mockResolvedValue({ ...baseMember, magicLinkJtiUsed: true })
|
|
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: { token: 'valid-token' }
|
|
})
|
|
|
|
await expect(verifyHandler(event)).rejects.toMatchObject({
|
|
statusCode: 401,
|
|
statusMessage: 'Invalid or expired token'
|
|
})
|
|
})
|
|
|
|
it('burns token atomically via findByIdAndUpdate', async () => {
|
|
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'jti-abc' })
|
|
Member.findById.mockResolvedValue({ ...baseMember })
|
|
Member.findByIdAndUpdate.mockResolvedValue({})
|
|
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: { token: 'valid-token' }
|
|
})
|
|
|
|
await verifyHandler(event)
|
|
|
|
expect(Member.findByIdAndUpdate).toHaveBeenCalledWith(
|
|
'member-123',
|
|
{ $set: { magicLinkJtiUsed: true, lastLogin: expect.any(Date) } },
|
|
{ runValidators: false }
|
|
)
|
|
})
|
|
|
|
it('sets httpOnly session cookie with correct attributes', async () => {
|
|
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'jti-abc' })
|
|
Member.findById.mockResolvedValue({ ...baseMember })
|
|
Member.findByIdAndUpdate.mockResolvedValue({})
|
|
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: { token: 'valid-token' }
|
|
})
|
|
|
|
await verifyHandler(event)
|
|
|
|
const setCookieHeader = event._testSetHeaders['set-cookie']
|
|
expect(setCookieHeader).toBeDefined()
|
|
|
|
const cookie = Array.isArray(setCookieHeader) ? setCookieHeader.join('; ') : setCookieHeader
|
|
expect(cookie).toContain('auth-token=mock-session-token')
|
|
expect(cookie).toContain('HttpOnly')
|
|
expect(cookie).toContain('SameSite=Lax')
|
|
expect(cookie).toContain('Path=/')
|
|
expect(cookie).toContain('Max-Age=604800')
|
|
})
|
|
|
|
it('returns admin redirect for admin role', async () => {
|
|
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'jti-abc' })
|
|
Member.findById.mockResolvedValue({ ...baseMember, role: 'admin' })
|
|
Member.findByIdAndUpdate.mockResolvedValue({})
|
|
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: { token: 'valid-token' }
|
|
})
|
|
|
|
const result = await verifyHandler(event)
|
|
|
|
expect(result).toEqual({ success: true, redirectUrl: '/admin' })
|
|
})
|
|
|
|
it('returns member redirect for non-admin role', async () => {
|
|
jwt.verify.mockReturnValue({ memberId: 'member-123', jti: 'jti-abc' })
|
|
Member.findById.mockResolvedValue({ ...baseMember })
|
|
Member.findByIdAndUpdate.mockResolvedValue({})
|
|
|
|
const event = createMockEvent({
|
|
method: 'POST',
|
|
path: '/api/auth/verify',
|
|
body: { token: 'valid-token' }
|
|
})
|
|
|
|
const result = await verifyHandler(event)
|
|
|
|
expect(result).toEqual({ success: true, redirectUrl: '/member/dashboard' })
|
|
})
|
|
})
|