Added missing dependencies that were installed on server but not in repo:
- axios: ^1.14.0
- connect-pg-simple: ^10.0.0
- date-fns: ^4.1.0
This caused deploy script to fail with MODULE_NOT_FOUND errors.
Chronicler #69
Package was manually installed but not in package.json
Deploy script runs npm install which removed it every time
Signed-off-by: Claude (Chronicler #57) <claude@firefrostgaming.com>
Added CORS middleware to allow website (firefrostgaming.com) to call
Trinity Console's /stripe/create-checkout-session endpoint.
WHAT WAS DONE:
- Installed cors package (npm install cors)
- Added cors import to src/index.js
- Configured CORS middleware for /stripe/create-checkout-session route
- Restricted to POST method only from firefrostgaming.com origin
- Positioned after body parsers, before session middleware
WHY:
- Gemini consultation verdict: Option 2 (JavaScript checkout) required
- Prevents double-click danger (users creating multiple checkout sessions)
- Enables instant button disable + loading state for better UX
- Industry standard for payment flows per Stripe documentation
FILES MODIFIED:
- services/arbiter-3.0/package.json (+cors dependency)
- services/arbiter-3.0/package-lock.json (dependency tree)
- services/arbiter-3.0/src/index.js (CORS middleware, 8 lines added)
RELATED TASKS:
- Soft launch blocker: Website subscribe button integration
- Next step: Update subscribe.njk with JavaScript checkout handler
Signed-off-by: Claude (Chronicler #57) <claude@firefrostgaming.com>
WHAT WAS DONE:
- Created src/routes/stripe.js with 3 endpoints:
* POST /stripe/create-checkout-session (dynamic mode: subscription or payment)
* POST /stripe/webhook (signature verified, transaction-safe, idempotent)
* POST /stripe/create-portal-session (Stripe Customer Portal access)
- Updated package.json to add stripe@^14.14.0 dependency
- Updated src/index.js to register Stripe routes (webhook BEFORE body parsers - critical!)
- Updated .env.example with STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, BASE_URL
WHY:
- Eliminates Paymenter dependency (Gemini-approved architecture)
- Handles both recurring subscriptions (tiers 2-9) and one-time payments (Awakened, Sovereign)
- Webhook processes 8 event types with full transaction safety
- Grace period system for failed payments (3-day countdown, auto-downgrade to Awakened)
- Chargeback = immediate permanent ban
- Idempotency protection via webhook_events_processed table
TECHNICAL DETAILS:
- Checkout dynamically switches mode based on billing_type (recurring vs one-time)
- Webhook uses BEGIN/COMMIT/ROLLBACK for all database operations
- Raw body parser for webhook signature verification (must come before express.json())
- Supports Stripe Customer Portal for self-service subscription management
- Handles both stripe_subscription_id and stripe_payment_intent_id correctly
- Grace period logic excludes lifetime users (is_lifetime = TRUE)
FILES CHANGED:
- services/arbiter-3.0/src/routes/stripe.js (new, 421 lines)
- services/arbiter-3.0/package.json (added stripe dependency)
- services/arbiter-3.0/src/index.js (registered stripe routes, webhook ordering)
- services/arbiter-3.0/.env.example (added Stripe env vars)
NEXT STEPS:
- Deploy to Command Center
- Add STRIPE_SECRET_KEY and STRIPE_WEBHOOK_SECRET to production .env
- Configure Stripe webhook endpoint in Dashboard
- Test end-to-end in test mode
- Switch to live mode for launch
Signed-off-by: Claude (Chronicler #57) <claude@firefrostgaming.com>
CRITICAL SECURITY FIX - Prevents Cross-Site Request Forgery attacks
Changes:
- Installed csurf middleware (session-based tokens)
- Added CSRF middleware to all /admin routes in src/index.js
- Configured admin router to pass csrfToken to all views
- Updated layout.ejs to send CSRF token with htmx requests
- Added EJS view engine configuration
- Added body parsing middleware (json + urlencoded)
Security Impact:
- Prevents malicious sites from executing admin actions using cookies
- All POST requests now require valid CSRF token
- Invalid tokens return 403 Forbidden
- Session-based tokens (no cookies needed)
Protected Routes:
- /admin/servers/:id/sync (force whitelist sync)
- /admin/servers/:id/toggle-whitelist (whitelist toggle)
- /admin/grace/:id/extend (grace period extension)
- /admin/grace/:id/manual (manual payment override)
- /admin/roles/resync/:id (role assignment)
Attack Scenario Prevented:
User visits malicious site while logged into Trinity Console
→ Site tries to submit form to admin endpoint
→ Request includes session cookie but NO CSRF token
→ Server rejects with 403 Forbidden
→ Attack failed!
Note: csurf is deprecated but still functional. For future refactor,
consider csrf-csrf or Express 5 built-in protection.
Refs: TRINITY-CONSOLE-PRE-LAUNCH-CHECKLIST.md - Fix#1
Chronicler: #51
Signed-off-by: Claude (Chronicler #51) <claude@firefrostgaming.com>
