Commit Graph

7 Commits

Author SHA1 Message Date
Ryan Chen d005080aca Add attendee cap with required login for capped events
Hosts can optionally cap total attendance (RSVPs + plus-ones) when
creating an event. Capped events require guests to log in via the
existing email code flow; RSVPs are tied to accounts and deduped per
user. The event page shows spots left and replaces the form with a
full notice when the cap is reached; the server rejects over-cap
RSVPs and edits with 409 as a race backstop.

Also threads a safeNext-validated ?next= param through the login and
name-setup flow so guests land back on the event after signing in.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 19:36:57 -04:00
Ryan Chen 4915af0665 Fix login on legacy DBs: drop NOT NULL phone/email from verification_codes
Old prod DBs had verification_codes.phone (or email) as NOT NULL with no
default, so inserting a code via identifier-only failed silently — users
received an emailed code that was never stored, and verify always said
"Invalid or expired code." Drop the legacy columns in a migration and
stop swallowing the CreateVerificationCode error.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 19:07:18 -04:00
Ryan Chen 780a214c7d Refactor login to email-only, remove phone/SMS auth
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-09 17:40:37 -04:00
Ryan Chen 0719269bce Add SMS consent logging for Twilio compliance
Log phone, IP, and user agent to sms_consents table before sending
verification SMS. Add disclosure text to login form.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-29 09:46:43 -04:00
Ryan Chen d68a6629ac Gate admin routes behind auth and add copy guest link button
When auth is enabled, admin pages require the logged-in user to be
the event owner — unauthorized visitors get redirected to the guest
view, and admin actions return 403. Also adds a copy-to-clipboard
button in the admin bar and a Makefile for common commands.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-18 09:06:16 -04:00
Ryan Chen a0c4b28d1e Support both email and phone login
Auto-detect whether the user entered an email or phone number.
Email sends via Resend, phone sends via Twilio SMS. Users table
has nullable phone and email columns; verification_codes uses a
generic identifier field.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-18 08:53:29 -04:00
Ryan Chen 471cc3ad8c Switch to phone auth via Twilio SMS and add feature flag system
Replace email-based auth (Resend) with phone-based auth (Twilio SMS).
Add BBQ_FEATURES env var for toggling features at deploy time — when
auth is disabled, no login routes are registered and the app works
as before.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-18 08:45:15 -04:00