---
issue: 044
title: "POST /api/marketplace/purchase-requests/:id/final-approval creates dummy payment for testing if no real payment exists — testing backdoor in production code"
severity: major
domain: Purchase Request
labels: [security, bug, backend, major, escrow, bypass]
status: resolved
resolved: 2026-05-29
fix: "Wrapped dummy payment creation in process.env.NODE_ENV !== 'production' guard in marketplace/routes.ts — in production the route returns 404 when no real payment exists."
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 POST /api/marketplace/purchase-requests/:id/final-approval creates dummy payment for testing if no real payment exists — testing backdoor in production code

**Severity:** major
**Domain:** Purchase Request
**Labels:** security, bug, backend, major, escrow, bypass

## Description

The final-approval endpoint in routes.ts (lines 1561-1592) contains logic that creates a dummy Payment document when no real payment is found and the request is in 'delivered' or 'delivery' status. This testing backdoor is undocumented and bypasses the payment integrity check in production.

## Current Behavior

Any request in delivered/delivery status can be final-approved without a real payment by triggering this code path, effectively releasing escrow for unpaid orders.

## Expected Behavior

The dummy payment creation should be guarded by NODE_ENV !== 'production' or removed entirely from production code.

## Affected Files

- `backend/src/routes/routes.ts`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
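The recorded fix (an environment guard around the dummy-payment branch, with a 404 in production) as an added illustration; this is not the project's routes.ts but a self-contained model of the handler's decision logic with an in-memory store, constructed sample requests, and a plain `nodeEnv` parameter standing in for `process.env.NODE_ENV`. The pre-fix behaviour is what the function does when the guard is absent, i.e. the dummy branch runs in every environment.

```typescript
// Added example, not code from the project. Models the final-approval check as a
// pure function so the guarded and unguarded behaviour can be compared in tests.
type RequestStatus = 'pending' | 'delivery' | 'delivered' | 'approved';
type PurchaseRequest = { id: string; status: RequestStatus };
type Payment = { requestId: string; amount: number; dummy: boolean };
type Store = { requests: Map<string, PurchaseRequest>; payments: Map<string, Payment> };
type Result = { code: number; body: string };

// Mirrors the fix: dummy payments may only be fabricated outside production.
function dummyPaymentAllowed(nodeEnv: string | undefined): boolean {
  return nodeEnv !== 'production';
}

function finalApproval(store: Store, id: string, nodeEnv: string | undefined): Result {
  const req = store.requests.get(id);
  if (!req) return { code: 404, body: 'purchase request not found' };
  if (req.status !== 'delivered' && req.status !== 'delivery') {
    return { code: 409, body: `cannot final-approve a request in status ${req.status}` };
  }
  let payment = store.payments.get(id);
  if (!payment) {
    // The audited bug: this branch had no guard, so any delivered request could be
    // approved (escrow released) with no money ever captured. With the guard, the
    // production path refuses instead of inventing a payment.
    if (!dummyPaymentAllowed(nodeEnv)) {
      return { code: 404, body: 'no payment found for purchase request' };
    }
    payment = { requestId: id, amount: 0, dummy: true };
    store.payments.set(id, payment);
  }
  req.status = 'approved';
  return { code: 200, body: payment.dummy ? 'approved (dummy payment, non-production)' : 'approved' };
}

// Constructed sample data: pr-1 delivered but unpaid, pr-2 delivered and paid, pr-3 not delivered.
function makeStore(): Store {
  const requests = new Map<string, PurchaseRequest>([
    ['pr-1', { id: 'pr-1', status: 'delivered' }],
    ['pr-2', { id: 'pr-2', status: 'delivered' }],
    ['pr-3', { id: 'pr-3', status: 'pending' }],
  ]);
  const payments = new Map<string, Payment>([
    ['pr-2', { requestId: 'pr-2', amount: 120, dummy: false }],
  ]);
  return { requests, payments };
}
```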