---
issue: 056
title: "Backend: verifyPayment and paymentCallback routes unauthenticated — payment completion exploitable"
severity: critical
domain: Payment
labels: [security, backend, authentication, webhook]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Backend: verifyPayment and paymentCallback routes unauthenticated — payment completion exploitable

**Severity:** critical
**Domain:** Payment
**Labels:** security, backend, authentication, webhook

## Description

`POST /payments/verify` and `POST /payments/callback` are registered without the `authenticateToken` middleware. Additionally, a non-web3 bypass path (`isWeb3Payment === false`) allows a payment to be marked completed without any verifiable on-chain or provider proof.

An unauthenticated actor can call `/payments/verify` for any payment ID and trigger the completion side-effects (status change, offer acceptance, escrow release) without owning that payment. The callback endpoint is similarly unguarded, allowing fake webhook injection.

## Options

1. Require `authenticateToken` + ownership check on `/verify`; enforce HMAC signature verification on `/callback` as a provider webhook; remove the `isWeb3Payment=false` bypass so completion always requires verifiable proof.
2. Treat `/callback` as a provider webhook with HMAC only; add auth + ownership for `/verify`.
3. Remove the non-web3 bypass so payments without a verifiable tx cannot be marked completed.

## Recommendation

Add `authenticateToken` + ownership to `/verify`, enforce HMAC/on-chain verification on `/callback` as a webhook endpoint, and remove the `isWeb3Payment=false` bypass so completion always requires verifiable proof.

## Affected Files

- `backend/src/services/payment/paymentControllerRoutes.ts` — lines 20–21

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-23
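Added example (not code from this codebase) showing the three checks the recommendation calls for as pure functions that the route handlers in `paymentControllerRoutes.ts` could call: constant-time HMAC verification of the raw `/callback` body, an ownership check for `/verify`, and a completion function with no non-web3 bypass. The `Payment` shape, the `sha256` hex signature scheme and the `providerConfirmed` flag are assumptions, not the project's actual types or provider contract.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Assumed minimal payment record; the project's real model is not shown in the issue.
export interface Payment {
  id: string;
  ownerId: string;
  isWeb3Payment: boolean;
  status: "pending" | "completed";
}

// Proof presented at completion time. A web3 payment needs an on-chain tx hash;
// a provider payment needs a confirmation that came through a verified webhook.
export interface CompletionProof {
  txHash?: string;
  providerConfirmed?: boolean;
}

// /callback: verify that the provider signed the exact raw body with the shared secret.
// Compare in constant time so an attacker cannot learn the MAC byte by byte.
export function verifyWebhookSignature(rawBody: string, signatureHex: string, secret: string): boolean {
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  const given = Buffer.from(signatureHex, "hex");
  // Length mismatch (including malformed hex) is an immediate reject; timingSafeEqual
  // throws on unequal lengths, so check first.
  if (given.length !== expected.length) return false;
  return timingSafeEqual(given, expected);
}

// /verify: the authenticated caller (from authenticateToken) must own the payment.
// An undefined callerId means the request was not authenticated at all.
export function canVerifyPayment(callerId: string | undefined, payment: Payment): boolean {
  return callerId !== undefined && callerId === payment.ownerId;
}

// Completion always requires proof: there is no isWeb3Payment === false shortcut.
export function completePayment(payment: Payment, proof: CompletionProof): Payment {
  const hasProof = payment.isWeb3Payment
    ? typeof proof.txHash === "string" && proof.txHash.length > 0
    : proof.providerConfirmed === true;
  if (!hasProof) {
    throw new Error(`payment ${payment.id}: completion requires verifiable proof`);
  }
  return { ...payment, status: "completed" };
}
```

The HMAC must be computed over the raw request bytes, so the signature middleware has to run before any JSON body parser re-serialises the payload.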