--- issue: "030" title: "PATCH /confirm-delivery has no ownership check — any authenticated user can confirm delivery" severity: major domain: delivery labels: [backend, security, bug] status: open created: 2026-05-29 source: Doc vs Code Audit 2026-05-29 --- # 🟠 PATCH /confirm-delivery has no ownership check — any authenticated user can confirm delivery **Severity:** major **Domain:** delivery **Labels:** backend, security, bug ## Description `PATCH /api/marketplace/purchase-requests/:id/confirm-delivery` (the buyer fast-track path to `'delivered'` status) has no ownership or role check. Any authenticated user who knows a purchase request ID can mark it as delivered without possessing the delivery code. ## Current Behavior `PATCH /purchase-requests/{anyId}/confirm-delivery` with any valid JWT → 200, status set to `'delivered'`. ## Expected Behavior Should verify `req.user.id === request.buyerId` — only the buyer of that specific request should be able to confirm delivery via this fast-track path. ## Affected Files - `backend/src/routes/controllerRoutes.ts` or `routes.ts` — `confirm-delivery` handler missing ownership guard ## References - [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)