---
issue: 022
title: "GET /api/payment/payments/:id/debug has no authentication — full payment data exposed without credentials"
severity: major
domain: Payment
labels: [security, bug, backend, major, missing-auth]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 GET /api/payment/payments/:id/debug has no authentication — full payment data exposed without credentials

**Severity:** major
**Domain:** Payment
**Labels:** security, bug, backend, major, missing-auth

## Description

`GET /api/payment/payments/:id/debug` returns the payment document plus the walletMonitor status without any authentication middleware on the route. The backend code itself flags this as a security issue.

## Current Behavior

Any unauthenticated caller can read the full payment data, including blockchain metadata.

## Expected Behavior

The route should require `authenticateToken` followed by `authorizeRoles('admin')`.

## Affected Files

- `backend/src/routes/paymentRoutes.ts`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
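Added illustration, not code from `paymentRoutes.ts`: a dependency-free Express-style middleware chain showing the unguarded debug route beside the version the issue asks for. The `authenticateToken` and `authorizeRoles` bodies, the `"<userId>:<role>"` bearer-token format and the in-memory payment record are assumptions made for this example only.

```typescript
type Role = "admin" | "customer";
type User = { id: string; role: Role };
type Req = { headers: Record<string, string>; params: { id: string }; user?: User };
type Res = { status: number; body: unknown };
type Next = () => void;
type Handler = (req: Req, res: Res, next: Next) => void;

// Constructed record standing in for the payment document + walletMonitor status.
const payments: Record<string, unknown> = {
  pay_1: { id: "pay_1", amountUsd: 42, txHash: "0xconstructed", walletMonitor: { status: "watching" } },
};

// Assumption: bearer token is "<userId>:<role>" (example only, not the project's scheme).
const authenticateToken: Handler = (req, res, next) => {
  const m = /^Bearer (\w+):(admin|customer)$/.exec(req.headers["authorization"] ?? "");
  if (!m) { res.status = 401; res.body = { error: "unauthenticated" }; return; }
  req.user = { id: m[1], role: m[2] as Role };
  next();
};

// Rejects authenticated users whose role is not in the allow-list.
const authorizeRoles = (...roles: Role[]): Handler => (req, res, next) => {
  if (!req.user || !roles.includes(req.user.role)) {
    res.status = 403; res.body = { error: "forbidden" }; return;
  }
  next();
};

// The debug handler itself: returns the payment document as-is.
const debugHandler: Handler = (req, res) => {
  const doc = payments[req.params.id];
  if (!doc) { res.status = 404; res.body = { error: "not found" }; return; }
  res.status = 200; res.body = doc;
};

// Runs a handler chain the way Express does: each handler responds or calls next().
export function run(chain: Handler[], req: Req): Res {
  const res: Res = { status: 500, body: null };
  let i = 0;
  const next: Next = () => { const h = chain[i++]; if (h) h(req, res, next); };
  next();
  return res;
}

// Before: the route as the audit found it (no auth middleware). After: the fix the issue requests.
export const vulnerableDebugRoute: Handler[] = [debugHandler];
export const hardenedDebugRoute: Handler[] = [authenticateToken, authorizeRoles("admin"), debugHandler];

export const request = (id: string, authorization?: string): Req =>
  ({ headers: authorization ? { authorization } : {}, params: { id } });
```

With `run(hardenedDebugRoute, request("pay_1"))` an anonymous caller gets 401, a `customer` token gets 403, and only an `admin` token reaches the payment document; the vulnerable chain returns 200 to everyone.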