---
issue: 030
title: "POST /api/payment/payments/cleanup-pending admin check is inside handler only — no middleware-level enforcement"
severity: major
domain: Admin
labels: [security, bug, backend, major, missing-auth]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 POST /api/payment/payments/cleanup-pending admin check is inside handler only — no middleware-level enforcement

**Severity:** major
**Domain:** Admin
**Labels:** security, bug, backend, major, missing-auth

## Description

`POST /api/payment/payments/cleanup-pending` registers only `authenticateToken` at the route level. The admin check lives inside the handler body. Any authenticated non-admin who discovers this endpoint can reach the handler, and that single in-handler check is the only defense against unauthorized bulk deletion of pending payments. Because the check is not expressed in the route definition, it is easy to miss during review, easy to lose in a refactor, and invisible to any tooling that audits route-level middleware for authorization coverage.

## Current Behavior

Non-admin authenticated users can call the endpoint. Handler code begins executing before the admin gate fires; the role check runs inside the handler rather than at middleware level.

## Expected Behavior

Apply the `authorizeRoles('admin')` middleware at the route level, after `authenticateToken` and before the handler, so that non-admin requests are rejected with 403 before any handler code runs. The in-handler check may be kept as defense in depth, but it must no longer be the sole gate.

## Affected Files

- `backend/src/routes/paymentRoutes.ts`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
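The following is an added illustration, not code from `paymentRoutes.ts` or the project's middleware. It models an Express-style middleware chain in plain TypeScript (no Express dependency) and contrasts the current shape (only `authenticateToken` on the route, role check inside the handler) with the expected shape (`authorizeRoles('admin')` as route-level middleware). The `authenticateToken` and `authorizeRoles` implementations, the token table, the request/response shapes and the `probe` helper are all assumptions constructed for the example; the real router registration would look like `router.post('/payments/cleanup-pending', authenticateToken, authorizeRoles('admin'), handler)`.

```typescript
// Added example (not project code): minimal Express-style middleware chain
// showing why the admin gate belongs at the route level, before the handler.
// authenticateToken, authorizeRoles, the token table and the request shape
// are assumptions modelled on the issue text.

type Role = 'admin' | 'user';
interface Req { user?: { id: string; role: Role }; headers: Record<string, string> }
interface Res { statusCode: number; body?: unknown }
type Next = () => void;
type Middleware = (req: Req, res: Res, next: Next) => void;

// Constructed stand-in for real token verification (assumption, not a real JWT check).
const TOKENS: Record<string, { id: string; role: Role }> = {
  'tok-admin': { id: 'u1', role: 'admin' },
  'tok-user': { id: 'u2', role: 'user' },
};

// Assumed shape of authenticateToken: attaches req.user or ends the chain with 401.
const authenticateToken: Middleware = (req, res, next) => {
  const token = (req.headers.authorization ?? '').replace(/^Bearer /, '');
  const user = TOKENS[token];
  if (!user) { res.statusCode = 401; return; } // not calling next() stops the chain
  req.user = user;
  next();
};

// Assumed shape of authorizeRoles: fails closed with 403 when req.user is
// missing or its role is not in the allow-list, so the handler never runs.
function authorizeRoles(...roles: Role[]): Middleware {
  return (req, res, next) => {
    if (!req.user || !roles.includes(req.user.role)) { res.statusCode = 403; return; }
    next();
  };
}

let handlerRuns = 0; // counts how many times the cleanup handler body executes

// Current behaviour: only authenticateToken on the route; the role check is
// the first thing the handler does, but handler code is already executing.
const cleanupPendingBefore: Middleware = (req, res) => {
  handlerRuns++;
  if (req.user?.role !== 'admin') { res.statusCode = 403; return; }
  res.statusCode = 200; res.body = { deleted: 0 };
};

// Expected behaviour: the handler can assume the route-level gate already ran.
const cleanupPendingAfter: Middleware = (req, res) => {
  handlerRuns++;
  res.statusCode = 200; res.body = { deleted: 0 };
};

// Dispatches a chain the way Express does: each middleware must call next()
// for the following one to run; returning without next() ends the request.
function dispatch(chain: Middleware[], req: Req): Res {
  const res: Res = { statusCode: 0 };
  let i = 0;
  const next: Next = () => { const mw = chain[i++]; if (mw) mw(req, res, next); };
  next();
  return res;
}

const routeBefore: Middleware[] = [authenticateToken, cleanupPendingBefore];
const routeAfter: Middleware[] = [authenticateToken, authorizeRoles('admin'), cleanupPendingAfter];

function request(token: string): Req {
  return { headers: { authorization: `Bearer ${token}` } };
}

// Returns the final status and whether the handler body executed at all,
// which is the property the route-level gate is meant to guarantee.
function probe(route: Middleware[], token: string): { status: number; handlerRan: boolean } {
  const before = handlerRuns;
  const res = dispatch(route, request(token));
  return { status: res.statusCode, handlerRan: handlerRuns > before };
}

// Non-admin on the current route: 403, but the handler body ran.
// Non-admin on the fixed route: 403 and the handler body never executed.
console.log(probe(routeBefore, 'tok-user'), probe(routeAfter, 'tok-user'), probe(routeAfter, 'tok-admin'));
```

The observable difference is `handlerRan`: both routes return 403 to a non-admin, but only the route-level gate keeps the handler from executing at all. That is what makes the authorization auditable from the route definition alone and robust against a later edit that reorders or drops the in-handler check.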