nick-doc/Issues/ISSUE-005-post-api-payment-payments-id-fetch-tx-post-api-payment-payme.md
Siavash Sameni eab1d77582 docs(issues): mark ISSUE-003 through ISSUE-006 resolved, update index
Index: 47 open (8 critical, 39 major), 6 resolved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


| issue | title | severity | domain | labels | status | resolved | fix | created | source |
|---|---|---|---|---|---|---|---|---|---|
| 005 | POST /api/payment/payments/:id/fetch-tx, POST /api/payment/payments/auto-fetch-missing, and GET /api/payment/payments/:id/debug have no authentication middleware | critical | Payment | security, bug, backend, critical, missing-auth | resolved | 2026-05-29 | Added authenticateToken + authorizeRoles('admin') to /payments/:id/debug, /payments/:id/fetch-tx, and /payments/auto-fetch-missing in paymentRoutes.ts | 2026-05-29 | Doc vs Code Audit 2026-05-29 |

🔴 POST /api/payment/payments/:id/fetch-tx, POST /api/payment/payments/auto-fetch-missing, and GET /api/payment/payments/:id/debug have no authentication middleware

Severity: critical Domain: Payment Labels: security, bug, backend, critical, missing-auth

Description

Three payment utility/debug endpoints are mounted with zero authentication. Any unauthenticated caller can read full payment internals (including blockchain metadata and wallet monitor state) or trigger on-chain fetches and state writes. These are exploitable without credentials in production.

Current Behavior

All three return 200 with full data when called without any Authorization header.

Expected Behavior

All three endpoints should require at minimum authenticateToken, and ideally authorizeRoles('admin').

Reproduction Steps

curl -X POST https://api.example.com/api/payment/payments/test123/fetch-tx (no Authorization header): expected 401, currently returns 200.
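The expected behaviour above, as an added regression check that is not the project's own code: a tiny Express-style stand-in router with simplified `authenticateToken` and `authorizeRoles` (named after the middlewares the fix adds, but implemented here with a constructed token table rather than the project's JWT verification) guarding the three routes, so that each call returns 401 without credentials, 403 for a non-admin, and 200 only for an admin. Paths are router-relative as in paymentRoutes.ts, without the /api/payment prefix.

```typescript
// Added regression check for ISSUE-005 (not the project's own code): an Express-style
// stand-in router plus simplified authenticateToken and authorizeRoles, named after the
// middlewares the fix adds. Paths are router-relative, as in paymentRoutes.ts.
type Req = { method: string; path: string; headers: Record<string, string>; user?: { role: string } };
type Res = { status: number };
type Middleware = (req: Req, res: Res, next: () => void) => void;
// Constructed sample tokens standing in for real JWT verification.
const TOKENS: Record<string, { role: string }> = {
  "admin-token": { role: "admin" },
  "user-token": { role: "user" },
};
// Rejects the request with 401 unless a known bearer token is presented.
const authenticateToken: Middleware = (req, res, next) => {
  const m = /^Bearer (.+)$/.exec(req.headers["authorization"] ?? "");
  const user = m ? TOKENS[m[1]] : undefined;
  if (!user) { res.status = 401; return; }
  req.user = user;
  next();
};
// Rejects with 403 unless the authenticated user holds one of the given roles.
const authorizeRoles = (...roles: string[]): Middleware => (req, res, next) => {
  if (!req.user || !roles.includes(req.user.role)) { res.status = 403; return; }
  next();
};
// Stand-in for the real handlers: reaching it means both guards let the call through.
const handler: Middleware = (_req, res) => { res.status = 200; };
// The three routes in the shape the fix prescribes: both guards before the handler.
const guarded = [authenticateToken, authorizeRoles("admin"), handler];
const routes: [string, string, Middleware[]][] = [
  ["POST", "/payments/:id/fetch-tx", guarded],
  ["POST", "/payments/auto-fetch-missing", guarded],
  ["GET", "/payments/:id/debug", guarded],
];
// Express-like path match: a ":param" segment matches any single path segment.
function matches(pattern: string, path: string): boolean {
  const p = pattern.split("/"), q = path.split("/");
  return p.length === q.length && p.every((seg, i) => seg.startsWith(":") || seg === q[i]);
}
// Runs the middleware chain for one request and returns the resulting HTTP status.
function dispatch(method: string, path: string, headers: Record<string, string> = {}): number {
  const route = routes.find(([m, pat]) => m === method && matches(pat, path));
  if (!route) return 404;
  const chain = route[2];
  const req: Req = { method, path, headers };
  const res: Res = { status: 0 };
  let i = 0;
  const next = (): void => { const mw = chain[i++]; if (mw) mw(req, res, next); };
  next();
  return res.status;
}
```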

Affected Files

  • backend/src/routes/paymentRoutes.ts

References