Flow docs updated (11 files): - Delivery Confirmation: reversed actor roles (buyer generates, seller verifies), fixed endpoint paths (/delivery-code/generate, /delivery-code/verify) - Passkey (WebAuthn): removed stub/simulated-key claims; real @simplewebauthn/server attestation is implemented; refresh tokens are persisted - Dispute: corrected resolve schema (action enum), removed non-existent statuses, documented security gaps (no role guards on status/resolve/assign), route shadowing, all socket events are TODO stubs - Seller Offer: corrected all endpoint paths, removed 'active' status, documented withdraw dead code, missing seller history page, select-offer notification gap - Notification: corrected mark-all-read method+path, fixed GET /:id broken lookup, added unread-count-update socket event - Authentication: corrected rate limiter (counts all attempts), axios 403 not handled, deleteAccount wrong endpoint bug, changePassword no UI - Password Reset: corrected 6-digit code (not 8), documented no-complexity gap on reset-with-code vs token reset - Payment Flow DePay: /create→/save, removed phantom sub-routes, SIM_ bypass risk, PaymentProvider type gap, getProviderIntentEndpoint routing bug - Payment Flow SHKeeper: removed phantom polling endpoint, fixed release/refund paths - Purchase Request: added pending_payment/active statuses, fixed sellers/attachments endpoints, corrected socket events, PUT→PATCH bug - Escrow: documented dispute resolve does not touch escrow, route shadowing, confirm-delivery auth gap Issues created (35 files in Issues/): - 9 security issues (critical) including: dispute privilege escalation ×4, unauthenticated payment/scanner endpoints ×2, SIM_ production bypass, confirm-delivery ownership gap - 26 additional major/critical bugs covering broken endpoints, missing features, data integrity gaps, and frontend-backend mismatches Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1.8 KiB
issue, title, severity, domain, labels, status, created, source
| issue | title | severity | domain | labels | status | created | source | ||
|---|---|---|---|---|---|---|---|---|---|
| 015 | Seller offer withdraw has no HTTP route — withdrawOffer() service method is dead code | major | seller-offer |
|
open | 2026-05-29 | Doc vs Code Audit 2026-05-29 |
🟠 Seller offer withdraw has no HTTP route — withdrawOffer() service method is dead code
Severity: major Domain: seller-offer Labels: backend, missing-feature
Description
SellerOfferService.withdrawOffer() (SellerOfferService.ts lines ~427-443) exists and implements withdrawal logic, but no HTTP route calls it. The documented POST /api/marketplace/offers/:id/withdraw endpoint does not exist in routes.ts or marketplaceController.ts.
There is also no frontend withdrawOffer() action, no withdraw button in any seller step component, and no seller offers history page at /dashboard/seller/marketplace/offers.
The only workaround is PUT /api/marketplace/offers/:id/status with { status: 'withdrawn' }, which has no guard ensuring the requester is the offer's seller.
Current Behavior
Sellers cannot withdraw their pending offers through any UI path. Withdrawing via PUT /offers/:id/status is the only API path and has no ownership guard.
Expected Behavior
- Wire a
POST /api/marketplace/offers/:id/withdrawroute toSellerOfferService.withdrawOffer() - Add an ownership guard (only the offer's seller can withdraw)
- Add a frontend withdraw button and action
Affected Files
backend/src/routes/routes.ts— missingPOST /offers/:id/withdrawroutefrontend/src/actions/marketplace.ts— missingwithdrawOfferaction- Frontend seller dashboard — missing offers list page
References
- Doc vs Code Audit Report — Findings C9, M26