nick-doc/Issues/ISSUE-044-post-api-marketplace-purchase-requests-id-final-approval-cre.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


| issue | title | severity | domain | labels | status | resolved | fix | status | created | source |
|---|---|---|---|---|---|---|---|---|---|---|
| 044 | POST /api/marketplace/purchase-requests/:id/final-approval creates dummy payment for testing if no real payment exists — testing backdoor in production code | major | Purchase Request | security, bug, backend, major, escrow, bypass | resolved | 2026-05-29 | Wrapped dummy payment creation in `process.env.NODE_ENV !== 'production'` guard in marketplace/routes.ts — in production the route returns 404 when no real payment exists. | open | 2026-05-29 | Doc vs Code Audit 2026-05-29 |

🟠 POST /api/marketplace/purchase-requests/:id/final-approval creates dummy payment for testing if no real payment exists — testing backdoor in production code

Severity: major
Domain: Purchase Request
Labels: security, bug, backend, major, escrow, bypass

Description

The final-approval endpoint in routes.ts (lines 1561-1592) contains logic that creates a dummy Payment document when no real payment is found and the request is in 'delivered' or 'delivery' status. This testing backdoor is undocumented and bypasses the payment integrity check in production.

Current Behavior

Any request in delivered/delivery status can be final-approved without a real payment by triggering this code path, effectively releasing escrow for unpaid orders.

Expected Behavior

The dummy payment creation should be guarded by NODE_ENV !== 'production' or removed entirely from production code.
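The following is an added example, not code from the project or this issue file. It models the final-approval route as plain TypeScript functions (no Express) so the unguarded behaviour described above and the guarded form recorded in the fix can be run side by side. `Store`, `PurchaseRequest`, `Payment`, `finalApprovalUnguarded`, `finalApproval` and the fixture in `makeStore` are all assumed names; the real route would read `process.env.NODE_ENV` itself, whereas here the environment is passed in so the production and non-production paths can both be exercised.

```typescript
// Added example (not the project's code). Assumed types and names throughout.

type RequestStatus = "pending" | "delivered" | "delivery" | "completed";

interface PurchaseRequest {
  id: string;
  status: RequestStatus;
  escrowReleased: boolean;
}

interface Payment {
  requestId: string;
  amount: number;
  dummy: boolean; // true only for the non-production fixture payment
}

interface Store {
  requests: Map<string, PurchaseRequest>;
  payments: Payment[];
}

interface RouteResult {
  status: number;
  body: { error?: string; requestId?: string; paymentDummy?: boolean };
}

// Statuses from which a request may be final-approved, per the issue text.
const APPROVABLE: ReadonlySet<RequestStatus> = new Set<RequestStatus>(["delivered", "delivery"]);

function findPayment(store: Store, requestId: string): Payment | undefined {
  return store.payments.find((p) => p.requestId === requestId);
}

function releaseEscrow(req: PurchaseRequest): void {
  req.status = "completed";
  req.escrowReleased = true;
}

// 'Before' behaviour described in the issue: when no payment exists a dummy one is
// fabricated and approval continues, so escrow is released for an order never paid.
function finalApprovalUnguarded(store: Store, id: string): RouteResult {
  const req = store.requests.get(id);
  if (!req || !APPROVABLE.has(req.status)) {
    return { status: 404, body: { error: "request not found" } };
  }
  let payment = findPayment(store, id);
  if (!payment) {
    payment = { requestId: id, amount: 0, dummy: true };
    store.payments.push(payment);
  }
  releaseEscrow(req);
  return { status: 200, body: { requestId: id, paymentDummy: payment.dummy } };
}

// Guarded form matching the recorded fix: the dummy-payment path is only reachable
// when nodeEnv !== "production"; in production a missing payment yields 404 and
// neither a payment nor an escrow release is created.
function finalApproval(store: Store, id: string, nodeEnv: string | undefined): RouteResult {
  const req = store.requests.get(id);
  if (!req || !APPROVABLE.has(req.status)) {
    return { status: 404, body: { error: "request not found" } };
  }
  let payment = findPayment(store, id);
  if (!payment) {
    if (nodeEnv === "production") {
      return { status: 404, body: { error: "no payment found for request" } };
    }
    payment = { requestId: id, amount: 0, dummy: true };
    store.payments.push(payment);
  }
  releaseEscrow(req);
  return { status: 200, body: { requestId: id, paymentDummy: payment.dummy } };
}

// Constructed fixture: one delivered request with no payment, one with a real payment.
function makeStore(): Store {
  return {
    requests: new Map<string, PurchaseRequest>([
      ["pr-unpaid", { id: "pr-unpaid", status: "delivered", escrowReleased: false }],
      ["pr-paid", { id: "pr-paid", status: "delivery", escrowReleased: false }],
    ]),
    payments: [{ requestId: "pr-paid", amount: 250, dummy: false }],
  };
}

// Stand-alone demo of the three outcomes.
const demoStore = makeStore();
console.log(finalApproval(demoStore, "pr-unpaid", "production")); // status 404, no escrow release
console.log(finalApproval(demoStore, "pr-paid", "production")); // status 200, paymentDummy false
console.log(finalApproval(makeStore(), "pr-unpaid", "development")); // status 200, paymentDummy true
```

The check worth keeping from this model is the second one in production: not only must the route answer 404 for an unpaid request, the store must stay unchanged (no dummy payment row, escrow flag still false), since a guard that rejects the response but has already written the fixture would leave the same escrow-bypass artefact behind.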

Affected Files

  • backend/src/routes/routes.ts

References