nick-doc/Issues/ISSUE-094-backend-selectoffer-does-not-verify-buyer-owns-purchase-request.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


| issue | title | severity | domain | labels | status | created | source |
|---|---|---|---|---|---|---|---|
| 094 | Backend: selectOffer does not verify buyer owns the purchase request | medium | Marketplace | security, backend, idor | open | 2026-05-30 | Full Codebase Audit 2026-05-30 |

Backend: selectOffer does not verify buyer owns the purchase request

Severity: medium Domain: Marketplace Labels: security, backend, idor

Description

src/services/marketplace/marketplaceController.ts:1029 handles selectOffer without checking that req.user.id matches the purchaseRequest.buyerId. Any authenticated user who knows the purchase request ID can select an offer on someone else's request.

Options

  1. Reject when req.user.id !== purchaseRequest.buyerId.
  2. Allow buyer-owner or admin only.
  3. Atomic findOneAndUpdate scoped by buyerId.

Recommendation

Enforce req.user.id === purchaseRequest.buyerId (admin override allowed). This changes who can accept offers.
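The vulnerable lookup beside the recommended fix, as an added illustration rather than the project's own controller code: the model fields (`_id`, `buyerId`, `selectedOfferId`), the `role` field on the user, and the in-memory `findOneAndUpdate` stand-in are all assumptions made for this example.

```typescript
type PurchaseRequest = { _id: string; buyerId: string; selectedOfferId?: string };
type User = { id: string; role: "buyer" | "admin" };

// Constructed in-memory collection standing in for the purchase request model.
const purchaseRequests: PurchaseRequest[] = [
  { _id: "pr-1", buyerId: "buyer-A" },
  { _id: "pr-2", buyerId: "buyer-B" },
];

// Minimal stand-in for a findOneAndUpdate call: every filter field must match,
// and the match and the write happen in one step.
function findOneAndUpdate(filter: Partial<PurchaseRequest>, patch: Partial<PurchaseRequest>) {
  const keys = Object.keys(filter) as (keyof PurchaseRequest)[];
  const doc = purchaseRequests.find(d => keys.every(k => d[k] === filter[k]));
  if (!doc) return null;
  Object.assign(doc, patch);
  return doc;
}

// Vulnerable shape: the filter is the request id alone and the caller's identity
// is never consulted, so any authenticated user who knows the id can select an
// offer on another buyer's request (the IDOR described in the issue).
export function selectOfferVulnerable(_user: User, requestId: string, offerId: string): number {
  const doc = findOneAndUpdate({ _id: requestId }, { selectedOfferId: offerId });
  return doc ? 200 : 404;
}

// Hardened shape (option 3 plus the admin override from the recommendation):
// buyerId is part of the update filter, so there is no check-then-act gap, and a
// non-owner gets the same 404 as a missing id rather than a confirmation that the
// request exists.
export function selectOfferSecure(user: User, requestId: string, offerId: string): number {
  const filter: Partial<PurchaseRequest> = { _id: requestId };
  if (user.role !== "admin") filter.buyerId = user.id;
  const doc = findOneAndUpdate(filter, { selectedOfferId: offerId });
  return doc ? 200 : 404;
}

// Helper for inspecting the stored state.
export function selectedOffer(requestId: string): string | undefined {
  return purchaseRequests.find(d => d._id === requestId)?.selectedOfferId;
}
```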

Affected Files

  • backend/src/services/marketplace/marketplaceController.ts:1029

References