Index: 47 open (8 critical, 39 major), 6 resolved. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| issue | title | severity | domain | labels | status | resolved | fix | created | source |
|---|---|---|---|---|---|---|---|---|---|
| 005 | POST /api/payment/payments/:id/fetch-tx, POST /api/payment/payments/auto-fetch-missing, and GET /api/payment/payments/:id/debug have no authentication middleware | critical | Payment | security, bug, backend, critical, missing-auth | resolved | 2026-05-29 | Added authenticateToken + authorizeRoles('admin') to /payments/:id/debug, /payments/:id/fetch-tx, and /payments/auto-fetch-missing in paymentRoutes.ts | 2026-05-29 | Doc vs Code Audit 2026-05-29 |
🔴 POST /api/payment/payments/:id/fetch-tx, POST /api/payment/payments/auto-fetch-missing, and GET /api/payment/payments/:id/debug have no authentication middleware
Severity: critical Domain: Payment Labels: security, bug, backend, critical, missing-auth
Description
Three payment utility/debug endpoints are mounted with no authentication middleware at all. Any unauthenticated caller can read full payment internals (including blockchain metadata and wallet-monitor state) via the debug endpoint, or trigger on-chain fetches and state writes via the two POST endpoints. This is exploitable without credentials in production.
Current Behavior
All three return 200 with full data when called without any Authorization header.
Expected Behavior
All three endpoints should require at minimum authenticateToken, and ideally authorizeRoles('admin').
Reproduction Steps
```bash
curl -i -X POST https://api.example.com/api/payment/payments/test123/fetch-tx
```
Expected: HTTP 401 (no Authorization header was sent). Currently: HTTP 200. The same check applies to `POST /api/payment/payments/auto-fetch-missing` and `GET /api/payment/payments/test123/debug`.
Affected Files
backend/src/routes/paymentRoutes.ts
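Added example, not the project's paymentRoutes.ts: a self-contained TypeScript model of the Express `(req, res, next)` middleware contract that mounts the three routes from this issue as they were found (no guard) beside the fixed chain `authenticateToken` + `authorizeRoles('admin')`, and includes a route audit that lists any route whose chain does not begin with `authenticateToken`. The middleware names come from the fix note; the HS256 token format, `JWT_SECRET`, the `Router` class, `paymentInternals`, `buildRouter` and `request` are assumptions made here for illustration and are not the project's code.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Stand-ins for Express's request/response objects (assumption for this example;
// the real project uses express's own types and router).
type User = { sub: string; role: string };
type Req = { method: string; path: string; headers: Record<string, string>; user?: User };
type Res = { status: number; body: unknown };
type Next = () => void;
type Handler = (req: Req, res: Res, next: Next) => void;

// Hypothetical HS256 secret; a real service loads it from configuration.
const JWT_SECRET = "example-secret-not-for-production";
const b64 = (b: Buffer): string => b.toString("base64url");

// Mints a minimal HS256 JWT so the example can produce its own test tokens.
export function signToken(claims: User): string {
  const head = b64(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = b64(Buffer.from(JSON.stringify(claims)));
  const sig = b64(createHmac("sha256", JWT_SECRET).update(`${head}.${body}`).digest());
  return `${head}.${body}.${sig}`;
}

// authenticateToken: 401 unless a Bearer JWT with a valid HMAC is present.
export const authenticateToken: Handler = (req, res, next) => {
  const auth = req.headers["authorization"] ?? "";
  const parts = auth.startsWith("Bearer ") ? auth.slice(7).split(".") : [];
  if (parts.length !== 3) { res.status = 401; res.body = { error: "unauthenticated" }; return; }
  const expected = createHmac("sha256", JWT_SECRET).update(`${parts[0]}.${parts[1]}`).digest();
  const given = Buffer.from(parts[2], "base64url");
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    res.status = 401; res.body = { error: "unauthenticated" }; return;
  }
  req.user = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  next();
};

// authorizeRoles('admin'): 403 unless the authenticated user holds one of the roles.
export const authorizeRoles = (...roles: string[]): Handler => (req, res, next) => {
  if (!req.user || !roles.includes(req.user.role)) { res.status = 403; res.body = { error: "forbidden" }; return; }
  next();
};

// A tiny router that keeps each route's middleware chain inspectable.
type Route = { method: string; path: string; chain: Handler[] };
export class Router {
  routes: Route[] = [];
  add(method: string, path: string, ...chain: Handler[]): void { this.routes.push({ method, path, chain }); }
  handle(req: Req): Res {
    const res: Res = { status: 404, body: null };
    const route = this.routes.find((r) => r.method === req.method && matchPath(r.path, req.path));
    if (!route) return res;
    const chain = route.chain;
    let i = 0;
    // A middleware that does not call next() ends the chain, as in Express.
    const next: Next = () => { const h = chain[i++]; if (h) h(req, res, next); };
    next();
    return res;
  }
}

// Express-style ":param" segments match any single path segment.
function matchPath(pattern: string, path: string): boolean {
  const p = pattern.split("/"), q = path.split("/");
  return p.length === q.length && p.every((seg, i) => seg.startsWith(":") || seg === q[i]);
}

// Stands in for the three debug/utility handlers: returns payment internals.
const paymentInternals: Handler = (req, res) => {
  res.status = 200; res.body = { path: req.path, walletMonitorState: "constructed sample" };
};

// Builds the three routes from the issue, either as found (fixed=false) or as fixed.
export function buildRouter(fixed: boolean): Router {
  const guard: Handler[] = fixed ? [authenticateToken, authorizeRoles("admin")] : [];
  const r = new Router();
  r.add("POST", "/payments/:id/fetch-tx", ...guard, paymentInternals);
  r.add("POST", "/payments/auto-fetch-missing", ...guard, paymentInternals);
  r.add("GET", "/payments/:id/debug", ...guard, paymentInternals);
  return r;
}

// Regression check: routes whose chain does not start with authenticateToken.
export function unprotectedRoutes(router: Router): string[] {
  return router.routes.filter((r) => r.chain[0] !== authenticateToken).map((r) => `${r.method} ${r.path}`);
}

// One request, returning only the status: the curl check from the issue, offline.
export function request(router: Router, method: string, path: string, token?: string): number {
  const headers: Record<string, string> = token ? { authorization: `Bearer ${token}` } : {};
  return router.handle({ method, path, headers }).status;
}
```

The `unprotectedRoutes` walk is the part worth keeping as a test in the real code base: against a real Express router the equivalent walk goes over `router.stack` and each layer's `route.stack`, failing the build whenever a `/payments` route's first handler is not `authenticateToken`, so the next debug endpoint cannot be mounted unguarded by accident.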