POST /api/payments currently reaches createPayment without authMiddleware. That allows anonymous callers to create payment-intent responses.
Current behavior:
- POST /api/payments accepts unauthenticated requests.
- The route calls createPayment with req.body directly.
Expected behavior:
- Anonymous POST /api/payments requests should return 401 Unauthorized.
- Authenticated POST /api/payments requests should keep the existing 201 success path.
Verification target:
- Add API route coverage for anonymous rejection.
- Add API route coverage proving a valid bearer token can still create a payment intent.
- Protect the payment route with the existing authMiddleware.
Parent bounty: #743
This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.
POST /api/payments currently reaches createPayment without authMiddleware. That allows anonymous callers to create payment-intent responses.
Current behavior:
Expected behavior:
Verification target:
Parent bounty: #743
This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.