Security Vulnerability: User ID Passed from Client Side in Stripe Connect Integration

[heyitsadityaa]

Description

There is a critical security vulnerability in the Stripe Connect integration where the user._id is being passed from the client-side component to the server action, which could allow for user impersonation attacks.

Current Implementation

In components/seller-dashboard.tsx (line 129), the client component is passing user?._id directly to the server action:

await createStripeConnectCustomer(user?._id as Id<"users">);

The server action actions/createStripeConnectCustomer.ts accepts this userId parameter and uses it to create Stripe Connect accounts.

Security Issues

1. Client-side data manipulation: Users can modify the userId in browser dev tools or network requests
2. Impersonation attacks: Malicious users could potentially create Stripe Connect accounts for other users
3. No server-side authentication verification: The server action trusts client-provided user identification
4. Violation of security best practices: Sensitive operations should never rely on client-provided user identifiers

Expected Behavior

The server action should:

• Authenticate the user server-side using session/auth tokens
• Retrieve the user ID from authenticated context
• Never trust client-provided user identification for sensitive operations

Proposed Solution

1. Remove the userId parameter from createStripeConnectCustomer server action
2. Implement server-side authentication to get the current user's ID
3. Update the client component to call the server action without passing user ID
4. Ensure proper authentication context is available in server actions

Impact

• Severity: High
• Risk: User impersonation, unauthorized Stripe account creation
• Affected Files:
  • components/seller-dashboard.tsx
  • actions/createStripeConnectCustomer.ts

Environment

• Framework: Next.js with Convex
• Authentication: Convex Auth
• Payment Processing: Stripe Connect