
Fix: prevent IDOR in store invoice endpoint#17

Open
FuturMix wants to merge 1 commit into profullstack:master from FuturMix:fix/store-invoice-idor

Conversation

@FuturMix


Summary

Fixes #16

The invoice endpoint queries by ID without user_id filtering, leaking invoice existence via different status codes.

Changes

  • apps/web/src/app/api/store/invoices/[id]/route.ts:
    • Add .eq('user_id', auth.userId) to query
    • Replace raw error.message with generic error
    • Remove now-redundant post-query ownership check

Test plan

  • Fetch own invoice: returns invoice data normally
  • Fetch another user's invoice: returns 404 (not 403)
  • Fetch non-existent invoice: returns 404

🤖 Generated with Claude Code

The invoice GET endpoint queries by ID without filtering by user_id,
then checks ownership after retrieval. This leaks invoice existence
(404 vs 403 status codes) and relies on application-level checks
instead of query-level filtering.

Move the user_id filter into the query itself, and replace the raw
error.message with a generic error to prevent information disclosure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
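To make the 404-vs-403 oracle concrete, here is an added example (not code from this PR or the profullstack repository) contrasting the pre-fix handler with the query-level filter the PR describes. The chainable `from().select().eq().single()` helper is a constructed in-memory stand-in for the Supabase client, and the `auth`, invoice rows and route shape are assumptions.

```typescript
// Added example, not the PR's code: in-memory stand-in for the Supabase
// query builder, so both handler variants can run offline.
type Invoice = { id: string; user_id: string; total: number };

// Constructed sample data: two users, one invoice each.
const INVOICES: Invoice[] = [
  { id: "inv_1", user_id: "alice", total: 4200 },
  { id: "inv_2", user_id: "bob", total: 999 },
];

// Mimics .from("invoices").select().eq(col, val).single()
function from(_table: string) {
  let rows = INVOICES;
  const q = {
    select: () => q,
    eq(col: keyof Invoice, val: string) {
      rows = rows.filter((r) => r[col] === val);
      return q;
    },
    single: () =>
      rows.length === 1
        ? { data: rows[0], error: null }
        : { data: null, error: { message: `expected 1 row, got ${rows.length}` } },
  };
  return q;
}

type Auth = { userId: string };
type Res = { status: number; body: unknown };

// Before the fix: query by id only, ownership checked after retrieval.
// 403 vs 404 tells the caller whether a foreign invoice id exists.
function getInvoiceVulnerable(auth: Auth, id: string): Res {
  const { data, error } = from("invoices").select().eq("id", id).single();
  if (error) return { status: 404, body: { error: error.message } }; // raw DB detail leaks
  if (data!.user_id !== auth.userId) return { status: 403, body: { error: "Forbidden" } };
  return { status: 200, body: data };
}

// After the fix: user_id is part of the query, so another user's invoice
// and a missing invoice are indistinguishable (both 404); error is generic.
function getInvoiceFixed(auth: Auth, id: string): Res {
  const { data, error } = from("invoices")
    .select()
    .eq("id", id)
    .eq("user_id", auth.userId)
    .single();
  if (error || !data) return { status: 404, body: { error: "Invoice not found" } };
  return { status: 200, body: data };
}
```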

Development

Successfully merging this pull request may close these issues.

Bug: Store invoice endpoint IDOR leaks invoice existence
