Skip to content

fix(payments-next): Prevent unauthorized users from viewing a cart #19755

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
david1alvarez wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(payments-next): Prevent unauthorized users from viewing a cart #19755

david1alvarez wants to merge 1 commit into from
+69 −42

Conversation

@david1alvarez
Copy link
Contributor

@david1alvarez david1alvarez commented Dec 5, 2025

Because:

  • Users can currently view any cart by pasting the link to the cart in the URL

This commit:

  • Adds in a requirement for fetching the cart where if the cart has an associated uid, the correct user must be logged in
  • Unauthorized users are shown the subplat 404 page, which allows for them to restart the checkout process

Closes #PAY-3155

Checklist

Put an x in the boxes that apply

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).

@david1alvarez
fix(payments-next): Prevent unauthorized users from viewing a cart
c6b9953 
Because:

* Users can currently view any cart by pasting the link to the cart in the URL

This commit:

* Adds in a requirement for fetching the cart where if the cart has an associated uid, the correct user must be logged in

Closes #PAY-3155
@david1alvarez david1alvarez requested a review from a team as a code owner December 5, 2025 00:31
julianpoy
julianpoy reviewed Dec 9, 2025
View reviewed changes
libs/payments/ui/src/lib/actions/getCartOrRedirect.ts
Comment on lines 58 to +62
async function getCartOrRedirectAction(
cartId: string,
page: SupportedPages,
searchParams?: Record<string, string | string[]>
searchParams?: Record<string, string | string[]>,
uid?: string
Copy link
Member

@julianpoy julianpoy Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAIK someone can call this action with any UID they want as the last param, nullifying the security of this endpoint.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@julianpoy julianpoy julianpoy left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@david1alvarez @julianpoy