Fix audit #14 (body size limits), #17 (duplicate session_id), #22 (unused import)
All checks were successful
Deploy to Production / Deploy to Server (push) Successful in 2m53s
All checks were successful
Deploy to Production / Deploy to Server (push) Successful in 2m53s
This commit is contained in:
OpenClaw
parent
6cc30db5c6
commit
09c6feb06e
9 changed files with 36 additions and 10 deletions
5
dist/index.js
vendored
5
dist/index.js
vendored
|
|
@ -86,8 +86,9 @@ app.use("/v1/signup", signupRouter);
|
|||
app.use("/v1/recover", recoverRouter);
|
||||
app.use("/v1/billing", billingRouter);
|
||||
app.use("/v1/email-change", emailChangeRouter);
|
||||
// Authenticated routes
|
||||
app.use("/v1/convert", authMiddleware, usageMiddleware, pdfRateLimitMiddleware, convertRouter);
|
||||
// Authenticated routes — conversion routes get tighter body limits (500KB)
|
||||
const convertBodyLimit = express.json({ limit: "500kb" });
|
||||
app.use("/v1/convert", convertBodyLimit, authMiddleware, usageMiddleware, pdfRateLimitMiddleware, convertRouter);
|
||||
app.use("/v1/templates", authMiddleware, usageMiddleware, templatesRouter);
|
||||
// Admin: usage stats (admin key required)
|
||||
const adminAuth = (req, res, next) => {
|
||||
|
|
|
|||
9
dist/routes/billing.js
vendored
9
dist/routes/billing.js
vendored
|
|
@ -16,6 +16,8 @@ function getStripe() {
|
|||
return _stripe;
|
||||
}
|
||||
const router = Router();
|
||||
// Track provisioned session IDs to prevent duplicate key creation
|
||||
const provisionedSessions = new Set();
|
||||
// Create a Stripe Checkout session for Pro subscription
|
||||
router.post("/checkout", async (_req, res) => {
|
||||
try {
|
||||
|
|
@ -41,6 +43,11 @@ router.get("/success", async (req, res) => {
|
|||
res.status(400).json({ error: "Missing session_id" });
|
||||
return;
|
||||
}
|
||||
// Prevent duplicate provisioning from same session
|
||||
if (provisionedSessions.has(sessionId)) {
|
||||
res.status(409).send("This checkout session has already been used to provision a key. If you lost your key, use the key recovery feature.");
|
||||
return;
|
||||
}
|
||||
try {
|
||||
const session = await getStripe().checkout.sessions.retrieve(sessionId);
|
||||
const customerId = session.customer;
|
||||
|
|
@ -50,6 +57,7 @@ router.get("/success", async (req, res) => {
|
|||
return;
|
||||
}
|
||||
const keyInfo = await createProKey(email, customerId);
|
||||
provisionedSessions.add(session.id);
|
||||
// Return a nice HTML page instead of raw JSON
|
||||
res.send(`<!DOCTYPE html>
|
||||
<html><head><title>Welcome to DocFast Pro!</title>
|
||||
|
|
@ -131,6 +139,7 @@ router.post("/webhook", async (req, res) => {
|
|||
break;
|
||||
}
|
||||
const keyInfo = await createProKey(email, customerId);
|
||||
provisionedSessions.add(session.id);
|
||||
logger.info({ email, customerId }, "checkout.session.completed: provisioned pro key");
|
||||
break;
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue