Fix audit #14 (body size limits), #17 (duplicate session_id), #22 (unused import)

2026-02-16 19:51:24 +00:00 · 2026-02-16 19:51:24 +00:00 · 09c6feb06e
commit 09c6feb06e
parent 6cc30db5c6
9 changed files with 36 additions and 10 deletions
--- a/dist/routes/billing.js
+++ b/dist/routes/billing.js
@ -16,6 +16,8 @@ function getStripe() {
    return _stripe;
 }
 const router = Router();
+// Track provisioned session IDs to prevent duplicate key creation
+const provisionedSessions = new Set();
 // Create a Stripe Checkout session for Pro subscription
 router.post("/checkout", async (_req, res) => {
    try {
@ -41,6 +43,11 @@ router.get("/success", async (req, res) => {
        res.status(400).json({ error: "Missing session_id" });
        return;
    }
+    // Prevent duplicate provisioning from same session
+    if (provisionedSessions.has(sessionId)) {
+        res.status(409).send("This checkout session has already been used to provision a key. If you lost your key, use the key recovery feature.");
+        return;
+    }
    try {
        const session = await getStripe().checkout.sessions.retrieve(sessionId);
        const customerId = session.customer;
@ -50,6 +57,7 @@ router.get("/success", async (req, res) => {
            return;
        }
        const keyInfo = await createProKey(email, customerId);
+        provisionedSessions.add(session.id);
        // Return a nice HTML page instead of raw JSON
        res.send(`<!DOCTYPE html>
 <html><head><title>Welcome to DocFast Pro!</title>
@ -131,6 +139,7 @@ router.post("/webhook", async (req, res) => {
                break;
            }
            const keyInfo = await createProKey(email, customerId);
+            provisionedSessions.add(session.id);
            logger.info({ email, customerId }, "checkout.session.completed: provisioned pro key");
            break;
        }