andras/perfect-postcode
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 2 Wiki Activity Actions

Security

Browse source
This commit is contained in:
Andras Schmelczer 2026-03-20 07:52:06 +00:00
parent f32a552f46
commit 05b8ee06c1
5 changed files with 28 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

4
server-rs/src/routes/stripe_webhook.rs
View file

@ -105,6 +105,10 @@ pub async fn post_stripe_webhook(
warn!("checkout.session.completed missing client_reference_id");
return StatusCode::OK.into_response();
}
if !user_id.bytes().all(|b| b.is_ascii_alphanumeric()) || user_id.len() > 20 {
warn!(user_id, "Invalid client_reference_id format in webhook");
return StatusCode::BAD_REQUEST.into_response();
}
// Update user subscription to "licensed" via PocketBase superuser auth
let token = match get_superuser_token(&state).await {