d31f5733d6
Some checks failed
Veza CI / Backend (Go) (push) Failing after 0s
Veza CI / Frontend (Web) (push) Failing after 0s
Veza CI / Rust (Stream Server) (push) Failing after 0s
Security Scan / Secret Scanning (gitleaks) (push) Failing after 0s
Veza CI / Notify on failure (push) Failing after 0s
Closes a bypass surfaced by the 2026-04 audit probe (axis-1 Q2): any authenticated user could POST /api/v1/subscriptions/subscribe on a paid plan and receive 201 active without the payment provider ever being invoked. The resulting row satisfied `checkEligibility()` in the distribution service via `can_sell_on_marketplace=true` on the Creator plan — effectively free access to /api/v1/distribution/submit, which dispatches to external partners. Fix is centralised in `GetUserSubscription` so there is no code path that can grant subscription-gated access without routing through the payment check. Effective-payment = free plan OR unexpired trial OR invoice with non-empty hyperswitch_payment_id. Migration 980 sweeps pre-existing fantôme rows into `expired`, preserving the tuple in a dated audit table for support outreach. Subscribe and subscribeToFreePlan treat the new ErrSubscriptionNoPayment as equivalent to ErrNoActiveSubscription so re-subscription works cleanly post-cleanup. GET /me/subscription surfaces needs_payment=true with a support-contact message rather than a misleading "you're on free" or an opaque 500. TODO(v1.0.7-item-G) annotation marks where the `if s.paymentProvider != nil` short-circuit needs to become a mandatory pending_payment state. Probe script `scripts/probes/subscription-unpaid-activation.sh` kept as a versioned regression test — dry-run by default, --destructive logs in and attempts the exploit against a live backend with automatic cleanup. 8-case unit test matrix covers the full hasEffectivePayment predicate. Smoke validated end-to-end against local v1.0.6.2: POST /subscribe returns 201 (by design — item G closes the creation path), but GET /me/subscription returns subscription=null + needs_payment=true, distribution eligibility returns false. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| 076_create_gear_items_down.sql | ||
| 077_create_live_streams_down.sql | ||
| 078_add_missing_indexes_down.sql | ||
| 082_create_api_keys_down.sql | ||
| 125_follow_counts_triggers_down.sql | ||
| 129_playlist_editorial_down.sql | ||
| 132_quiet_hours_down.sql | ||
| 133_notification_grouping_down.sql | ||
| 134_weekly_digest_prefs_down.sql | ||
| 900_triggers_and_functions_down.sql | ||
| 910_create_audit_logs_down.sql | ||
| 920_add_performance_indexes_down.sql | ||
| 930_add_missing_foreign_keys_down.sql | ||
| 931_add_refresh_tokens_updated_at_down.sql | ||
| 940_performance_indexes_v0951_down.sql | ||
| 941_notification_prefs_defaults_v0105_down.sql | ||
| 942_create_co_listening_sessions_down.sql | ||
| 943_create_track_stems_down.sql | ||
| 944_create_data_exports_down.sql | ||
| 945_creator_analytics_v0110_down.sql | ||
| 946_advanced_analytics_v0111_down.sql | ||
| 947_moderation_advanced_v0112_down.sql | ||
| 948_marketplace_complete_v0120_down.sql | ||
| 949_subscription_plans_v0121_down.sql | ||
| 950_distribution_platforms_v0122_down.sql | ||
| 951_education_courses_v0123_down.sql | ||
| 960_performance_indexes_v0124_down.sql | ||
| 970_password_login_history_v0130_down.sql | ||
| 971_security_advanced_v0133_down.sql | ||
| 972_seller_kyc_v0135_down.sql | ||
| 973_support_tickets_v0135_down.sql | ||
| 980_void_unpaid_subscriptions_down.sql | ||