Skip to content

Harden /api/checkout/report-failure against alert-flood abuse #150

Description

@kilbot

Discovered during PR #149 review (CodeRabbit, Major).

The /api/checkout/report-failure alert bridge is necessarily reachable by the browser beacon, so it is unauthenticated. Because wcpos.store.sale bypasses the Discord rate limit, a malicious client could POST {"kind":"order_pending"} repeatedly to flood Discord/Sentry.

Done in #149 (cheap mitigations):

  • Sanitize the attacker-controlled reference before logging (strip to WCPOS charset + cap length) — prevents Discord/log injection.
  • Reject oversized request bodies (content-length > 2KB).

Deferred to this issue (needs design):

  • Authenticity: mint a short-lived signed token server-side on the checkout page and verify it on the beacon (a browser beacon can't hold a static server secret, so HMAC-with-shared-secret isn't viable client-side).
  • Server-side throttle + per-reference dedupe on the sale-critical bypass path so a flood can't drown real alerts.

Low-moderate severity: logs/alerts only, no data exposure and no money path. Pairs with the Phase 4 (Medusa-side webhooks) work.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions