Fix duplicate Stripe customers and attestation plan bypass #136

Merged
will.anderson merged 1 commits from fix/stripe-dedup-attestation into dev 2026-05-12 19:23:36 +00:00
Two bugs fixed:

1. Duplicate Stripe customers (double-Bearer auth)
Both checkout paths passed 'Bearer sk_...' to http_get_auth() which prepends another 'Bearer ', producing 'Bearer Bearer sk_...'. Stripe returns 401 on every customer lookup, so a new customer was always created on each checkout page visit. Fixed: pass raw key to http_get_auth().

2. /api/attest founding bypass
The attestation endpoint wrote whatever plan the client submitted — so anyone could POST plan=founding and get founding member access without paying $199. Fixed: server ignores the submitted plan and always writes plan=waitlist. Founding access requires Stripe payment.

Data fix applied: Silas Shellenbarger's waitlist row downgraded from founding to waitlist (created via attestation today without payment).

will.anderson added 1 commit 2026-05-12 19:10:21 +00:00
Fix duplicate Stripe customers and attestation plan bypass
Dev — Build & local smoke test / build-smoke (pull_request) Successful in 1m29s
0fdbba82e0
Two bugs:

1. Double-Bearer auth on Stripe customer search. Both checkout paths
   were passing "Bearer sk_..." to http_get_auth(), which prepends
   another "Bearer " — producing "Bearer Bearer sk_..." which Stripe
   rejects as 401. Customer lookup always failed, so a new Stripe
   customer was created on every checkout page load. Fix: pass the
   raw key to http_get_auth(), letting it handle the prefix.

2. /api/attest blindly wrote whatever plan the client submitted to
   the waitlist, letting anyone POST plan=founding and get founding
   member access without paying. Fix: server ignores the client-
   submitted plan and always writes plan=waitlist. Founding access
   requires Stripe payment — the attestation form is waitlist-only.
will.anderson merged commit bb98f76179 into dev 2026-05-12 19:23:36 +00:00
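Worked example added by the editor; this is not code from neuron-web, the PR or the commit above. It models both bugs in Python so the failure modes described in the PR description and commit message can be reproduced offline: a fake Stripe transport that, like the real API, accepts exactly one `Bearer ` prefix, a lookup-then-create checkout path driven once with the double-prefixed key and once with the raw key, and the /api/attest handler before and after the fix. The key, e-mail addresses, customer IDs, the `FakeStripe` class, the `http_post_auth` create helper and the `apply_verified_payment` upgrade path are assumptions or constructed data; only `http_get_auth` prepending `Bearer `, the 401 on lookup, the client-chosen `plan`, the `waitlist`/`founding` values and the $199 price come from the page.

```python
"""Added example, not code from the neuron-web project: a self-contained
model of the two bugs in PR #136 and their fixes. The key, e-mail
addresses, customer IDs and the FakeStripe transport are constructed;
http_post_auth and apply_verified_payment are assumed helpers, not ones
the PR names."""

STRIPE_KEY = "sk_test_constructed_example_key"   # constructed, not a live key
FOUNDING_PRICE_CENTS = 199_00                     # $199, as stated in the PR


class FakeStripe:
    """Stand-in for api.stripe.com. Like Stripe, it accepts exactly one
    'Bearer <key>' Authorization header and answers 401 to anything else."""

    def __init__(self, secret_key):
        self.secret_key = secret_key
        self.customers = []

    def _authorized(self, authorization):
        return authorization == f"Bearer {self.secret_key}"

    def search_customers(self, email, authorization):
        if not self._authorized(authorization):
            return 401, None
        return 200, [c for c in self.customers if c["email"] == email]

    def create_customer(self, email, authorization):
        if not self._authorized(authorization):
            return 401, None
        customer = {"id": f"cus_{len(self.customers) + 1:04d}", "email": email}
        self.customers.append(customer)
        return 200, customer


def http_get_auth(stripe, email, key):
    """Models the helper named in the PR: it prepends 'Bearer ' itself, so a
    caller that passes 'Bearer sk_...' produces 'Bearer Bearer sk_...'."""
    return stripe.search_customers(email, authorization=f"Bearer {key}")


def http_post_auth(stripe, email, key):
    """Assumed create-side helper; the PR only describes the lookup as broken,
    so this one is given the raw key and succeeds."""
    return stripe.create_customer(email, authorization=f"Bearer {key}")


def get_or_create_customer(stripe, email, lookup_key_arg):
    """One checkout page load. lookup_key_arg is whatever the checkout code
    hands to http_get_auth; the bug was passing an already-prefixed key."""
    status, found = http_get_auth(stripe, email, lookup_key_arg)
    if status == 200 and found:
        return found[0]["id"]
    # Lookup returned 401 or no match: create. With the double-Bearer bug the
    # lookup is 401 on every call, so every visit lands here.
    status, created = http_post_auth(stripe, email, STRIPE_KEY)
    if status != 200:
        raise RuntimeError("customer creation failed in the model")
    return created["id"]


def distinct_customers_after_visits(lookup_key_arg, visits=3,
                                    email="buyer@example.com"):
    """Returns how many Stripe customers exist after `visits` checkout loads
    of the same e-mail address."""
    stripe = FakeStripe(STRIPE_KEY)
    for _ in range(visits):
        get_or_create_customer(stripe, email, lookup_key_arg)
    return len(stripe.customers)


# Bug 2: /api/attest trusting the client-submitted plan.

def attest_vulnerable(form):
    """Before the fix: whatever `plan` the client POSTs is written."""
    return {"email": form["email"], "plan": form.get("plan", "waitlist")}


def attest_fixed(form):
    """After the fix: the attestation form is waitlist-only, so the server
    discards any client-supplied plan and always writes 'waitlist'."""
    return {"email": form["email"], "plan": "waitlist"}


def apply_verified_payment(row, payment):
    """Assumed upgrade path: founding is granted only from a server-side
    verified payment record (a constructed dict here), never from a form."""
    paid = payment.get("status") == "paid"
    enough = payment.get("amount_cents", 0) >= FOUNDING_PRICE_CENTS
    return {**row, "plan": "founding"} if paid and enough else row


if __name__ == "__main__":
    print("customers, double-Bearer:", distinct_customers_after_visits(f"Bearer {STRIPE_KEY}"))
    print("customers, raw key      :", distinct_customers_after_visits(STRIPE_KEY))
    forged = {"email": "anyone@example.com", "plan": "founding"}
    print("attest before fix       :", attest_vulnerable(forged)["plan"])
    print("attest after fix        :", attest_fixed(forged)["plan"])
```

Running the block with three checkout visits shows three customers created under the double-prefixed key and one under the raw key, which is the duplication the PR describes; the forged `plan=founding` POST is written as `founding` by the pre-fix handler and as `waitlist` by the fixed one, and only a verified payment record moves a row to `founding`.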
Reference: neuron-technologies/neuron-web#136