Deploy dev to stage — Stripe dedup + attestation bypass fix #137

Merged
will.anderson merged 2 commits from dev into stage 2026-05-12 19:23:58 +00:00
Owner

Merges dev into stage. Includes PR #136 fixes:

  • Fix duplicate Stripe customers (double-Bearer auth bug)
  • Lock down /api/attest to prevent founding access without payment
will.anderson added 2 commits 2026-05-12 19:23:48 +00:00
Fix duplicate Stripe customers and attestation plan bypass
Dev — Build & local smoke test / build-smoke (pull_request) Successful in 1m29s
0fdbba82e0
Two bugs:

1. Double-Bearer auth on Stripe customer search. Both checkout paths
   were passing "Bearer sk_..." to http_get_auth(), which prepends
   another "Bearer " — producing "Bearer Bearer sk_..." which Stripe
   rejects as 401. Customer lookup always failed, so a new Stripe
   customer was created on every checkout page load. Fix: pass the
   raw key to http_get_auth(), letting it handle the prefix.

2. /api/attest blindly wrote whatever plan the client submitted to
   the waitlist, letting anyone POST plan=founding and get founding
   member access without paying. Fix: server ignores the client-
   submitted plan and always writes plan=waitlist. Founding access
   requires Stripe payment — the attestation form is waitlist-only.
will.anderson merged commit 3c19f4cf73 into stage 2026-05-12 19:23:57 +00:00
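The second bug in the commit message, sketched as an added example (not the project's code): a handler that stores the client-submitted plan beside one that sets the plan server-side, with a small regression check over constructed request bodies. The handler names, the `email`/`attested` fields and the in-memory store are assumptions, and copying only allow-listed fields goes slightly beyond what the commit message states.

```python
# Added illustration; attest_before/attest_after, the field names and the
# in-memory store are hypothetical stand-ins, not the project's code.

ALLOWED_FIELDS = ("email", "attested")  # assumed: fields the form may set
FORM_PLAN = "waitlist"                  # only plan the attestation form grants


def attest_before(form, store):
    """Pre-fix behaviour as described: the submitted plan is stored as-is."""
    record = {
        "email": form["email"],
        "attested": form.get("attested", False),
        "plan": form.get("plan", FORM_PLAN),  # trusts the client
    }
    store[record["email"]] = record
    return record


def attest_after(form, store):
    """Post-fix behaviour: copy allow-listed fields, then set plan server-side."""
    record = {k: form[k] for k in ALLOWED_FIELDS if k in form}
    record["plan"] = FORM_PLAN  # client-supplied 'plan' never reaches storage
    store[record["email"]] = record
    return record


# Constructed request bodies for the regression check.
SAMPLES = [
    {"email": "a@example.test", "attested": True},
    {"email": "b@example.test", "attested": True, "plan": "founding"},
    {"email": "c@example.test", "attested": True, "plan": "FOUNDING"},
]


def escalations(handler):
    """Return the emails whose stored plan is anything other than FORM_PLAN."""
    store = {}
    for form in SAMPLES:
        handler(dict(form), store)
    return sorted(e for e, rec in store.items() if rec["plan"] != FORM_PLAN)


if __name__ == "__main__":
    print("before:", escalations(attest_before))
    print("after: ", escalations(attest_after))
```

A check like `escalations()` is worth keeping as a regression test on the endpoint, so a later refactor that reintroduces the client-supplied plan fails the build.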
Reference: neuron-technologies/neuron-web#137