will.anderson
0fdbba82e0
Dev — Build & local smoke test / build-smoke (pull_request) Successful in 1m29s
Two bugs: 1. Double-Bearer auth on Stripe customer search. Both checkout paths were passing "Bearer sk_..." to http_get_auth(), which prepends another "Bearer " — producing "Bearer Bearer sk_..." which Stripe rejects as 401. Customer lookup always failed, so a new Stripe customer was created on every checkout page load. Fix: pass the raw key to http_get_auth(), letting it handle the prefix. 2. /api/attest blindly wrote whatever plan the client submitted to the waitlist, letting anyone POST plan=founding and get founding member access without paying. Fix: server ignores the client- submitted plan and always writes plan=waitlist. Founding access requires Stripe payment — the attestation form is waitlist-only.