Made sure Apple receipts can't be re-used with different accounts.

2025-03-14 07:00:01 -04:00 · 2014-11-21 10:34:30 -08:00 · 2014-11-21 10:34:30 -08:00 · c77d38d59f
commit c77d38d59f
parent 16a717aec1
2 changed files with 10 additions and 1 deletions
--- a/server/payments/payment_handler.coffee
+++ b/server/payments/payment_handler.coffee
@ -88,10 +88,13 @@ PaymentHandler = class PaymentHandler extends Handler
        
      #- Check existence
      transactionID = transaction.transaction_id
-      criteria = { recipient: req.user._id, 'ios.transactionID': transactionID }
+      criteria = { 'ios.transactionID': transactionID }
      Payment.findOne(criteria).exec((err, payment) =>
        
        if payment
+          unless payment.get('recipient').equals(req.user._id)
+            return @sendForbiddenError(res)
+
          @recalculateGemsFor(req.user, (err) =>
            return @sendDatabaseError(res, err) if err
            @sendSuccess(res, @formatEntity(req, payment))
--- a/test/server/functional/payment.spec.coffee
+++ b/test/server/functional/payment.spec.coffee
@ -52,6 +52,12 @@ describe '/db/payment', ->
            done()
          )

+    it 'prevents other users from reusing payment receipts', (done) ->
+      loginSam ->
+        request.post {uri: paymentURL, json: firstApplePayment}, (err, res, body) ->
+          expect(res.statusCode).toBe 403
+          done()
+
    it 'processes only the transactionID that is given', (done) ->
      loginJoe ->
        request.post {uri: paymentURL, json: secondApplePayment}, (err, res, body) ->