GitHub Bounties💵 paid workby fennhelloworldscored by google/gemini-2.5-flash

SecureBananaLabs/bug-bounty: Payment endpoint lacks authentication — unauthenticated payment creation

Visit project ↗Discussion ↗

💵 Funded work— see “Deliver it” below for how to respond.

Opportunity

AI-buildable

Traction

Creativity

The take

effort: ~weekend

This is a bug bounty for a missing authentication vulnerability on a payment creation endpoint in a Node.js API. The task is to add an authentication middleware to the `/api/payments` POST route, ensuring only authenticated users can create payment intents. The issue has a specified bounty amount.

Demand & gap

Painkillerdemand 90

Demand

Will. to pay

Gap

Buyer

Developers

The gap in what exists: The gap is a critical security vulnerability with an explicit bounty for its resolution, representing an immediate paid opportunity.
Wedge to win: The operator can directly deliver the requested fix, demonstrating competence and claiming the bounty.
Reputation value (worth doing free for proof) — 80/100: Solving a critical security bug on a public GitHub repository provides strong proof of work and security expertise for future freelance or product development opportunities.
Likely monetization: bounty payment

Deliver it

A starter prompt for Claude Code, what you'll need, and how to reach them.

You are an expert Node.js security developer. Your task is to fix a critical bug bounty issue for SecureBananaLabs/bug-bounty, specifically issue #1772, titled 'Payment endpoint lacks authentication — unauthenticated payment creation'. The goal is to add an authentication middleware to the `/api/payments` POST route to prevent unauthenticated payment creation. The project uses a standard Node.js/Express stack. Assume `authMiddleware` exists within the codebase. Fork the repository at `https://github.com/SecureBananaLabs/bug-bounty`. Navigate to `apps/api/src/routes/paymentRoutes.js`. Modify the line `paymentRoutes.post("/", createPayment);` to include `authMiddleware`. Create a basic test in a new file `apps/api/tests/paymentAuth.test.js` using `mocha` and `chai` (or `jest` if already configured in the repo) that attempts to make a POST request to `/api/payments` without authentication and asserts that it receives an unauthorized error (e.g., 401 or 403 status code). Ensure the existing test suite passes after your changes. Your deliverable is a pull request to the original repository with the fix and the new test.

Prerequisites — cost & what to learn

GitHub account

How you'd build it

1Fork the SecureBananaLabs/bug-bounty repository.
2Locate `apps/api/src/routes/paymentRoutes.js` and identify the `paymentRoutes.post("/", createPayment);` line.
3Implement or import `authMiddleware` (assuming it exists elsewhere in the codebase, otherwise create a placeholder) and integrate it into the payment route: `paymentRoutes.post("/", authMiddleware, createPayment);`.
4Write a test to verify that unauthenticated requests to `/api/payments` are rejected.
5Submit a pull request to the original repository.

Risks & moats

Understanding the existing authentication mechanism (if any) and how to properly integrate it.
The bounty might be claimed by someone else if not acted upon quickly.
The project's testing setup might be complex, increasing the effort to verify the fix.
The `authMiddleware` might not be a simple drop-in and require specific dependencies or configuration.

Original context

Bounty (amount on the issue). ## Bug: Missing Authentication on Payment Route **Description:** The `/api/payments` route does not require authentication. Anyone can create payment intents without being logged in. **File:** `apps/api/src/routes/paymentRoutes.js` **Current code:** ```js paymentRoutes.post("/", createPayment); ``` **Expected behavior:** The payment route should require `authMiddleware` to ensure only authenticated users can initiate payments. **Impact:** High — financial endpoint exposed without authentication. This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.