This is a bounty to fix a security bug in a payment API. The task involves applying existing authentication middleware to the `/api/payments` route and adding API tests to verify the authentication behavior for both unauthenticated and authenticated requests. The payment service logic itself should remain unchanged for authenticated users.
A starter prompt for Claude Code, what you'll need, and how to reach them.
You are an expert full-stack developer. I need you to implement a security fix for a payment API as described in a GitHub bounty. The project uses a standard Node.js/Express-like backend with existing authentication middleware. Fork the repository `SecureBananaLabs/bug-bounty`. Locate the `/api/payments` route and apply the `authMiddleware` to it, ensuring unauthenticated requests are rejected with a `401` status. Then, create new API integration tests. One test should confirm that `POST /api/payments` without authentication returns a `401`. Another test should confirm that `POST /api/payments` with a valid bearer token successfully creates a payment intent (assume a mock authenticated user if needed and that the payment service behavior itself remains unchanged for valid requests). Use Jest or whatever testing framework is already present in the repository. Provide the steps to set up the project, implement the fix, and add the tests. Focus on correctness and adherence to the issue description. What specific files should I look for to implement the middleware and add tests?
Bounty (amount on the issue).

## Bug

The `/api/payments` route currently allows unauthenticated callers to create payment intent records. Payment creation is account-scoped and should require the same bearer-token authentication middleware already used by protected API routes.

## Impact

- Anonymous callers can create arbitrary payment intent payloads.
- Payment creation is not tied to an authenticated account boundary.
- This weakens the API security boundary around billing/payment workflows.

## Expected behavior

`POST /api/payments` should reject missing or invalid bearer tokens with `401`, and should continue creating payment intents for valid signed access tokens.

## Scope

- Apply the existing `authMiddleware` to payment routes.
- Add focused API tests for unauthenticated rejection and valid-token payment creation.
- Keep payment service behavior unchanged for authenticated requests.

This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.

Parent bounty: #743
Standard for any GitHub-based development.
Standard for JavaScript/TypeScript development.
Standard for version control.
Operator's core competency.
Standard for API development.
Reply directly in the GitHub issue #2757, indicating readiness to work and providing an estimate, since the issue is limited to its author. If not the author, you'd create a new issue and refer to #743.
“I've reviewed the issue #2757 and can implement the required authentication middleware for `/api/payments` and add the specific API tests. I have a strong background in API security and Node.js. My proposed solution would involve [briefly mention specific files/approach if clear]. Let me know if you'd like me to proceed.”