Skip to content

fix: prevent crypto payment transaction replay#83

Open
ianalloway wants to merge 1 commit into
mainfrom
codex/fix-replay-vulnerability-in-crypto-payments
Open

fix: prevent crypto payment transaction replay#83
ianalloway wants to merge 1 commit into
mainfrom
codex/fix-replay-vulnerability-in-crypto-payments

Conversation

@ianalloway

Copy link
Copy Markdown
Owner

Motivation

  • The on-chain verifier previously accepted public txHash and walletAddress values and upserted entitlements without binding or one-time consumption, allowing replay attacks that grant paid access to arbitrary emails/devices.

Description

  • Add claimCryptoEntitlement (replaces the prior upsert behavior) to normalize inputs, check for an existing crypto:<txHash> record, and reject reuse if the existing claim does not match the same email, wallet, and tier.
  • Preserve first-time entitlement creation by creating a transaction-scoped record with normalized cryptoTxHash, walletAddress, and email when no prior claim exists.
  • Update the server verifier in api/verify-crypto-payment.ts to call claimCryptoEntitlement for both ETH and stablecoin paths and to set the entitlement session cookie before returning success.
  • Return a clear 409 response when a transaction hash has already been claimed by a different claimant, and propagate other verification errors with 502 as before.

Testing

  • Ran npm run lint; lint completed with warnings only and no errors.
  • Ran npm run build; the production build and prerender succeeded.

Codex Task

Copilot AI review requested due to automatic review settings July 14, 2026 18:17
@cursor

cursor Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@netlify

netlify Bot commented Jul 14, 2026

Copy link
Copy Markdown

Deploy Preview for aiadvantagea ready!

Name Link
🔨 Latest commit 3644b1f
🔍 Latest deploy log https://app.netlify.com/projects/aiadvantagea/deploys/6a567d3900c9170008525a6b
😎 Deploy Preview https://deploy-preview-83--aiadvantagea.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants