mirror of
https://gh.wpcy.net/https://github.com/discourse/discourse.git
synced 2026-05-14 11:08:51 +08:00
c34f2aac8d
This PR combines two security fixes for the discourse-subscriptions plugin. ## Commits ### 1. [`8f0a8e98e9`](8f0a8e98e9) — SECURITY: Fix unauthorized group access via subscription finalize The `/s/finalize` endpoint accepted client-supplied `plan` and `transaction` parameters that determined which group a user would be added to after completing a Stripe payment. During the 3D Secure authentication flow, an authenticated user could complete a cheap subscription in `SubscribeController#create` but supply a premium plan ID when calling `#finalize`, granting themselves access to a higher-tier group they never paid for. This commit fixes the vulnerability by linking the two endpoints server-side using `server_session`. When `#create` produces a transaction requiring 3D Secure authentication (`incomplete` or `open` status), it stores the transaction ID and plan ID in the server session. `#finalize` then reads exclusively from the session instead of accepting client parameters, and clears the entry after successful finalization. On the frontend, `Transaction.finalize()` no longer sends any parameters to the server. (from #434) --- ### 2. [`dcf80dda61`](dcf80dda61) — SECURITY: Use per-request Stripe API key instead of global state Replace `set_api_key` (which mutated global `::Stripe.api_key`) with `set_stripe_api_key` (which stores the key in an instance variable). All Stripe API calls now receive `{ api_key: @stripe_api_key }` as the per-request opts parameter, following the stripe gem's documented per-request configuration pattern. This prevents API key leakage across concurrent requests in multi-threaded environments. (from #590) --- **Security Advisory:** https://github.com/discourse/discourse/security/advisories/GHSA-f866-8fcp-fgvv --- **Security Advisory:** https://github.com/discourse/discourse/security/advisories/GHSA-9vg5-mp49-xghh
124 lines
3.9 KiB
Ruby
124 lines
3.9 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
module DiscourseSubscriptions
|
|
module User
|
|
class SubscriptionsController < ::ApplicationController
|
|
include DiscourseSubscriptions::Stripe
|
|
include DiscourseSubscriptions::Group
|
|
|
|
requires_plugin PLUGIN_NAME
|
|
|
|
before_action :find_subscription, only: %i[update destroy]
|
|
requires_login
|
|
|
|
def index
|
|
begin
|
|
customer = Customer.where(user_id: current_user.id)
|
|
customer_ids = customer.map { |c| c.id } if customer
|
|
stripe_customer_ids = customer.map { |c| c.customer_id }.uniq if customer
|
|
subscription_ids =
|
|
Subscription.where("customer_id in (?)", customer_ids).pluck(
|
|
:external_id,
|
|
) if customer_ids
|
|
|
|
subscriptions = []
|
|
|
|
if subscription_ids
|
|
prices = []
|
|
price_params = { limit: 100, expand: ["data.product"] }
|
|
loop do
|
|
response = ::Stripe::Price.list(price_params, stripe_request_opts)
|
|
prices.concat(response[:data])
|
|
break unless response[:has_more]
|
|
price_params[:starting_after] = response[:data].last.id
|
|
end
|
|
all_subscriptions = []
|
|
|
|
stripe_customer_ids.each do |stripe_customer_id|
|
|
customer_subscriptions =
|
|
::Stripe::Subscription.list(
|
|
{ customer: stripe_customer_id, status: "all" },
|
|
stripe_request_opts,
|
|
)
|
|
all_subscriptions.concat(customer_subscriptions[:data])
|
|
end
|
|
|
|
subscriptions = all_subscriptions.select { |sub| subscription_ids.include?(sub[:id]) }
|
|
subscriptions.map! do |subscription|
|
|
plan = prices.find { |p| p[:id] == subscription[:items][:data][0][:price][:id] }
|
|
subscription.to_h.except!(:plan)
|
|
subscription.to_h.merge(plan: plan, product: plan[:product].to_h.slice(:id, :name))
|
|
end
|
|
end
|
|
|
|
render_json_dump subscriptions
|
|
rescue ::Stripe::InvalidRequestError => e
|
|
render_json_error e.message
|
|
end
|
|
end
|
|
|
|
def destroy
|
|
# we cancel but don't remove until the end of the period
|
|
# full removal is done via webhooks
|
|
begin
|
|
subscription =
|
|
::Stripe::Subscription.update(
|
|
params[:id],
|
|
{ cancel_at_period_end: true },
|
|
stripe_request_opts,
|
|
)
|
|
|
|
if subscription
|
|
render_json_dump subscription
|
|
else
|
|
render_json_error I18n.t("discourse_subscriptions.customer_not_found")
|
|
end
|
|
rescue ::Stripe::InvalidRequestError => e
|
|
render_json_error e.message
|
|
end
|
|
end
|
|
|
|
def update
|
|
params.require(:payment_method)
|
|
|
|
begin
|
|
attach_method_to_customer(@subscription.customer_id, params[:payment_method])
|
|
::Stripe::Subscription.update(
|
|
params[:id],
|
|
{ default_payment_method: params[:payment_method] },
|
|
stripe_request_opts,
|
|
)
|
|
render json: success_json
|
|
rescue ::Stripe::InvalidRequestError
|
|
render_json_error I18n.t("discourse_subscriptions.card.invalid")
|
|
end
|
|
end
|
|
|
|
private
|
|
|
|
def attach_method_to_customer(customer_id, method)
|
|
customer = Customer.find(customer_id)
|
|
::Stripe::PaymentMethod.attach(
|
|
method,
|
|
{ customer: customer.customer_id },
|
|
stripe_request_opts,
|
|
)
|
|
end
|
|
|
|
def find_subscription
|
|
@subscription ||=
|
|
Subscription.joins(:customer).find_by(
|
|
external_id: params[:id],
|
|
customer: {
|
|
user_id: current_user.id,
|
|
},
|
|
)
|
|
|
|
if @subscription.nil?
|
|
render_json_error I18n.t("discourse_subscriptions.subscription_not_found"),
|
|
status: 404 and return
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
