discourse/plugins/discourse-subscriptions/spec/services
Alan Guo Xiang Tan c34f2aac8d SECURITY: Fixes for discourse-subscriptions
This PR combines two security fixes for the discourse-subscriptions plugin.

## Commits

### 1. [`8f0a8e98e9`](8f0a8e98e9) — SECURITY: Fix unauthorized group access via subscription finalize

The `/s/finalize` endpoint accepted client-supplied `plan` and
`transaction` parameters that determined which group a user would be
added to after completing a Stripe payment. During the 3D Secure
authentication flow, an authenticated user could complete a cheap
subscription in `SubscribeController#create` but supply a premium plan
ID when calling `#finalize`, granting themselves access to a higher-tier
group they never paid for.

This commit fixes the vulnerability by linking the two endpoints
server-side using `server_session`. When `#create` produces a
transaction requiring 3D Secure authentication (`incomplete` or `open`
status), it stores the transaction ID and plan ID in the server session.
`#finalize` then reads exclusively from the session instead of accepting
client parameters, and clears the entry after successful finalization.

On the frontend, `Transaction.finalize()` no longer sends any
parameters to the server.

(from #434)

---

### 2. [`dcf80dda61`](dcf80dda61) — SECURITY: Use per-request Stripe API key instead of global state

Replace `set_api_key` (which mutated global `::Stripe.api_key`) with
`set_stripe_api_key` (which stores the key in an instance variable).
All Stripe API calls now receive `{ api_key: @stripe_api_key }` as
the per-request opts parameter, following the stripe gem's documented
per-request configuration pattern. This prevents API key leakage
across concurrent requests in multi-threaded environments.

(from #590)

---

**Security Advisory:** https://github.com/discourse/discourse/security/advisories/GHSA-f866-8fcp-fgvv

---

**Security Advisory:** https://github.com/discourse/discourse/security/advisories/GHSA-9vg5-mp49-xghh
2026-03-31 15:12:45 +01:00
..
campaign_spec.rb SECURITY: Fixes for discourse-subscriptions 2026-03-31 15:12:45 +01:00
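
The session binding described in the first commit above, modeled as an added example (not the plugin's code): the client-parameter form of finalize next to the session-only form. `SubscribeFlow`, `PENDING_KEY`, the plan-to-group map and the method names are hypothetical, and a plain Hash stands in for `server_session`; no payment provider is contacted.

```ruby
# Added illustration; every name here is hypothetical, not taken from the plugin.
PLAN_GROUPS = { # constructed sample data
  "plan_basic" => "basic_members",
  "plan_premium" => "premium_members",
}.freeze

class SubscribeFlow
  PENDING_KEY = :pending_subscription # hypothetical session key
  attr_reader :groups

  def initialize(session)
    @session = session # stands in for the server-side session store
    @groups = []
  end

  # Models #create: when the transaction still needs 3D Secure
  # ("incomplete" or "open"), remember server-side what was actually bought.
  def create(plan_id, transaction_id, status)
    if %w[incomplete open].include?(status)
      @session[PENDING_KEY] = { transaction: transaction_id, plan: plan_id }
    else
      grant(plan_id)
    end
    status
  end

  # Pre-fix shape: the group is derived from whatever plan the client sends.
  def finalize_from_params(params)
    grant(params[:plan])
  end

  # Post-fix shape: client input is ignored; only the stored entry counts,
  # and it is cleared so the same finalize cannot be replayed.
  def finalize_from_session(_params = {})
    pending = @session[PENDING_KEY]
    return false unless pending
    grant(pending[:plan])
    @session.delete(PENDING_KEY)
    true
  end

  private

  def grant(plan_id)
    group = PLAN_GROUPS.fetch(plan_id)
    @groups << group unless @groups.include?(group)
    group
  end
end
```
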