
[Bug] IDOR / Information Disclosure in Payment Checkout Status Retrieval #384

@anshul23102

Description


The endpoint GET /api/payment/checkout-status/:sessionId is used to check the status of a Dodo Payments checkout session. However, it does not verify whether the retrieved checkout session belongs to the requesting authenticated user.

An authenticated user can query details of any other user's checkout session by calling this route with a valid Dodo Payments session ID. The Dodo Payments API response contains sensitive customer details including name, email, product purchased, metadata, and status, leading to insecure direct object reference (IDOR) and information disclosure.

Source Code Location

  • File: server/src/module/payment/payment.controller.ts
  • File: server/src/module/payment/payment.service.ts

Reproduction Steps

  1. Authenticate as User A.
  2. Initiate a checkout session. Dodo Payments returns a session ID.
  3. Authenticate as User B.
  4. Send a request to GET /api/payment/checkout-status/<SessionId_from_User_A> as User B.
  5. The server returns the session details of User A, exposing their personal details and transaction details to User B.

Proposed Fix

When Dodo Payments returns the checkout session, verify that the metadata userId field matches the authenticated user's ID before sending the response:

// Checkout session as returned by Dodo Payments through the service layer.
const status = await this.paymentService.getCheckoutStatus(sessionId);
// Ownership check: the session's metadata must name the authenticated user.
// Optional chaining makes a session without metadata/userId compare as undefined
// and fall into the deny branch as well.
if (status.metadata?.userId !== String(req.user.id)) {
  res.status(403).json({ message: "Access denied" });
  return;
}
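The ownership check from the proposed fix, as an added example that is neither the project's code nor the reporter's: a constructed in-memory session store stands in for the Dodo Payments lookup, and the vulnerable handler shape sits beside the fixed one. The function names, the `Reply` type and the sample sessions are assumptions made for the illustration.

```typescript
// Added example (not the project's code): the ownership check from the proposed fix,
// applied to a constructed in-memory stand-in for the Dodo Payments session lookup.
type CheckoutSession = {
  sessionId: string;
  status: string;
  customer: { name: string; email: string };
  metadata?: { userId?: string };
};

type Reply = { status: number; body: unknown };

// Constructed sample sessions; real responses come from the Dodo Payments API.
const SESSIONS: Record<string, CheckoutSession> = {
  sess_A: { sessionId: "sess_A", status: "paid",
            customer: { name: "Alice", email: "alice@example.com" }, metadata: { userId: "1" } },
  sess_B: { sessionId: "sess_B", status: "pending",
            customer: { name: "Bob", email: "bob@example.com" }, metadata: { userId: "2" } },
  // A session created without a userId in its metadata cannot be attributed to anyone.
  sess_orphan: { sessionId: "sess_orphan", status: "paid",
                 customer: { name: "Carol", email: "carol@example.com" } },
};

// Stand-in for paymentService.getCheckoutStatus (synchronous here for simplicity).
function getCheckoutStatus(sessionId: string): CheckoutSession | undefined {
  return SESSIONS[sessionId];
}

// Vulnerable shape: any authenticated user receives whatever the provider returns.
function checkoutStatusUnchecked(sessionId: string, _userId: number): Reply {
  const session = getCheckoutStatus(sessionId);
  return session ? { status: 200, body: session } : { status: 404, body: { message: "Not found" } };
}

// Fixed shape: the session's metadata.userId must equal the authenticated user's id.
// Optional chaining makes a missing metadata/userId compare as undefined, so orphan
// sessions are denied rather than leaked.
function checkoutStatusChecked(sessionId: string, userId: number): Reply {
  const session = getCheckoutStatus(sessionId);
  if (!session) return { status: 404, body: { message: "Not found" } };
  if (session.metadata?.userId !== String(userId)) {
    // Responding 404 here instead of 403 would also avoid confirming that the session exists.
    return { status: 403, body: { message: "Access denied" } };
  }
  return { status: 200, body: session };
}
```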
