Bug

POST /api/payments accepts invalid payment amounts because the controller passes req.body directly into createPaymentIntent without request validation.

Reproduction payloads:

{ "amount": -100, "currency": "usd" }

{ "currency": "usd" }

Observed behavior from current origin/main:

HTTP 201
{ "success": true, "data": { "paymentId": "pay_...", "amount": -100, "currency": "usd", "provider": "stripe" } }

HTTP 201
{ "success": true, "data": { "paymentId": "pay_...", "currency": "usd", "provider": "stripe" } }

Impact

• Negative payment amounts can be accepted as successful payment intents.
• Missing amount values can produce incomplete payment responses.
• The API behavior is inconsistent with expected payment validation before handing payloads to a payment provider integration.

Expected behavior

Payment creation should require a positive numeric amount. Invalid or missing amounts should return HTTP 400 using the API failure envelope, while valid payment creation should continue to return HTTP 201.

Proposed fix

• Add a payment request validator requiring amount to be a positive number.
• Keep currency optional with the existing usd default.
• Return HTTP 400 for invalid payment payloads.
• Add endpoint regression tests for negative, missing, and valid payment payloads.

This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.

Parent bounty: #743.