mickasmt next-saas-stripe-starter Authorization Bypass Vulnerability in Stripe API

Vulnerability

An authorization bypass vulnerability has been identified in mickasmt next-saas-stripe-starter version 1.0.0. The issue lies in the openCustomerPortal function in the actions/open-customer-portal.ts file, part of the Stripe API component. The vulnerability is remotely exploitable, although its attack complexity is considered high.

Impact

Exploitation of this vulnerability allows attackers to bypass authorization controls, enabling them to access and manipulate another user's billing information through the Stripe Customer Portal. This includes viewing and modifying subscription details, payment methods, and billing history.

Reproduction

To reproduce this vulnerability, intercept a call to the openCustomerPortal function, which is triggered by the CustomerPortalButton component. The function receives a userStripeId parameter from the client and uses it without verifying that it belongs to the calling user. Replacing this parameter with a valid but unauthorized Stripe customer ID causes the function to open the victim's billing portal.

Remediation

The vulnerability can be addressed by modifying the openCustomerPortal function so that it verifies the userStripeId belongs to the authenticated user instead of accepting it directly from the client. The safest form of this fix is to drop the client-supplied parameter entirely and look up the user's Stripe customer ID in the database from their authenticated session; if the parameter is kept for compatibility, it must be compared against that stored value and the request rejected on any mismatch.
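The following is an added example, not code from the next-saas-stripe-starter project, contrasting the vulnerable shape described above with two remediated shapes: one that derives the customer ID from the authenticated session alone, and one that keeps the parameter but verifies it against the stored value. The session object, user table, and portal-session factory are in-memory stand-ins constructed here (the real project would use its auth helper, its database, and stripe.billingPortal.sessions.create); all user and customer identifiers are constructed placeholders.

```typescript
// Added example (not the project's code). Models a Next.js server action that opens
// the Stripe Customer Portal, with the session, database and Stripe client replaced
// by in-memory stand-ins so the example runs offline.

type Session = { user: { id: string } } | null;

interface UserRecord {
  id: string;
  stripeCustomerId: string | null;
}

// Constructed sample data: two users, each with their own (placeholder) Stripe customer id.
const USERS: UserRecord[] = [
  { id: "user_alice", stripeCustomerId: "cus_ALICE_PLACEHOLDER" },
  { id: "user_bob", stripeCustomerId: "cus_BOB_PLACEHOLDER" },
  { id: "user_carol", stripeCustomerId: null }, // signed up, never subscribed
];

// Stand-in for a database lookup by primary key.
function findUserById(id: string): UserRecord | undefined {
  return USERS.find((u) => u.id === id);
}

// Stand-in for stripe.billingPortal.sessions.create(): records which customer the
// portal session was opened for, so callers can see whose billing data is exposed.
function createPortalSession(customerId: string, returnUrl: string): { url: string; customer: string } {
  const url = `https://billing.example.test/session?customer=${customerId}&return=${encodeURIComponent(returnUrl)}`;
  return { url, customer: customerId };
}

type PortalResult =
  | { status: "success"; customer: string; url: string }
  | { status: "error"; reason: string };

const RETURN_URL = "/dashboard/billing";

// Vulnerable shape: the caller-supplied id is trusted as-is. Any authenticated user
// who submits another user's valid customer id is handed that user's portal.
function openCustomerPortalVulnerable(session: Session, userStripeId: string): PortalResult {
  if (session === null) return { status: "error", reason: "unauthenticated" };
  const portal = createPortalSession(userStripeId, RETURN_URL);
  return { status: "success", customer: portal.customer, url: portal.url };
}

// Remediated shape A: the client sends nothing about which customer to open; the id is
// read from the authenticated user's own record.
function openCustomerPortalFromSession(session: Session): PortalResult {
  if (session === null) return { status: "error", reason: "unauthenticated" };
  const user = findUserById(session.user.id);
  if (!user || user.stripeCustomerId === null) {
    return { status: "error", reason: "no billing account for this user" };
  }
  const portal = createPortalSession(user.stripeCustomerId, RETURN_URL);
  return { status: "success", customer: portal.customer, url: portal.url };
}

// Remediated shape B: the parameter is kept (e.g. for compatibility with an existing
// button component) but is only accepted if it matches the stored value. The stored
// value, never the parameter, is what gets passed on.
function openCustomerPortalVerified(session: Session, userStripeId: string): PortalResult {
  if (session === null) return { status: "error", reason: "unauthenticated" };
  const user = findUserById(session.user.id);
  if (!user || user.stripeCustomerId === null) {
    return { status: "error", reason: "no billing account for this user" };
  }
  if (user.stripeCustomerId !== userStripeId) {
    // Mismatch is worth logging server-side: it is either a stale client or a probe.
    return { status: "error", reason: "customer id does not belong to the authenticated user" };
  }
  const portal = createPortalSession(user.stripeCustomerId, RETURN_URL);
  return { status: "success", customer: portal.customer, url: portal.url };
}

export { openCustomerPortalVulnerable, openCustomerPortalFromSession, openCustomerPortalVerified, USERS };
```

Shape A is preferable because it removes the untrusted input altogether; shape B is the minimal change when the client already passes the id, and the important detail is that the stored value, not the request parameter, is what reaches the Stripe call.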

Added: Mar 22, 2026, 2:19 PM
Updated: Mar 22, 2026, 2:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 4.2
remediation: 0.0
relevance: 4.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.