Closed Eli-Nathan closed 1 year ago
@Eli-Nathan We are working on securing all the API endpoints; these bugs will soon be fixed in the latest release.
@Eli-Nathan We have updated the routes' authentication. To install the updated version of strapi-stripe: https://www.npmjs.com/package/strapi-stripe
Just a question around security...
It seems that the /strapi-stripe/getSubscriptionStatus/<user-email> endpoint is a public endpoint for the plugin. This means anyone can hit that endpoint with someone else's email address and get all the data about their subscription.
Is this the way Stripe's API works? I'm guessing the data returned is all non-sensitive?
Or should this be locked down?
Ideally, I'd like a custom endpoint in which I can handle checking that the user is authenticated, and using their token I'd make an internal request to getSubscriptionStatus to ensure logged-in users can only get their own subscription information.
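The pattern the issue asks for, as an added example that is not code from the strapi-stripe plugin or from anyone in this thread. It contrasts the public route shape (e-mail taken from the URL, so any caller can read any subscriber's record) with a handler that derives the e-mail from the authenticated user and ignores the path parameter. The handlers use the Koa-style `ctx` that Strapi controllers receive (`ctx.params`, `ctx.state.user`, `ctx.status`, `ctx.body`); that `ctx.state.user` is populated from a valid token is an assumption about the users-permissions setup, and `getSubscriptionStatus` below is a constructed in-memory stand-in for the plugin's lookup, not the plugin's own function.

```javascript
// Added example, not part of the strapi-stripe plugin. Two Koa-style handlers
// in the shape Strapi controllers use. The subscription lookup is a constructed
// stand-in for the plugin's getSubscriptionStatus (assumed to be async).

// Constructed sample data standing in for what Stripe would return.
const SUBSCRIPTIONS = {
  'alice@example.com': { status: 'active', plan: 'pro' },
  'bob@example.com': { status: 'past_due', plan: 'basic' },
};

// Stand-in for the plugin's lookup; a real Stripe call would be awaited too.
async function getSubscriptionStatus(email) {
  return SUBSCRIPTIONS[email] || null;
}

// Public route shape: the e-mail comes from the URL and nothing ties it to the
// caller, so any client can read any subscriber's record (an insecure direct
// object reference).
function publicHandler(lookup) {
  return async (ctx) => {
    ctx.status = 200;
    ctx.body = await lookup(ctx.params.email);
  };
}

// Hardened shape: require an authenticated user and take the e-mail from the
// session, ignoring whatever the client put in the path or query string.
function ownSubscriptionHandler(lookup) {
  return async (ctx) => {
    const user = ctx.state && ctx.state.user;
    if (!user || !user.email) {
      ctx.status = 401;
      ctx.body = { error: 'authentication required' };
      return;
    }
    const record = await lookup(user.email);
    if (!record) {
      ctx.status = 404;
      ctx.body = { error: 'no subscription' };
      return;
    }
    ctx.status = 200;
    ctx.body = record;
  };
}

// Minimal ctx builder for the demo; a real Strapi/Koa ctx carries more fields.
function makeCtx({ params = {}, user = null } = {}) {
  return { params, state: { user }, status: 0, body: undefined };
}

// Run the three cases the issue is about and return the resulting contexts.
async function demo() {
  const open = publicHandler(getSubscriptionStatus);
  const locked = ownSubscriptionHandler(getSubscriptionStatus);

  // 1. Unauthenticated caller names someone else's address on the public route.
  const leak = makeCtx({ params: { email: 'alice@example.com' } });
  await open(leak);

  // 2. The same request against the hardened route is rejected.
  const anon = makeCtx({ params: { email: 'alice@example.com' } });
  await locked(anon);

  // 3. Bob is logged in and asks for Alice's record; he only gets his own.
  const bob = makeCtx({
    params: { email: 'alice@example.com' },
    user: { email: 'bob@example.com' },
  });
  await locked(bob);

  return { leak, anon, bob };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In Strapi the hardened handler would be registered on a route whose policy requires authentication, and the lookup would be a call into the plugin's service rather than the in-memory map; the essential point is that the e-mail used for the lookup never comes from client-controlled input.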