moov-io / customers

Customer registry supporting Know Your Customer (KYC), Customer Identification Program (CIP), and OFAC checks
https://moov.io
Apache License 2.0

accounts: GET /accounts/:id does not validate organization #249

Closed adamdecaf closed 4 years ago

adamdecaf commented 4 years ago

Customers Version: v0.5.0-dev23

What were you trying to do?

When loading GET /customers/{customerID}/accounts the X-Organization header is not checked to confirm that the Customer (for the Account(s)) belongs to the Organization.

The same applies on other Account related endpoints.

There's no check in the endpoint currently:

https://github.com/moov-io/customers/blob/v0.5.0-dev23/pkg/accounts/router.go#L46-L62
https://github.com/moov-io/customers/blob/v0.5.0-dev23/pkg/accounts/router.go#L168-L199

What did you expect to see?

The X-Organization header is used to filter Accounts returned - often by authentication systems.
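The fix the issue asks for is an authorization check that runs before any account data is read: resolve the customer, compare its organization to the X-Organization header, and refuse the request on mismatch. The following is an added illustration, not code from moov-io/customers; the `CustomerRepository` interface, the `Customer`/`Account` structs, the in-memory `memRepo` and its sample data are all constructed for this example and do not reflect the project's real storage layer or models.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Constructed, simplified models for this example (not the project's own types).
type Customer struct {
	ID             string
	OrganizationID string
}

type Account struct {
	ID         string `json:"id"`
	CustomerID string `json:"customerID"`
}

// ErrNotFound is returned by the hypothetical repository when nothing matches.
var ErrNotFound = errors.New("not found")

// CustomerRepository is an assumed lookup interface standing in for the
// project's storage layer.
type CustomerRepository interface {
	GetCustomer(customerID string) (*Customer, error)
	GetAccounts(customerID string) ([]Account, error)
}

// memRepo is an in-memory repository holding constructed sample data.
type memRepo struct {
	customers map[string]Customer
	accounts  map[string][]Account
}

func (m memRepo) GetCustomer(customerID string) (*Customer, error) {
	c, ok := m.customers[customerID]
	if !ok {
		return nil, ErrNotFound
	}
	return &c, nil
}

func (m memRepo) GetAccounts(customerID string) ([]Account, error) {
	return m.accounts[customerID], nil
}

// newSampleRepo builds constructed data: two organizations, one customer each.
func newSampleRepo() memRepo {
	return memRepo{
		customers: map[string]Customer{
			"cust-1": {ID: "cust-1", OrganizationID: "org-A"},
			"cust-2": {ID: "cust-2", OrganizationID: "org-B"},
		},
		accounts: map[string][]Account{
			"cust-1": {{ID: "acct-11", CustomerID: "cust-1"}},
			"cust-2": {{ID: "acct-21", CustomerID: "cust-2"}, {ID: "acct-22", CustomerID: "cust-2"}},
		},
	}
}

// authorizeCustomer decides whether the caller's organization may read the
// customer and returns the HTTP status to answer with: 200 when the customer
// belongs to that organization, 400 when the header is missing, and 404 both
// for an unknown customer and for one owned by another organization, so the
// response does not reveal which of the two is the case.
func authorizeCustomer(repo CustomerRepository, organization, customerID string) int {
	if strings.TrimSpace(organization) == "" {
		return http.StatusBadRequest
	}
	cust, err := repo.GetCustomer(customerID)
	if err != nil || cust.OrganizationID != organization {
		return http.StatusNotFound
	}
	return http.StatusOK
}

// getCustomerAccounts handles GET /customers/{customerID}/accounts and runs the
// organization check before any account rows are fetched.
func getCustomerAccounts(repo CustomerRepository) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/") // customers/{id}/accounts
		if len(parts) != 3 || parts[0] != "customers" || parts[2] != "accounts" {
			http.NotFound(w, r)
			return
		}
		customerID := parts[1]
		if status := authorizeCustomer(repo, r.Header.Get("X-Organization"), customerID); status != http.StatusOK {
			http.Error(w, http.StatusText(status), status)
			return
		}
		accounts, err := repo.GetAccounts(customerID)
		if err != nil {
			http.Error(w, "lookup failed", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(accounts)
	}
}

func main() {
	repo := newSampleRepo()
	for _, org := range []string{"org-A", "org-B", ""} {
		fmt.Printf("X-Organization=%q for cust-1 -> %d\n", org, authorizeCustomer(repo, org, "cust-1"))
	}
	// Mount with: http.Handle("/customers/", getCustomerAccounts(repo))
}
```

The same `authorizeCustomer` call belongs at the top of every account-related handler the issue mentions, since the customer's organization is the single property that scopes all of them; answering 404 rather than 403 on a cross-organization lookup keeps customer identifiers from being enumerable across tenants.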