Suppose UserA and UserB are both fully authenticated users who
have purchased and sold (aka they have set up payment methods stored
in the db).
Given that we have full API and listing access because the API is only
secured at the border via bearer token, we can repeatedly call
/userlistings/create + /createOrder to drain either user's bank account.
We need to turn off payments 100% until we know it's secure.
@jordanharris to merge.
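The missing control the issue describes is object-level authorization on /createOrder: the bearer token proves someone is logged in, but nothing ties the payment method in the request body to that caller. The following is an added illustration, not the project's code; the endpoint name comes from the issue, while the data model, the `Forbidden` status values and the sample rows are constructed assumptions.

```python
# Added example: contrast a border-only check with a per-object ownership check
# on createOrder. Data model and sample rows are constructed, not the project's.
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentMethod:
    id: str
    owner_id: str


@dataclass(frozen=True)
class Listing:
    id: str
    seller_id: str


# Constructed sample rows standing in for the stored payment methods and listings.
PAYMENT_METHODS = {
    "pm_a": PaymentMethod("pm_a", owner_id="userA"),
    "pm_b": PaymentMethod("pm_b", owner_id="userB"),
}
LISTINGS = {"lst_1": Listing("lst_1", seller_id="userA")}


def create_order_border_only(auth_user_id, listing_id, payment_method_id):
    """Models the reported behaviour: once the bearer token is accepted,
    whatever payment method id appears in the body gets charged."""
    pm = PAYMENT_METHODS[payment_method_id]
    listing = LISTINGS[listing_id]
    return {"status": "ok", "buyer": auth_user_id,
            "charged": pm.owner_id, "listing": listing.id}


def create_order_checked(auth_user_id, listing_id, payment_method_id):
    """Hardened form: the payment method must belong to the authenticated
    caller, and a seller may not place an order against their own listing.
    Returns a status dict instead of raising so callers can map it to 403/404."""
    pm = PAYMENT_METHODS.get(payment_method_id)
    listing = LISTINGS.get(listing_id)
    if pm is None or listing is None:
        return {"status": "not_found"}
    if pm.owner_id != auth_user_id:
        # Ownership is checked against the token's subject, never the body.
        return {"status": "forbidden", "reason": "payment method not owned by caller"}
    if listing.seller_id == auth_user_id:
        return {"status": "forbidden", "reason": "seller cannot order own listing"}
    return {"status": "ok", "buyer": auth_user_id,
            "charged": pm.owner_id, "listing": listing.id}
```

The same ownership check belongs on every endpoint that accepts a payment method or listing id in the body, including /userlistings/create, since a border-only token check cannot distinguish UserA's resources from UserB's.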