Labels: bug (Something isn't working)
Description
There is a critical security vulnerability in the Stripe Connect integration where the user._id is being passed from the client-side component to the server action, which could allow for user impersonation attacks.
Current Implementation
In components/seller-dashboard.tsx (line 129), the client component is passing user?._id directly to the server action:

await createStripeConnectCustomer(user?._id as Id<"users">);

The server action actions/createStripeConnectCustomer.ts accepts this userId parameter and uses it to create Stripe Connect accounts.
Security Issues
- Client-side data manipulation: Users can modify the userId in browser dev tools or network requests
- Impersonation attacks: Malicious users could potentially create Stripe Connect accounts for other users
- No server-side authentication verification: The server action trusts client-provided user identification
- Violation of security best practices: Sensitive operations should never rely on client-provided user identifiers
Expected Behavior
The server action should:
- Authenticate the user server-side using session/auth tokens
- Retrieve the user ID from authenticated context
- Never trust client-provided user identification for sensitive operations
Proposed Solution
- Remove the userId parameter from the createStripeConnectCustomer server action
- Implement server-side authentication to get the current user's ID
- Update the client component to call the server action without passing user ID
- Ensure proper authentication context is available in server actions
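To make the proposed change concrete, here is an added example (not the project's code) that models the server action before and after the fix. AuthContext and StripeGateway are hypothetical stand-ins for Convex Auth and the Stripe SDK, and the functions are synchronous only so the demo runs stand-alone.

```typescript
// Added example, not the project's code: the issue's "before" and "after"
// shapes of the server action. AuthContext and StripeGateway are hypothetical
// stand-ins for Convex Auth and the Stripe SDK; the functions are synchronous
// only so the demo runs stand-alone (a real Next.js server action is async).

type UserId = string;

interface AuthContext {
  // The caller's id from the server-side session, or null if unauthenticated.
  // Nothing the client sends in the request body can change this value.
  currentUserId(): UserId | null;
}

interface StripeGateway {
  createConnectAccount(owner: UserId): { accountId: string; owner: UserId };
}

// BEFORE (the bug): the action trusts whatever id the client sends, so a
// caller can open a Connect account under any user id they choose.
function createStripeConnectCustomerVulnerable(stripe: StripeGateway, userId: UserId) {
  return stripe.createConnectAccount(userId);
}

// AFTER (proposed fix): no userId parameter. Identity comes only from the
// authenticated server context, and unauthenticated calls are rejected.
function createStripeConnectCustomer(stripe: StripeGateway, auth: AuthContext) {
  const userId = auth.currentUserId();
  if (userId === null) throw new Error("Unauthenticated");
  return stripe.createConnectAccount(userId);
}

// Constructed in-memory fakes so the two versions can be exercised offline.
function fakeStripe(): StripeGateway & { created: UserId[] } {
  const created: UserId[] = [];
  return {
    created,
    createConnectAccount(owner) {
      created.push(owner);
      return { accountId: `acct_fake_${created.length}`, owner };
    },
  };
}

function sessionFor(userId: UserId | null): AuthContext {
  return { currentUserId: () => userId };
}
```

The fixed version also needs the client call site updated to pass no user id, matching the last two steps above.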
Impact
- Severity: High
- Risk: User impersonation, unauthorized Stripe account creation
- Affected Files:
  - components/seller-dashboard.tsx
  - actions/createStripeConnectCustomer.ts
Environment
- Framework: Next.js with Convex
- Authentication: Convex Auth
- Payment Processing: Stripe Connect