fix(payments): add organization membership check to top-up checkout

Verify the authenticated user belongs to the organization before
creating or reusing its Stripe customer on the top-up path.

Author: evanjacobson

src/app/payments/topup/route.ts

@@ -6,6 +6,7 @@ import { MAXIMUM_TOP_UP_AMOUNT, MINIMUM_TOP_UP_AMOUNT } from '@/lib/constants';
 import { isValidReturnUrl } from '@/lib/payment-return-url';
 import { captureException } from '@sentry/nextjs';
 import { getOrCreateStripeCustomerIdForOrganization } from '@/lib/organizations/organization-billing';
+import { getAuthorizedOrgContext } from '@/lib/organizations/organization-auth';
 
 /**
  * NOTE: Crypto payment support (Coinbase Commerce) was removed in January 2026.
@@ -63,10 +64,16 @@ export async function POST(request: NextRequest): Promise<NextResponse<unknown>>
     return NextResponse.json({ error: 'Invalid org id' }, { status: 400 });
   }
 
-  const stripeCustomerId = organizationId
-    ? // TODO(bmc): should we check user permission to organization here?
-      await getOrCreateStripeCustomerIdForOrganization(organizationId)
-    : currentUser.stripe_customer_id;
+  let stripeCustomerId: string | null | undefined;
+  if (organizationId) {
+    const orgContext = await getAuthorizedOrgContext(organizationId);
+    if (!orgContext.success) {
+      return orgContext.nextResponse;
+    }
+    stripeCustomerId = await getOrCreateStripeCustomerIdForOrganization(organizationId);
+  } else {
+    stripeCustomerId = currentUser.stripe_customer_id;
+  }
 
   const cancelPathRaw = searchParams.get('cancel-path');
   const cancelPath = cancelPathRaw && isValidReturnUrl(cancelPathRaw) ? cancelPathRaw : null;