fix product route access

apps/backend/src/app/api/latest/payments/items/[customer_type]/[customer_id]/[item_id]/route.ts

@@ -1,4 +1,4 @@
-import { ensureCustomerExists, getItemQuantityForCustomer } from "@/lib/payments";
+import { ensureClientCanAccessCustomer, ensureCustomerExists, getItemQuantityForCustomer } from "@/lib/payments";
 import { getPrismaClientForTenancy } from "@/prisma-client";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { KnownErrors } from "@stackframe/stack-shared";
@@ -64,7 +64,16 @@ export const GET = createSmartRouteHandler({
       }),
     }).defined(),
   }),
-  handler: async (req) => {
+  handler: async (req, fullReq) => {
+    if (req.auth.type === "client") {
+      await ensureClientCanAccessCustomer({
+        customerType: req.params.customer_type,
+        customerId: req.params.customer_id,
+        user: fullReq.auth?.user,
+        tenancy: req.auth.tenancy,
+        forbiddenMessage: "Clients can only access their own user or team items.",
+      });
+    }
     const { tenancy } = req.auth;
     const paymentsConfig = tenancy.config.payments;
 
@@ -100,5 +109,3 @@ export const GET = createSmartRouteHandler({
     };
   },
 });
-
-

apps/backend/src/app/api/latest/payments/products/[customer_type]/[customer_id]/route.ts

@@ -1,4 +1,4 @@
-import { ensureProductIdOrInlineProduct, getOwnedProductsForCustomer, grantProductToCustomer, productToInlineProduct } from "@/lib/payments";
+import { ensureClientCanAccessCustomer, ensureProductIdOrInlineProduct, getOwnedProductsForCustomer, grantProductToCustomer, productToInlineProduct } from "@/lib/payments";
 import { getPrismaClientForTenancy } from "@/prisma-client";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { adaptSchema, clientOrHigherAuthTypeSchema, inlineProductSchema, serverOrHigherAuthTypeSchema, yupBoolean, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
@@ -32,7 +32,16 @@ export const GET = createSmartRouteHandler({
     bodyType: yupString().oneOf(["json"]).defined(),
     body: customerProductsListResponseSchema,
   }),
-  handler: async ({ auth, params, query }) => {
+  handler: async ({ auth, params, query }, fullReq) => {
+    if (auth.type === "client") {
+      await ensureClientCanAccessCustomer({
+        customerType: params.customer_type,
+        customerId: params.customer_id,
+        user: fullReq.auth?.user,
+        tenancy: auth.tenancy,
+        forbiddenMessage: "Clients can only access their own user or team products.",
+      });
+    }
     const prisma = await getPrismaClientForTenancy(auth.tenancy);
     const ownedProducts = await getOwnedProductsForCustomer({
       prisma,
@@ -191,4 +200,3 @@ export const POST = createSmartRouteHandler({
     };
   },
 });
-

apps/backend/src/lib/payments.tsx

@@ -26,7 +26,7 @@ type ProductWithMetadata = yup.InferType<typeof productSchemaWithMetadata>;
 type SelectedPrice = Exclude<Product["prices"], "include-by-default">[string];
 
 export async function ensureClientCanAccessCustomer(options: {
-  customerType: "user" | "team",
+  customerType: "user" | "team" | "custom",
   customerId: string,
   user: UsersCrud["Admin"]["Read"] | undefined,
   tenancy: Tenancy,
@@ -36,6 +36,9 @@ export async function ensureClientCanAccessCustomer(options: {
   if (!currentUser) {
     throw new KnownErrors.UserAuthenticationRequired();
   }
+  if (options.customerType === "custom") {
+    throw new StatusError(StatusError.Forbidden, options.forbiddenMessage);
+  }
   if (options.customerType === "user") {
     if (options.customerId !== currentUser.id) {
       throw new StatusError(StatusError.Forbidden, options.forbiddenMessage);