fix(background-checks): security hardening across payment flow, validation, and logging

P1: Restructure requestForMember to create DB record before charging
Stripe, preventing orphaned payments on DB failure and eliminating the
TOCTOU race condition on concurrent requests via unique constraint catch.

P2: Add @maxlength to base64 fileData field (50MB limit), add @isurl
validation to billing redirect DTOs, remove env var names from error
messages, and add session metadata org check in handleSetupSuccess.

P3: Enhance refund failure logging with structured context for manual
intervention.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: carhartlewis

apps/api/src/attachments/upload-attachment.dto.ts

@@ -35,6 +35,7 @@ export class UploadAttachmentDto {
   })
   @IsString()
   @IsNotEmpty()
+  @MaxLength(67_108_864)
   @IsBase64()
   fileData: string;
 

apps/api/src/background-checks/background-check-billing.service.ts

@@ -82,6 +82,10 @@ export class BackgroundCheckBillingService {
       throw new BadRequestException('Checkout session is not complete.');
     }
 
+    if (session.metadata?.organizationId && session.metadata.organizationId !== organizationId) {
+      throw new BadRequestException('Checkout session does not belong to this organization.');
+    }
+
     const stripeCustomerId = this.extractStripeId(session.customer);
     if (!stripeCustomerId) {
       throw new BadRequestException('Checkout session is missing a customer.');
@@ -191,13 +195,13 @@ export class BackgroundCheckBillingService {
   async getBackgroundCheckPrice(): Promise<{ id: string; unitAmount: number; currency: string }> {
     const priceId = process.env.STRIPE_BACKGROUND_CHECK_PRICE_ID;
     if (!priceId) {
-      throw new BadRequestException('STRIPE_BACKGROUND_CHECK_PRICE_ID is not configured.');
+      throw new BadRequestException('Background check pricing is not configured. Contact support.');
     }
 
     const stripe = this.stripeService.getClient();
     const price = await stripe.prices.retrieve(priceId);
     if (price.unit_amount === null || price.unit_amount === undefined) {
-      throw new BadRequestException('Background check price has no unit amount.');
+      throw new BadRequestException('Background check pricing is not configured. Contact support.');
     }
 
     return {

apps/api/src/background-checks/background-check-identity.client.ts

@@ -17,7 +17,7 @@ export class BackgroundCheckIdentityClient {
   }): Promise<IdentityCreateResponse> {
     const apiKey = process.env.BACKGROUND_CHECK_API_KEY;
     if (!apiKey) {
-      throw new BadRequestException('BACKGROUND_CHECK_API_KEY is not configured.');
+      throw new BadRequestException('Background check service is not configured. Contact support.');
     }
 
     const baseUrl = this.baseUrl();

apps/api/src/background-checks/background-check-payment.service.ts

@@ -97,7 +97,15 @@ export class BackgroundCheckPaymentService {
       );
       return refund.id;
     } catch (error) {
-      this.logger.error('Failed to refund background check payment', error);
+      this.logger.error(
+        'Failed to refund background check payment — manual refund required.',
+        {
+          organizationId: params.organizationId,
+          memberId: params.memberId,
+          paymentIntentId: params.paymentIntentId,
+          error: error instanceof Error ? error.message : 'Unknown error',
+        },
+      );
       return null;
     }
   }

apps/api/src/background-checks/background-checks.service.spec.ts

@@ -27,6 +27,7 @@ jest.mock('@db', () => {
       backgroundCheckRequest: {
         findUnique: jest.fn(),
         findFirst: jest.fn(),
+        create: jest.fn(),
         upsert: jest.fn(),
         update: jest.fn(),
       },
@@ -219,17 +220,23 @@ describe('background checks', () => {
       id: 'mem_1',
       organizationId: 'org_1',
     } as Awaited<ReturnType<typeof db.member.findFirst>>);
-    mockAsync<Awaited<ReturnType<typeof db.backgroundCheckRequest.upsert>>>(
-      mockedDb.backgroundCheckRequest.upsert,
+    mockAsync<Awaited<ReturnType<typeof db.backgroundCheckRequest.create>>>(
+      mockedDb.backgroundCheckRequest.create,
+    ).mockResolvedValueOnce({
+      id: 'bcr_1',
+      status: 'invited',
+    } as Awaited<ReturnType<typeof db.backgroundCheckRequest.create>>);
+    mockAsync<Awaited<ReturnType<typeof db.backgroundCheckRequest.update>>>(
+      mockedDb.backgroundCheckRequest.update,
     )
       .mockResolvedValueOnce({
         id: 'bcr_1',
         status: 'invited',
-      } as Awaited<ReturnType<typeof db.backgroundCheckRequest.upsert>>)
+      } as Awaited<ReturnType<typeof db.backgroundCheckRequest.update>>)
       .mockResolvedValueOnce({
         id: 'bcr_1',
         status: 'failed',
-      } as Awaited<ReturnType<typeof db.backgroundCheckRequest.upsert>>);
+      } as Awaited<ReturnType<typeof db.backgroundCheckRequest.update>>);
 
     const identityClient = {
       createBackgroundCheck: jest.fn().mockRejectedValue(new Error('identity down')),
@@ -263,9 +270,9 @@ describe('background checks', () => {
       memberId: 'mem_1',
       paymentIntentId: 'pi_1',
     });
-    expect(mockedDb.backgroundCheckRequest.upsert).toHaveBeenCalledWith(
+    expect(mockedDb.backgroundCheckRequest.update).toHaveBeenCalledWith(
       expect.objectContaining({
-        create: expect.objectContaining({
+        data: expect.objectContaining({
           status: 'failed',
           stripeRefundId: 're_1',
         }),
@@ -283,17 +290,23 @@ describe('background checks', () => {
       id: 'mem_1',
       organizationId: 'org_1',
     } as Awaited<ReturnType<typeof db.member.findFirst>>);
-    mockAsync<Awaited<ReturnType<typeof db.backgroundCheckRequest.upsert>>>(
-      mockedDb.backgroundCheckRequest.upsert,
+    mockAsync<Awaited<ReturnType<typeof db.backgroundCheckRequest.create>>>(
+      mockedDb.backgroundCheckRequest.create,
+    ).mockResolvedValueOnce({
+      id: 'bcr_1',
+      status: 'invited',
+    } as Awaited<ReturnType<typeof db.backgroundCheckRequest.create>>);
+    mockAsync<Awaited<ReturnType<typeof db.backgroundCheckRequest.update>>>(
+      mockedDb.backgroundCheckRequest.update,
     )
       .mockResolvedValueOnce({
         id: 'bcr_1',
         status: 'invited',
-      } as Awaited<ReturnType<typeof db.backgroundCheckRequest.upsert>>)
+      } as Awaited<ReturnType<typeof db.backgroundCheckRequest.update>>)
       .mockResolvedValueOnce({
         id: 'bcr_1',
         status: 'invited',
-      } as Awaited<ReturnType<typeof db.backgroundCheckRequest.upsert>>);
+      } as Awaited<ReturnType<typeof db.backgroundCheckRequest.update>>);
 
     const identityClient = {
       createBackgroundCheck: jest.fn().mockResolvedValue({
@@ -325,32 +338,34 @@ describe('background checks', () => {
       requesterNotes: 'Expedite this check.',
     });
 
-    expect(mockedDb.backgroundCheckRequest.upsert).toHaveBeenCalledWith(
+    // Record is created with requester notes before charging
+    expect(mockedDb.backgroundCheckRequest.create).toHaveBeenCalledWith(
       expect.objectContaining({
-        create: expect.objectContaining({
+        data: expect.objectContaining({
           requesterNotes: 'Expedite this check.',
+          status: 'invited',
         }),
       }),
     );
-    expect(mockedDb.backgroundCheckRequest.upsert).toHaveBeenNthCalledWith(
-      1,
+    // Payment info is persisted via update
+    expect(mockedDb.backgroundCheckRequest.update).toHaveBeenCalledWith(
       expect.objectContaining({
-        create: expect.objectContaining({
-          status: 'invited',
+        data: expect.objectContaining({
           stripePaymentIntentId: 'pi_1',
         }),
       }),
     );
-    expect(mockedDb.backgroundCheckRequest.upsert).toHaveBeenNthCalledWith(
-      2,
+    // Identity result is persisted via update
+    expect(mockedDb.backgroundCheckRequest.update).toHaveBeenCalledWith(
       expect.objectContaining({
-        update: expect.objectContaining({
+        data: expect.objectContaining({
           identityBackgroundCheckId: 'check_1',
           candidateUrl: 'https://identity.trycomp.ai/cand_1',
         }),
       }),
     );
-    expect(invocationOrder(mockedDb.backgroundCheckRequest.upsert)).toBeLessThan(
+    // Record is created before Identity API is called
+    expect(invocationOrder(mockedDb.backgroundCheckRequest.create)).toBeLessThan(
       invocationOrder(identityClient.createBackgroundCheck),
     );
     expect(identityClient.createBackgroundCheck).toHaveBeenCalledWith(
@@ -360,6 +375,51 @@ describe('background checks', () => {
     );
   });
 
+  it('handles concurrent requests by returning existing record on unique constraint', async () => {
+    const { Prisma } = jest.requireMock<typeof import('@db')>('@db');
+    mockAsync<Awaited<ReturnType<typeof db.backgroundCheckRequest.findUnique>>>(
+      mockedDb.backgroundCheckRequest.findUnique,
+    )
+      .mockResolvedValueOnce(null)
+      .mockResolvedValueOnce({
+        id: 'bcr_1',
+        status: 'invited',
+      } as Awaited<ReturnType<typeof db.backgroundCheckRequest.findUnique>>);
+    mockAsync<Awaited<ReturnType<typeof db.member.findFirst>>>(
+      mockedDb.member.findFirst,
+    ).mockResolvedValueOnce({
+      id: 'mem_1',
+      organizationId: 'org_1',
+    } as Awaited<ReturnType<typeof db.member.findFirst>>);
+    mockAsync<Awaited<ReturnType<typeof db.backgroundCheckRequest.create>>>(
+      mockedDb.backgroundCheckRequest.create,
+    ).mockRejectedValueOnce(
+      new Prisma.PrismaClientKnownRequestError('duplicate', {
+        code: 'P2002',
+        clientVersion: 'test',
+      }),
+    );
+
+    const paymentService = { charge: jest.fn(), refund: jest.fn() };
+    const identityClient = { createBackgroundCheck: jest.fn() };
+    const service = new BackgroundChecksService(
+      identityClient as unknown as BackgroundCheckIdentityClient,
+      paymentService as unknown as BackgroundCheckPaymentService,
+    );
+
+    const result = await service.requestForMember({
+      organizationId: 'org_1',
+      memberId: 'mem_1',
+      employeeName: 'Ada Lovelace',
+      employeeEmail: 'ada@example.com',
+      requesterEmail: 'admin@example.com',
+    });
+
+    expect(result).toEqual(expect.objectContaining({ id: 'bcr_1' }));
+    expect(paymentService.charge).not.toHaveBeenCalled();
+    expect(identityClient.createBackgroundCheck).not.toHaveBeenCalled();
+  });
+
   it('uses BETTER_AUTH_URL as the local app URL fallback for setup redirects', async () => {
     process.env = {
       ...process.env,

apps/api/src/background-checks/background-checks.service.ts

@@ -65,38 +65,56 @@ export class BackgroundChecksService {
       throw new NotFoundException('Member not found.');
     }
 
+    // Step 1: Claim the record slot before charging. Catches the TOCTOU race
+    // where two concurrent requests both pass the getForMember check.
+    try {
+      await db.backgroundCheckRequest.create({
+        data: {
+          organizationId,
+          memberId,
+          employeeName,
+          employeeEmail,
+          requesterNotes,
+          status: BackgroundCheckStatus.invited,
+          lastSyncedAt: new Date(),
+        },
+      });
+    } catch (error) {
+      if (this.isUniqueConstraintError(error)) {
+        const raced = await this.getForMember({ organizationId, memberId });
+        if (raced) return raced;
+      }
+      throw error;
+    }
+
+    // Step 2: Charge — record exists so a failure here is recoverable
     const payment = await this.paymentService.charge({
       organizationId,
       memberId,
     });
 
-    await db.backgroundCheckRequest.upsert({
-      where: { organizationId_memberId: { organizationId, memberId } },
-      create: {
+    // Step 3: Persist payment info. Refund if this write fails.
+    try {
+      await db.backgroundCheckRequest.update({
+        where: { organizationId_memberId: { organizationId, memberId } },
+        data: {
+          stripePaymentIntentId: payment.paymentIntentId,
+          stripePaymentStatus: payment.status,
+          stripeAmountCents: payment.amount,
+          stripeCurrency: payment.currency,
+          lastSyncedAt: new Date(),
+        },
+      });
+    } catch (error) {
+      await this.paymentService.refund({
         organizationId,
         memberId,
-        employeeName,
-        employeeEmail,
-        requesterNotes,
-        status: BackgroundCheckStatus.invited,
-        stripePaymentIntentId: payment.paymentIntentId,
-        stripePaymentStatus: payment.status,
-        stripeAmountCents: payment.amount,
-        stripeCurrency: payment.currency,
-        lastSyncedAt: new Date(),
-      },
-      update: {
-        employeeName,
-        employeeEmail,
-        requesterNotes,
-        stripePaymentIntentId: payment.paymentIntentId,
-        stripePaymentStatus: payment.status,
-        stripeAmountCents: payment.amount,
-        stripeCurrency: payment.currency,
-        lastSyncedAt: new Date(),
-      },
-    });
+        paymentIntentId: payment.paymentIntentId,
+      });
+      throw error;
+    }
 
+    // Step 4: Call Identity API — refund on failure
     let identityResult;
     try {
       identityResult = await this.identityClient.createBackgroundCheck({
@@ -107,30 +125,15 @@ export class BackgroundChecksService {
         requesterEmail,
       });
     } catch (error) {
-      // Only refund when the identity API call itself fails — not on DB errors
       const refundId = await this.paymentService.refund({
         organizationId,
         memberId,
         paymentIntentId: payment.paymentIntentId,
       });
 
-      await db.backgroundCheckRequest.upsert({
+      await db.backgroundCheckRequest.update({
         where: { organizationId_memberId: { organizationId, memberId } },
-        create: {
-          organizationId,
-          memberId,
-          employeeName,
-          employeeEmail,
-          requesterNotes,
-          status: BackgroundCheckStatus.failed,
-          stripePaymentIntentId: payment.paymentIntentId,
-          stripePaymentStatus: payment.status,
-          stripeRefundId: refundId,
-          stripeAmountCents: payment.amount,
-          stripeCurrency: payment.currency,
-          lastSyncedAt: new Date(),
-        },
-        update: {
+        data: {
           status: BackgroundCheckStatus.failed,
           stripeRefundId: refundId,
           lastSyncedAt: new Date(),
@@ -140,34 +143,13 @@ export class BackgroundChecksService {
       throw error;
     }
 
-    return db.backgroundCheckRequest.upsert({
+    // Step 5: Persist Identity result
+    return db.backgroundCheckRequest.update({
       where: { organizationId_memberId: { organizationId, memberId } },
-      create: {
-        organizationId,
-        memberId,
-        employeeName,
-        employeeEmail,
-        requesterNotes,
-        identityBackgroundCheckId: identityResult.id,
-        candidateUrl: identityResult.candidateUrl ?? null,
-        status: identityResult.status,
-        stripePaymentIntentId: payment.paymentIntentId,
-        stripePaymentStatus: payment.status,
-        stripeAmountCents: payment.amount,
-        stripeCurrency: payment.currency,
-        lastSyncedAt: new Date(),
-      },
-      update: {
-        employeeName,
-        employeeEmail,
-        requesterNotes,
+      data: {
         identityBackgroundCheckId: identityResult.id,
         candidateUrl: identityResult.candidateUrl ?? null,
         status: identityResult.status,
-        stripePaymentIntentId: payment.paymentIntentId,
-        stripePaymentStatus: payment.status,
-        stripeAmountCents: payment.amount,
-        stripeCurrency: payment.currency,
         lastSyncedAt: new Date(),
       },
     });