Spaces:
Sleeping
Sleeping
credit abuse fix
Browse files- routers/payments.py +18 -0
routers/payments.py
CHANGED
|
@@ -353,6 +353,24 @@ async def verify_payment(
|
|
| 353 |
credits_added=0,
|
| 354 |
new_balance=user.credits
|
| 355 |
)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 356 |
|
| 357 |
# Verify signature
|
| 358 |
is_valid = razorpay_service.verify_payment_signature(
|
|
|
|
| 353 |
credits_added=0,
|
| 354 |
new_balance=user.credits
|
| 355 |
)
|
| 356 |
+
|
| 357 |
+
# Security Check: Ensure payment_id hasn't been used for another transaction
|
| 358 |
+
# This prevents replay attacks where a valid payment_id is used for multiple orders
|
| 359 |
+
existing_usage = await db.execute(
|
| 360 |
+
select(PaymentTransaction).where(
|
| 361 |
+
PaymentTransaction.gateway_payment_id == request.razorpay_payment_id,
|
| 362 |
+
PaymentTransaction.status == "paid"
|
| 363 |
+
)
|
| 364 |
+
)
|
| 365 |
+
if existing_usage.scalar_one_or_none():
|
| 366 |
+
logger.warning(
|
| 367 |
+
f"Payment replay attempt: Payment ID {request.razorpay_payment_id} "
|
| 368 |
+
f"already used for another transaction. User: {user.user_id}"
|
| 369 |
+
)
|
| 370 |
+
raise HTTPException(
|
| 371 |
+
status_code=status.HTTP_409_CONFLICT,
|
| 372 |
+
detail="Payment ID already used"
|
| 373 |
+
)
|
| 374 |
|
| 375 |
# Verify signature
|
| 376 |
is_valid = razorpay_service.verify_payment_signature(
|