Plan ID is not validated, enabling billing bypass and paid-feature drift #18

Closed
opened 2026-04-16 12:10:49 +00:00 by userAdityaa · 0 comments
Contributor

Summary

The API accepts any arbitrary string as a relay plan ID without validation, enabling requests to sidestep billing logic and cause product state inconsistency. Unknown plans silently bypass Stripe subscription-item sync, leaving relays with invalid billing configurations.

What’s actually happening

We have a plan field coming from the client, and:

  • It is treated as free-form input (no strict validation).
  • The backend logic:
    • Only explicitly checks for "free" in a couple of places.
    • For anything else, it assumes “paid-like behavior”.
  • Later, billing logic:
    • Doesn’t recognize unknown plan values → silently skips billing.
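The two halves of the bug described above, side by side with a fix, as an added example that is not caravel's code: the plan tiers, the Stripe price IDs, and every function name here are assumptions for illustration. The "before" functions reproduce the pattern the issue reports (anything that is not `"free"` is treated as paid, while the billing lookup silently returns nothing for a value it does not know); the "after" functions parse the client value against an allowlist at the boundary and fail closed, so the billing code has no "unknown plan" branch left to skip.

```typescript
// Added example: allowlist validation of a client-supplied plan ID.
// Plan names, Stripe price IDs and function names are assumptions for
// illustration, not caravel's real code or configuration.

// Hypothetical plan tiers. Every paid tier must map to a Stripe price;
// "free" deliberately maps to null (no subscription item is created).
const PLAN_PRICES = {
  free: null,
  basic: "price_basic_example",
  pro: "price_pro_example",
} as const;

type PlanId = keyof typeof PLAN_PRICES;

// --- Before: the pattern the issue describes -----------------------------

// Anything that is not exactly "free" is assumed to be a paid plan ...
function legacyIsPaid(plan: string): boolean {
  return plan !== "free";
}

// ... but billing only knows the configured plans, so an unknown value
// falls through the lookup and no subscription item is created. Nothing
// signals the caller that billing was skipped.
function legacySyncSubscriptionItem(plan: string): string | null {
  const table: { [plan: string]: string | null } = { ...PLAN_PRICES };
  const price = table[plan];
  if (price === undefined || price === null) return null; // silently skipped
  return `subscription_item_for:${price}`;
}

// The drift: a relay that counts as "paid" yet never gets a Stripe
// subscription item, e.g. for plan = "gold-unlimited".
function legacyRelayState(plan: string): { paid: boolean; subscriptionItem: string | null } {
  return { paid: legacyIsPaid(plan), subscriptionItem: legacySyncSubscriptionItem(plan) };
}

// --- After: parse at the boundary, fail closed ---------------------------

class InvalidPlanError extends Error {
  readonly received: unknown;
  constructor(received: unknown) {
    super(`unknown plan: ${JSON.stringify(received)}`);
    this.name = "InvalidPlanError";
    this.received = received;
  }
}

// Own-property check so inherited names ("constructor", "__proto__") are
// not mistaken for plans; non-strings are rejected outright.
function isPlanId(value: unknown): value is PlanId {
  return typeof value === "string" && Object.prototype.hasOwnProperty.call(PLAN_PRICES, value);
}

// Reject anything outside the allowlist before any billing decision is made.
function parsePlan(value: unknown): PlanId {
  if (!isPlanId(value)) throw new InvalidPlanError(value);
  return value;
}

// With a PlanId in hand, free vs. paid is exhaustive: there is no unknown
// value for the billing code to silently drop.
function syncSubscriptionItem(plan: PlanId): string | null {
  const price = PLAN_PRICES[plan];
  return price === null ? null : `subscription_item_for:${price}`;
}

function hardenedRelayState(input: unknown): { plan: PlanId; paid: boolean; subscriptionItem: string | null } {
  const plan = parsePlan(input);
  const subscriptionItem = syncSubscriptionItem(plan);
  // "paid" is now derived from the billing outcome, so the two can't diverge.
  return { plan, paid: subscriptionItem !== null, subscriptionItem };
}
```

The design point is that `parsePlan` is the only place a raw string becomes a `PlanId`, and it throws rather than guessing; an API handler would turn `InvalidPlanError` into a 400 before any relay or Stripe state is written. Anything downstream takes `PlanId`, not `string`, so the compiler stops new code from re-introducing the "everything else is paid" fallback.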

Reference: coracle/caravel#18