
fix(payments): add org membership check to top-up checkout#1414

Merged
evanjacobson merged 2 commits into main from fix/billing-org-validation on Mar 23, 2026

Conversation

@evanjacobson
Contributor

Summary

  • Adds an organization authorization check to the top-up checkout route (/payments/topup)
  • Previously, any authenticated user could initiate a checkout for any organization by passing an arbitrary organization-id query param
  • Now uses getAuthorizedOrgContext to verify the user is a member of the org (or an admin) before creating/reusing the org's Stripe customer

Test plan

  • Verify top-up works normally for a user's own account (no organization-id)
  • Verify top-up works for an org the user belongs to
  • Verify top-up returns 404 when organization-id belongs to an org the user is not a member of
  • Verify admin users can still top up any org
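The authorization gap the summary describes, as an added example that is not the project's code: a minimal model of the top-up route before and after the membership check. `getAuthorizedOrgContext` is the helper the PR names, but its signature, the in-memory org table and the sample users are assumptions constructed for this example.

```typescript
// Added example (not the project's code). Models the top-up route's org lookup
// before and after the authorization check described in the PR summary.
type User = { id: string; isAdmin: boolean };
type Org = { id: string; members: Set<string>; stripeCustomer: string };
type Result = { status: number; customer?: string };

// Constructed sample data: two orgs, one member each, plus a platform admin.
const orgs = new Map<string, Org>([
  ["org-a", { id: "org-a", members: new Set(["alice"]), stripeCustomer: "cus_A" }],
  ["org-b", { id: "org-b", members: new Set(["bob"]), stripeCustomer: "cus_B" }],
]);
const alice: User = { id: "alice", isAdmin: false };
const bob: User = { id: "bob", isAdmin: false };
const root: User = { id: "root", isAdmin: true };

// Assumed shape of getAuthorizedOrgContext: returns the org when the caller is
// a member or an admin, otherwise null (the route maps null to 404, matching
// the test plan above).
function getAuthorizedOrgContext(user: User, orgId: string): Org | null {
  const org = orgs.get(orgId);
  if (!org) return null;
  return user.isAdmin || org.members.has(user.id) ? org : null;
}

// Before the fix: the organization-id query param alone selects whose Stripe
// customer is created or reused, so any authenticated user can pick any org.
function topupBefore(user: User, orgId?: string): Result {
  if (orgId === undefined) return { status: 200, customer: `cus_user_${user.id}` };
  const org = orgs.get(orgId);
  return org ? { status: 200, customer: org.stripeCustomer } : { status: 404 };
}

// After the fix: membership (or admin) is verified before the org's customer
// is touched; an org the caller cannot see is indistinguishable from a
// nonexistent one (404).
function topupAfter(user: User, orgId?: string): Result {
  if (orgId === undefined) return { status: 200, customer: `cus_user_${user.id}` };
  const org = getAuthorizedOrgContext(user, orgId);
  return org ? { status: 200, customer: org.stripeCustomer } : { status: 404 };
}
```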

Verify the authenticated user belongs to the organization before
creating or reusing its Stripe customer on the top-up path.
@evanjacobson evanjacobson marked this pull request as ready for review March 23, 2026 16:57
@kilo-code-bot
Contributor

kilo-code-bot Bot commented Mar 23, 2026

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 0


Issue Details

Previous warning in src/app/payments/topup/route.ts is resolved in the latest commit. No new issues found in the incremental diff.

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File: src/components/organizations/OrganizationPaymentDetails.tsx (line 122)
Issue: The payment-details page currently renders CreditPurchaseOptions for any org member, so regular members will now see billing controls that the updated server-side route rejects.
Files Reviewed (1 files)
  • src/app/payments/topup/route.ts - previous warning resolved

Reviewed by gpt-5.4-20260305 · 198,364 tokens

Co-authored-by: kilo-code-bot[bot] <240665456+kilo-code-bot[bot]@users.noreply.github.com>
@evanjacobson evanjacobson merged commit 232d735 into main Mar 23, 2026
18 checks passed
@evanjacobson evanjacobson deleted the fix/billing-org-validation branch March 23, 2026 17:50