groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2026-05-24. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
2c2a69f20b06e9b245c808974b751e0ae533e76d
app/apps
T
History
Chris Farhood 2c2a69f20b fix(GRO-1036): secure /api/invoices/stats/summary and refund endpoint 
- Add requireRole('manager') auth middleware to /stats/summary handler
  (was completely unauthenticated, exposing revenue/PII stats)
- Restore stripePaymentIntentId pre-condition check on refund: return 422
  when invoice has no Stripe payment intent (prevents manual_ refund abuse)
- Remove groomer from refund role check (CTO ruling: manager-only)
- Remove manual refund branch since precondition now guarantees Stripe ID
- Move processRefund import to top of file

Fixes GRO-1036/GRO-1035 security findings.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-04 22:37:23 +00:00
..
api
fix(GRO-1036): secure /api/invoices/stats/summary and refund endpoint
2026-05-04 22:37:23 +00:00
e2e
fix(E2E): add missing API mocks for invoices stats and portal billing (#349)
2026-05-04 15:05:39 +00:00
groombook/overlays/uat
fix(GRO-451): re-seal UAT secrets with correct cluster certificate
2026-04-04 12:27:23 +00:00
web
fix(GRO-818): refund button for all paid invoices, inline cardLast4, manual refund for non-Stripe
2026-04-24 16:18:48 +00:00