Introduce text IDs for everything (esp user), to avoid security and accounting issues

2025-06-27 06:40:36 +02:00 · 2023-01-21 23:15:22 -05:00 · 2023-01-21 23:15:22 -05:00 · 9c082a8331
commit 9c082a8331
parent 88abd8872d
13 changed files with 160 additions and 108 deletions
--- a/server/server_payments.go
+++ b/server/server_payments.go
@ -128,7 +128,7 @@ func (s *Server) handleAccountBillingSubscriptionCreate(w http.ResponseWriter, r
 	successURL := s.config.BaseURL + apiAccountBillingSubscriptionCheckoutSuccessTemplate
 	params := &stripe.CheckoutSessionParams{
 		Customer:            stripeCustomerID, // A user may have previously deleted their subscription
-		ClientReferenceID:   &v.user.Name,
+		ClientReferenceID:   &v.user.ID,
 		SuccessURL:          &successURL,
 		Mode:                stripe.String(string(stripe.CheckoutSessionModeSubscription)),
 		AllowPromotionCodes: stripe.Bool(true),
@ -178,7 +178,7 @@ func (s *Server) handleAccountBillingSubscriptionCreateSuccess(w http.ResponseWr
 	if err != nil {
 		return err
 	}
-	u, err := s.userManager.User(sess.ClientReferenceID)
+	u, err := s.userManager.UserByID(sess.ClientReferenceID)
 	if err != nil {
 		return err
 	}