memberships endpoint dont have any subscription checks / validation. user can subscribe to the same memberships more than once. the stripe subscription not cancelled, payment doubled (recurring)
one-time payment cant subscribe to the same memberships. expecting they can subscribe to the same membership but extend the subscription interval
can PUT user subscription status and expired date (user can update their expired date to 10 years from now)
reactivating the inactive memberships (with auto renewal payment) not adding subscription to stripe (still cancelled)
cancel membership subscription not cancelling the stripe subscription (works)
Attacker can use another cc to do a subscription spam, creators account can be banned since we detected spam activity
can caused misleading information. supporter will subscribe to the same memberships and expecting to get another benefits. meanwhile theres no another benefits. user will got double stripe subscription
User can change their expired date and make it longer
Attacker can change another user’s membership expired
HOW TO FIX IT????
add validation. IF user already subscribe to one membership and using cc/paypal, then the previous subscription should be cancelled and the button disabled.