The memberships endpoint doesn't have any subscription checks or validation. A user can subscribe to the same membership more than once; the existing Stripe subscription is not cancelled, so the recurring payment is doubled.
One-time payment can't subscribe to the same membership. Expected: they can subscribe to the same membership again, but it extends the subscription interval.
Can PUT user subscription status and expiry date (a user can update their expiry date to 10 years from now).
Reactivating an inactive membership (with auto-renewal payment) does not add the subscription back to Stripe (it stays cancelled).
Cancelling a membership subscription does not cancel the Stripe subscription (works).
Side effects:
An attacker can use another credit card to do subscription spam; the creator's account can be banned since we detect spam activity.
Can cause misleading information: a supporter will subscribe to the same membership expecting to get additional benefits, but there are no additional benefits, and the user will end up with a double Stripe subscription.
A user can change their expiry date and make it longer.
An attacker can change another user's membership expiry date.
HOW TO FIX IT????
Add validation: if the user already subscribes to a membership using credit card/PayPal, then the previous subscription should be cancelled and the button disabled.
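Below is an added example of the server-side checks this report is asking for; it is not the project's code. It is written in JavaScript with an in-memory store and a fake Stripe client as constructed stand-ins for the real database and SDK, and all function names, field names (`expiresAt`, `stripeSubId`, `autoRenew`) and route comments are assumptions. It covers every item in the report: a duplicate recurring subscribe is refused (the server-side equivalent of disabling the button), a repeated one-time payment extends the interval instead, PUT only accepts an allow-list of fields and checks ownership so neither expiry nor status can be set by a client, cancel also cancels at Stripe, and reactivate creates a fresh Stripe subscription.

```javascript
// Added example (not the project's code): validation for the membership endpoints.
// Store and Stripe client below are constructed stand-ins; all names are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;

function makeStore() {
  // Each record: { id, userId, membershipId, method, status, expiresAt, stripeSubId, autoRenew }
  return { subscriptions: [], nextId: 1 };
}

function makeFakeStripe() {
  // Records the calls a real Stripe client would make so they can be checked.
  const created = [];
  const cancelled = [];
  return {
    created,
    cancelled,
    createSubscription(customerId, priceId) {
      const id = `sub_fake_${created.length + 1}`;
      created.push({ id, customerId, priceId });
      return { id, status: 'active' };
    },
    cancelSubscription(id) {
      cancelled.push(id);
      return { id, status: 'canceled' };
    },
  };
}

// The check the endpoint was missing: a live subscription for this user + membership.
function findActive(store, userId, membershipId, now) {
  return store.subscriptions.find(
    (s) => s.userId === userId && s.membershipId === membershipId &&
      s.status === 'active' && s.expiresAt > now,
  );
}

// POST /memberships/:membershipId/subscribe
function subscribe(store, stripe, { userId, membershipId, method, now = Date.now(), intervalDays = 30 }) {
  const existing = findActive(store, userId, membershipId, now);
  if (method === 'onetime') {
    if (existing) {
      // Same membership paid again: extend the interval instead of duplicating.
      existing.expiresAt += intervalDays * DAY_MS;
      return { ok: true, status: 200, action: 'extended', subscription: existing };
    }
    const sub = { id: store.nextId++, userId, membershipId, method, status: 'active',
      expiresAt: now + intervalDays * DAY_MS, stripeSubId: null, autoRenew: false };
    store.subscriptions.push(sub);
    return { ok: true, status: 201, action: 'created', subscription: sub };
  }
  // Recurring (cc/paypal): refuse a second live subscription so Stripe never bills twice.
  if (existing) return { ok: false, status: 409, error: 'already subscribed to this membership' };
  const stripeSub = stripe.createSubscription(`cus_${userId}`, `price_${membershipId}`);
  const sub = { id: store.nextId++, userId, membershipId, method, status: 'active',
    expiresAt: now + intervalDays * DAY_MS, stripeSubId: stripeSub.id, autoRenew: true };
  store.subscriptions.push(sub);
  return { ok: true, status: 201, action: 'created', subscription: sub };
}

// Shared ownership lookup for the per-subscription routes.
function ownedSubscription(store, actorUserId, subscriptionId) {
  const sub = store.subscriptions.find((s) => s.id === subscriptionId);
  if (!sub) return { error: { ok: false, status: 404, error: 'not found' } };
  if (sub.userId !== actorUserId) return { error: { ok: false, status: 403, error: 'not your subscription' } };
  return { sub };
}

// PUT /subscriptions/:id -- allow-list of client-writable fields; status, expiresAt
// and stripeSubId are server-owned and never taken from the request body.
const CLIENT_WRITABLE = new Set(['autoRenew']);
function updateSubscription(store, { actorUserId, subscriptionId, body }) {
  const { sub, error } = ownedSubscription(store, actorUserId, subscriptionId);
  if (error) return error;
  const rejected = Object.keys(body).filter((k) => !CLIENT_WRITABLE.has(k));
  if (rejected.length) return { ok: false, status: 400, error: `client may not set: ${rejected.join(', ')}` };
  if ('autoRenew' in body) sub.autoRenew = Boolean(body.autoRenew);
  return { ok: true, status: 200, subscription: sub };
}

// DELETE /subscriptions/:id -- cancel at Stripe first, then mark the local row.
function cancelSubscription(store, stripe, { actorUserId, subscriptionId }) {
  const { sub, error } = ownedSubscription(store, actorUserId, subscriptionId);
  if (error) return error;
  if (sub.stripeSubId) stripe.cancelSubscription(sub.stripeSubId);
  sub.status = 'cancelled';
  return { ok: true, status: 200, subscription: sub };
}

// POST /subscriptions/:id/reactivate -- a cancelled recurring plan needs a new Stripe subscription.
function reactivateSubscription(store, stripe, { actorUserId, subscriptionId, now = Date.now(), intervalDays = 30 }) {
  const { sub, error } = ownedSubscription(store, actorUserId, subscriptionId);
  if (error) return error;
  if (sub.status === 'active') return { ok: false, status: 409, error: 'already active' };
  if (sub.method !== 'onetime') {
    sub.stripeSubId = stripe.createSubscription(`cus_${sub.userId}`, `price_${sub.membershipId}`).id;
  }
  sub.status = 'active';
  sub.expiresAt = now + intervalDays * DAY_MS;
  return { ok: true, status: 200, subscription: sub };
}
```

The duplicate check keys on user plus membership and on a status/expiry pair that only the server writes, so the 409 cannot be bypassed by the same client-side PUT that the report describes. Because `subscribe` rejects before calling Stripe, a duplicate request never creates a second billing object to clean up; the same pattern (validate locally, then call Stripe, then persist) keeps the local row and Stripe from drifting apart on cancel and reactivate.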