stripe-stack

Warn

Audited by Socket on Mar 18, 2026

1 alert found:

Anomaly (severity: LOW)
workflows/implement-subscriptions.md

No signs of deliberate malware or obfuscated malicious code. However, the code contains a serious security/design issue: the checkout endpoint accepts userId/userEmail from the client and stores that value in Stripe session metadata; webhook handlers trust that metadata to assign subscriptions in the database without verifying ownership. This allows an attacker to create checkout sessions that link subscriptions to arbitrary internal users (possible account/billing hijack and data leakage to Stripe). Fix by authenticating the requester on the checkout endpoint, deriving userId from the server-side session (not client input), and mapping Stripe customers/subscriptions to internal users via server-controlled records rather than trusting metadata. Also avoid sending internal IDs to third parties if not necessary.

Confidence: 90%
Severity: 60%
Audit Metadata
Analyzed At
Mar 18, 2026, 03:30 PM
Package URL
pkg:socket/skills-sh/scientiacapital%2Fskills%2Fstripe-stack%2F@36e8454ff8267c3e87b332b75b0894ce81f400bb