Potential paywall bypass: protected authenticate route redirects to unprotected video content
Hi, I noticed a possible payment-flow issue in the current repository state. This is a conservative report based on the visible code path, and I may be missing deployment-specific guards outside this repository.
Repository: https://github.com/Benjamin-cup/Coinbase-x402
Reviewed HEAD: d790c60
What I observed
The x402 middleware protects GET /authenticate, but the actual video page is served by /video-content and the app also serves the full public directory as static files before the payment middleware. After payment, /authenticate only redirects to /video-content.
Relevant code excerpts:
api/index.js:17-35
17 // Serve static files from the public directory
18 app.use(express.static(path.join(process.cwd(), "public")));
...
22 // x402 payment middleware configuration
23 app.use(
24 paymentMiddleware(
...
27 // Protected endpoint for authentication
28 "GET /authenticate": {
29 price: "$0.10", // Set your desired price
30 network: network,
31 },
api/index.js:49-56
49 // Authentication endpoint - just redirects to the authenticated content
50 app.get("/authenticate", (req, res) => {
51 log("Payment successful, redirecting to video content");
52 res.redirect("/video-content");
53 });
54
55 // Video content endpoint - serves the authenticated content
56 app.get("/video-content", videoAccessHandler);
handlers/videoAccessHandler.js:4-10
4 export function videoAccessHandler(req, res) {
...
9 // Send the video content page
10 res.sendFile(path.join(process.cwd(), "public", "video-content.html"));
Why this may matter
The protected route is only a redirect step. A caller can request /video-content directly, which the payment middleware does not cover, or fetch the static copy public/video-content.html, which express.static serves before the payment middleware is even reached because it is registered first. Either way the payment check that only covers /authenticate is bypassed.
Suggested check
Consider protecting the actual content route and static asset paths, or serve the paid file only from inside the payment-protected handler after verification. Redirect targets should not be directly accessible without the same payment context.
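As an added illustration (not code from the Coinbase-x402 repository), a dependency-free model of an Express-style middleware chain that checks which paths a route layout actually gates, with the reported layout beside a hardened one. createApp, staticFiles and payGate are hypothetical stand-ins for Express, express.static and the x402 paymentMiddleware, and the sample file map is constructed.

```javascript
// Hypothetical stand-ins (assumed, not the repository's code): a minimal Express-like
// chain, a static-file server and a route-keyed payment gate, used to check coverage.
function createApp() {
  const chain = []; // middleware and routes run in registration order, as in Express
  return {
    use: (mw) => chain.push(mw),
    get: (path, handler) => chain.push((req, res, next) =>
      req.method === "GET" && req.path === path ? handler(req, res) : next()),
    handle(req) {
      const res = { status: 404, body: null, redirect: null };
      let i = 0;
      const next = () => { if (i < chain.length) chain[i++](req, res, next); };
      next();
      return res;
    },
  };
}
// Stand-in for express.static: serves any file in the map with no payment check.
const staticFiles = (files) => (req, res, next) =>
  files[req.path] ? Object.assign(res, { status: 200, body: files[req.path] }) : next();
// Stand-in for the x402 middleware: only the listed "METHOD /path" keys are gated.
const payGate = (routes) => (req, res, next) =>
  routes[`${req.method} ${req.path}`] && !req.paid
    ? Object.assign(res, { status: 402, body: "payment required" }) : next();
const files = { "/video-content.html": "<video>paid</video>" }; // constructed sample
const sendVideo = (req, res) => Object.assign(res, { status: 200, body: files["/video-content.html"] });
// Layout as reported: static first, gate only /authenticate, content route left open.
function vulnerableApp() {
  const app = createApp();
  app.use(staticFiles(files));
  app.use(payGate({ "GET /authenticate": { price: "$0.10" } }));
  app.get("/authenticate", (req, res) => Object.assign(res, { status: 302, redirect: "/video-content" }));
  app.get("/video-content", sendVideo);
  return app;
}
// Hardened layout: gate the content route itself and keep the paid file out of the
// public static directory (modelled here by an empty static map).
function hardenedApp() {
  const app = createApp();
  app.use(payGate({ "GET /video-content": { price: "$0.10" } }));
  app.use(staticFiles({}));
  app.get("/video-content", sendVideo);
  return app;
}
// Paths from which an unpaid GET receives the paid page; an empty list means fully gated.
function leakedPaths(app) {
  return ["/authenticate", "/video-content", "/video-content.html"]
    .filter((p) => app.handle({ method: "GET", path: p, paid: false }).body === files["/video-content.html"]);
}
```

Running leakedPaths over both layouts reproduces the report: the first returns /video-content and /video-content.html, the second returns nothing while a paid request to /video-content is still served.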
Conservative caveat
This looks like a small demo app, but the visible route layout currently places the paid content outside the protected route.