You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Return the existing 403 status for unauthenticated Stripe REST proxy requests.
Validate Stripe method paths before binding and keep valid resource context binding.
Avoid exposing unexpected internal error details to REST clients.
Correct the REST proxy method example in the Stripe plugin documentation.
Add focused unit coverage for route and proxy behavior.
Why?
Unknown method paths currently throw a bind TypeError before the intended validation can run. The REST handler also converts expected authorization failures into 500 responses and includes serialized unexpected errors in the public message. These behaviors make client responses misleading and can expose unnecessary implementation details.
How?
The proxy now checks that the resolved path is a function before binding it. The REST handler preserves Payload Forbidden errors, logs unexpected failures with structured { err, msg } context, and returns a stable generic 500 message. The tests cover successful proxying, resource binding, invalid methods, invalid arguments, forbidden requests, and unexpected errors.
Validation
pnpm exec vitest run --project unit packages/plugin-stripe/src/routes/rest.spec.ts packages/plugin-stripe/src/utilities/stripeProxy.spec.ts
pnpm run build:plugin-stripe
pnpm --filter @payloadcms/plugin-stripe lint
Prettier check
git diff --check
Related issue
No existing issue; this is a maintenance fix discovered during repository review.
CI note after rebasing onto current main to trigger the previously approval-blocked full workflow: build, lint, and all completed non-Lexical checks are passing.
The failing LexicalListsFeature job failed during Payload initialization with the same transient MongoDB catalog-change error (payload._array-fields_versions, payloadInitError: true). The editor was then absent on every retry, before the suite logic could exercise this plugin-stripe patch. The same initialization signature is occurring concurrently across #17354, #17355, #17371, and #17372, whose diffs are unrelated.
No patch change is indicated by these logs. Some long-running Lexical jobs are still in progress; once they finish, a maintainer rerun of the failed E2E jobs would be appreciated.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What?
Why?
Unknown method paths currently throw a bind TypeError before the intended validation can run. The REST handler also converts expected authorization failures into 500 responses and includes serialized unexpected errors in the public message. These behaviors make client responses misleading and can expose unnecessary implementation details.
How?
The proxy now checks that the resolved path is a function before binding it. The REST handler preserves Payload Forbidden errors, logs unexpected failures with structured
{ err, msg }context, and returns a stable generic 500 message. The tests cover successful proxying, resource binding, invalid methods, invalid arguments, forbidden requests, and unexpected errors.Validation
pnpm exec vitest run --project unit packages/plugin-stripe/src/routes/rest.spec.ts packages/plugin-stripe/src/utilities/stripeProxy.spec.tspnpm run build:plugin-stripepnpm --filter @payloadcms/plugin-stripe lintgit diff --checkRelated issue
No existing issue; this is a maintenance fix discovered during repository review.