rc 1.0

app/api/payments/create-invoice/route.ts

@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server'
 import { cookies } from 'next/headers'
 import pool from '@/lib/db'
 import { getNowPaymentsConfig } from '@/lib/nowpayments'
+import { ALLOWED_PAYMENT_CURRENCIES, isAllowedCurrency } from '@/lib/payment-currencies'
 
 // POST /api/payments/create-invoice - Create a NOWPayments payment
 // Note: Endpoint name kept as "create-invoice" for backward compatibility
@@ -32,6 +33,15 @@ export async function POST(request: NextRequest) {
       )
     }
 
+    // Validate pay_currency against allowed list
+    const normalizedPayCurrency = pay_currency ? String(pay_currency).trim().toLowerCase() : null
+    if (normalizedPayCurrency && !isAllowedCurrency(normalizedPayCurrency)) {
+      return NextResponse.json(
+        { error: `Invalid payment currency. Allowed currencies: ${ALLOWED_PAYMENT_CURRENCIES.join(', ').toUpperCase()}` },
+        { status: 400 }
+      )
+    }
+
     // Verify buyer_data_id exists and belongs to the buyer
     const [buyerDataRows] = await pool.execute(
       'SELECT id FROM buyer_data WHERE id = ? AND buyer_id = ?',
@@ -154,8 +164,9 @@ export async function POST(request: NextRequest) {
 
       // Create NOWPayments payment
       // Note: Payment API requires pay_currency (crypto currency)
-      // Use currency from request, or fall back to env/default
-      const payCurrency = pay_currency || process.env.NOWPAYMENTS_PAY_CURRENCY || 'btc'
+      // Use currency from request (already validated), or fall back to env/default (must be in allowed list)
+      const defaultCurrency = process.env.NOWPAYMENTS_PAY_CURRENCY?.toLowerCase() || 'btc'
+      const payCurrency = normalizedPayCurrency || (isAllowedCurrency(defaultCurrency) ? defaultCurrency : 'btc')
       
       // Optional: Use fixed rate for 20 minutes (prevents rate changes during checkout)
       // If is_fixed_rate is true, payment expires after 20 minutes if not paid

app/api/payments/currencies/route.ts

@@ -1,5 +1,6 @@
 import { NextResponse } from 'next/server'
 import { getNowPaymentsConfig } from '@/lib/nowpayments'
+import { ALLOWED_PAYMENT_CURRENCIES } from '@/lib/payment-currencies'
 
 // GET /api/payments/currencies - Get available payment currencies from NOWPayments
 export async function GET() {
@@ -27,10 +28,27 @@ export async function GET() {
     }
 
     const data = await response.json()
+    
+    // Filter currencies to only include the selected list
+    const currencies = (data.currencies || []).filter((c: any) => {
+      let currencyCode: string | null = null
+      
+      // Handle object format (when fixed_rate=true)
+      if (typeof c === 'object' && c !== null && c.currency) {
+        currencyCode = String(c.currency).trim().toLowerCase()
+      }
+      // Handle string format (when fixed_rate=false)
+      else if (typeof c === 'string') {
+        currencyCode = c.trim().toLowerCase()
+      }
+      
+      // Check if currency is in the allowed list
+      return currencyCode && ALLOWED_PAYMENT_CURRENCIES.includes(currencyCode as any)
+    })
 
-    // Return the currencies array
+    // Return the filtered currencies array
     return NextResponse.json({
-      currencies: data.currencies || [],
+      currencies: currencies,
     })
   } catch (error) {
     console.error('Error fetching currencies:', error)