root
2025-12-21 17:36:44 +01:00
parent bb1c5b43d6
commit 8a0835c564
15 changed files with 1124 additions and 193 deletions


@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server'
import { cookies } from 'next/headers'
import pool from '@/lib/db'
import { getNowPaymentsConfig } from '@/lib/nowpayments'
import { ALLOWED_PAYMENT_CURRENCIES, isAllowedCurrency } from '@/lib/payment-currencies'
// POST /api/payments/create-invoice - Create a NOWPayments payment
// Note: Endpoint name kept as "create-invoice" for backward compatibility
@@ -32,6 +33,15 @@ export async function POST(request: NextRequest) {
)
}
// Validate pay_currency against allowed list
const normalizedPayCurrency = pay_currency ? String(pay_currency).trim().toLowerCase() : null
if (normalizedPayCurrency && !isAllowedCurrency(normalizedPayCurrency)) {
return NextResponse.json(
{ error: `Invalid payment currency. Allowed currencies: ${ALLOWED_PAYMENT_CURRENCIES.join(', ').toUpperCase()}` },
{ status: 400 }
)
}
// Verify buyer_data_id exists and belongs to the buyer
const [buyerDataRows] = await pool.execute(
'SELECT id FROM buyer_data WHERE id = ? AND buyer_id = ?',
@@ -154,8 +164,9 @@ export async function POST(request: NextRequest) {
// Create NOWPayments payment
// Note: Payment API requires pay_currency (crypto currency)
// Use currency from request, or fall back to env/default
const payCurrency = pay_currency || process.env.NOWPAYMENTS_PAY_CURRENCY || 'btc'
// Use currency from request (already validated), or fall back to env/default (must be in allowed list)
const defaultCurrency = process.env.NOWPAYMENTS_PAY_CURRENCY?.toLowerCase() || 'btc'
const payCurrency = normalizedPayCurrency || (isAllowedCurrency(defaultCurrency) ? defaultCurrency : 'btc')
// Optional: Use fixed rate for 20 minutes (prevents rate changes during checkout)
// If is_fixed_rate is true, payment expires after 20 minutes if not paid
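Review bot: The last-resort `'btc'` in the `payCurrency` line is the only value that never passes through `isAllowedCurrency`, so if `ALLOWED_PAYMENT_CURRENCIES` (not visible here) ever stops including BTC, the handler would still create a payment in a currency the allow-list rejects. The env default is also lower-cased but not trimmed, unlike the request value, and a rejected default is replaced silently. Presumably a stray space or typo in `NOWPAYMENTS_PAY_CURRENCY` would then move every default payment to BTC with no signal to the operator. Consider `process.env.NOWPAYMENTS_PAY_CURRENCY?.trim().toLowerCase()`, a logged warning when the configured default fails the check, and a final fallback taken from the list itself, such as `ALLOWED_PAYMENT_CURRENCIES[0]`. The POST handler continues outside these hunks, so confirm that every later use of the currency (the NOWPayments request body, any stored record) reads `payCurrency` and not the raw `pay_currency`.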