Description
StakeBody.user_id and ClaimBody.user_id in staking_handler.rs come from the JSON request body. Any authenticated user can stake or claim rewards on behalf of any other user by supplying a different UUID. There is no verification that the calling user owns the user_id in the payload.
```rust
// staking_handler.rs — current (INSECURE)
use serde::Deserialize;

#[derive(Deserialize)]
pub struct StakeBody {
    pub user_id: String, // ← client-controlled, yet used as the acting user
    pub stellar_address: String,
    pub amount: i64,
}
```
Acceptance Criteria
- user_id is extracted from JWT claims (via ClaimsExt or web::ReqData<Uuid>), never from the request body
- stellar_address is validated against the authenticated user's registered Stellar account in the database
- A mismatch is rejected with 403 Forbidden
- The unstake/{user_id} path parameter is also validated against the JWT identity
Technical Notes
Follow the pattern in reputation_handler::get_my_reputation which already uses web::ReqData<Uuid> correctly.
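The following is an added example of the hardened check, not the project's own code. It models the acceptance criteria with the standard library only: the verified JWT identity is represented as a plain String rather than `web::ReqData<Uuid>`, the users table is a `HashMap`, and the account IDs and Stellar addresses are constructed sample values (all assumptions for this example). The point it shows is that the body no longer carries `user_id` at all, the address must match the caller's registered account, and the `unstake/{user_id}` path parameter is compared against the claims before anything else happens.

```rust
use std::collections::HashMap;

/// Identity that the JWT middleware has already verified and attached to the
/// request. In the real handler this is `web::ReqData<Uuid>`; here it is a
/// plain String so the example compiles with std alone (assumption).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AuthenticatedUser {
    pub user_id: String,
}

/// Hardened stake body: `user_id` is gone entirely, so the client has nothing
/// to tamper with. Only the address and amount are client-supplied.
#[derive(Debug, Clone)]
pub struct StakeBody {
    pub stellar_address: String,
    pub amount: i64,
}

/// Stand-in for the users table: user_id -> registered Stellar address.
pub type UserDb = HashMap<String, String>;

#[derive(Debug, PartialEq, Eq)]
pub enum StakeError {
    /// Address does not belong to the caller, or path user_id != JWT user_id.
    Forbidden,
    /// Non-positive amount (not an authorization failure, but worth rejecting).
    InvalidAmount,
}

/// HTTP status the handler should map each error to.
pub fn status_code(err: &StakeError) -> u16 {
    match err {
        StakeError::Forbidden => 403,
        StakeError::InvalidAmount => 400,
    }
}

/// Authorization for POST /stake. The acting user comes only from the verified
/// claims; the body may name an address, but it must be the one registered to
/// that user in the database.
pub fn authorize_stake(
    db: &UserDb,
    caller: &AuthenticatedUser,
    body: &StakeBody,
) -> Result<(String, String, i64), StakeError> {
    if body.amount <= 0 {
        return Err(StakeError::InvalidAmount);
    }
    match db.get(&caller.user_id) {
        Some(registered) if registered == &body.stellar_address => Ok((
            caller.user_id.clone(),
            body.stellar_address.clone(),
            body.amount,
        )),
        // "No registered account" is treated exactly like a mismatch: deny,
        // and do not tell the client which case it was.
        _ => Err(StakeError::Forbidden),
    }
}

/// Authorization for DELETE /unstake/{user_id}: the path parameter is accepted
/// only when it equals the JWT identity.
pub fn authorize_unstake(
    caller: &AuthenticatedUser,
    path_user_id: &str,
) -> Result<String, StakeError> {
    if caller.user_id != path_user_id {
        return Err(StakeError::Forbidden);
    }
    Ok(caller.user_id.clone())
}

/// Constructed sample data (fake IDs and addresses) for the demo below.
pub fn sample_db() -> UserDb {
    let mut db = UserDb::new();
    db.insert("00000000-0000-4000-8000-000000000001".to_string(), "G-ALICE-TEST".to_string());
    db.insert("00000000-0000-4000-8000-000000000002".to_string(), "G-BOB-TEST".to_string());
    db
}

fn main() {
    let db = sample_db();
    let alice = AuthenticatedUser { user_id: "00000000-0000-4000-8000-000000000001".to_string() };
    // Alice tries to stake from Bob's address: rejected with 403.
    let attack = StakeBody { stellar_address: "G-BOB-TEST".to_string(), amount: 100 };
    match authorize_stake(&db, &alice, &attack) {
        Ok(_) => println!("unexpected: stake allowed"),
        Err(e) => println!("stake rejected with HTTP {}: {:?}", status_code(&e), e),
    }
    // Alice tries to unstake Bob's position via the path parameter: rejected.
    let r = authorize_unstake(&alice, "00000000-0000-4000-8000-000000000002");
    println!("unstake as another user -> {:?}", r);
}
```

In the Actix handler the `AuthenticatedUser` value is simply what `web::ReqData<Uuid>` yields after the JWT middleware runs, and the `UserDb` lookup becomes the query against the users table; the comparison logic is unchanged.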