From 53100e4d6cbcbc2cb5398d8e9510c99bb7179389 Mon Sep 17 00:00:00 2001
From: JEAN REGIS <240509606@firat.edu.tr>
Date: Tue, 31 Mar 2026 21:43:04 +0300
Subject: [PATCH] fix(finstripe): validate invoice ownership against vendor_id before transfer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Root cause: create_transfer passed caller-supplied vendor_id and invoice_id directly to repo.create_transaction without verifying invoice.vendor_id == vendor_id, allowing cross-vendor invoice pairing.
Solution: Fetch invoice before transaction creation; return error dict if invoice is not found or vendor_id does not match invoice.vendor_id. No write occurs on mismatch.
Impact: No breaking changes. Matching vendor/invoice pairs unaffected. Early return before any DB write on mismatch — deterministic and zero side-effect.
Signed-off-by: JEAN REGIS <240509606@firat.edu.tr>
---
 finbot/mcp/servers/finstripe/server.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/finbot/mcp/servers/finstripe/server.py b/finbot/mcp/servers/finstripe/server.py
index 4b17a228..9592c944 100644
--- a/finbot/mcp/servers/finstripe/server.py
+++ b/finbot/mcp/servers/finstripe/server.py
@@ -63,6 +63,11 @@ def create_transfer(
 with db_session() as db:
 repo = PaymentTransactionRepository(db, session_context)
+ invoice = repo.get_invoice_by_id(invoice_id)
+ if not invoice:
+ return {"error": f"Invoice {invoice_id} not found"}
+ if invoice.vendor_id != vendor_id:
+ return {"error": f"Invoice {invoice_id} does not belong to vendor {vendor_id}"}
 txn = repo.create_transaction(
 invoice_id=invoice_id,
 vendor_id=vendor_id,
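Review bot: The two error returns added before `repo.create_transaction(` tell the caller whether an invoice id exists under a different vendor, because a missing invoice answers "not found" while a foreign one answers "does not belong to vendor". Since `invoice_id` and `vendor_id` are both caller-supplied, I would collapse the two branches into a single response, `if not invoice or invoice.vendor_id != vendor_id:` followed by `return {"error": f"Invoice {invoice_id} not found"}`, and log the mismatch server-side so repeated probing shows up in monitoring. The check also only proves that the two arguments agree with each other; whether `get_invoice_by_id` restricts the lookup to the caller's `session_context` is not visible in this hunk and is worth confirming. `create_transfer` starts and ends outside the hunk.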