Invitation Decline/Upgrade Use GET for State Changes

[thehabes]

Files:

• project/memberDeclineInviteRouter.js:16
• project/memberUpgradeRouter.js:23

Severity: HIGH

Issue: Both endpoints use HTTP GET method for operations that modify state (delete users, update groups). This violates REST principles and HTTP specifications.

router.route("/:projectId/collaborator/:collaboratorId/decline").get(async (req, res) => {
  // Deletes user from database!

Impact:

• GET requests can be triggered by browser prefetch, crawlers, or link previews
• Operations not idempotent (clicking link twice causes errors)
• Violates HTTP specification (GET should be safe operations)
• Security risk: CSRF attacks possible

Fix: Change to POST or DELETE method:

router.route("/:projectId/collaborator/:collaboratorId/decline").post(async (req, res) => {
  // Or .delete() for decline

Note: Frontend code will also need updating to use POST instead of GET.

[thehabes]

The reason it is a GET is because we thought we may want to give users a direct link to it. However, it seems like we have since developed a little interface loop that fires the endpoint. If we do not want to give them direct API links they can click to use to decline we probably should change the HTTP method to POST