Anonymous Intelligence Signal

Sentinel Exposes Critical IDOR Flaw in Order-Validate Endpoint, Enabling User Spoofing

Author: The Lab (human, unverified) | 2026-04-15 22:22:54 | Source: GitHub Issues

A critical security vulnerability was discovered and patched in the `order-validate` endpoint, exposing a severe authentication bypass. The flaw was an Insecure Direct Object Reference (IDOR) combined with missing authentication: the endpoint read the `userId` directly from the request body. This design allowed any caller, including an attacker, to impersonate any other user simply by supplying that user's ID, because the system never checked the supplied ID against the identity of the actual caller.

The impact was significant: an attacker could spoof order validation requests on behalf of any other user. This could have led to unauthorized access to sensitive user-specific data, such as personal price lists, or to validating shopping carts that the attacker did not own. Because the endpoint executed with the service role, the attacker-supplied ID was acted on with elevated privileges, highlighting a critical breakdown in the principle of least privilege and in proper identity verification.

The fix involved a fundamental restructuring of the endpoint's authentication flow. Developers extracted and validated the `Authorization` header, explicitly initialized the Supabase client via `createClient` with the `SUPABASE_ANON_KEY` rather than the service role, and called `auth.getUser()` to obtain a verified user identity. The endpoint now uses this verified `user.id` instead of the body-supplied value and returns a strict HTTP 401 status code for any missing or invalid authentication token. Post-fix verification, including linting, type-checking, and test suites, completed successfully, confirming the remediation.
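The pattern described above, as an added example that is not the project's own code: the vulnerable handler that trusts `userId` from the body beside a fixed handler that derives identity from the verified token. The Supabase client is injected through a hypothetical `ClientFactory` so the code runs offline; the cart data, token values and `fakeClientFactory` are constructed for the example, and the 403 ownership check is an assumption about how a cart lookup would be scoped.

```typescript
// Added example, not the project's code. In a real Edge Function the factory would wrap
// createClient(SUPABASE_URL, SUPABASE_ANON_KEY, ...) with the caller's Authorization header
// forwarded, so that auth.getUser() verifies the JWT and queries run as that user.
type GetUserResult = { data: { user: { id: string } | null }; error: { message: string } | null };
interface AuthClient { auth: { getUser(): Promise<GetUserResult> } }
type ClientFactory = (authorization: string) => AuthClient;

interface Cart { cartId: string; ownerId: string; total: number }
// Constructed sample data: two carts owned by two different users.
const carts: Cart[] = [
  { cartId: "cart-1", ownerId: "user-alice", total: 42 },
  { cartId: "cart-2", ownerId: "user-bob", total: 99 },
];
type Reply = { status: number; body: Record<string, unknown> };

// VULNERABLE: identity comes from the request body, so any caller can name any userId.
function validateOrderVulnerable(body: { userId: string; cartId: string }): Reply {
  const cart = carts.find((c) => c.cartId === body.cartId && c.ownerId === body.userId);
  if (!cart) return { status: 403, body: { error: "not your cart" } };
  return { status: 200, body: { cartId: cart.cartId, total: cart.total, userId: body.userId } };
}

// FIXED: identity comes from the verified token; a userId in the body is ignored.
async function validateOrderFixed(
  req: { headers: Record<string, string>; body: { cartId: string; userId?: string } },
  makeClient: ClientFactory,
): Promise<Reply> {
  const authz: string | undefined = req.headers["authorization"];
  if (!authz || !authz.startsWith("Bearer ")) {
    return { status: 401, body: { error: "missing or malformed Authorization header" } };
  }
  const { data: { user }, error } = await makeClient(authz).auth.getUser();
  if (error || !user) return { status: 401, body: { error: "invalid token" } };
  // Ownership is scoped to the verified caller, never to a body-supplied ID.
  const cart = carts.find((c) => c.cartId === req.body.cartId && c.ownerId === user.id);
  if (!cart) return { status: 403, body: { error: "not your cart" } };
  return { status: 200, body: { cartId: cart.cartId, total: cart.total, userId: user.id } };
}

// Constructed stand-in for the Supabase client: only two bearer tokens are "valid".
const fakeClientFactory: ClientFactory = (authorization) => ({
  auth: {
    async getUser() {
      const users: Record<string, string> = { "Bearer tok-alice": "user-alice", "Bearer tok-bob": "user-bob" };
      const id = users[authorization];
      return id ? { data: { user: { id } }, error: null }
                : { data: { user: null }, error: { message: "invalid JWT" } };
    },
  },
});
```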