From df369e43c7d49e6bc366da20b2cba1ba96893043 Mon Sep 17 00:00:00 2001
From: Bounty Bot <gordonzhaomwrf@gmail.com>
Date: Mon, 1 Jun 2026 10:59:05 +0800
Subject: [PATCH] fix: require authentication for /api/payments routes (#2757)

---
 apps/api/src/routes/paymentRoutes.js | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/apps/api/src/routes/paymentRoutes.js b/apps/api/src/routes/paymentRoutes.js
index e6cebed50b..ec1ef9537c 100644
--- a/apps/api/src/routes/paymentRoutes.js
+++ b/apps/api/src/routes/paymentRoutes.js
@@ -1,6 +1,13 @@
-import { Router } from "express";
-import { createPayment } from "../controllers/paymentController.js";
+import { Router } from 'express';
+import { authenticate } from '../middleware/auth.js';
+import { createPaymentIntent, getPaymentMethods } from '../controllers/paymentController.js';
 
-export const paymentRoutes = Router();
+const router = Router();
 
-paymentRoutes.post("/", createPayment);
+// Require authentication for all payment routes
+router.use(authenticate);
+
+router.post('/', createPaymentIntent);
+router.get('/methods', getPaymentMethods);
+
+export { router as paymentRoutes };