FRE-5398: Fix invoice endpoint customer IDOR (M-3)

- Make verifyCustomerOwnership public in BillingService
- Add ownership verification before fetching invoice history
- Returns 403 if customerId does not belong to authenticated user

Co-Authored-By: Paperclip <noreply@paperclip.ing>

packages/api/src/routes/subscription.routes.ts

@@ -341,6 +341,16 @@ export async function subscriptionRoutes(fastify: FastifyInstance) {
         });
       }
 
+      // Verify the customer belongs to the authenticated user (IDOR prevention)
+      try {
+        await billingService.verifyCustomerOwnership(customerId, authReq.user.id);
+      } catch {
+        return reply.status(403).send({
+          error: 'Forbidden',
+          message: 'You do not have access to this customer',
+        });
+      }
+
       try {
         const invoices = await billingService.getInvoiceHistory(customerId);
 

packages/shared-billing/src/services/billing.service.ts

@@ -37,7 +37,7 @@ export class BillingService {
     }
   }
 
-  private async verifyCustomerOwnership(
+  async verifyCustomerOwnership(
     customerId: string,
     userId: string
   ): Promise<void> {