fix(api): enhance sendAccountRouter to validate user and tag ownership for setting main tag, improving error handling and security (#1620)

0xBigBoss · web-flow · commit 2e6f23ab37cb · 2025-06-11T22:05:27.000-05:00
diff --git a/packages/api/src/routers/sendAccount.ts b/packages/api/src/routers/sendAccount.ts
@@ -459,36 +459,55 @@ export const sendAccountRouter = createTRPCRouter({
       })
     )
     .mutation(async ({ ctx: { supabase }, input: { tagId } }) => {
-      // Leverage RLS - just try to update and let the database constraints and triggers handle validation
-      const { data: result, error } = await supabase
+      const { data: profile } = await supabase.auth.getUser()
+      if (!profile.user) throw new TRPCError({ code: 'UNAUTHORIZED' })
+
+      // Get user's send account
+      const { data: sendAccount, error: sendAccountError } = await supabase
         .from('send_accounts')
-        .update({ main_tag_id: tagId })
-        .select()
+        .select('id')
+        .eq('user_id', profile.user.id)
         .single()
 
-      if (error) {
-        // Handle specific database errors with meaningful messages
-        if (error.code === 'PGRST116') {
-          throw new TRPCError({
-            code: 'NOT_FOUND',
-            message: 'Send account not found',
-          })
-        }
+      if (sendAccountError || !sendAccount) {
+        throw new TRPCError({
+          code: 'NOT_FOUND',
+          message: 'Send account not found',
+        })
+      }
 
-        if (
-          error.message?.includes('foreign key constraint') ||
-          error.message?.includes('main_tag')
-        ) {
-          throw new TRPCError({
-            code: 'BAD_REQUEST',
-            message: 'Tag not found or not confirmed for this account',
-          })
-        }
+      // Validate tag exists and belongs to user
+      const { data: tagOwnership, error: tagError } = await supabase
+        .from('send_account_tags')
+        .select(`
+          send_account_tags!inner(*),
+          tags!inner(id, status)
+        `)
+        .eq('send_account_id', sendAccount.id)
+        .eq('tag_id', tagId)
+        .eq('tags.status', 'confirmed') // Must be confirmed
+        .single()
+
+      if (tagError || !tagOwnership) {
+        throw new TRPCError({
+          code: 'BAD_REQUEST',
+          message: 'Tag not found or not confirmed for this send account',
+        })
+      }
+
+      // Update main tag
+      const { data: result, error: updateError } = await supabase
+        .from('send_accounts')
+        .update({ main_tag_id: tagId })
+        .eq('id', sendAccount.id)
+        .select()
+        .single()
 
-        console.error('Error updating main tag:', error)
+      if (updateError) {
+        console.error('Error updating main tag:', updateError)
         throw new TRPCError({
           code: 'INTERNAL_SERVER_ERROR',
-          message: error.message,
+          message: updateError.message,
         })
       }
 
