
[Send Account Tags] Add validation to updateMainTag endpoint #1519

@0xBigBoss


Parent Issue: #1515

Priority: HIGH 🟠

Description

The updateMainTag procedure lacks proper validation, allowing users to potentially set main_tag_id to invalid values (tags they don't own, non-existent tags, or pending tags).

Current Implementation

  • Location: packages/api/src/routers/sendAccount.ts (updateMainTag procedure)
  • Currently only updates the main_tag_id without any validation
  • No checks for tag ownership, existence, or status

Required Validation

The endpoint needs to validate that:

  1. Tag exists - The provided tagId corresponds to an actual tag
  2. Tag belongs to user - The tag is linked to the user's send account via send_account_tags
  3. Tag is confirmed - The tag status is 'confirmed', not 'pending' or 'available'

Suggested Implementation

// Requires `z` from 'zod' and `TRPCError` from '@trpc/server', as elsewhere in the router.
updateMainTag: protectedProcedure
  .input(
    z.object({
      tagId: z.number(),
    })
  )
  .mutation(async ({ ctx, input }) => {
    const { tagId } = input
    const { supabase, session } = ctx

    // Validate that the tag exists, is confirmed, and belongs to the caller.
    // The !inner joins drop any tag without a send_account_tags row whose
    // send_account is owned by session.user.id, so .single() errors for
    // tags the user does not own as well as for missing or unconfirmed tags.
    const { data: validTag, error: validationError } = await supabase
      .from('tags')
      .select(`
        id,
        status,
        send_account_tags!inner(
          send_account_id,
          send_accounts!inner(
            user_id
          )
        )
      `)
      .eq('id', tagId)
      .eq('status', 'confirmed')
      .eq('send_account_tags.send_accounts.user_id', session.user.id)
      .single()

    if (validationError || !validTag) {
      throw new TRPCError({
        code: 'BAD_REQUEST',
        message: 'Invalid tag selection. Tag must exist, be confirmed, and belong to your account.',
      })
    }

    // Update main_tag_id on the caller's own send account only
    const { error } = await supabase
      .from('send_accounts')
      .update({ main_tag_id: tagId })
      .eq('user_id', session.user.id)

    if (error) {
      throw new TRPCError({
        code: 'INTERNAL_SERVER_ERROR',
        message: 'Failed to update main tag',
      })
    }
  }),

Testing Requirements

  • Test with non-existent tag ID
  • Test with tag not owned by user
  • Test with pending tag
  • Test with valid confirmed tag
  • Verify database constraint still works as fallback
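The following is an added example, not code from the issue or the repository: an in-memory stand-in for the three tables the suggested query joins, with the same three checks applied to it, so the four test cases listed above can be run offline. Table and column names follow the issue; the row shapes, the ValidationError class (standing in for TRPCError) and the sample data are assumptions.

```typescript
// Assumed row shapes for the tables named in the issue.
type TagStatus = 'pending' | 'available' | 'confirmed'
type Tag = { id: number; status: TagStatus }
type SendAccount = { id: number; user_id: string; main_tag_id: number | null }
type SendAccountTag = { send_account_id: number; tag_id: number }
type Db = { tags: Tag[]; send_accounts: SendAccount[]; send_account_tags: SendAccountTag[] }

// Stand-in for TRPCError, carrying the same code strings the issue uses.
class ValidationError extends Error {
  constructor(public code: 'BAD_REQUEST' | 'INTERNAL_SERVER_ERROR', message: string) {
    super(message)
  }
}

// Mirrors the suggested query: tags !inner-joined through send_account_tags to
// send_accounts, filtered on id, status = 'confirmed' and the caller's user_id.
// Any failing condition yields null, as .single() would error in PostgREST.
function findValidTag(db: Db, tagId: number, userId: string): Tag | null {
  const tag = db.tags.find((t) => t.id === tagId && t.status === 'confirmed')
  if (!tag) return null
  const owned = db.send_account_tags.some(
    (sat) =>
      sat.tag_id === tagId &&
      db.send_accounts.some((sa) => sa.id === sat.send_account_id && sa.user_id === userId),
  )
  return owned ? tag : null
}

// The mutation body: validate first, then write main_tag_id for the caller's account only.
function updateMainTag(db: Db, tagId: number, userId: string): number {
  if (!findValidTag(db, tagId, userId)) {
    throw new ValidationError('BAD_REQUEST', 'Invalid tag selection. Tag must exist, be confirmed, and belong to your account.')
  }
  const account = db.send_accounts.find((sa) => sa.user_id === userId)
  if (!account) throw new ValidationError('INTERNAL_SERVER_ERROR', 'Failed to update main tag')
  account.main_tag_id = tagId
  return account.main_tag_id
}

// Constructed sample data: alice owns tags 1 (confirmed) and 2 (pending); bob owns tag 3.
function sampleDb(): Db {
  return {
    tags: [{ id: 1, status: 'confirmed' }, { id: 2, status: 'pending' }, { id: 3, status: 'confirmed' }],
    send_accounts: [{ id: 10, user_id: 'alice', main_tag_id: null }, { id: 11, user_id: 'bob', main_tag_id: null }],
    send_account_tags: [{ send_account_id: 10, tag_id: 1 }, { send_account_id: 10, tag_id: 2 }, { send_account_id: 11, tag_id: 3 }],
  }
}
```

Against sampleDb(), tag 999 (missing), tag 3 (bob's) and tag 2 (pending) are all rejected for alice with BAD_REQUEST, while tag 1 is accepted and written only to her account.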

Definition of Done

  • Validation implemented for tag existence
  • Validation implemented for tag ownership
  • Validation implemented for tag status
  • Appropriate error messages returned
  • Tests written and passing

Labels: bug