Fix missing session ownership and round-active checks in transaction confirm endpoint

[Copilot]

The PUT /api/sessions/[id]/transactions/[transactionId]/confirm endpoint never validated that the transaction belonged to the session in the URL, allowing any valid transactionId to be confirmed/rejected regardless of session context. Additionally, there was no guard against confirming transactions on ended rounds.

Changes

• Session ownership check: After fetching the transaction, verify tx.session_id === params.id. Returns 404 (not 403) to avoid leaking cross-session transaction existence.
• Active round guard: Query rounds table and reject with 400 Round is not active if the round has ended or doesn't exist — preventing mutations after round close.

if (tx.session_id !== id)
  return NextResponse.json({ error: 'Transaction not found' }, { status: 404 });

const rounds = await sql`SELECT * FROM rounds WHERE id = ${tx.round_id}`;
if (rounds.length === 0 || rounds[0].status !== 'active')
  return NextResponse.json({ error: 'Round is not active' }, { status: 400 });

Both checks are applied before the existing partner_id authorization check.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
live-game	Error		Mar 10, 2026 5:40am