
Fix cross-session round hijacking and idempotent end-round penalties#9

Draft
Copilot wants to merge 3 commits into fix/prod from copilot/sub-pr-1-0e85d75a-596d-453c-840d-1904d10754e9

Conversation


Copilot AI commented Mar 10, 2026

The end-round route authenticated against session.id but mutated rounds using only roundId, allowing a valid teacher passphrase for any session to end rounds in other sessions. Repeated calls also re-applied no-trade penalties to player totals on already-ended rounds.

Changes

  • Cross-session guard: fetch round with WHERE id = roundId AND session_id = id before any mutation; return 404 if mismatch
  • Idempotency: if round.status === 'ended', return the existing summary immediately — no penalty re-application
  • Scoped UPDATE: UPDATE rounds ... WHERE id = roundId AND session_id = id as defense-in-depth

```ts
// Verify round belongs to this session
const round = await sql`SELECT id, status FROM rounds WHERE id = ${roundId} AND session_id = ${id}`;
if (round.length === 0) return NextResponse.json({ error: 'Round not found' }, { status: 404 });

// Idempotent: if round already ended, return summary without re-applying penalties
if (round[0].status === 'ended') {
  // ... return existing summary
}

// End round — scoped to this session
await sql`UPDATE rounds SET status = 'ended', ended_at = NOW() WHERE id = ${roundId} AND session_id = ${id}`;
```
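The two bugs described in the PR body and the guarded, idempotent handler that fixes them, as an added in-memory example that is not the project's own route code. The table shapes (`sessions`, `rounds`, `players`), the `teacher_passphrase` column, the per-player `traded` flag and the `NO_TRADE_PENALTY` value are assumptions made for the illustration; `endRoundVulnerable` models the "before" behaviour and `endRoundFixed` the "after":

```javascript
// Added example, not the project's code: an in-memory model of the end-round
// route showing the cross-session hijack and double-penalty bug next to the
// guarded, idempotent version described in the PR. Table shapes, the
// NO_TRADE_PENALTY value and the per-player `traded` flag are assumptions.

const NO_TRADE_PENALTY = 5;

// Constructed sample data: two sessions, each with one active round and one
// player who has not traded (and so is due a penalty when the round ends).
function makeDb() {
  return {
    sessions: [
      { id: 'sess-A', teacher_passphrase: 'alpha' },
      { id: 'sess-B', teacher_passphrase: 'bravo' },
    ],
    rounds: [
      { id: 'round-1', session_id: 'sess-A', status: 'active', ended_at: null },
      { id: 'round-2', session_id: 'sess-B', status: 'active', ended_at: null },
    ],
    players: [
      { id: 'p1', session_id: 'sess-A', total: 100, traded: false },
      { id: 'p2', session_id: 'sess-B', total: 100, traded: false },
    ],
  };
}

// Passphrase check against the session named in the URL (both versions do this).
function authenticate(db, sessionId, passphrase) {
  const session = db.sessions.find((s) => s.id === sessionId);
  return Boolean(session && session.teacher_passphrase === passphrase);
}

// Assumed penalty rule: every player in the session who did not trade loses points.
function applyNoTradePenalties(db, sessionId) {
  for (const p of db.players) {
    if (p.session_id === sessionId && !p.traded) p.total -= NO_TRADE_PENALTY;
  }
}

function summarize(db, round) {
  const totals = {};
  for (const p of db.players) if (p.session_id === round.session_id) totals[p.id] = p.total;
  return { roundId: round.id, status: round.status, totals };
}

// BEFORE: authenticates against sessionId, then looks the round up by roundId
// alone and re-applies penalties on every call.
function endRoundVulnerable(db, sessionId, passphrase, roundId) {
  if (!authenticate(db, sessionId, passphrase)) return { status: 401, body: { error: 'Unauthorized' } };
  const round = db.rounds.find((r) => r.id === roundId); // BUG: no session_id scope
  if (!round) return { status: 404, body: { error: 'Round not found' } };
  applyNoTradePenalties(db, round.session_id); // BUG: runs again on an ended round
  round.status = 'ended';
  round.ended_at = round.ended_at || new Date().toISOString();
  return { status: 200, body: summarize(db, round) };
}

// AFTER: the round must belong to the authenticated session, and an already
// ended round returns its existing summary without touching player totals.
function endRoundFixed(db, sessionId, passphrase, roundId) {
  if (!authenticate(db, sessionId, passphrase)) return { status: 401, body: { error: 'Unauthorized' } };
  const round = db.rounds.find((r) => r.id === roundId && r.session_id === sessionId);
  if (!round) return { status: 404, body: { error: 'Round not found' } };
  if (round.status === 'ended') return { status: 200, body: summarize(db, round) };
  applyNoTradePenalties(db, sessionId);
  round.status = 'ended';
  round.ended_at = new Date().toISOString();
  return { status: 200, body: summarize(db, round) };
}

// Drives one handler through the two abuse cases from the PR description:
// session A's teacher targets session B's round, then ends their own round twice.
function exercise(handler) {
  const db = makeDb();
  const hijack = handler(db, 'sess-A', 'alpha', 'round-2');
  handler(db, 'sess-A', 'alpha', 'round-1');
  const second = handler(db, 'sess-A', 'alpha', 'round-1');
  return {
    hijackStatus: hijack.status,
    victimRoundStatus: db.rounds.find((r) => r.id === 'round-2').status,
    victimTotal: db.players.find((p) => p.id === 'p2').total,
    ownTotal: db.players.find((p) => p.id === 'p1').total,
    secondCallStatus: second.status,
  };
}

console.log('vulnerable:', exercise(endRoundVulnerable));
console.log('fixed:     ', exercise(endRoundFixed));
```

With the vulnerable handler, session A's passphrase ends session B's round (HTTP 200, `round-2` ended, `p2` penalised) and the second call on `round-1` takes `p1` from 95 to 90; with the fixed handler the hijack gets a 404, `round-2` and `p2` are untouched, and `p1` stays at 95. One caveat the in-memory model hides: in the real route the `SELECT` of `status` and the later `UPDATE` are two statements, so two concurrent end-round requests can both read `'active'` and both apply penalties. Making the transition itself the guard (an `UPDATE ... WHERE id = ... AND session_id = ... AND status <> 'ended'` followed by a rows-affected check, or a transaction that locks the row) closes that window; the PR's scoped `UPDATE` alone does not.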



vercel bot commented Mar 10, 2026

Project: live-game
Deployment: Error
Updated (UTC): Mar 10, 2026 5:47am

Copilot AI and others added 2 commits March 10, 2026 05:38
Co-authored-by: ghostleek <44336310+ghostleek@users.noreply.github.com>
Co-authored-by: ghostleek <44336310+ghostleek@users.noreply.github.com>
Copilot AI changed the title [WIP] Update sessions API and address UI layout fixes Fix cross-session round hijacking and idempotent end-round penalties Mar 10, 2026
2 participants