fix(segurança): endurecer autenticação e rotas privadas

2026-05-10 11:21:45 +00:00 · 2026-04-03 18:10:23 +00:00
parent ba369e8a83
commit e4c6a91350
12 changed files with 357 additions and 28 deletions
--- a/src/features/transactions/anticipation-actions.ts
+++ b/src/features/transactions/anticipation-actions.ts
@@ -131,6 +131,46 @@ export async function createInstallmentAnticipationAction(
 		const user = await getUser();
 		const data = createAnticipationSchema.parse(input);

+		if (data.payerId || data.categoryId) {
+			const [payer, category] = await Promise.all([
+				data.payerId
+					? db
+							.select({ id: payers.id })
+							.from(payers)
+							.where(
+								and(eq(payers.id, data.payerId), eq(payers.userId, user.id)),
+							)
+							.limit(1)
+					: Promise.resolve([]),
+				data.categoryId
+					? db
+							.select({ id: categories.id })
+							.from(categories)
+							.where(
+								and(
+									eq(categories.id, data.categoryId),
+									eq(categories.userId, user.id),
+								),
+							)
+							.limit(1)
+					: Promise.resolve([]),
+			]);
+
+			if (data.payerId && payer.length === 0) {
+				return {
+					success: false,
+					error: "Pagador inválido para esta conta.",
+				};
+			}
+
+			if (data.categoryId && category.length === 0) {
+				return {
+					success: false,
+					error: "Categoria inválida para esta conta.",
+				};
+			}
+		}
+
 		// 1. Validar parcelas selecionadas
 		const installments = await db.query.transactions.findMany({
 			where: and(