fix(security): sanitize API pagination parameters

[Shreyassp002]

Category: Security
Priority: P0
What: Fixed pagination security in API routes (src/app/api/v1/payment-links/route.ts, src/app/api/v1/transactions/route.ts, src/app/api/transactions/route.ts, src/app/api/transactions/history/route.ts) by properly sanitizing limit and offset query parameters.
Why: Previous implementation used parseInt without checking for NaN. Providing non-numeric or negative values could result in NaN or negative boundaries being passed directly to Supabase .range() and .limit(), causing runtime errors or unexpected behavior.
Impact: Prevents potential DoS or runtime database exceptions from maliciously crafted query parameters.
Verification: Ran npm run lint and NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID=dummy npm run build successfully. Verified that default safe boundaries are applied when NaN or negative values are provided.

---

PR created automatically by Jules for task 6495204142204813755 started by @Shreyassp002

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
flash-protocol	Error		Apr 25, 2026 6:14am

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[github-actions]

⚡ Flash Review

Metric	Value
Files Reviewed	2
Risk Level	🔴 High
Issues Found	🚨 2 Critical · ⚠️ 0 Warnings · 💡 0 Suggestions

---

🚨 Critical (must fix before merge)

• src/app/api/transactions/history/route.ts:L24 — Security: For critical API routes, all user-provided query parameters should be validated using a robust schema library (e.g., Zod) for comprehensive type safety and error handling.
• src/app/api/v1/transactions/route.ts:L19 — Security: Explicit isNaN and bounds checks for the limit parameter are crucial, preventing NaN from malformed input and hardening the API against invalid requests.

---

✅ What's good: The PR correctly identifies and addresses a critical security vulnerability by adding explicit validation for pagination parameters, significantly improving API robustness.

---

_{⚡ Powered by Flash Review · Report Issue}

[github-actions]

⚡ Flash Review

🚨 Security: While the manual parsing and clamping of the limit parameter is an improvement, for critical API routes handling real money, all user-provided query parameters should be validated using a robust schema library like Zod. This ensures comprehensive type safety, consistency, and better error handling for invalid inputs, preventing potential edge-case vulnerabilities.

Fix: Define a Zod schema for the query parameters and parse them, e.g., z.object({ limit: z.coerce.number().int().min(1).max(100).default(50) }).

[github-actions]

⚡ Flash Review

🚨 Security: This added validation for the limit parameter is crucial. Previously, malformed input (e.g., limit=abc) would result in NaN being passed to downstream logic, potentially leading to unexpected database query behavior or errors. The explicit isNaN and bounds checks now ensure limit is always a valid, positive integer, significantly hardening the API against invalid requests and preventing potential service disruption.