fix(security): sanitize api pagination parameters

[Shreyassp002]

Category: Security
Priority: P1
What: Added explicit isNaN validation and lower bound checks for limit and offset query parameters across transaction and payment link API endpoints (/api/v1/payment-links, /api/v1/transactions, /api/transactions, /api/transactions/history).
Why: Passing unvalidated NaN or negative values to Supabase .range() or .limit() caused unhandled errors, crashing the route and creating DoS vulnerability vectors.
Impact: Improved API resilience by safely falling back to defaults (limit 10/50, offset 0) and preventing database crashes from malformed inputs.
Verification: Evaluated npm run lint and npm run build which passed successfully.

---

PR created automatically by Jules for task 14301886515865622520 started by @Shreyassp002

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
flash-protocol	Error		May 7, 2026 6:13am

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[github-actions]

⚡ Flash Review

Metric	Value
Files Reviewed	4
Risk Level	🔴 High
Issues Found	🚨 1 Critical · ⚠️ 0 Warnings · 💡 0 Suggestions

---

🚨 Critical (must fix before merge)

• src/app/api/transactions/route.ts:L22 — Relying on manual parseInt and isNaN for API query parameters is less robust than a dedicated validation library.

---

✅ What's good: The robust input validation for limit in src/app/api/v1/payment-links/route.ts significantly improves API resilience against malformed requests.

---

_{⚡ Powered by Flash Review · Report Issue}

[github-actions]

⚡ Flash Review

🚨 Security: The previous logic for limit could result in NaN if a non-numeric string was provided, potentially leading to unexpected database query behavior or errors. This robust input validation, including isNaN checks and clamping limit to a minimum of 1 and maximum of 100, significantly improves the API's resilience against malformed requests.

Fix: No further fix needed, this change correctly addresses the potential issue.

[github-actions]

⚡ Flash Review

🚨 Security: While the limit parsing logic is improved to handle NaN and negative values, relying on manual parseInt and isNaN checks for API query parameters can be less robust and consistent than using a dedicated validation library.

Fix: Implement a Zod schema to validate all incoming query parameters for this API route, including payment_link_id and limit. This ensures consistent, declarative validation, better type safety, and prevents unexpected values from reaching the database.

import { z } from 'zod'

const querySchema = z.object({
  payment_link_id: z.string().uuid('Invalid payment link ID format'),
  limit: z.preprocess(
    (val) => parseInt(z.string().parse(val), 10),
    z.number().int().min(1).max(100)
  ).default(50).optional()
})

const { payment_link_id, limit } = querySchema.parse(Object.fromEntries(searchParams))

[Shreyassp002]

Closing as duplicate of #31 which has been merged.

[google-labs-jules]

Closing as duplicate of #31 which has been merged.

Understood. Acknowledging that this work is now obsolete as an identical fix was already merged in PR #31, and stopping work on this task.