circlefin · memosr · Apr 11, 2026 · May 21, 2026
diff --git a/app/api/transactions/[id]/route.ts b/app/api/transactions/[id]/route.ts
@@ -48,11 +48,11 @@ export async function GET(
       return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
     }
 
-    // Fetch transaction (RLS will ensure user can only see their own)
     const { data: transaction, error: txError } = await supabase
       .from("transactions")
       .select("*")
       .eq("id", id)
+      .eq("user_id", user.id)
       .single();
 
     if (txError) {

diff --git a/app/api/transactions/route.ts b/app/api/transactions/route.ts
@@ -130,6 +130,7 @@ export async function POST(req: NextRequest) {
           .from("transactions")
           .select("*")
           .eq("idempotency_key", idempotencyKey)
+          .eq("user_id", user.id)
           .single();
 
         if (existingTx) {
@@ -218,6 +219,7 @@ export async function GET(req: NextRequest) {
       .from("transactions")
       .select("*")
       .eq("transaction_type", "USER")
+      .eq("user_id", user.id)
       .order("created_at", { ascending: false });
 
     if (txError) {

diff --git a/app/dashboard/[txHash]/page.tsx b/app/dashboard/[txHash]/page.tsx
@@ -70,11 +70,11 @@ export default async function TransactionDetailsPage(
     redirect("/auth/login");
   }
 
-  // Fetch the real transaction by tx_hash
   const { data: transaction, error: txError } = await supabase
     .from("transactions")
     .select("*")
     .eq("tx_hash", txHash)
+    .eq("user_id", data.user.id)
     .single();
 
   if (txError || !transaction) {