nisshchayarathi · Abhishek2005-ard · Jun 5, 2026 · Jun 16, 2026 · Jun 16, 2026 · Jun 16, 2026
diff --git a/app/api/annotations/route.ts b/app/api/annotations/route.ts
@@ -14,6 +14,18 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: "repositoryId is required" }, { status: 400 });
     }
 
+    // Verify user has access to the repository to prevent IDOR
+    const repo = await prisma.repository.findFirst({
+      where: {
+        id: parseInt(repositoryId),
+        userId: user.userId,
+      }
+    });
+
+    if (!repo) {
+      return NextResponse.json({ error: "Repository not found or access denied" }, { status: 403 });
+    }
+
     const annotations = await prisma.mapAnnotation.findMany({
       where: {
         repositoryId: parseInt(repositoryId),

diff --git a/next.config.js b/next.config.js
@@ -10,8 +10,13 @@ const nextConfig = {
   },
 }
 
-const withBundleAnalyzer = require('@next/bundle-analyzer')({
-  enabled: process.env.ANALYZE === 'true',
-})
+let withBundleAnalyzer;
+try {
+  withBundleAnalyzer = require('@next/bundle-analyzer')({
+    enabled: process.env.ANALYZE === 'true',
+  });
+} catch {
+  withBundleAnalyzer = (config) => config;
+}
 
 module.exports = withBundleAnalyzer(nextConfig)