
fix(wallet): clamp transaction limit #329

Merged: ralyodio merged 2 commits into profullstack:master from Jorel97:codex/fix-wallet-transactions-limit-328 on May 29, 2026

Conversation

@Jorel97 (Contributor) commented May 29, 2026

Summary

  • normalize wallet transaction limit before building the LNbits payments request URL
  • clamp negative values to 1, non-numeric/missing values to 50, and large values to 100
  • add route tests covering auth and all limit boundaries

Fixes #328.

Testing

  • Not run locally: this workspace has Node but no npm/pnpm/npx/corepack available to install or invoke Vitest.

greptile-apps Bot commented May 29, 2026

Greptile Summary

This PR fixes a gap in the wallet transactions route where negative limit values were not clamped, and NaN (from non-numeric input) could be forwarded directly to LNbits. The fix extracts a parseLimit helper with explicit lower/upper bounds and NaN/empty handling, and adds a full test suite covering the auth guard and all boundary conditions.

  • route.ts: Replaces Math.min(parseInt(...), 100) with parseLimit, which normalises null/empty to 50, coerces non-finite values (NaN, Infinity) to 50, truncates floats, and clamps the result to [1, 100].
  • route.test.ts: New test file covering 401 when unauthenticated, negative clamping, non-numeric default, missing-param default, valid passthrough, and large-value cap.

Confidence Score: 5/5

Safe to merge — the change is tightly scoped to query-parameter normalisation and the new logic is fully covered by the accompanying tests.

The parseLimit helper correctly handles every edge case: null/empty → 50, non-numeric (NaN, 'abc') → 50, negatives → 1, zero → 1, floats → truncated, oversized → 100. All paths are exercised by the test suite, and the rest of the route handler is unchanged.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| src/app/api/wallet/transactions/route.ts | Replaces the old unbounded parseInt call with a dedicated parseLimit helper that correctly clamps negatives to 1, defaults non-numeric/missing to 50, and caps large values at 100. |
| src/app/api/wallet/transactions/route.test.ts | New test file covering the 401 auth path and all four limit boundary conditions (negative, non-numeric, missing, large), plus a valid in-range passthrough case. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["GET /api/wallet/transactions\n?limit=<value>"] --> B{Auth valid?}
    B -- No --> C["401 Unauthorized"]
    B -- Yes --> D["parseLimit(value)"]
    D --> E{value null or\nwhitespace-only?}
    E -- Yes --> F["use 50 as input"]
    E -- No --> G["Number(value)"]
    F --> H["Number(50) = 50"]
    G --> I{isFinite?}
    I -- No --> J["use 50"]
    I -- Yes --> K["Math.trunc(parsed)"]
    H --> K
    J --> K
    K --> L["Math.max(truncated, 1) clamp >= 1"]
    L --> M["Math.min(result, 100) clamp <= 100"]
    M --> N["fetch LNbits /api/v1/payments?limit=N"]
    N --> O{lnWallet found?}
    O -- No --> P["Return empty list"]
    O -- Yes --> Q{LNbits ok?}
    Q -- No --> P
    Q -- Yes --> R["Filter + map payments Return 200"]

Reviews (2): Last reviewed commit: "test(wallet): cover transaction limit pa..."

Comment thread src/app/api/wallet/transactions/route.test.ts
@ralyodio ralyodio merged commit 9c4d355 into profullstack:master May 29, 2026
4 checks passed
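
The before/after behaviour described in the review summary, as an added TypeScript example that is not the PR's own code (the diff is not shown on this page). `legacyLimit`, `paymentsUrl`, `compare` and the `lnbits.example` host are hypothetical, and the elided `parseInt` argument is assumed to be the raw query string.

```typescript
const DEFAULT_LIMIT = 50;
const MIN_LIMIT = 1;
const MAX_LIMIT = 100;

// "Before" shape named in the summary: Math.min(parseInt(...), 100).
// The parseInt argument is elided on the page; passing the raw string with
// radix 10 is an assumption of this sketch.
function legacyLimit(raw: string): number {
  return Math.min(parseInt(raw, 10), MAX_LIMIT);
}

// "After" behaviour as the summary and flowchart describe it:
// null/blank -> 50, non-finite -> 50, truncate, then clamp to [1, 100].
function parseLimit(raw: string | null): number {
  if (raw === null || raw.trim() === "") return DEFAULT_LIMIT;
  const parsed = Number(raw);
  if (!isFinite(parsed)) return DEFAULT_LIMIT;
  return Math.min(Math.max(Math.trunc(parsed), MIN_LIMIT), MAX_LIMIT);
}

// Upstream request path from the flowchart; the host is a placeholder.
function paymentsUrl(limit: number): string {
  const value = encodeURIComponent(String(limit));
  return `https://lnbits.example/api/v1/payments?limit=${value}`;
}

// Constructed sample query values (not taken from the PR's test file).
const SAMPLES: string[] = [
  "25", "-5", "0", "abc", "25.9", "500", "1e9", "0x10", "Infinity",
];

// Pair each input with the URL each version would send upstream.
function compare(samples: string[]): { raw: string; before: string; after: string }[] {
  return samples.map((raw) => ({
    raw,
    before: paymentsUrl(legacyLimit(raw)),
    after: paymentsUrl(parseLimit(raw)),
  }));
}

for (const row of compare(SAMPLES)) {
  console.log(JSON.stringify(row.raw), "|", row.before, "|", row.after);
}
```

Because `Number()` also accepts exponent and hex notation, inputs such as `1e9` and `0x10` parse as numbers and are clamped rather than replaced by the default.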

Development

Successfully merging this pull request may close these issues.

Bug: Wallet transactions accepts invalid LNbits limit values