From 07bb149dd8a4a688927c2f54b71e914530ca2f5c Mon Sep 17 00:00:00 2001
From: Mannu
Date: Sun, 17 May 2026 11:57:57 +0530
Subject: [PATCH] =?UTF-8?q?fix:=20notifications=20IDOR=20=E2=80=94=20verif?=
 =?UTF-8?q?y=20child=20belongs=20to=20caller's=20family?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Claude Sonnet 4.6
---
 src/app/api/notifications/route.ts | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/app/api/notifications/route.ts b/src/app/api/notifications/route.ts
index 4d45ba0..61625fa 100644
--- a/src/app/api/notifications/route.ts
+++ b/src/app/api/notifications/route.ts
@@ -1,5 +1,6 @@
 import { NextResponse } from "next/server";
 import { sql } from "@/db";
+import { requireFamily, requireOwnership } from "@/lib/auth";
 
 // IAP Vaccination Schedule (weeks from birth)
 const IAP_SCHEDULE = [
@@ -33,6 +34,9 @@ const IAP_SCHEDULE = [
 
 export async function GET(request: Request) {
   try {
+    const auth = await requireFamily();
+    if (!auth.success) return NextResponse.json({ error: auth.error }, { status: auth.status });
+
     const { searchParams } = new URL(request.url);
     const childId = searchParams.get("childId");
 
@@ -40,6 +44,9 @@ export async function GET(request: Request) {
       return NextResponse.json({ error: "childId required" }, { status: 400 });
     }
 
+    const ownership = await requireOwnership(childId, "children", "Child");
+    if (!ownership.success) return NextResponse.json({ error: ownership.error }, { status: ownership.status });
+
     // Get child's birth date
     const children = await sql`
       SELECT id, name, birth_date FROM children WHERE id = ${childId}
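Review bot: The family resolved by `requireFamily()` at the top of the try block is used only as a gate; its payload is never passed on, and the later `requireOwnership(childId, "children", "Child")` call takes no family argument, so that helper presumably re-derives the caller's session on its own. If the two helpers really do read the session independently, a short comment on the `auth` line would stop the next reader from assuming `auth` carries the scope used further down, e.g. `// requireFamily only gates the request; requireOwnership re-resolves the caller's family itself`. If instead requireFamily already returns the family identity, threading it into requireOwnership would avoid the second lookup. The GET handler continues past the end of this hunk.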
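Review bot: After the ownership check passes, the fetch on the last line of the hunk still selects by `id = ${childId}` alone, so authorization and data access are two separate lookups with a window between them; scoping the SELECT to the caller's family as well, `WHERE id = ${childId} AND <family column> = ${<family id returned by the auth helper>}` (real column and field names from `@/lib/auth` and the schema, which are not visible here), lets the query itself enforce the boundary. Separately, `ownership.error` and `ownership.status` are returned verbatim: if requireOwnership responds differently for a child id that does not exist than for one owned by another family, the endpoint reveals which ids exist, and returning the same status and message for both cases avoids that. Whether the helper distinguishes the two cases cannot be seen from this hunk, so this is worth confirming against its implementation.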