fix(quantity): enforce claim limits on backend, fix quantity field in admin form

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/api/public/items/[id]/claim/route.ts

@@ -26,44 +26,69 @@ export async function POST(
     if (wl.length === 0) return NextResponse.json({ error: 'Wishlist not found' }, { status: 404 });
     if (!wl[0].isPublic) return NextResponse.json({ error: 'This wishlist is private' }, { status: 403 });
 
-    // Sum quantities reserved by OTHER guests
-    const otherSumRow = await db
-      .select({ total: sql<number>`COALESCE(SUM(${itemClaims.quantity}), 0)` })
-      .from(itemClaims)
-      .where(and(eq(itemClaims.itemId, id), ne(itemClaims.guestId, guest.id)));
-    const otherSum = Number(otherSumRow[0]?.total ?? 0);
+    // Atomically check remaining quantity and upsert the claim inside a synchronous
+    // transaction to prevent race conditions (better-sqlite3 is synchronous).
+    type TxResult = { ok: true } | { ok: false; remaining: number };
 
-    if (otherSum + requestedQty > item.quantity) {
-      const remaining = Math.max(0, item.quantity - otherSum);
+    const txResult: TxResult = db.transaction((tx) => {
+      // Re-read item quantity inside the transaction for an accurate snapshot
+      const itemSnap = tx
+        .select({ quantity: wishlistItems.quantity })
+        .from(wishlistItems)
+        .where(eq(wishlistItems.id, id))
+        .limit(1)
+        .all();
+
+      if (itemSnap.length === 0) return { ok: false, remaining: 0 };
+      const itemQty = itemSnap[0].quantity;
+
+      // Sum quantities reserved by OTHER guests
+      const otherSumRow = tx
+        .select({ total: sql<number>`COALESCE(SUM(${itemClaims.quantity}), 0)` })
+        .from(itemClaims)
+        .where(and(eq(itemClaims.itemId, id), ne(itemClaims.guestId, guest.id)))
+        .all();
+      const otherSum = Number(otherSumRow[0]?.total ?? 0);
+
+      if (otherSum + requestedQty > itemQty) {
+        const remaining = Math.max(0, itemQty - otherSum);
+        return { ok: false, remaining };
+      }
+
+      // Upsert: replace existing claim for this (item, guest)
+      const existing = tx
+        .select({ id: itemClaims.id })
+        .from(itemClaims)
+        .where(and(eq(itemClaims.itemId, id), eq(itemClaims.guestId, guest.id)))
+        .limit(1)
+        .all();
+
+      if (existing.length > 0) {
+        tx.update(itemClaims)
+          .set({ quantity: requestedQty, note, updatedAt: new Date() })
+          .where(eq(itemClaims.id, existing[0].id))
+          .run();
+      } else {
+        tx.insert(itemClaims)
+          .values({ itemId: id, guestId: guest.id, quantity: requestedQty, note })
+          .run();
+      }
+
+      tx.update(wishlistItems)
+        .set({ updatedAt: new Date() })
+        .where(eq(wishlistItems.id, id))
+        .run();
+
+      return { ok: true };
+    });
+
+    if (!txResult.ok) {
       return NextResponse.json(
-        { error: `Apenas ${remaining} disponível(is)`, remaining },
+        { error: `Apenas ${txResult.remaining} disponível(is)`, remaining: txResult.remaining },
         { status: 409 }
       );
     }
 
-    // Upsert: replace existing claim for this (item, guest)
-    const existing = await db
-      .select()
-      .from(itemClaims)
-      .where(and(eq(itemClaims.itemId, id), eq(itemClaims.guestId, guest.id)))
-      .limit(1);
-
-    if (existing.length > 0) {
-      await db
-        .update(itemClaims)
-        .set({ quantity: requestedQty, note, updatedAt: new Date() })
-        .where(eq(itemClaims.id, existing[0].id));
-    } else {
-      await db.insert(itemClaims).values({
-        itemId: id,
-        guestId: guest.id,
-        quantity: requestedQty,
-        note,
-      });
-    }
-
-    await db.update(wishlistItems).set({ updatedAt: new Date() }).where(eq(wishlistItems.id, id));
-
     const updated = await fetchItemWithClaims(id);
     return NextResponse.json({ success: true, item: updated }, { status: 201 });
   } catch (err) {