fix: validate swipe restaurant ids against room candidates

src/app/api/room/[id]/swipe/route.test.ts

@@ -113,6 +113,21 @@ describe("POST /api/room/[id]/swipe", () => {
     expect(res.status).toBe(400);
   });
 
+  it("returns 400 when restaurantId is not in room candidates", async () => {
+    mockAtomicUpdate.mockImplementation(async (_id, updater) => {
+      const data = structuredClone(TEST_ROOM_DATA);
+      return updater(data);
+    });
+
+    const req = createRequest("/api/room/ROOM01/swipe", {
+      method: "POST",
+      body: { userId: "user-1", restaurantId: "unknown-id", action: "like" },
+    });
+    const ctx = createRouteContext({ id: "ROOM01" });
+    const res = await POST(req, ctx);
+    expect(res.status).toBe(400);
+  });
+
   it("returns 404 when room not found", async () => {
     mockAtomicUpdate.mockResolvedValue(null);
 

src/app/api/room/[id]/swipe/route.ts

@@ -23,8 +23,10 @@ export const POST = apiHandler(async (req, { params }) => {
     }
 
     const restaurantIndex = data.restaurants.findIndex((r) => r.id === rid);
+    if (restaurantIndex < 0) {
+      throw new ApiError("restaurantId 不存在于该房间候选列表", 400);
+    }
     const alreadySwiped =
-      restaurantIndex >= 0 &&
       restaurantIndex < (data.swipeCounts[userId] ?? 0);
 
     if (alreadySwiped) return data;