Threshold Validation Supabase Edge Function
Component Detail
Description
Server-authoritative Supabase Edge Function that re-executes the same threshold evaluation logic as the client-side ThresholdEvaluationService before finalising a claim submission. Prevents client-side bypass by ensuring the auto-approval decision is always confirmed server-side before persisting the approved status.
threshold-validation-edge-function
Summaries
The Threshold Validation Edge Function is a critical security control that prevents fraudulent or erroneous auto-approval of expense claims by ensuring that the auto-approval decision is always verified on the server before it is recorded. Without this component, a technically sophisticated user could manipulate the mobile client to misrepresent a claim as below-threshold and trigger automatic approval for a claim that should require coordinator review. By running authoritative threshold evaluation server-side, the organisation protects the integrity of its expense management process, reduces financial risk from unauthorised reimbursements, and demonstrates a robust internal control environment that supports compliance with funding body requirements such as Bufdir accountability standards.
Medium complexity, this component is a Supabase Edge Function written in TypeScript (Deno runtime) and depends on the `threshold-evaluation-service` logic being available in a form that can be imported or replicated server-side. The key delivery risk is the shared threshold logic: if the client uses Dart and the server uses TypeScript, ensuring both implementations produce identical results for all edge cases requires careful parity testing and is a potential source of regression bugs. This must be flagged as a cross-platform logic synchronisation risk in the project plan. The edge function must be deployed and integration-tested in the Supabase staging environment before the claim submission flow can be signed off as production-ready.
Any future changes to threshold configuration logic must be applied to both the client-side service and this edge function simultaneously, which introduces a change management dependency.
This Supabase Edge Function (Deno/TypeScript) is invoked via `POST /functions/v1/validate-expense-threshold` during the claim submission flow, receiving `claimId` and `organisationId` in the request body. It fetches all `expense_lines` for the claim directly from the database using the Supabase service role client (bypassing RLS to ensure complete data access) and fetches the organisation's threshold configuration from the appropriate settings table. It then executes the same threshold evaluation algorithm as the client-side `ThresholdEvaluationService` — this logic must be maintained as a shared TypeScript module importable by both the edge function and any server-side services. The function returns a structured response indicating the server-determined approval path (`auto` or `manual`).
The calling service must compare this against the client-submitted path and abort with a 422 error if they diverge. Input validation, database error handling, and request authentication via JWT verification must all be implemented before deployment.
Responsibilities
- Receive claim submission request and fetch all expense lines from database
- Execute threshold evaluation using shared Dart/TypeScript threshold logic
- Return approval path decision (auto or manual) to calling service
- Reject requests where client-computed approval path does not match server result
Interfaces
POST /functions/v1/validate-expense-threshold
validateThreshold(claimId, organisationId)
fetchExpenseLines(claimId)
fetchThresholdConfig(organisationId)
Relationships
Related Data Entities (2)
Data entities managed by this component
Used Integrations (1)
External integrations and APIs this component relies on