fix(billing): gate subscription transfer noop behind membership check

Previously the 'already belongs to this organization' early return fired
before the org/member lookups, letting any authenticated caller probe
sub-to-org pairings without being a member of the target org. Move the
noop check after the admin/owner verification so unauthorized callers
hit the 403 first.

Author: waleedlatif1

apps/sim/app/api/users/me/subscription/[id]/transfer/route.test.ts

@@ -83,9 +83,12 @@ describe('POST /api/users/me/subscription/[id]/transfer', () => {
   })
 
   it('treats an already-transferred organization subscription as a successful no-op', async () => {
-    dbChainMockFns.for.mockResolvedValueOnce([
-      { id: 'sub-1', referenceId: 'org-1', plan: 'team', status: 'active' },
-    ])
+    dbChainMockFns.for
+      .mockResolvedValueOnce([
+        { id: 'sub-1', referenceId: 'org-1', plan: 'team', status: 'active' },
+      ])
+      .mockResolvedValueOnce([{ id: 'org-1' }])
+    dbChainMockFns.limit.mockResolvedValueOnce([{ role: 'owner' }])
 
     const response = await makeRequest({ organizationId: 'org-1' })
 
@@ -97,6 +100,23 @@ describe('POST /api/users/me/subscription/[id]/transfer', () => {
     expect(dbChainMockFns.update).not.toHaveBeenCalled()
   })
 
+  it('rejects the noop probe when the requester is not a member of the target organization', async () => {
+    dbChainMockFns.for
+      .mockResolvedValueOnce([
+        { id: 'sub-1', referenceId: 'org-1', plan: 'team', status: 'active' },
+      ])
+      .mockResolvedValueOnce([{ id: 'org-1' }])
+    dbChainMockFns.limit.mockResolvedValueOnce([])
+
+    const response = await makeRequest({ organizationId: 'org-1' })
+
+    expect(response.status).toBe(403)
+    await expect(response.json()).resolves.toEqual({
+      error: 'Unauthorized - user is not admin of organization',
+    })
+    expect(dbChainMockFns.update).not.toHaveBeenCalled()
+  })
+
   it('rejects the transfer when the target organization already has an active subscription', async () => {
     dbChainMockFns.for
       .mockResolvedValueOnce([

apps/sim/app/api/users/me/subscription/[id]/transfer/route.ts

@@ -80,18 +80,6 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
         }
       }
 
-      if (sub.referenceId === organizationId) {
-        return { kind: 'noop', message: 'Subscription already belongs to this organization' }
-      }
-
-      if (sub.referenceId !== userId) {
-        return {
-          kind: 'error',
-          status: 403,
-          error: 'Unauthorized - subscription does not belong to user',
-        }
-      }
-
       const [org] = await tx
         .select({ id: organization.id })
         .from(organization)
@@ -116,6 +104,18 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
         }
       }
 
+      if (sub.referenceId === organizationId) {
+        return { kind: 'noop', message: 'Subscription already belongs to this organization' }
+      }
+
+      if (sub.referenceId !== userId) {
+        return {
+          kind: 'error',
+          status: 403,
+          error: 'Unauthorized - subscription does not belong to user',
+        }
+      }
+
       const [existingOrgSub] = await tx
         .select({ id: subscription.id })
         .from(subscription)