don't allow banned users to buy credits

Author: jahooma

web/src/app/api/orgs/[orgId]/credits/route.ts

@@ -41,6 +41,23 @@ export async function POST(request: NextRequest, { params }: RouteParams) {
       )
     }
 
+    // Check if user is banned
+    const user = await db.query.user.findFirst({
+      where: eq(schema.user.id, session.user.id),
+      columns: { banned: true },
+    })
+
+    if (user?.banned) {
+      logger.warn(
+        { userId: session.user.id, orgId },
+        'Banned user attempted to purchase organization credits',
+      )
+      return NextResponse.json(
+        { error: 'Your account has been suspended. Please contact support.' },
+        { status: 403 },
+      )
+    }
+
     // Verify user has permission to purchase credits for this organization
     const membership = await db.query.orgMember.findFirst({
       where: and(

web/src/app/api/stripe/buy-credits/route.ts

@@ -50,9 +50,17 @@ export async function POST(req: NextRequest) {
   try {
     const user = await db.query.user.findFirst({
       where: eq(schema.user.id, userId),
-      columns: { stripe_customer_id: true },
+      columns: { stripe_customer_id: true, banned: true },
     })
 
+    if (user?.banned) {
+      logger.warn({ userId }, 'Banned user attempted to purchase credits')
+      return NextResponse.json(
+        { error: 'Your account has been suspended. Please contact support.' },
+        { status: 403 },
+      )
+    }
+
     if (!user?.stripe_customer_id) {
       logger.error(
         { userId },