Validate allowed_emails on discount code lookup

The /api/v1/discount/:code endpoint now checks allowed_emails when an email is provided. If the email isn't in the allowed list, returns valid:false so the frontend doesn't show a fake discount. The promo field is cleared and unlocked if validation fails. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-22 01:08:51 -05:00 · 2026-05-22 01:08:51 -05:00 · b81e102d39
commit b81e102d39
parent 7bb08f3493
2 changed files with 20 additions and 1 deletions
--- a/api/src/routes/discounts.ts
+++ b/api/src/routes/discounts.ts
@ -81,6 +81,25 @@ router.get("/api/v1/discount/:code", async (req, res) => {
      return;
    }

+    // Check allowed_emails restriction
+    if (dc.allowed_emails && dc.allowed_emails.length > 0) {
+      if (!email) {
+        res.status(400).json({
+          valid: false,
+          error: "This code requires an email address to validate.",
+        });
+        return;
+      }
+      const allowed = dc.allowed_emails.map((e: string) => e.toLowerCase());
+      if (!allowed.includes(email.toLowerCase().trim())) {
+        res.status(403).json({
+          valid: false,
+          error: "This discount code is not valid for your email address.",
+        });
+        return;
+      }
+    }
+
    // Check per-email limit
    if (email && dc.max_uses_per_email > 0) {
      const emailUsage = await pool.query(
--- a/site/public/order/fcc-compliance/index.html
+++ b/site/public/order/fcc-compliance/index.html
@ -195,7 +195,7 @@ var entityBar=document.getElementById("pw-entity-bar");
 var bundleTip=document.getElementById("pw-bundle-tip");

 // Fetch promo code info from API if present
-if(promoFromUrl){fetch(API+"/api/v1/discount/"+encodeURIComponent(promoFromUrl)).then(function(r){return r.json()}).then(function(d){if(d.valid){window._promoInfo=d;var cb=document.querySelector(".svc-cb:checked");if(cb)cb.dispatchEvent(new Event("change",{bubbles:true}));}}).catch(function(){});}
+if(promoFromUrl){var discUrl=API+"/api/v1/discount/"+encodeURIComponent(promoFromUrl)+(emailFromUrl?"?email="+encodeURIComponent(emailFromUrl):"");fetch(discUrl).then(function(r){return r.json()}).then(function(d){if(d.valid){window._promoInfo=d;var cb=document.querySelector(".svc-cb:checked");if(cb)cb.dispatchEvent(new Event("change",{bubbles:true}));}else{window._promoInfo=null;promoFromUrl="";var pe=document.getElementById("pw-promo");if(pe){pe.value="";pe.readOnly=false;pe.style.background="";pe.style.borderColor="";}}}).catch(function(){});}

 if(frn){
  fetch(API+"/api/v1/fcc/lookup?frn="+frn+"&quick=1").then(function(r){return r.json()}).then(function(d){