Validate allowed_emails on discount code lookup
The /api/v1/discount/:code endpoint now checks allowed_emails when an email is provided. If the email isn't in the allowed list, returns valid:false so the frontend doesn't show a fake discount. The promo field is cleared and unlocked if validation fails. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
7bb08f3493
commit
b81e102d39
2 changed files with 20 additions and 1 deletions
|
|
@ -81,6 +81,25 @@ router.get("/api/v1/discount/:code", async (req, res) => {
|
|||
return;
|
||||
}
|
||||
|
||||
// Check allowed_emails restriction
|
||||
if (dc.allowed_emails && dc.allowed_emails.length > 0) {
|
||||
if (!email) {
|
||||
res.status(400).json({
|
||||
valid: false,
|
||||
error: "This code requires an email address to validate.",
|
||||
});
|
||||
return;
|
||||
}
|
||||
const allowed = dc.allowed_emails.map((e: string) => e.toLowerCase());
|
||||
if (!allowed.includes(email.toLowerCase().trim())) {
|
||||
res.status(403).json({
|
||||
valid: false,
|
||||
error: "This discount code is not valid for your email address.",
|
||||
});
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
// Check per-email limit
|
||||
if (email && dc.max_uses_per_email > 0) {
|
||||
const emailUsage = await pool.query(
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue