Validate allowed_emails on discount code lookup

The /api/v1/discount/:code endpoint now checks allowed_emails when
an email is provided. If the email isn't in the allowed list, the endpoint returns
valid:false so the frontend doesn't display a discount that cannot be applied. The promo
field is cleared and unlocked if validation fails.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
justin 2026-05-22 01:08:51 -05:00
parent 7bb08f3493
commit b81e102d39
2 changed files with 20 additions and 1 deletions


@ -81,6 +81,25 @@ router.get("/api/v1/discount/:code", async (req, res) => {
return;
}
// Check allowed_emails restriction
if (dc.allowed_emails && dc.allowed_emails.length > 0) {
if (!email) {
res.status(400).json({
valid: false,
error: "This code requires an email address to validate.",
});
return;
}
const allowed = dc.allowed_emails.map((e: string) => e.toLowerCase());
if (!allowed.includes(email.toLowerCase().trim())) {
res.status(403).json({
valid: false,
error: "This discount code is not valid for your email address.",
});
return;
}
}
// Check per-email limit
if (email && dc.max_uses_per_email > 0) {
const emailUsage = await pool.query(