fix(bounties): validate claimed coupon matches the bounty store & block reuse#38
Open
eltociear wants to merge 1 commit into
Conversation
The claim route only checked that the submitted `coupon_id` EXISTS, never that it matches the bounty. Any pre-existing coupon (e.g. id 1, for an unrelated store) satisfied the claim and triggered a real merchant payout of `reward_usd`. A single coupon could also be reused to claim every bounty.

Add two checks before marking the bounty claimed:

- the coupon's store must match the bounty's `store_id` (or `store_name`)
- the coupon must not already be used to claim another bounty
Fixes #37.
`POST /api/bounties/[id]/claim` only verified that the submitted `coupon_id` existed — never that the coupon was for the store the bounty targets, and never that the coupon hadn't already been used elsewhere. So any pre-existing coupon (e.g. a seeded Amazon coupon) could claim an unrelated funded bounty and trigger a real `reward_usd` payout, and a single coupon could be reused to drain every bounty for that store.

This adds two guards right after the coupon-exists check, before the bounty is marked claimed:

- the coupon's `store_id` must equal the bounty's `store_id`; for free-text `store_name` bounties, the coupon's resolved store name must match (case-insensitive)
- a `coupon_id` already used on another bounty is rejected (409)

Legitimate claims (a coupon for the correct store, not previously used) are unaffected. Complements #35/#36 (funded-status gate) — this closes the coupon-relevance hole that applies even to correctly-funded bounties.