Skip to content

fix(bounties): validate claimed coupon matches the bounty store & block reuse#38

Open
eltociear wants to merge 1 commit into
profullstack:masterfrom
eltociear:fix/claim-validate-coupon-store
Open

fix(bounties): validate claimed coupon matches the bounty store & block reuse#38
eltociear wants to merge 1 commit into
profullstack:masterfrom
eltociear:fix/claim-validate-coupon-store

Conversation

@eltociear

Copy link
Copy Markdown

Fixes #37.

POST /api/bounties/[id]/claim only verified that the submitted coupon_id existed — never that the coupon was for the store the bounty targets, and never that the coupon hadn't already been used elsewhere. So any pre-existing coupon (e.g. a seeded Amazon coupon) could claim an unrelated funded bounty and trigger a real reward_usd payout, and a single coupon could be reused to drain every bounty for that store.

This adds two guards right after the coupon-exists check, before the bounty is marked claimed:

  1. Store match — the coupon's store_id must equal the bounty's store_id; for free-text store_name bounties, the coupon's resolved store name must match (case-insensitive).
  2. No reuse — a coupon already recorded as coupon_id on another bounty is rejected (409).

Legitimate claims (a coupon for the correct store, not previously used) are unaffected. Complements #35/#36 (funded-status gate) — this closes the coupon-relevance hole that applies even to correctly-funded bounties.

The claim route only checked that the submitted coupon_id EXISTS, never
that it matches the bounty. Any pre-existing coupon (e.g. id 1, for an
unrelated store) satisfied the claim and triggered a real merchant payout
of reward_usd. A single coupon could also be reused to claim every bounty.

Add two checks before marking the bounty claimed:
- the coupon's store must match the bounty's store_id (or store_name)
- the coupon must not already be used to claim another bounty
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Bounty payout fires for a coupon that doesn't match the bounty's store (missing coupon↔bounty validation)

1 participant