Conversation

@zdql zdql (Contributor) commented Nov 25, 2025

No description provided.

railway-app bot commented Nov 25, 2025

🚅 Deployed to the echo-pr-697 environment in echo

Service Status Web Updated (UTC)
echo ✅ Success (View Logs) Web Nov 25, 2025 at 7:55 pm

vercel bot (Contributor) commented Nov 25, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
assistant-ui-template Ready Ready Preview Comment Nov 25, 2025 9:11pm
echo-control Ready Ready Preview Comment Nov 25, 2025 9:11pm
echo-next-boilerplate Ready Ready Preview Comment Nov 25, 2025 9:11pm
echo-next-image Ready Ready Preview Comment Nov 25, 2025 9:11pm
echo-next-sdk-example Ready Ready Preview Comment Nov 25, 2025 9:11pm
echo-video-template Ready Ready Preview Comment Nov 25, 2025 9:11pm
echo-vite-sdk-example Ready Ready Preview Comment Nov 25, 2025 9:11pm
next-chat-template Ready Ready Preview Comment Nov 25, 2025 9:11pm
react-boilerplate Ready Ready Preview Comment Nov 25, 2025 9:11pm
react-chat Ready Ready Preview Comment Nov 25, 2025 9:11pm
react-image Ready Ready Preview Comment Nov 25, 2025 9:11pm
1 Skipped Deployment
Project Deployment Preview Comments Updated (UTC)
component-registry Skipped Skipped Nov 25, 2025 9:11pm

@railway-app railway-app bot temporarily deployed to echo (echo / echo-pr-697) November 25, 2025 19:47 Destroyed
Review comment from a Contributor:

The setAppMembershipReferrer function doesn't validate whether a referral code has expired, allowing expired codes to be applied to memberships.

📝 Patch Details
diff --git a/packages/app/control/src/services/db/apps/membership.ts b/packages/app/control/src/services/db/apps/membership.ts
index 192c1992..2db42c68 100644
--- a/packages/app/control/src/services/db/apps/membership.ts
+++ b/packages/app/control/src/services/db/apps/membership.ts
@@ -186,14 +186,14 @@ export async function setAppMembershipReferrer(
     return false;
   }
 
-  // Validate the referral code exists
+  // Validate the referral code exists and hasn't expired
   const referralCode = await db.referralCode.findUnique({
     where: {
       code,
     },
   });
 
-  if (!referralCode) {
+  if (!referralCode || referralCode.expiresAt < new Date()) {
     return false;
   }
 
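Review bot: the expiry check added at "if (!referralCode || referralCode.expiresAt < new Date())" runs in application code after the row has been fetched; moving it into the Prisma where clause as "expiresAt: { gt: new Date() }" would match getCreditGrantCode() and findRefreshToken() (cited in the analysis below) and keep expired rows from being returned at all. Also, the analysis says expiresAt is optional at creation and defaults to a year out; if the column itself can hold null, "null < new Date()" evaluates to true in JavaScript (null coerces to 0), so a code with no expiry would be rejected as expired. Either document that expiresAt is NOT NULL or add an explicit null check, so the two "not found" and "expired" paths are deliberate.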

Analysis

Missing expiration validation in setAppMembershipReferrer allows expired referral codes to be applied

What fails: The setAppMembershipReferrer() function in packages/app/control/src/services/db/apps/membership.ts does not validate whether a referral code has expired before applying it to a membership.

How to reproduce:

  1. Create a referral code with an expiresAt date in the past (code schema supports this via optional expiresAt parameter, defaulting to 1 year in future)
  2. Call setAppMembershipReferrer(userId, echoAppId, expiredCode)
  3. The function returns true and applies the expired code to the membership

Result: Expired referral codes are accepted and applied. The function succeeds even when referralCode.expiresAt < new Date().

Expected: Function should return false for expired codes, matching the pattern used in other similar functions and the error message which states codes "may be invalid, expired, or you may already have a referrer for this app"

Verification: The same expiration validation pattern is correctly implemented in:

  • getCreditGrantCode() in packages/app/control/src/services/db/credits/grant.ts - uses expiresAt: { gt: new Date() } in WHERE clause
  • findRefreshToken() in packages/app/control/src/services/db/auth/refresh.ts - uses expiresAt: { gt: new Date() } in WHERE clause

The fix adds the missing expiration check: if (!referralCode || referralCode.expiresAt < new Date())
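To make the behaviour described in the analysis concrete, the following is an added example (not code from the PR or the echo repository) that models the referral-code lookup against an in-memory store instead of db.referralCode.findUnique. The ReferralCodeRow shape, the sample codes and the three function names are assumptions; the example also covers the null expiresAt edge case, which the patch as written treats as expired.

```typescript
// Added example, not part of the PR: models setAppMembershipReferrer's
// referral-code lookup with an in-memory store so the expiry check can be
// exercised without a database.

// Hypothetical minimal row shape; expiresAt is nullable here only so the
// null-coercion pitfall can be demonstrated.
interface ReferralCodeRow {
  code: string;
  expiresAt: Date | null;
}

// Constructed sample rows standing in for findUnique() results.
const SAMPLE_CODES: ReferralCodeRow[] = [
  { code: "LIVE-2026", expiresAt: new Date("2026-12-31T00:00:00Z") },
  { code: "OLD-2024", expiresAt: new Date("2024-01-01T00:00:00Z") },
  { code: "NO-EXPIRY", expiresAt: null },
];

function findUnique(code: string): ReferralCodeRow | null {
  return SAMPLE_CODES.find((r) => r.code === code) ?? null;
}

// Behaviour before the patch: any existing code is accepted, expired or not.
function acceptsBeforeFix(code: string, _now: Date): boolean {
  return findUnique(code) !== null;
}

// Behaviour of the patch as written: reject when expiresAt < now.
// If expiresAt is null, JavaScript coerces null to 0, so "null < now" is
// true and a code with no expiry is rejected as if it had expired.
function acceptsPatched(code: string, now: Date): boolean {
  const row = findUnique(code);
  if (!row || (row.expiresAt as unknown as Date) < now) return false;
  return true;
}

// Explicit variant: missing row -> reject; expired row -> reject; null
// expiresAt -> treat as non-expiring. Equivalent to the
// "expiresAt: { gt: now }" WHERE clause the analysis cites elsewhere.
function acceptsExplicit(code: string, now: Date): boolean {
  const row = findUnique(code);
  if (!row) return false;
  if (row.expiresAt !== null && row.expiresAt.getTime() <= now.getTime()) {
    return false;
  }
  return true;
}
```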

@zdql zdql merged commit 293fa6f into master Nov 25, 2025
19 checks passed