(SP: 1)[SHOP] enforce explicit no-discount checkout contract for launch

Author: liudmylasovetovs

frontend/app/api/shop/checkout/route.ts

@@ -59,6 +59,7 @@ type CheckoutRequestedProvider = 'stripe' | 'monobank';
 const EXPECTED_BUSINESS_ERROR_CODES = new Set([
   'IDEMPOTENCY_CONFLICT',
   'INVALID_PAYLOAD',
+  'DISCOUNTS_NOT_SUPPORTED',
   'INVALID_VARIANT',
   'INSUFFICIENT_STOCK',
   'CHECKOUT_PRICE_CHANGED',
@@ -94,6 +95,15 @@ const STATUS_TOKEN_SCOPES_PAYMENT_INIT: readonly StatusTokenScope[] = [
   'status_lite',
   'order_payment_init',
 ];
+const UNSUPPORTED_DISCOUNT_FIELDS = new Set([
+  'discountCode',
+  'couponCode',
+  'promoCode',
+  'discountAmount',
+  'discountAmountMinor',
+  'totalDiscountAmount',
+  'totalDiscountMinor',
+]);
 
 function resolveCheckoutTokenScopes(args: {
   paymentProvider: PaymentProvider;
@@ -342,6 +352,18 @@ function errorResponse(
   return res;
 }
 
+function collectUnsupportedDiscountFields(
+  value: unknown
+): string[] {
+  if (!value || typeof value !== 'object' || Array.isArray(value)) {
+    return [];
+  }
+
+  return Object.keys(value).filter(field =>
+    UNSUPPORTED_DISCOUNT_FIELDS.has(field)
+  );
+}
+
 function getIdempotencyKey(request: NextRequest) {
   const headerKey = request.headers.get('Idempotency-Key');
   if (headerKey === null || headerKey === undefined) return null;
@@ -998,6 +1020,24 @@ export async function POST(request: NextRequest) {
     };
   }
 
+  const unsupportedDiscountFields =
+    collectUnsupportedDiscountFields(payloadForValidation);
+
+  if (unsupportedDiscountFields.length > 0) {
+    logWarn('checkout_discount_not_supported', {
+      ...meta,
+      code: 'DISCOUNTS_NOT_SUPPORTED',
+      fields: unsupportedDiscountFields,
+    });
+
+    return errorResponse(
+      'DISCOUNTS_NOT_SUPPORTED',
+      'Discounts are not available at checkout.',
+      400,
+      { fields: unsupportedDiscountFields }
+    );
+  }
+
   const parsedPayload = checkoutPayloadSchema.safeParse(payloadForValidation);
 
   if (!parsedPayload.success) {

frontend/lib/tests/shop/checkout-shipping-authoritative-total.test.ts

@@ -480,4 +480,49 @@ describe('checkout authoritative shipping totals', () => {
 
     expect(orderRow).toBeFalsy();
   });
+
+  it('rejects client-supplied discount input under the launch no-discount contract', async () => {
+    const seed = await seedShippingCheckoutData();
+    const quote = await rehydrateCartItems(
+      [{ productId: seed.productId, quantity: 1 }],
+      'UAH'
+    );
+    const warehouseMethod = await fetchWarehouseMethodQuote();
+    const pricingFingerprint = quote.summary.pricingFingerprint;
+    const idempotencyKey = crypto.randomUUID();
+
+    expect(typeof pricingFingerprint).toBe('string');
+    expect(pricingFingerprint).toHaveLength(64);
+
+    const response = await POST(
+      makeCheckoutRequest({
+        idempotencyKey,
+        productId: seed.productId,
+        pricingFingerprint: pricingFingerprint!,
+        cityRef: seed.cityRef,
+        warehouseRef: seed.warehouseRef,
+        shippingQuoteFingerprint: warehouseMethod.quoteFingerprint,
+        extraBody: {
+          discountCode: 'SPRING10',
+          discountAmountMinor: 1000,
+        },
+      })
+    );
+
+    expect(response.status).toBe(400);
+    const json = await response.json();
+    expect(json.code).toBe('DISCOUNTS_NOT_SUPPORTED');
+    expect(json.message).toBe('Discounts are not available at checkout.');
+    expect(json.details?.fields).toEqual(
+      expect.arrayContaining(['discountCode', 'discountAmountMinor'])
+    );
+
+    const [orderRow] = await db
+      .select({ id: orders.id })
+      .from(orders)
+      .where(eq(orders.idempotencyKey, idempotencyKey))
+      .limit(1);
+
+    expect(orderRow).toBeFalsy();
+  });
 });