fix: use INSERT OR IGNORE to prevent vote race condition (#26)

The vote handler uses SELECT to check for duplicates, then INSERT. Two
concurrent requests can both pass the SELECT check. The UNIQUE
constraint on (coupon_id, voter_did) catches this at the DB level, but
the resulting constraint violation error returns a generic 500 instead
of the expected 409 response.

Use INSERT OR IGNORE so concurrent duplicate inserts are silently
ignored instead of throwing errors, while keeping the SELECT check for
user-friendly feedback on normal duplicate attempts.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: FuturMix

apps/web/app/api/coupons/vote/route.ts

@@ -15,15 +15,18 @@ export async function POST(req: NextRequest) {
   try {
     const db = getDb();
 
-    // Check for duplicate
+    // Check for existing vote first (fast path for user feedback)
     const existing = await db.sql`
       SELECT id FROM coupon_votes WHERE coupon_id = ${id} AND voter_did = ${did}
     `;
     if (existing.length > 0) {
       return NextResponse.json({ error: 'already_voted' }, { status: 409 });
     }
 
-    await db.sql`INSERT INTO coupon_votes (coupon_id, voter_did) VALUES (${id}, ${did})`;
+    // Atomic insert — UNIQUE(coupon_id, voter_did) constraint prevents
+    // duplicates from concurrent requests; OR IGNORE handles the race
+    // gracefully instead of throwing a constraint violation error
+    await db.sql`INSERT OR IGNORE INTO coupon_votes (coupon_id, voter_did) VALUES (${id}, ${did})`;
     await db.sql`UPDATE coupons SET votes = votes + 1 WHERE id = ${id}`;
 
     const rows = await db.sql`SELECT votes FROM coupons WHERE id = ${id}`;