Bug
When GET /api/affiliates/click receives a missing or invalid ugig_ref param, the fallback redirect goes to https://localhost:8080/affiliates instead of https://ugig.net/affiliates.
Steps to Reproduce
curl -si "https://ugig.net/api/affiliates/click"
# → 307 Location: https://localhost:8080/affiliates ❌
curl -si "https://ugig.net/api/affiliates/click?ugig_ref=invalid-code"
# → 307 Location: https://localhost:8080/affiliates ❌
Root Cause
src/app/api/affiliates/click/route.ts uses new URL("/affiliates", request.url) for fallback redirects. Behind Railway's reverse proxy, request.url contains the internal server URL (http://localhost:8080/...) rather than the public-facing URL.
// Affected lines:
return NextResponse.redirect(new URL("/affiliates", request.url));
Fix
Use NEXT_PUBLIC_APP_URL (already used elsewhere in the same file) for the base:
const appUrl = process.env.NEXT_PUBLIC_APP_URL || "https://ugig.net";
return NextResponse.redirect(new URL("/affiliates", appUrl));
Severity: High — any invalid/expired affiliate link strands users on an unreachable localhost URL. Breaks the entire fallback flow.
Reported via nullref QA audit.
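The difference between the two redirect bases, as an added example that is not part of the original report or the ugig code base. It is plain JavaScript for Node, with hypothetical helper names (`redirectFromRequestUrl`, `publicOrigin`, `redirectFromConfig`) and a request URL constructed from the values quoted above. It goes slightly beyond the proposed fix by also rejecting a configured base that is not HTTPS or that points at a loopback host.

```javascript
// Fallback value taken from the proposed fix in the report.
const DEFAULT_APP_URL = "https://ugig.net";

// Hosts that must never appear in a public redirect (assumed list for this example).
const INTERNAL_HOSTS = ["localhost", "127.0.0.1", "0.0.0.0", "[::1]"];

// Behaviour of the affected code: the base is whatever URL the server process saw.
function redirectFromRequestUrl(path, requestUrl) {
  return new URL(path, requestUrl).toString();
}

// Turn the configured value (e.g. process.env.NEXT_PUBLIC_APP_URL) into a safe
// origin. A missing, malformed, non-HTTPS or loopback value falls back to the default.
function publicOrigin(configured) {
  let url;
  try {
    url = new URL(configured || DEFAULT_APP_URL);
  } catch {
    return DEFAULT_APP_URL;
  }
  if (url.protocol !== "https:" || INTERNAL_HOSTS.includes(url.hostname)) {
    return DEFAULT_APP_URL;
  }
  return url.origin;
}

// Behaviour of the fix: the base comes from configuration, not from the request.
function redirectFromConfig(path, configured) {
  return new URL(path, publicOrigin(configured)).toString();
}

// Constructed sample: the URL as the app sees it behind the reverse proxy.
const seenByApp = "http://localhost:8080/api/affiliates/click?ugig_ref=invalid-code";

console.log("request.url base:", redirectFromRequestUrl("/affiliates", seenByApp));
console.log("configured base: ", redirectFromConfig("/affiliates", "https://ugig.net"));
console.log("bad config value:", redirectFromConfig("/affiliates", "http://localhost:8080"));
```

The same comparison works as a regression check after deployment: the `Location` header returned for a missing or invalid `ugig_ref` should never contain a host from the internal list.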