Bug
Affiliate click tracking always passes visitorId: undefined, so the same visitor clicking the same affiliate link multiple times is counted as separate clicks. There is no deduplication.
Location
src/app/api/affiliates/click/route.ts:
await recordClick(admin, {
trackingCode: ref,
visitorId: undefined, // Set via cookie on client side
ip,
userAgent: ...,
referer: ...,
landedUrl: request.url,
});The comment "Set via cookie on client side" suggests this was planned but never implemented.
Impact
- Click counts are inflated (every page refresh / bot crawl = new click)
- Sellers see misleading conversion rate metrics
- Potential for click fraud by affiliates
Fix
Read the visitor ID from the aff_ref cookie or a separate ugig_visitor cookie set on first visit:
// Read existing visitor cookie for dedup
const visitorId = request.cookies.get("ugig_visitor")?.value;
await recordClick(admin, {
trackingCode: ref,
visitorId,
// ...
});
// Set visitor cookie if not present
if (!visitorId) {
response.cookies.set("ugig_visitor", crypto.randomUUID(), {
httpOnly: true, secure: true, sameSite: "lax",
maxAge: 365 * 24 * 60 * 60,
path: "/",
});
}Reported via nullref QA audit.
Bug
Affiliate click tracking always passes
visitorId: undefined, so the same visitor clicking the same affiliate link multiple times is counted as separate clicks. There is no deduplication.Location
src/app/api/affiliates/click/route.ts:The comment "Set via cookie on client side" suggests this was planned but never implemented.
Impact
Fix
Read the visitor ID from the
aff_refcookie or a separateugig_visitorcookie set on first visit:Reported via nullref QA audit.