chore: split out refcode and reflinks into separate tables

Author: haritabh-z01

apps/api/src/routes/v1/widget/init.ts

@@ -206,7 +206,6 @@ export default async function widgetInitRoutes(fastify: FastifyInstance) {
                   participantId: participantRecord.id,
                   programId: activeProgram.id,
                   productId: productId,
-                  global: true,
                 })
                 .onConflictDoNothing()
                 .returning();
@@ -266,26 +265,8 @@ export default async function widgetInitRoutes(fastify: FastifyInstance) {
           });
         }
 
-        // Build referral URL based on code type
-        let referralUrl: string;
-        if (refcodeRecord.global) {
-          // Global code: /:code
-          referralUrl = `${referralHostUrl}/${refcodeRecord.code}`;
-        } else {
-          // Local code: /:productSlug/:code (need product slug)
-          const productData = await request.db.query.product.findFirst({
-            where: (product, { eq }) => eq(product.id, productId),
-          });
-
-          if (!productData?.slug) {
-            return reply.code(500).send({
-              error: "Internal Server Error",
-              message: "Product slug not configured for local refcode",
-            });
-          }
-
-          referralUrl = `${referralHostUrl}/${productData.slug}/${refcodeRecord.code}`;
-        }
+        // Build referral URL (all refcodes now use the direct /:code pattern)
+        const referralUrl = `${referralHostUrl}/${refcodeRecord.code}`;
 
         // Return the widget configuration
         const response: WidgetInitResponseType = {

apps/api/test/unit/referral-attribution.test.ts

@@ -15,7 +15,6 @@ describe("Referral Attribution Logic", () => {
         participantId: referrerId,
         programId: "prg_1",
         productId: "prd_1",
-        global: true,
       };
 
       const mockNewReferral = {
@@ -124,7 +123,6 @@ describe("Referral Attribution Logic", () => {
         participantId: "participant_referrer",
         programId: "prg_1",
         productId: "prd_1",
-        global: true,
       };
 
       expect(refcode.code).toBe("abc123");
@@ -172,8 +170,8 @@ describe("Referral Attribution Logic", () => {
   });
 
   describe("Product boundary enforcement (P1 Security Fix)", () => {
-    it("should NOT allow cross-product attribution with global codes", async () => {
-      // Scenario: Product A creates a global code, Product B tries to use it
+    it("should NOT allow cross-product attribution with refcodes", async () => {
+      // Scenario: Product A creates a refcode, Product B tries to use it
       const productA = "prd_AAA";
       const productB = "prd_BBB";
       const globalCode = "abc1234";
@@ -185,7 +183,6 @@ describe("Referral Attribution Logic", () => {
         participantId: "participant_A",
         programId: "prg_A",
         productId: productA, // Belongs to Product A
-        global: true,
       };
 
       // When Product B's widget init is called with this code
@@ -216,26 +213,25 @@ describe("Referral Attribution Logic", () => {
       expect(resultForProductA?.productId).toBe(productA);
     });
 
-    it("should enforce product boundary even when global flag is true", () => {
-      // The global flag only means:
-      // 1. The code uses 7-character format
-      // 2. The code is globally unique
+    it("should enforce product boundary for all refcodes", () => {
+      // All refcodes are:
+      // 1. Auto-generated 7-character format
+      // 2. Globally unique
       //
-      // It does NOT mean:
-      // 1. The code can be used across products
-      // 2. Attribution should ignore productId
+      // But they are STILL:
+      // 1. Bound to a specific product
+      // 2. Can only be used for attribution within that product
 
-      const globalRefcode = {
+      const refcodeData = {
         code: "xyz9876",
         productId: "prd_A",
-        global: true, // Global format, but still belongs to a specific product
       };
 
       // The query should ALWAYS check productId
-      expect(globalRefcode.productId).toBeDefined();
-      expect(globalRefcode.productId).toBe("prd_A");
+      expect(refcodeData.productId).toBeDefined();
+      expect(refcodeData.productId).toBe("prd_A");
 
-      // Even though it's global, it can only attribute within Product A
+      // Refcodes can only attribute within their assigned Product
     });
 
     it("should prevent referral creation across product boundaries", async () => {
@@ -252,7 +248,6 @@ describe("Referral Attribution Logic", () => {
         code: "abc1234",
         participantId: participantA.id,
         productId: productA,
-        global: true,
       };
 
       // Product B's new user trying to sign up with Product A's code
@@ -292,20 +287,20 @@ describe("Referral Attribution Logic", () => {
       // Solution: Always enforce product boundary
       // Result: No cross-product attribution
 
-      const vulnerableQuery = {
-        before: "WHERE code = ? AND (global = true OR productId = ?)",
-        problem: "global=true bypasses productId check",
-        vulnerability: "Cross-product attribution",
-      };
-
-      const fixedQuery = {
-        after: "WHERE code = ? AND productId = ?",
+      const correctQuery = {
+        query: "WHERE code = ? AND productId = ?",
         solution: "Always enforce product boundary",
         result: "Multi-tenancy isolation maintained",
       };
 
-      expect(vulnerableQuery.problem).toContain("bypasses productId");
-      expect(fixedQuery.solution).toContain("enforce product boundary");
+      const incorrectQuery = {
+        query: "WHERE code = ? WITHOUT productId check",
+        problem: "Could allow cross-product attribution",
+        vulnerability: "Multi-tenancy breach",
+      };
+
+      expect(incorrectQuery.problem).toContain("cross-product");
+      expect(correctQuery.solution).toContain("enforce product boundary");
     });
   });
 });

apps/refer/src/routes/r.ts

@@ -1,6 +1,6 @@
 import { FastifyInstance, FastifyRequest, FastifyReply } from "fastify";
 import { schema } from "@refref/coredb";
-const { refcode, product } = schema;
+const { refcode, product, reflink } = schema;
 import { eq, and } from "drizzle-orm";
 import { normalizeCode } from "@refref/utils";
 import type { ProgramConfigV1Type } from "@refref/types";
@@ -16,10 +16,10 @@ interface LocalCodeParams {
 
 export default async function referralRedirectRoutes(fastify: FastifyInstance) {
   /**
-   * Handles GET requests to /r/:code (global codes)
+   * Handles GET requests to /r/:code (auto-generated refcodes)
    * Example: /r/abc1234
    *
-   * Global codes are unique across the entire system and don't require product context.
+   * Auto-generated codes are unique across the entire system and don't require product context.
    */
   fastify.get<{ Params: GlobalCodeParams }>(
     "/:code",
@@ -42,10 +42,7 @@ export default async function referralRedirectRoutes(fastify: FastifyInstance) {
         // Single optimized query using relations
         // This does a JOIN under the hood: refcode → participant → program
         const result = await request.db.query.refcode.findFirst({
-          where: and(
-            eq(refcode.code, normalizedCode),
-            eq(refcode.global, true),
-          ),
+          where: eq(refcode.code, normalizedCode),
           with: {
             participant: true,
             program: true,
@@ -103,10 +100,10 @@ export default async function referralRedirectRoutes(fastify: FastifyInstance) {
   );
 
   /**
-   * Handles GET requests to /r/:productSlug/:code (local/product-scoped codes)
+   * Handles GET requests to /r/:productSlug/:code (vanity links via reflink table)
    * Example: /r/acme/john-doe
    *
-   * Local codes are unique within a product and require the product slug for disambiguation.
+   * Vanity links are unique within a product and require the product slug for disambiguation.
    * This allows for vanity URLs like /r/acme/ceo or /r/startup/founder
    */
   fastify.get<{ Params: LocalCodeParams }>(
@@ -136,24 +133,28 @@ export default async function referralRedirectRoutes(fastify: FastifyInstance) {
           return reply.code(404).send({ error: "Product not found" });
         }
 
-        // Single optimized query using relations
-        // This does a JOIN under the hood: refcode → participant → program
-        const result = await request.db.query.refcode.findFirst({
+        // Look up the vanity link in the reflink table
+        const reflinkResult = await request.db.query.reflink.findFirst({
           where: and(
-            eq(refcode.code, normalizedCode),
-            eq(refcode.productId, productRecord.id),
-            eq(refcode.global, false),
+            eq(reflink.slug, normalizedCode),
+            eq(reflink.productId, productRecord.id),
           ),
           with: {
-            participant: true,
-            program: true,
+            refcode: {
+              with: {
+                participant: true,
+                program: true,
+              },
+            },
           },
         });
 
-        if (!result || !result.participant) {
-          return reply.code(404).send({ error: "Referral code not found" });
+        if (!reflinkResult || !reflinkResult.refcode || !reflinkResult.refcode.participant) {
+          return reply.code(404).send({ error: "Referral link not found" });
         }
 
+        const result = reflinkResult.refcode;
+
         // Type assertion needed due to Drizzle's type inference limitations with nested relations
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         const participantRecord = result.participant as any;
@@ -187,7 +188,7 @@ export default async function referralRedirectRoutes(fastify: FastifyInstance) {
         Object.entries(paramsObj).forEach(([key, value]) => {
           if (value) searchParams.set(key, value);
         });
-        searchParams.set("refcode", normalizedCode);
+        searchParams.set("refcode", result.code);
 
         // Redirect with 307 to the product URL with encoded params
         return reply