---
issue: 051
title: "Self-referral prevention is absent — users can refer themselves for points"
severity: major
domain: Points
labels: [security, bug, backend, major, points]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 Self-referral prevention is absent — users can refer themselves for points

**Severity:** major
**Domain:** Points
**Labels:** security, bug, backend, major, points

## Description

The referral attribution logic in `authController.ts` at lines 704 and 1132 has no self-referral check. Any user who obtains their own referral code and uses it during sign-up will receive a referral reward on their own account.

## Current Behavior

Self-referral is possible. Users can earn referral rewards by using their own code.

## Expected Behavior

Before applying referral attribution, verify that the referrer's `userId !==` the new user's `userId`. If they match, skip the reward.

## Affected Files

- `backend/src/controllers/authController.ts`

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md)
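
An added example (not code from `authController.ts` or from this project) of the check described under Expected Behavior, written so the comparison still holds when ids are not plain strings. The names `decideReferral` and `normalizeId`, the code-to-owner map standing in for a database lookup, and all sample ids are assumptions.

```typescript
// Added example: every name here is hypothetical, not taken from authController.ts.
type IdLike = string | number | { toString(): string };

interface ReferralDecision {
  award: boolean;
  reason: "ok" | "unknown_code" | "self_referral" | "missing_id";
}

// Normalize an id to a comparable string. Ids held as objects (for example a
// database id wrapper) must be compared by value: `a !== b` on two objects
// compares references and would always report "different".
function normalizeId(id: IdLike | null | undefined): string | null {
  if (id === null || id === undefined) return null;
  const s = String(id).trim();
  return s.length > 0 ? s : null;
}

// Decide whether a referral reward may be applied.
// codeOwners maps referral code -> owner userId (stand-in for a DB lookup).
function decideReferral(
  code: string,
  newUserId: IdLike | null | undefined,
  codeOwners: Map<string, IdLike>,
): ReferralDecision {
  const referrerId = normalizeId(codeOwners.get(code));
  if (referrerId === null) return { award: false, reason: "unknown_code" };
  const redeemerId = normalizeId(newUserId);
  // Fail closed: without a redeemer id the self-referral check cannot run.
  if (redeemerId === null) return { award: false, reason: "missing_id" };
  if (referrerId === redeemerId) return { award: false, reason: "self_referral" };
  return { award: true, reason: "ok" };
}

// Constructed sample data.
const owners = new Map<string, IdLike>([
  ["ALICE10", { toString: () => "u_1001" }], // id stored as an object
  ["BOB10", "u_1002"],
]);
const selfAttempt = decideReferral("ALICE10", "u_1001", owners); // reason: "self_referral"
const legitimate = decideReferral("BOB10", "u_1001", owners); // reason: "ok"
```

Calling the same function from both attribution sites keeps the rule identical in each path.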