A sale price equal to or greater than the base price (salePrice >= basePrice) is a deceptive pricing display: the customer sees a crossed-out "original" price that is lower than or equal to the "sale" price. The FTC Act prohibits deceptive pricing, and several state consumer protection statutes specifically require that a reference price must reflect a genuine prior offer. CWE-20 (Improper Input Validation) covers this at the technical layer — the API accepts a logically invalid price relationship with no rejection. Even without legal exposure, a visible sale price of $60 crossed out next to a regular price of $50 destroys customer trust immediately.
Medium because the business impact — deceptive pricing display and potential FTC consumer protection exposure — requires authenticated admin access to trigger, limiting blast radius but not eliminating it.
Add a validation guard in src/app/api/products/route.ts that rejects product updates where salePrice >= basePrice.
if (salePrice !== undefined && salePrice >= basePrice) {
  return Response.json(
    { error: 'Sale price must be strictly less than base price' },
    { status: 400 }
  )
}
Also add a database-level check constraint if your Postgres version supports it:
ALTER TABLE products
  ADD CONSTRAINT sale_price_less_than_base
  CHECK (sale_price IS NULL OR sale_price < price);
ID: ecommerce-catalog.variant-pricing.sale-price-valid
Severity: medium
What to look for: Count all sale price or discount price fields in the product and variant schemas (salePrice, discountedPrice, compareAtPrice). Enumerate all product update paths in src/app/api/products/ that accept sale price values. For each path, check whether validation exists to ensure salePrice < basePrice.
Pass criteria: If sale prices exist in the schema, at least 1 validation path ensures salePrice < basePrice and rejects or errors when the constraint is violated. Count all product update paths and report: "X of Y update paths validate sale price < base price."
Fail criteria: Products can be created or updated with salePrice >= basePrice, or no validation prevents this logical error in any code path.
Skip (N/A) when: The project has no sale price functionality — confirmed by finding no salePrice, discountedPrice, or compareAtPrice fields in the schema.
Cross-reference: For pricing display on promotional pages, the Marketing Content Quality audit covers promotional accuracy.
Cross-reference: For sale price compliance in app stores, the App Store IAP & Subscriptions audit covers pricing rule enforcement.
Cross-reference: For consumer protection around sale pricing, the FTC Consumer Protection audit covers deceptive pricing practices.
Detail on fail: "No validation in src/app/api/products/route.ts — 3 products have salePrice greater than or equal to basePrice (e.g., base=$50, sale=$60 in prisma/seed.ts)"
Remediation: Add validation in src/app/api/products/route.ts when updating product prices:
// Check presence with != null rather than truthiness, so a salePrice of 0 is still validated
if (salePrice != null && salePrice >= basePrice) {
  throw new Error('Sale price must be less than base price')
}
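The route-handler check above, as an added example that is not code from the page or from any project: a pure validator for the salePrice < basePrice rule that covers the cases a handler in src/app/api/products/route.ts actually receives (partial PATCH bodies that omit basePrice, a salePrice of 0, null to clear a sale, numeric strings from JSON). The stored-record shape, the toPrice helper and the Verdict type are assumptions of this example.

```typescript
// Added example, not the page's or any project's code. basePrice/salePrice are the
// page's field names; the StoredPrices/Verdict shapes and toPrice are assumptions here.

type PriceUpdate = { basePrice?: unknown; salePrice?: unknown };
type StoredPrices = { basePrice: number; salePrice: number | null };
type Verdict = { ok: boolean; error?: string; basePrice?: number; salePrice?: number | null };

// Normalise one JSON field: null = explicitly cleared, a finite non-negative number = valid,
// anything else (NaN, Infinity, negative, non-numeric string, object) = 'invalid'.
function toPrice(v: unknown): number | null | 'invalid' {
  if (v === null) return null;
  const n = typeof v === 'number' ? v
    : typeof v === 'string' && v.trim() !== '' ? Number(v)
    : NaN;
  return Number.isFinite(n) && n >= 0 ? n : 'invalid';
}

// Validate the prices a product would have after applying `update` to `current`.
// `current` is the stored record for PATCH-style updates, or null when creating.
// A field absent from `update` keeps its stored value, so lowering basePrice below an
// existing salePrice, or sending salePrice alone, is compared against the right number.
function validateProductPrices(update: PriceUpdate, current: StoredPrices | null): Verdict {
  const base = update.basePrice === undefined ? current?.basePrice : toPrice(update.basePrice);
  const sale = update.salePrice === undefined
    ? (current ? current.salePrice : null)
    : toPrice(update.salePrice);

  if (base === undefined) return { ok: false, error: 'basePrice is required' };
  if (base === 'invalid' || base === null) {
    return { ok: false, error: 'basePrice must be a non-negative number' };
  }
  if (sale === 'invalid') return { ok: false, error: 'salePrice must be a non-negative number or null' };
  // The deceptive-pricing check: compare with !== null, not truthiness, so salePrice 0 is still checked
  if (sale !== null && sale >= base) {
    return { ok: false, error: 'Sale price must be strictly less than base price' };
  }
  return { ok: true, basePrice: base, salePrice: sale };
}
```

On a failed verdict the handler returns the error with status 400, as in the remediation snippet; on success it writes the returned basePrice/salePrice pair, which the Postgres CHECK constraint then guards a second time.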