Bug
When an affiliate clicks a referral link for an offer with an external product_url (e.g. Mercury), the redirect appends ?ugig_ref=<code> to the third-party URL:
GET /api/affiliates/click?ugig_ref=nullref-9fd38c
→ 307 Location: https://mercury.com/r/profullstack?ugig_ref=nullref-9fd38c
Problem
The ugig_ref param is meaningless on external domains — the aff_ref cookie is only set on ugig.net, so client-side tracking cannot work on mercury.com. The param:
- Leaks internal tracking codes to third-party analytics
- May break the third party's own attribution (extra unexpected query param)
- Provides no tracking value since the cookie domain is
ugig.net
Root Cause
src/app/api/affiliates/click/route.ts:
// This appends ugig_ref to ALL destination URLs, including external ones
const dest = new URL(redirectUrl);
dest.searchParams.set("ugig_ref", ref);Fix
Only append ugig_ref when redirecting to ugig.net internal URLs. For external product_url destinations, rely solely on the aff_ref cookie:
const appUrl = process.env.NEXT_PUBLIC_APP_URL || "https://ugig.net";
const dest = new URL(redirectUrl);
if (dest.origin === appUrl) {
dest.searchParams.set("ugig_ref", ref);
}Reported via nullref QA audit.
Bug
When an affiliate clicks a referral link for an offer with an external
product_url(e.g. Mercury), the redirect appends?ugig_ref=<code>to the third-party URL:Problem
The
ugig_refparam is meaningless on external domains — theaff_refcookie is only set onugig.net, so client-side tracking cannot work onmercury.com. The param:ugig.netRoot Cause
src/app/api/affiliates/click/route.ts:Fix
Only append
ugig_refwhen redirecting to ugig.net internal URLs. For externalproduct_urldestinations, rely solely on theaff_refcookie:Reported via nullref QA audit.