Prompt Details
Model: Chat - (gpt-5.5)
Token size: 418
Example input
[PROJECT_TYPE]: Production e-commerce API
[PR_SCOPE]: Add a coupon validation endpoint for checkout flows.
[TESTING_EXPECTATIONS]: Integration tests required for new endpoints.
[CODE_DIFF]: A new POST /validate endpoint reads req.body.code and uses it in a SQL query built with string concatenation. It returns valid: true and discount when a coupon is found.
[EXTRA_CONTEXT]: Avoid security issues and keep API error responses consistent.
Example output
Example 1 - Feature endpoint
Review summary:
This PR adds a coupon validation endpoint, which is useful for checkout flows. The main risk is that the current query construction uses user input directly, and the new endpoint also needs clearer validation and error handling. I would treat the SQL injection issue as a blocker before merge.
BLOCKERS:
- Location: src/api/coupons.js, validate endpoint
Issue: The SQL query is built by concatenating req.body.code directly into the query string.
Why it matters: A user-controlled coupon code could alter the SQL query and expose or modify data.
Suggested fix: Use a parameterized query instead of string concatenation.
Test to add: Add an integration test with a coupon code containing quotes or SQL syntax and assert it is rejected or handled safely.
IMPORTANT:
- Location: src/api/coupons.js, request handling
Issue: The endpoint does not validate whether code is present, non-empty, or a string.
Why it matters: Invalid input can produce confusing errors or inconsistent API responses.
Suggested fix: Validate code before querying and return a 400 response for invalid input.
Test to add: Add tests for missing, empty, and non-string coupon codes.
OPTIONAL:
- Location: src/api/coupons.js
Issue: The endpoint response could include a consistent error shape.
Suggested fix: Match the existing API error response format if one exists.
Suggested test plan:
- Valid coupon returns expected discount.
- Invalid coupon returns valid: false.
- Malformed coupon input returns 400.
- SQL-like input does not alter query behavior.
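As an added example (not the listing's prompt or its sample output), one way the suggested fix and test plan above could be implemented for the coupon endpoint in Node.js; the synchronous stub `db.query` client, the `COUPONS` sample table and the error response shape are assumptions.

```javascript
// Constructed sample coupon table standing in for the real database.
const COUPONS = new Map([['SAVE10', 10], ['FREESHIP', 5]]);

// Exact SQL text the handler is allowed to send: the coupon code travels as
// the bound parameter $1, never as part of the query string.
const COUPON_SQL = 'SELECT discount FROM coupons WHERE code = $1';

// Stub client (assumption; a real driver is asynchronous and would be awaited).
// It rejects any SQL text other than the fixed statement, so a regression
// back to string concatenation fails loudly.
const db = {
  query(text, params) {
    if (text !== COUPON_SQL) throw new Error('unexpected SQL text: ' + text);
    const discount = COUPONS.get(params[0]);
    return { rows: discount === undefined ? [] : [{ discount }] };
  },
};

// One error shape for every failure, per the "consistent error responses"
// requirement in the example input (shape is an assumption).
function errorResponse(status, message) {
  return { status, body: { valid: false, error: { code: status, message } } };
}

// Input validation: present, a string, non-empty, bounded, simple charset.
// Returns null when the code is acceptable, otherwise a reason string.
function validateCode(code) {
  if (typeof code !== 'string') return 'code must be a string';
  const trimmed = code.trim();
  if (trimmed.length === 0) return 'code must not be empty';
  if (trimmed.length > 32) return 'code too long';
  if (!/^[A-Z0-9_-]+$/i.test(trimmed)) return 'code contains invalid characters';
  return null;
}

// Handler for POST /validate: returns { status, body } instead of writing
// to a response object so it can be exercised directly in tests.
function validateCoupon(reqBody) {
  const body = reqBody || {};
  const problem = validateCode(body.code);
  if (problem) return errorResponse(400, problem);
  // Parameterized query: user input is bound, not concatenated.
  const result = db.query(COUPON_SQL, [body.code.trim()]);
  if (result.rows.length === 0) return { status: 200, body: { valid: false } };
  return { status: 200, body: { valid: true, discount: result.rows[0].discount } };
}
```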
Draft clear, constructive PR review comments for AI-assisted or fast-moving code changes. The prompt scans for blockers, security risks, missing tests, performance and maintainability issues, then outputs review notes grouped by severity with concrete suggested fixes and a test plan.
Added 1 week ago
