industry · 2026-05-23 · 9 min read

I deleted my affiliate coupon three days ago and re-enabled it from DevTools with a single PATCH — the Supabase RLS WITH CHECK gap

Lucas (31), an affiliate marketer in Antwerp, re-enabled his own deleted coupon with a single `PATCH /rest/v1/affiliate_coupons` issued from the DevTools console. He reported it privately. Forensics uncovered four exploit shapes: soft-delete bypass, `affiliate_id` reassignment (coupon theft), `stripe_promotion_code_id` hijack, and code swap. The same sweep found that `affiliate_profiles.postback_secret/url/prev/rotated_at` was also missing from the PR #524 GG trigger, which bypasses the PR #609 CCC-B dual-secret rotation OCC and opens an HMAC forge vector. PR #616 (batch EEE F1+F2) adds a new `affiliate_coupons_block_privileged_update` trigger and extends the `affiliate_profiles` trigger via CREATE OR REPLACE. Pattern: an RLS UPDATE policy with USING alone is a footgun.
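
The weak USING-only policy beside the hardened form, as an added illustration (not the thmenu schema or the code of PR #616): the table is reduced to the columns named above, `deleted_at` is the assumed soft-delete marker, ownership is assumed to be `affiliate_id = auth.uid()`, and privileged callers are assumed to run as the `service_role` or `postgres` database role.

```sql
-- Added illustration of the pattern, not the thmenu schema or PR #616.
-- Assumed: deleted_at marks a soft-deleted coupon, ownership is
-- affiliate_id = auth.uid(), privileged writers run as service_role/postgres.
create table affiliate_coupons (
  id                       uuid primary key default gen_random_uuid(),
  affiliate_id             uuid not null,
  code                     text not null,
  stripe_promotion_code_id text,
  deleted_at               timestamptz
);
alter table affiliate_coupons enable row level security;

-- WEAK: a USING-only UPDATE policy. Every column of a row the affiliate can
-- reach is client-writable through PATCH /rest/v1/affiliate_coupons:
-- clearing deleted_at (undelete), changing code, swapping stripe_promotion_code_id.
create policy coupons_update_weak on affiliate_coupons
  for update to authenticated
  using (affiliate_id = auth.uid());

-- HARDENED step 1: spell out WITH CHECK for the new row (PostgreSQL reuses
-- USING when it is omitted). A row-level policy still sees one row at a
-- time and cannot express "this column must not change".
drop policy coupons_update_weak on affiliate_coupons;
create policy coupons_update on affiliate_coupons
  for update to authenticated
  using (affiliate_id = auth.uid())
  with check (affiliate_id = auth.uid());

-- HARDENED step 2: a BEFORE UPDATE trigger compares OLD and NEW and rejects
-- changes to privileged columns unless the caller is a privileged role.
-- Triggers still fire for service_role, which bypasses RLS, so the role
-- check is what lets the backend perform legitimate lifecycle changes.
create or replace function block_privileged_coupon_update()
returns trigger language plpgsql as $$
begin
  if current_user in ('service_role', 'postgres') then
    return new;
  end if;
  if new.deleted_at is distinct from old.deleted_at
     or new.affiliate_id is distinct from old.affiliate_id
     or new.stripe_promotion_code_id is distinct from old.stripe_promotion_code_id
     or new.code is distinct from old.code then
    raise exception 'privileged coupon column changed by %', current_user
      using errcode = 'insufficient_privilege';
  end if;
  return new;
end $$;

create trigger affiliate_coupons_guard
  before update on affiliate_coupons
  for each row execute function block_privileged_coupon_update();
```

With the guard in place, a client PATCH that touches any of the four columns fails with a 403-class error from PostgREST, while the same PATCH sent with the service key still succeeds.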

thMenu Team

thmenu.com
