Issue
In `src/pages/questions/[id].tsx`, the hint system does all coin logic client-side:
```tsx
const HINT_COST = 10;
// Coins are deducted via Firestore from the browser
```
Problem
Since this is entirely client-side:
- Open DevTools -> set `HINT_COST = 0`
- Get unlimited hints for free
- Can use Firebase SDK to directly modify coin balance
Fix
Move coin operations to a server-side endpoint (Firebase Cloud Function or API server):
```typescript
// Client sends request: the Firebase ID token identifies the user; the cost is never sent
const idToken = await auth.currentUser?.getIdToken();
const response = await fetch('/api/hints', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    Authorization: `Bearer ${idToken}`,
  },
  body: JSON.stringify({ questionId, hintLevel }),
});
// Server handles:
// 1. Verify auth token
// 2. Read user's current coins from Firestore
// 3. Check coins >= HINT_COST
// 4. Atomically deduct coins and return hint
// 5. Prevent client from specifying the cost
```
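The five server-side steps above, written out as an added example (this is not the project's code). Firestore and Firebase Auth are replaced by small in-memory stand-ins (`InMemoryStore.runTransaction`, a `TokenVerifier` callback) so the logic runs offline; in a real Cloud Function the same shape maps onto `admin.auth().verifyIdToken()` and `db.runTransaction()`. The user document shape (`coins`, `unlockedHints`), the `/api/hints` request fields and the status codes are assumptions for the example.

```typescript
const HINT_COST = 10; // server-owned constant; never read from the request body

interface UserDoc { coins: number; unlockedHints: string[] }

// Minimal stand-in for a Firestore-style transaction over a single collection.
interface Transaction {
  get(uid: string): UserDoc | undefined;
  set(uid: string, doc: UserDoc): void;
}

class InMemoryStore {
  private docs = new Map<string, UserDoc>();
  constructor(seed: Record<string, UserDoc>) {
    for (const [uid, doc] of Object.entries(seed)) {
      this.docs.set(uid, { coins: doc.coins, unlockedHints: [...doc.unlockedHints] });
    }
  }
  coins(uid: string): number { return this.docs.get(uid)?.coins ?? 0; }
  // Writes staged inside `fn` are committed together, or dropped entirely if `fn` throws.
  runTransaction<T>(fn: (tx: Transaction) => T): T {
    const staged = new Map<string, UserDoc>();
    const tx: Transaction = {
      get: (uid) => staged.get(uid) ?? this.docs.get(uid),
      set: (uid, doc) => { staged.set(uid, doc); },
    };
    const result = fn(tx);
    for (const [uid, doc] of staged) this.docs.set(uid, doc);
    return result;
  }
}

class HttpError extends Error {
  status: number;
  constructor(status: number, message: string) { super(message); this.status = status; }
}

// Stand-in for verifyIdToken(): resolves a bearer token to a uid, or null when invalid.
type TokenVerifier = (token: string) => string | null;

interface HintRequest { authorization?: string; body: Record<string, unknown> }
interface HintResponse { status: number; hint?: string; coinsLeft?: number; error?: string }

// Hint content lives server-side; constructed placeholder text for the example.
function hintText(questionId: string, hintLevel: number): string {
  return `hint ${hintLevel} for ${questionId}`;
}

function handleHintRequest(req: HintRequest, store: InMemoryStore, verify: TokenVerifier): HintResponse {
  // 1. Verify the auth token; the uid comes from the token, never from the body.
  const token = req.authorization?.replace(/^Bearer\s+/i, '');
  const uid = token ? verify(token) : null;
  if (!uid) return { status: 401, error: 'unauthenticated' };

  // 5. Only questionId and hintLevel are accepted; any client-supplied `cost` is ignored.
  const { questionId, hintLevel } = req.body;
  if (typeof questionId !== 'string' || typeof hintLevel !== 'number' ||
      !Number.isInteger(hintLevel) || hintLevel < 1) {
    return { status: 400, error: 'bad request' };
  }
  const hintKey = `${questionId}:${hintLevel}`;

  try {
    return store.runTransaction((tx) => {
      // 2. Read the balance inside the transaction so the check and the debit see the same value.
      const user = tx.get(uid);
      if (!user) throw new HttpError(404, 'no such user');
      // A hint that was already paid for is returned without charging again.
      if (user.unlockedHints.includes(hintKey)) {
        return { status: 200, hint: hintText(questionId, hintLevel), coinsLeft: user.coins };
      }
      // 3. Balance check against the server-side cost.
      if (user.coins < HINT_COST) throw new HttpError(402, 'insufficient coins');
      // 4. Debit and record the unlock in the same atomic write.
      const coinsLeft = user.coins - HINT_COST;
      tx.set(uid, { coins: coinsLeft, unlockedHints: [...user.unlockedHints, hintKey] });
      return { status: 200, hint: hintText(questionId, hintLevel), coinsLeft };
    });
  } catch (e) {
    if (e instanceof HttpError) return { status: e.status, error: e.message };
    throw e;
  }
}
```

Because the balance read, the check and the debit all happen inside one transaction, two concurrent hint requests cannot both pass the check against the same stale balance, and because the handler never looks at a `cost` field, editing `HINT_COST` in DevTools or posting `cost: 0` has no effect on what is charged.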
Also audit all Firestore write operations in `potd.tsx` and `questions/[id].tsx` — any state change (streak updates, solve counts, leaderboard positions) should be validated server-side.