Designing anonymous registration website

Question

I am developing a website where customers can register products they bought in order to receive a benefit in the form of e.g. a cashback, a discount or promotional goods. In the future, we also plan on developing more of these websites in the future.

The website includes the following several registration steps:

• One of the steps gathers customer details, including what we need to provide the benefit (e.g. Address or IBAN number).
• One of the steps gathers a proof of purchase, often in the form of a product code or receipt.

For each of these steps, validation is done to ensure that the data is legitimate input before continuing. At the end of the registration, there is a 'register now' kind of button to officially register.

I want to split the implementation between an API and a frontend. Now I want to make sure that the customer doesn't bypass registration steps in the frontend (that include validation) and calls the final API call by itself to get the benefit without having bought the product.

I imagine this may be doable with some kind of session, or by keeping all data around and re-submit it in the final request and then validating it again in the backend. However, I am unsure which would be better, and if there is some option that I am missing which would be better than both.

For this question I want to focus on the web design aspect, so defending against forged purchase proofs is out of scope of this question.

Answer 1

This is a data validation issue, not an architectural one.

Each call to any of the API end points must validate that prerequisite actions or events have already taken place. If they haven't, reject that request and pass back some error codes/messages so the client can display them to the end user.

Calling the API directly should be no different than calling it from the web front end.