Bug Reports

Description of the issue: The subscription activation flow does not properly validate email ownership. It is possible to register an account and activate an educational subscription using a non-existent or unverified email address. Steps to reproduce: Open the subscription or registration page. Enter an email address that is syntactically valid but not owned or accessible (e.g., a non-existent inbox). Complete the registration/subscription process. The subscription becomes active without any email verification or ownership confirmation. Expected behavior: The system should require verification of email ownership (e.g., confirmation link or code) before activating the subscription or granting access to educational resources. Actual behavior: The subscription is activated immediately without verifying that the provided email address belongs to the user. Impact / severity: This issue allows unauthorized access to subscription-based educational content and may lead to financial loss, abuse of the service, and inaccurate user data. It can be exploited at scale and therefore should be treated as a high-priority issue. Additional notes: This issue was identified during security testing. No automated exploitation or mass registration was performed. I discovered this issue unintentionally and will not use the accounts created in the process. I decided to report the problem responsibly instead of exploiting it. You may ban and delete these accounts or simply cancel the subscription associated with them. I did not intentionally attempt to bypass any restrictions, and the vulnerability was found accidentally.

First time trying to use the service. I signed up, purchased the starter plan, and tried to load the tutorials, examples, and start my own project. Nothing would load, the loading screen just spins over and over. Tried different browsers. Then I noticed my profile said I didn't have a plan selected. I also noticed I still needed to verify my email. Thinking that perhaps the purchase didn't complete because of that, I verified my email and tried to re-purchase. It said it was successful but going back to my home screen it still says no plan selected and nothing will load.

Attempting to sign in with the email field left blank will display the message: "Email can't sbe blank!" The presence of 'sbe' instead of 'be' appears to be a grammatical error in the message.

While signing up for a new account, the Intercom-controlled welcome flow interrupts the NUX. It actually defocused my keyboard input while I was typing in my name.

issues: clicking on any of the paid plans dismisses NUX back navigation from stripe checkout doesn't bring the user back to the nux dialog

New EDU users don't receive unlimited projects after account creation. They are limited to 5 private projects Steps to reproduce: Goto flux.ai/signup Register with a supported EDU email Select Education from the NUX onboarding dialog Note that after selecting the EDU option from the dialog, the "Flux Educational Program" shows up quickly then is replaced by "0/5 Private Projects" Once the user is created, if you look at the Users firebase record, there is no activeProductUid created. It seems like the call to update the userData with activeProductUid gets dropped or overwritten in the transition This is happening in prod and all other environments

After going through the onboarding dialog, I got an empty profile page. Example projects only showed up after a page reload

https://www.loom.com/share/697f49ac1a6a4b1784cc3f3ad6fcb739

takes too long to load should reveal one input after another should not show the "next" button until all inputs are revealed and filled whole screen flickers twice on first load of NUX