
E11-F3: Blacklist Check Service

Epic: E11: Blacklist & Security

Size: S (Small)

Problem / Outcome

Real-time blacklist validation during purchase.

Scope

In-Scope:

  • OIB lookup API
  • Returns boolean + message
  • Called at checkout and transfers
  • Blocked attempt logging

Out-of-Scope:

  • Batch checking

Acceptance Criteria

  • AC1: Given blacklisted OIB, service returns blocked=true with MUP message
  • AC2: Given non-blacklisted OIB, service returns blocked=false
  • AC3: Blocked attempts logged with user/IP/session details

Data Model Impact

ViolationLog table:
- id (UUID, PK)
- oib (VARCHAR(11))
- blacklist_id (UUID, FK)
- action_type (ENUM: purchase_attempt, transfer_attempt)
- match_id (UUID, FK)
- user_id (UUID, FK, nullable)
- session_id (VARCHAR)
- ip_address (VARCHAR)
- user_agent (VARCHAR)
- blocked_at (TIMESTAMP)

API Response:
{
  "blocked": boolean,
  "message": string (MUP referral message if blocked)
}
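A sketch of a check that satisfies AC1 to AC3 and fills the ViolationLog columns above, as an added example rather than the project's own code. Every function name, the in-memory stores, the OIB checksum validation, the length caps, the error-on-malformed-input behaviour and the message wording are assumptions.

```javascript
// Added example. Every name here is hypothetical, not the project's code.
const MUP_MESSAGE = 'Purchase blocked. Please contact MUP.'; // placeholder wording
const ACTION_TYPES = new Set(['purchase_attempt', 'transfer_attempt']);

// OIB: 11 digits, the last one an ISO 7064 MOD 11,10 check digit.
function isValidOib(oib) {
  if (typeof oib !== 'string' || !/^\d{11}$/.test(oib)) return false;
  let r = 10;
  for (let i = 0; i < 10; i++) {
    r = (r + Number(oib[i])) % 10 || 10;
    r = (r * 2) % 11;
  }
  return (11 - r) % 10 === Number(oib[10]);
}

// Client-supplied strings go into the log: drop control characters, cap length
// (the caps are assumed; the data model only says VARCHAR).
const clean = (v, max) => String(v ?? '').replace(/[\x00-\x1f\x7f]/g, '').slice(0, max);

// blacklist: Map of oib -> { id }; violationLog: array standing in for the table.
function checkBlacklist(oib, ctx, blacklist, violationLog) {
  // Assumption: malformed input is an error, never a silent "not blocked".
  if (!isValidOib(oib)) throw new TypeError('malformed OIB');
  if (!ACTION_TYPES.has(ctx.actionType)) throw new TypeError('unknown action_type');
  const entry = blacklist.get(oib);
  if (!entry) return { blocked: false, message: '' };   // AC2
  violationLog.push({                                   // AC3; id is left to the database
    oib,
    blacklist_id: entry.id,
    action_type: ctx.actionType,
    match_id: ctx.matchId,
    user_id: ctx.userId ?? null,                        // nullable in the data model
    session_id: clean(ctx.sessionId, 128),
    ip_address: clean(ctx.ipAddress, 45),               // 45 fits a textual IPv6 address
    user_agent: clean(ctx.userAgent, 256),
    blocked_at: new Date().toISOString(),
  });
  return { blocked: true, message: MUP_MESSAGE };       // AC1
}

// Constructed sample data: the listed OIB passes the checksum.
const SAMPLE_BLACKLIST = new Map([['12345678903', { id: 'sample-blacklist-id' }]]);
const SAMPLE_CTX = { actionType: 'purchase_attempt', matchId: 'sample-match-id',
  sessionId: 'sess-1', ipAddress: '203.0.113.7', userAgent: 'Mozilla/5.0\r\nforged' };
```

Calling `checkBlacklist('12345678903', SAMPLE_CTX, SAMPLE_BLACKLIST, [])` exercises the blocked path; the CR/LF in the sample user agent is stripped before the row is written.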

Permissions/Roles

  • Internal service

How to Verify

npm test -- --grep "blacklist check"

Expected: Correct response for blacklisted/non-blacklisted.

Dependencies

Implementation Tasks

See E11: Blacklist & Security Tasks

Doc References


Last Updated: January 2026