Alert removal rules
- The alert must exist in the database
- It must belong to the current store
- The alert email must match the logged-in account email or a session-verified guest email
Guest access rules
- Guest alerts are never exposed by alert ID alone
- OTP verification is required first
- Verification state is session-based, not URL-based
OTP validation rules
- Invalid email format is rejected immediately
- A logged-in user cannot verify their own account email through the guest flow
- Wrong or expired OTP returns a JSON error without exposing alert data
Alert deletion is authorized server-side on every request. The session email map is read at the time of the delete action, not cached at page load. This means removing a verified email from the session or logging out immediately revokes delete access for those alerts.
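
The three removal rules and the per-request session read can be sketched as follows. This is an added example, not the module's own code: the `Alert` and `Session` types, the function names, the in-memory `ALERTS` store and the case-insensitive email comparison are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Alert:
    alert_id: int
    store_id: int
    email: str

@dataclass
class Session:
    account_email: Optional[str] = None  # None when the visitor is a guest
    verified_guest_emails: set = field(default_factory=set)  # passed OTP in this session

def _norm(email: str) -> str:
    # Assumption: emails are compared case-insensitively after trimming.
    return email.strip().lower()

def can_delete_alert(alerts: dict, alert_id: int, store_id: int, session: Session) -> bool:
    """Authorize one delete request. Called on every request, result never cached."""
    alert = alerts.get(alert_id)
    if alert is None:                   # the alert must exist
        return False
    if alert.store_id != store_id:      # it must belong to the current store
        return False
    # Build the allowed set from the session as it is now, at delete time,
    # so a removed email or a logout takes effect on the very next request.
    allowed = {_norm(e) for e in session.verified_guest_emails}
    if session.account_email:
        allowed.add(_norm(session.account_email))
    return _norm(alert.email) in allowed

def delete_alert(alerts: dict, alert_id: int, store_id: int, session: Session) -> bool:
    # Same outcome for every failed check, so the caller cannot probe alert IDs.
    if not can_delete_alert(alerts, alert_id, store_id, session):
        return False
    del alerts[alert_id]
    return True

# Constructed sample data, standing in for the database.
ALERTS = {
    1: Alert(1, store_id=1, email="guest@example.com"),
    2: Alert(2, store_id=2, email="guest@example.com"),
    3: Alert(3, store_id=1, email="member@example.com"),
}
```

Because `can_delete_alert` takes the live session object rather than a list of IDs computed at page load, a delete link rendered earlier stops working as soon as the verified email leaves the session.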