Timestamp and registration checking

src/app/api/register/route.ts

@@ -1,6 +1,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { registerCustomer } from "@/lib/zitadel";
 import { rateLimit } from "@/lib/rate-limit";
+import { checkDuplicateDomain } from "@/lib/db";
 import type { RegistrationInput } from "@/types";
 import { z } from "zod";
 
@@ -53,6 +54,28 @@ export async function POST(request: NextRequest) {
 
     const input: RegistrationInput = parsed.data;
 
+    // --- Duplicate-domain check ---
+    //
+    // Block if another active tenant_request or ZITADEL org already exists
+    // for this corporate email domain. Public domains (gmail, gmx, etc.)
+    // are exempted by checkDuplicateDomain.
+    //
+    // We return a structured `code: "duplicate_domain"` with the matched
+    // domain so the client can render the localized message via
+    // register.duplicateDomain (with {domain} interpolation). The fallback
+    // English string is included for non-i18n clients (curl, monitoring).
+    const dup = await checkDuplicateDomain(input.email);
+    if (dup.blocked && dup.domain) {
+      return NextResponse.json(
+        {
+          error: `An account for the email domain ${dup.domain} is already registered. Please contact your company administrator or PieCed IT support.`,
+          code: "duplicate_domain",
+          domain: dup.domain,
+        },
+        { status: 409 },
+      );
+    }
+
     const result = await registerCustomer({
       companyName: input.companyName,
       email: input.email,