To solve the Duplicate issue, you will need to create a record set that filters based on the email address. And then you will need to change the trigger for the insert server behavior only if the total rows of that record set is to 0. You can use the code that is generated from the Show If Server behaviors from DW.
In regard to validating the code. I think the only validation you can do is the length of the code, so you can use Security Assist Randome Number Generator to generate the code with a specific length, and then you can validate the length. another thing you might want to do is make sure that the code is only used once, so you might want to use another table to store already used codes and do a look up based on the user id and the code to make sure the code have not been used before.