Add mutex and INSERT ON CONFLICT to CreateUser to prevent TOCTOU race where concurrent requests could create multiple admin users. Changes: - Add sync.Mutex to auth.Service to serialize CreateUser calls - Add models.CreateUserAtomic using INSERT ... ON CONFLICT(username) DO NOTHING - Check RowsAffected to detect conflicts at the DB level (defense-in-depth) - Add concurrent race condition test (10 goroutines, only 1 succeeds) The existing UNIQUE constraint on users.username was already in place. This fix adds the application-level protection (items 1 & 2 from #26). |
||
|---|---|---|
| .. | ||
| config | ||
| database | ||
| docker | ||
| globals | ||
| handlers | ||
| healthcheck | ||
| logger | ||
| middleware | ||
| models | ||
| server | ||
| service | ||
| ssh | ||