upaas/internal
clawbot 763e722607 fix: prevent setup endpoint race condition (closes #26)
Add mutex and INSERT ON CONFLICT to CreateUser to prevent TOCTOU race
where concurrent requests could create multiple admin users.

Changes:
- Add sync.Mutex to auth.Service to serialize CreateUser calls
- Add models.CreateUserAtomic using INSERT ... ON CONFLICT(username) DO NOTHING
- Check RowsAffected to detect conflicts at the DB level (defense-in-depth)
- Add concurrent race condition test (10 goroutines, only 1 succeeds)

The existing UNIQUE constraint on users.username was already in place.
This fix adds the application-level protection (items 1 & 2 from #26).
2026-02-15 21:35:16 -08:00
config Add deployment improvements and UI enhancements 2025-12-30 15:05:26 +07:00
database fix: use hashed webhook secrets for constant-time comparison 2026-02-15 14:06:53 -08:00
docker Add build log file storage and download functionality 2026-01-01 06:08:00 -08:00
globals Initial commit with server startup infrastructure 2025-12-29 15:46:03 +07:00
handlers fix: add ownership verification on env var, label, volume, and port deletion 2026-02-15 21:02:46 -08:00
healthcheck Initial commit with server startup infrastructure 2025-12-29 15:46:03 +07:00
logger Initial commit with server startup infrastructure 2025-12-29 15:46:03 +07:00
middleware fix: extract real client IP from proxy headers (X-Real-IP / X-Forwarded-For) 2026-02-15 21:14:12 -08:00
models fix: prevent setup endpoint race condition (closes #26) 2026-02-15 21:35:16 -08:00
server fix: add ownership verification on env var, label, volume, and port deletion 2026-02-15 21:02:46 -08:00
service fix: prevent setup endpoint race condition (closes #26) 2026-02-15 21:35:16 -08:00
ssh Initial commit with server startup infrastructure 2025-12-29 15:46:03 +07:00