sneak/upaas
1
0
Fork 0
Code Issues 21 Pull Requests 2 Actions Packages Projects Releases Wiki Activity
763e722607
upaas/internal/service
History
clawbot 763e722607 fix: prevent setup endpoint race condition (closes #26) 
Add mutex and INSERT ON CONFLICT to CreateUser to prevent TOCTOU race
where concurrent requests could create multiple admin users.

Changes:
- Add sync.Mutex to auth.Service to serialize CreateUser calls
- Add models.CreateUserAtomic using INSERT ... ON CONFLICT(username) DO NOTHING
- Check RowsAffected to detect conflicts at the DB level (defense-in-depth)
- Add concurrent race condition test (10 goroutines, only 1 succeeds)

The existing UNIQUE constraint on users.username was already in place.
This fix adds the application-level protection (items 1 & 2 from #26).
2026-02-15 21:35:16 -08:00
..
app fix: use hashed webhook secrets for constant-time comparison 2026-02-15 14:06:53 -08:00
auth fix: prevent setup endpoint race condition (closes #26) 2026-02-15 21:35:16 -08:00
deploy fix: wait for final log flush before closing deploymentLogWriter (closes #4) 2026-02-08 12:04:37 -08:00
notify Add commit URL to Slack notifications with link and backtick formatting 2025-12-31 16:29:22 -08:00
webhook fix: use hashed webhook secrets for constant-time comparison 2026-02-15 14:06:53 -08:00