groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(api): add FOR UPDATE lock to super user claim transaction

Browse Source 
CRITICAL race condition: two concurrent POST /api/setup requests could both
read "no super user exists" before either acquired a lock, allowing two
super users to be created.

Added .for("update") to the staff SELECT query inside the transaction.
PostgreSQL FOR UPDATE serializes concurrent claims — the second transaction
blocks on the lock until the first commits, then sees the existing super user
and returns 409.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
groombook-ci[bot]
2026-03-29 00:37:38 +00:00
committed by Flea Flicker
parent 30b49e82e8
commit 1e417eccb1
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/api/src/routes/setup.ts
+3 -1
View File
@@ -38,11 +38,13 @@ setupRouter.post("/", zValidator("json", setupSchema), async (c) => {
.from(businessSettings)
.limit(1);
// Check if any super user already exists (race condition guard)
// Lock super user rows to prevent concurrent claims
// FOR UPDATE serializes concurrent claims: second transaction blocks until first commits
const [existingSuperUser] = await tx
.select({ id: staff.id })
.from(staff)
.where(eq(staff.isSuperUser, true))
.for("update")
.limit(1);
if (existingSuperUser) {