---
issue: "027"
title: "GET /api/notifications/:id always 404s for non-latest notifications — broken in-memory lookup"
severity: major
domain: notification
labels: [backend, bug]
status: open
created: 2026-05-29
source: Doc vs Code Audit 2026-05-29
---

# 🟠 GET /api/notifications/:id always 404s for non-latest notifications — broken in-memory lookup

**Severity:** major
**Domain:** notification
**Labels:** backend, bug

## Description

The `getNotificationById` controller does NOT perform a direct MongoDB `findById` lookup. Instead it calls `getUserNotifications(userId, 1, 1)` — fetching only the user's single most-recent notification — and then does an **in-memory `_id` string comparison**. Any notification that is not the user's absolute latest record returns `404`, regardless of ownership.

This makes the endpoint completely unreliable for any consumer that tries to fetch a specific notification by ID.

## Current Behavior

`GET /api/notifications/abc123` returns the notification only if `abc123` happens to be the user's most recently created notification. For all others: 404.

## Expected Behavior

`getNotificationById` should do a direct `Notification.findOne({ _id: id, userId })` query.

## Affected Files

- `backend/src/services/notification/notificationService.ts` (or controller) — `getNotificationById` / `getUserNotifications` call

## References

- [Doc vs Code Audit Report](../09%20-%20Audits/Doc%20vs%20Code%20Audit%20Report%20-%202026-05-29.md) — Finding C22
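
The lookup described under Current Behavior next to the one under Expected Behavior, as an added example that is not the project's own code. The in-memory `store`, the `findOne` stand-in for `Notification.findOne`, the `Buggy`/`Fixed` function names and the sample records are assumptions constructed for illustration; keeping `userId` in the filter is what makes another user's notification id return 404.

```typescript
// Added example: in-memory stand-in for the Notification collection.
// Names other than getUserNotifications / getNotificationById are hypothetical.
interface Notification { _id: string; userId: string; createdAt: number; message: string; }

// Constructed sample data: two notifications for u1, one for u2.
const store: Notification[] = [
  { _id: "n1", userId: "u1", createdAt: 1, message: "older" },
  { _id: "n2", userId: "u1", createdAt: 2, message: "latest" },
  { _id: "n3", userId: "u2", createdAt: 3, message: "other user" },
];

// Paginated list, newest first (mirrors the getUserNotifications(userId, page, limit) call).
function getUserNotifications(userId: string, page: number, limit: number): Notification[] {
  return store
    .filter((n) => n.userId === userId)
    .sort((a, b) => b.createdAt - a.createdAt)
    .slice((page - 1) * limit, page * limit);
}

// Stand-in for Notification.findOne(filter): first document matching every field.
function findOne(filter: { _id: string; userId: string }): Notification | null {
  return store.find((n) => n._id === filter._id && n.userId === filter.userId) ?? null;
}

// Current behavior: only the newest notification is ever compared against the id.
function getNotificationByIdBuggy(userId: string, id: string): Notification | null {
  const [latest] = getUserNotifications(userId, 1, 1);
  return latest && String(latest._id) === id ? latest : null; // null maps to 404
}

// Expected behavior: direct lookup, scoped to the caller so other users' ids still 404.
function getNotificationByIdFixed(userId: string, id: string): Notification | null {
  return findOne({ _id: id, userId }); // null maps to 404
}
```

A regression test for the real controller would cover the same three cases: the caller's latest notification, an older one, and an id owned by a different user.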