--- issue: 126 title: "Backend: getUserPoints writes full User document on read when points fields missing" severity: low domain: Points labels: [bug, backend, performance] status: open created: 2026-05-30 source: Full Codebase Audit 2026-05-30 --- # Backend: getUserPoints writes full User document on read when points fields missing **Severity:** low **Domain:** Points **Labels:** bug, backend, performance ## Description `PointsService.ts:202` lazy-initializes `points`, `referralCode`, and `referralStats` fields by calling `user.save()` if they are missing. This means every `GET /points` call for a user without these fields triggers a full document write, risking concurrent update conflicts and inflating write load. ## Options 1. Initialize these fields at user creation (migration + signup default) so reads never write. 2. Use a targeted `$set` update instead of full `save` when missing. 3. Leave lazy init but guard against the referralCode generation loop. ## Recommendation Initialize `points`/`referralCode`/`referralStats` at signup (plus a one-time backfill migration) so GETs never trigger writes. ## Affected Files - `backend/src/services/points/PointsService.ts:202` - `backend/src/services/auth/authService.ts` — user creation path ## References - [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-48