Full-codebase-audit 2026-05-30 outputs: - Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md - 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer). - Scanner docs from scratch (was zero): architecture, data model, API ref, payment flow, operations runbook + repo README. - Doc-sync updates across API reference, data models, flows, design system. - Secret Rotation Runbook (08 - Operations) for the exposed credentials. - Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js. Issues remain status:open intentionally — the code fixes are uncommitted-then-committed working-tree changes per repo and aren't "resolved" until merged/deployed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1.3 KiB
1.3 KiB
issue, title, severity, domain, labels, status, created, source
| issue | title | severity | domain | labels | status | created | source | |||
|---|---|---|---|---|---|---|---|---|---|---|
| 098 | Backend: in-memory seenDeliveryIds resets on restart — webhook dedup lost | medium | Payment |
|
open | 2026-05-30 | Full Codebase Audit 2026-05-30 |
Backend: in-memory seenDeliveryIds resets on restart — webhook dedup lost
Severity: medium Domain: Payment Labels: bug, backend, idempotency
Description
requestNetworkRoutes.ts:16 maintains webhook deduplication via an in-memory Set of delivery IDs. This Set is lost on every server restart or pod restart. A redelivered webhook that arrived before the restart will be processed twice, potentially triggering double payment completion.
Options
- Persist processed delivery IDs in MongoDB (unique index) with TTL.
- Use Redis SET with TTL for delivery-id dedup.
- Make webhook handlers idempotent by keying state transitions on payment status guards.
Recommendation
Persist delivery IDs (Mongo unique index or Redis) AND make handlers idempotent via status guards. This is an infra/state decision.
Affected Files
backend/src/services/payment/requestNetwork/requestNetworkRoutes.ts:16
References
- Full Codebase Audit 2026-05-30 — DEC-36