nick-doc/Issues/ISSUE-100-backend-updatepurchaserequest-does-findbyid-then-findbyidandupd.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00

issue: 100
title: Backend: updatePurchaseRequest does findById then findByIdAndUpdate — non-atomic race
severity: medium
domain: Marketplace
labels: bug, backend, concurrency
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30

Backend: updatePurchaseRequest does findById then findByIdAndUpdate — non-atomic race

Severity: medium Domain: Marketplace Labels: bug, backend, concurrency

Description

PurchaseRequestService.ts:413 reads the document first (findById) to check allowed status transitions, then writes it (findByIdAndUpdate). Between the read and the write, another request can change the status, defeating the transition guard.

Options

  1. Use findOneAndUpdate with the filter status: { $in: allowedCurrentStatuses }, so the guard and the write execute as one atomic operation.
  2. Keep the two queries but wrap them in a transaction.
  3. Leave as-is.

Recommendation

Use a single conditional findOneAndUpdate so the transition is atomic and the round-trips drop from two to one.
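The race and the recommended fix, as an added example rather than code from PurchaseRequestService.ts: a constructed in-memory stand-in for the collection whose methods yield to the event loop like real round-trips, an assumed ALLOWED transition map, and two conflicting transitions fired against one pending request under each pattern.

```typescript
// Added example, not the project's code: an in-memory stand-in for a Mongoose-style
// collection (constructed here) whose methods yield to the event loop like real round-trips.
type Doc = { _id: string; status: string };
// Which current statuses may move to each target status (assumed for this example).
const ALLOWED: Record<string, string[]> = { approved: ["pending"], rejected: ["pending"] };

class FakeCollection {
  private docs = new Map<string, Doc>();
  constructor(seed: Doc[]) { for (const d of seed) this.docs.set(d._id, { ...d }); }
  async findById(id: string): Promise<Doc | null> {
    await Promise.resolve();
    const d = this.docs.get(id);
    return d ? { ...d } : null;
  }
  async findByIdAndUpdate(id: string, update: { status: string }): Promise<Doc | null> {
    await Promise.resolve();
    const d = this.docs.get(id);
    if (!d) return null;
    Object.assign(d, update);
    return { ...d };
  }
  // The guard lives in the filter, so the store checks it and writes in the same step.
  async findOneAndUpdate(filter: { _id: string; status: { $in: string[] } }, update: { status: string }): Promise<Doc | null> {
    await Promise.resolve();
    const d = this.docs.get(filter._id);
    if (!d || !filter.status.$in.includes(d.status)) return null;
    Object.assign(d, update);
    return { ...d };
  }
}
type Transition = (col: FakeCollection, id: string, next: string) => Promise<Doc | null>;

// Pattern flagged by the issue: the guard is checked against a read that may be stale by the write.
export const updateNonAtomic: Transition = async (col, id, next) => {
  const cur = await col.findById(id);
  if (!cur || !(ALLOWED[next] ?? []).includes(cur.status)) return null;
  return col.findByIdAndUpdate(id, { status: next });
};

// Recommended pattern: one conditional write; a concurrent writer that already moved the status gets null.
export const updateAtomic: Transition = (col, id, next) =>
  col.findOneAndUpdate({ _id: id, status: { $in: ALLOWED[next] ?? [] } }, { status: next });

// Race two conflicting transitions on one pending request and report how many got through.
export async function race(update: Transition): Promise<{ final: string; succeeded: number }> {
  const col = new FakeCollection([{ _id: "pr-1", status: "pending" }]);
  const results = await Promise.all([update(col, "pr-1", "approved"), update(col, "pr-1", "rejected")]);
  const final = (await col.findById("pr-1"))?.status ?? "missing";
  return { final, succeeded: results.filter((r) => r !== null).length };
}
```

A null from the conditional update means the precondition failed, and the service should surface that to the caller as a conflict instead of treating it like a successful transition.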

Affected Files

  • backend/src/services/marketplace/PurchaseRequestService.ts:413

References