[CONSISTENCY] Concurrent first-card creation may allow multiple default cards per user

[udaycodespace]

Summary

Prevent possible race conditions during concurrent first-card creation where multiple cards may temporarily or permanently become isDefault: true for the same user.

Contexts

Current first-card initialization logic in apps/backend/src/routes/cards.ts relies on a standalone count() query before card creation:

const cardCount = await app.prisma.card.count({
  where: { userId }
});

isDefault: cardCount === 0

Under concurrent request conditions:

• two create-card requests may execute simultaneously
• both requests may observe cardCount === 0
• both requests may create cards with isDefault: true

The current implementation already improves transactional consistency for:

• card link replacement
• default-card switching

However, first-card initialization still appears vulnerable to concurrent state inconsistencies depending on DB isolation behavior and request timing.

Tasks

• Reproduce concurrent create-card race scenario
• Investigate Prisma transaction/isolation behavior during simultaneous requests
• Add concurrency-safe default-card assignment handling
• Add regression tests covering concurrent card creation
• Verify existing default-card flows remain unaffected

Acceptance Criteria

• Only one default card can exist per user during concurrent creation requests
• Concurrent create requests behave deterministically
• Regression tests added for race-condition scenarios
• Existing card CRUD flows continue functioning correctly

Proposed Approach

Initial investigation suggests the issue originates from relying on a non-atomic count() check before insert creation.

A possible direction is to move first-card initialization into a transaction-safe flow so concurrent requests cannot independently decide they should both become the default card.

Potential implementation strategies to investigate:

• wrap default-card initialization inside a Prisma transaction with stronger isolation guarantees
• replace the current count()-based approach with existence checks that execute atomically with creation logic
• enforce a database-level consistency guarantee so only one isDefault: true card can exist per user
• handle transactional conflicts/retries gracefully during simultaneous create requests

Possible DB-level approaches may include:

• partial unique index/constraint scoped to (userId, isDefault=true)
• transactional update/create sequencing
• optimistic retry handling on unique constraint violations

The implementation should preserve existing behavior for:

• manual default-card switching
• card updates/deletion flows
• card link replacement logic

Regression testing should simulate concurrent create-card requests to verify deterministic behavior under race conditions.

Area

backend

Difficulty

advanced

[udaycodespace]

@Harxhit While reviewing the current cards.ts flow, I noticed a possible concurrency edge case around first-card default assignment under simultaneous create requests.
Would like to work on reproducing and hardening this flow if the issue looks valid 👍

[VIDYANKSHINI]

Hi @Harxhit,

I’d like to work on this issue.

I reviewed the current cards.ts flow and agree that the first-card initialization logic using a standalone count() check can lead to race conditions under concurrent requests, potentially resulting in multiple isDefault: true cards for the same user.

My approach would be to:

• reproduce the concurrent create-card scenario locally with parallel requests
• investigate Prisma transaction and isolation behavior for simultaneous inserts
• refactor the first-card default assignment into a concurrency-safe transactional flow
• explore DB-level guarantees such as unique constraints/partial indexes for enforcing a single default card per user
• add deterministic regression tests for concurrent card creation
• verify that existing flows like manual default switching, deletion, updates, and card-link replacement continue functioning correctly

I’ll keep the implementation backward compatible while ensuring only one default card can exist per user even under concurrent request conditions.

Please assign this issue to me if it’s available. Thanks!

[udaycodespace]

@Harxhit I had raised this issue after investigating the current "cards.ts" flow and reproducing the possible concurrent default-card edge case around the standalone "count()" check.

I’ve already started exploring transaction-safe handling and regression coverage for the concurrent create flow, so I’d like to continue working on this one if possible 👍

[Harxhit]

@udaycodespace I have assigned this issue to you.

[github-actions]

Hey @ShantKhatri (Project Admin) and @Harxhit (Maintainer),

This issue (previously assigned to @udaycodespace) has been automatically unassigned because no linked pull request was found after the scheduled check.

If work is in progress, please open a PR and link it to this issue to keep the assignment.

[udaycodespace]

Hi @Harxhit & @ShantKhatri I am currently working on this issue.

1. I've reproduced the race condition and am implementing the fix and tests.
2. Planning to raise a PR by around 8:00 PM !

[udaycodespace]

Hi @Harxhit,

Following up on my earlier update, I've completed the implementation and opened PR #385 for review.

1. The PR includes the fix and regression tests for the concurrent default-card creation race condition.
2. Since the issue was automatically unassigned before the PR was linked, could you please reassign it if needed?

Thank you for your time and review.

[udaycodespace]

Hi @Harxhit,

I noticed the issue was briefly assigned and then unassigned after some time . Just wanted to check whether any action is needed from my side, or if everything is fine and I should simply wait for review.

Thank you.