lock otp db row #99
| return { error: otpResponse }; | ||
| } | ||
| } catch (error) { | ||
| if (error.code === 'P2010' && error.meta?.code === '55P03') { |
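Review bot: the guard `if (error.code === 'P2010' && error.meta?.code === '55P03')` ties the denial path to two magic strings, Prisma's raw-query failure code P2010 and the PostgreSQL `lock_not_available` SQLSTATE 55P03; add a one-line comment naming both so a later reader does not mistake them for arbitrary values, and make sure every other error reaching this catch is rethrown rather than swallowed, otherwise a database outage would be reported the same way as a concurrent request.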
[maintainability]
Consider using a more specific error type or class for the thrown error instead of a generic Error. This can improve error handling and make it easier to distinguish different error types in the codebase.
| } catch (error) { | ||
| if (error.code === 'P2010' && error.meta?.code === '55P03') { | ||
| this.logger.error( | ||
| 'Payment request denied because payment row was locked previously!', |
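Review bot: the message 'Payment request denied because payment row was locked previously!' does not describe what happened: the locked row is the otp row selected with FOR UPDATE NOWAIT, and it is held by a concurrent transaction that is still open, not "previously". Suggest wording such as 'OTP verification denied: otp row is locked by a concurrent transaction', and include a request or otp identifier so the two colliding requests can be correlated in the logs.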
[❗❗ security]
Logging the error object directly might expose sensitive information. Consider sanitizing the error details before logging to ensure no sensitive data is exposed.
| }; | ||
| } | ||
| return await this.prisma.$transaction(async (tx) => { | ||
| const records = await tx.$queryRaw<otp>` |
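Review bot: the row lock taken inside this `$transaction` callback is released as soon as the callback returns, so every statement that consumes the OTP (marking it used, recording the withdrawal) must run through `tx` inside this same callback; anything issued via `this.prisma` runs outside the transaction and the parallel-read protection is lost. On the injection comment above: the `${hashOtp(otpCode)}` interpolation in the tagged-template form of `$queryRaw` is sent to PostgreSQL as a bound parameter, so that concern applies to string concatenation or `$queryRawUnsafe`, not to the form used here.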
[❗❗ security]
Using tx.$queryRaw with raw SQL queries can expose the application to SQL injection vulnerabilities if the input is not properly sanitized. Ensure that hashOtp(otpCode) is sanitized or consider using parameterized queries to prevent SQL injection.
| WHERE otp_hash=${hashOtp(otpCode)} | ||
| ORDER BY expiration_time DESC | ||
| LIMIT 1 | ||
| FOR UPDATE NOWAIT; |
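Review bot: `ORDER BY expiration_time DESC LIMIT 1 ... FOR UPDATE NOWAIT` locks only the newest row matching `otp_hash`, and the lock disappears when the first transaction commits, so a retry with the same code selects the same row again; the transaction must also mark the row consumed (or delete it) before commit, and the WHERE clause should exclude consumed and expired rows, otherwise the lock merely serialises the two requests instead of rejecting the second one.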
[correctness]
The use of FOR UPDATE NOWAIT can lead to exceptions if the row is locked by another transaction. Consider handling potential exceptions to ensure the application can gracefully handle such scenarios.
When withdrawing, add a "for update" lock on the otp db entry. This way we prevent parallel readings from the db.