fix(webpush): use transaction for race condition prevention

Signed-off-by: 0xsysr3ll <0xsysr3ll@pm.me>
2025-12-24 02:39:18 -05:00 · 2025-12-06 23:33:20 +01:00
parent 2fb742e2a3
commit 37cc665706
1 changed files with 56 additions and 31 deletions
--- a/server/routes/user/index.ts
+++ b/server/routes/user/index.ts
@@ -4,7 +4,7 @@ import TautulliAPI from '@server/api/tautulli';
 import { MediaType } from '@server/constants/media';
 import { MediaServerType } from '@server/constants/server';
 import { UserType } from '@server/constants/user';
-import { getRepository } from '@server/datasource';
+import dataSource, { getRepository } from '@server/datasource';
 import Media from '@server/entity/Media';
 import { MediaRequest } from '@server/entity/MediaRequest';
 import { User } from '@server/entity/User';
@@ -25,6 +25,7 @@ import { getHostname } from '@server/utils/getHostname';
 import { Router } from 'express';
 import gravatarUrl from 'gravatar-url';
 import { findIndex, sortBy } from 'lodash';
+import type { EntityManager } from 'typeorm';
 import { In, Not } from 'typeorm';
 import userSettingsRoutes from './usersettings';

@@ -224,11 +225,33 @@ router.post<
      return res.status(204).send();
    }

+    // This prevents race conditions where two requests both pass the checks
+    await dataSource.transaction(
+      async (transactionalEntityManager: EntityManager) => {
+        const transactionalRepo =
+          transactionalEntityManager.getRepository(UserPushSubscription);
+
+        const finalCheck = await transactionalRepo.findOne({
+          relations: { user: true },
+          where: [
+            { auth: req.body.auth, user: { id: req.user?.id } },
+            { endpoint: req.body.endpoint, user: { id: req.user?.id } },
+          ],
+        });
+
+        if (finalCheck) {
+          logger.debug(
+            'Duplicate subscription detected. Skipping registration.',
+            { label: 'API' }
+          );
+          return;
+        }
+
        // Clean up old subscriptions from the same device (userAgent) for this user
        // iOS can silently refresh endpoints, leaving stale subscriptions in the database
        // Only clean up if we're creating a new subscription (not updating an existing one)
        if (req.body.userAgent) {
-      const staleSubscriptions = await userPushSubRepository.find({
+          const staleSubscriptions = await transactionalRepo.find({
            relations: { user: true },
            where: {
              userAgent: req.body.userAgent,
@@ -240,7 +263,7 @@ router.post<
          });

          if (staleSubscriptions.length > 0) {
-        await userPushSubRepository.remove(staleSubscriptions);
+            await transactionalRepo.remove(staleSubscriptions);
            logger.debug(
              `Removed ${staleSubscriptions.length} stale push subscription(s) from same device.`,
              { label: 'API' }
@@ -256,7 +279,9 @@ router.post<
          user: req.user,
        });

-    await userPushSubRepository.save(userPushSubscription);
+        await transactionalRepo.save(userPushSubscription);
+      }
+    );

    return res.status(204).send();
  } catch (e) {