session 190: BUG-112 global error handler + recover/email-change try/catch
parent
dbf7251df8
commit
0cf1d85d16
7 changed files with 207 additions and 12 deletions
|
|
@ -1,3 +1,11 @@
|
|||
## BUG-112: No global Express error handler + unprotected async routes in recover & email-change
|
||||
- **Date:** 2026-03-17
|
||||
- **Severity:** MEDIUM
|
||||
- **Issue:** The Express app has no global error-handling middleware (`(err, req, res, next)` 4-arg handler). Additionally, `src/routes/recover.ts` and `src/routes/email-change.ts` have async handlers with multiple `await` calls but zero try/catch blocks. If `queryWithRetry`, `verifyCode`, or `createPendingVerification` throws unexpectedly, the error propagates unhandled — Express may send its default HTML error page (leaking stack traces) or the request hangs.
|
||||
- **Impact:** In DB failure scenarios, users see ugly error pages instead of clean JSON errors. Potential stack trace leakage.
|
||||
- **Fix:** Add global Express error-handling middleware + wrap recover and email-change handlers in try/catch.
|
||||
- **Status:** ✅ FIXED — pushed to main (a3bba8f), 788 tests passing, staging deployment pending CI
|
||||
|
||||
## BUG-111: CORS blocks all frontend modals on staging — hardcoded production origin
|
||||
- **Date:** 2026-03-09
|
||||
- **Severity:** MEDIUM
|
||||
|
|
|
|||
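Review bot: In the BUG-112 entry, the **Fix** line does not say whether the new try/catch blocks in `src/routes/recover.ts` and `src/routes/email-change.ts` send the JSON error themselves or forward to the global handler with `next(err)`. This matters because on Express 4 a rejected promise in an async handler never reaches the 4-arg middleware on its own, so the global handler alone would not cover the "request hangs" case the **Issue** line describes. Suggest stating which pattern was used and whether any other async routes remain unwrapped. The **Status** line also cites `a3bba8f` while this commit is `0cf1d85d16`, and marks the bug FIXED while staging deployment is still pending CI; record the hash that actually carries the fix, or note that the status is pending verification on staging.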