GitHub Issues search results · query: language:Dune language:JavaScript linked:pr
1.7M results
controllers/wage.js getUserMetricsAllTodayWages loads all of a user's wages with Wage.find({ userId }) and filters them in JavaScript by year/month/day.
Problems:
- Does not scale — fetches the entire ...
Labels: backend, bug, performance

The API authenticates via the x-auth-token header and a JWT containing { user: { id } }. This is fragile and undocumented. Document the auth contract (header name, token payload, expiry) in the README ...
Labels: backend, documentation

utils/auth.js exports createJWT(email, userId, duration) producing a payload { email, userId, duration }, but controllers/auth.js signs its own token with payload { user: { id } } and the middleware reads ...
Labels: backend, bug, cleanup

In controllers/auth.js register, there is a stray line Metrics.insertM between hashing the password and await user.save(). It references a non-existent method, is not called, and has no effect. It looks ...
Labels: backend, bug, cleanup

The error handler in server.js responds with res.json({ error: err }) for every error, and controllers return raw err.message via console.error. In production this can leak stack traces, internal paths, ...
Labels: backend, security

express-validator is a dependency and validationResult is used in metrics/group/wage controllers, but routes/auth.js wires register and login with no validators. There is no enforcement of email format, ...
Labels: backend, enhancement, security

controllers/auth.js passes req.body.email directly into User.findOne({ email }) with no validation or type checking. A JSON body like { email: { $gt: "" } } can match arbitrary users. The same untyped input ...
Labels: backend, bug, security

The auth routes have no rate limiting or account lockout, allowing unlimited password-guessing and registration spam. Add express-rate-limit (stricter limits on login/register) and consider exponential ...
Labels: backend, security

server.js and config/express.js both call app.use(cors()) with no options, which reflects/allows any origin. For an authenticated API this should be restricted to the known frontend origin(s) via an allowlist, ...
Labels: backend, security

config/express.js imports helmet and contains a commented-out helmet.contentSecurityPolicy(...) block, but app.use(helmet()) is commented out. The app ships with no security headers (CSP, HSTS, X-Frame-Options, ...
Labels: backend, security