upvote

points

by hakanshehu4 days ago |
comments
upvoteby mdaniel3 days ago|
[-]
I tried booting it up and two things:

- this is just evil. Pure. evil. https://github.com/colanode/colanode/blob/v0.1.3/apps/deskto...

If that's the kind of error handling that you believe in, one should have religious backups of any data placed into this

- It seems to actually puke if one doesn't provide it a live, TLS enabled, SMTP server[2] which (a) WTF (b) isn't present in the docker-compose

Thankfully replacing .verify with return new Promise(() => true) at least let the server start

2: https://github.com/colanode/colanode/blob/v0.1.3/apps/server...

reply
upvoteby hakanshehu3 days ago|
parent|
next
[-]
Thank you for taking the time to test it and call these issues out. Both points slipped through our refactor/cleanup checklist.

- We’ll replace the current error handling for server sync with something safer and more graceful.

- We’ll make SMTP optional, expose TLS verification as a configurable setting and update the docker-compose.

We’ll make these improvements soon, thanks again for the heads-up.

reply
upvoteby yencabulator2 days ago|
parent|
prev|
next
[-]
Here an example of it taking arbitrary input and blindly casting it to a type; anything after this point can blow up. There seems to be no input validation anywhere.

  const input = req.body as SyncMutationsInput;
https://github.com/colanode/colanode/blob/9e69f29858a2ced6b1...

And the database use looks racy, sometimes not using transactions at all but having a read-modify-write cycle, no GET FOR UPDATE seen anywhere in transactions. Somebody is going to figure out how to do nasty things to the data.

reply
upvoteby salahuddin_dev3 days ago|
parent|
prev|
[-]
[flagged]
reply