Thank you for taking the time to test it and call these issues out. Both points slipped through our refactor/cleanup checklist.

- We’ll replace the current error handling for server sync with something safer and more graceful.

- We’ll make SMTP optional, expose TLS verification as a configurable setting and update the docker-compose.

We’ll make these improvements soon, thanks again for the heads-up.

reply
Here's an example of it taking arbitrary input and blindly casting it to a type; anything after this point can blow up. There seems to be no input validation anywhere.

  const input = req.body as SyncMutationsInput;
https://github.com/colanode/colanode/blob/9e69f29858a2ced6b1...

And the database use looks racy, sometimes not using transactions at all but having a read-modify-write cycle, no GET FOR UPDATE seen anywhere in transactions. Somebody is going to figure out how to do nasty things to the data.

reply
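An added example, not part of the thread or of the colanode code base: a runtime check that could stand in for the `req.body as SyncMutationsInput` cast quoted above. The real fields of `SyncMutationsInput` are not shown on the page, so the shape, the size limits and the helper names here are assumptions.

```typescript
// Hypothetical shape: the real SyncMutationsInput fields are not shown on the page.
interface Mutation {
  id: string;
  type: "create" | "update" | "delete";
  data: Record<string, unknown>;
}
interface SyncMutationsInput {
  mutations: Mutation[];
}

type ParseResult =
  | { ok: true; value: SyncMutationsInput }
  | { ok: false; error: string };

const MAX_MUTATIONS = 500; // assumed batch limit
const MUTATION_TYPES = ["create", "update", "delete"];

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Runtime check of an untrusted body. `body as SyncMutationsInput` is erased at
// compile time and would let through every input rejected below.
function parseSyncMutationsInput(body: unknown): ParseResult {
  if (!isRecord(body)) return { ok: false, error: "body must be an object" };
  const list = body["mutations"];
  if (!Array.isArray(list)) return { ok: false, error: "mutations must be an array" };
  if (list.length > MAX_MUTATIONS) return { ok: false, error: "too many mutations" };
  const mutations: Mutation[] = [];
  for (let i = 0; i < list.length; i++) {
    const m: unknown = list[i];
    if (!isRecord(m)) return { ok: false, error: `mutations[${i}] must be an object` };
    const id = m["id"];
    const type = m["type"];
    const data = m["data"];
    if (typeof id !== "string" || id.length === 0 || id.length > 64)
      return { ok: false, error: `mutations[${i}].id invalid` };
    if (typeof type !== "string" || MUTATION_TYPES.indexOf(type) === -1)
      return { ok: false, error: `mutations[${i}].type invalid` };
    if (!isRecord(data)) return { ok: false, error: `mutations[${i}].data invalid` };
    // Rebuild each mutation from the checked fields so unknown top-level keys are dropped.
    mutations.push({ id, type: type as Mutation["type"], data });
  }
  return { ok: true, value: { mutations } };
}
```

A handler would return a 400 response when `ok` is false and pass only `value` to the code that touches the database.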