Bug Description
createSession (backend/controllers/sessionController.js) checks the session count via Session.countDocuments({ user: userId }) against MAX_SESSIONS, then creates a new Session afterward. There is no atomicity between the count check and the create, so concurrent requests can each read the same pre-creation count and independently pass the check.
Steps to Reproduce
- Authenticate as a user sitting at MAX_SESSIONS - 1 sessions.
- Fire several concurrent POST requests to /api/sessions/create (e.g. via Promise.all).
- Check the user's total session count via GET /api/sessions/my-sessions afterward.
Expected Behavior
At most one of the concurrent requests should succeed once the user reaches MAX_SESSIONS; all others should be rejected with the session-limit error.
Actual Behavior
Multiple concurrent requests all pass the countDocuments check and all successfully create sessions, allowing the user's total session count to exceed MAX_SESSIONS.
Severity
Low
Screenshots / Screen Recording
No response
Browser
No response
Operating System
No response
Additional Context
No response
Bug Description
createSession(backend/controllers/sessionController.js) checks the session count viaSession.countDocuments({ user: userId })against MAX_SESSIONS, then creates a new Session afterward. There is no atomicity between the count check and the create, so concurrent requests can each read the same pre-creation count and independently pass the check.Steps to Reproduce
Expected Behavior
At most one of the concurrent requests should succeed once the user reaches MAX_SESSIONS; all others should be rejected with the session-limit error.
Actual Behavior
Multiple concurrent requests all pass the countDocuments check and all successfully create sessions, allowing the user's total session count to exceed MAX_SESSIONS.
Severity
Low
Screenshots / Screen Recording
No response
Browser
No response
Operating System
No response
Additional Context
No response