refactor: improve backend code quality and security

[omattsson]

Summary

Comprehensive backend improvements covering 21 issues across code quality, security, and maintainability.

Changes

• Context propagation: Added context.Context to all Repository interface methods and implementations (MySQL, Azure Table Storage)
• Structured logging: Replaced log.Printf with log/slog in middleware (Logger, Recovery)
• Optimistic locking fix: Version default changed from 0 to 1; Update() uses WHERE clause on version to detect conflicts
• CORS configuration: CORS() middleware now accepts allowedOrigins parameter; configurable via CORS_ALLOWED_ORIGINS env var
• New middleware: RequestID() (adds X-Request-ID header) and MaxBodySize() (limits request body size)
• Health check injection: Replaced package-level init() with dependency-injected health checker in SetupRoutes()
• **Dead code- **Dead code- **Dead code- **Dead code- **Dead code- **Dead code- **Dead code- **Dead code- **Dead code- **Dead code- **Dead co: Generate- **Dead code- **Dead code- **Dead code- **Dead code- **Dead code- **Dead code- **Dead code- **Deadrs conso- dated into pkg/dberrors` with backward-compatible re-exports
• Error leak fix: Internal server errors return generic message instead of raw error details
• UTC timezone: MySQL DSN uses loc=UTC instead of loc=Local
• **Proper list filte- **Proper list filte- **Proper list filte- **Proper list filte- **Proper list filte- **Proper list filte- **Proper list filte-nt- **Proper list filte- **Proper list filte- **Proper list filte- **Proper list filte- **Proper list filte- **Proper list filte- **Proper interfaces.

[Copilot]

Pull request overview

This PR refactors the Go backend to improve reliability and security by propagating context.Context through the repository layer, tightening error-handling/logging, and enhancing middleware and health-check wiring.

Changes:

• Propagates context.Context across the models.Repository interface and MySQL/Azure implementations, updating handlers and tests accordingly.
• Replaces log.Printf usage with log/slog and injects a shared HealthChecker into route setup/handlers.
• Adds configurable CORS, request ID, and max request body size middleware; updates optimistic locking behavior and error leakage.

Reviewed changes

Copilot reviewed 32 out of 32 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
backend/pkg/utils/utils.go	Switches random string generation to crypto/rand and deprecates CheckError.
backend/internal/models/validation.go	Hoists email regex compilation to package scope.
backend/internal/models/models.go	Adds context-aware repository methods and implements optimistic locking + filter/pagination logic.
backend/internal/health/health.go	Makes health checks context-aware.
backend/internal/health/health_test.go	Updates health tests to pass context.
backend/internal/database/repository.go	Uses slog for repository selection logging.
backend/internal/database/migrations.go	Uses slog for migration logging.
backend/internal/database/factory.go	Uses structured logging for DB connection retries (pool config remains applied here).
backend/internal/database/errors.go	Re-exports DB error types from pkg/dberrors.
backend/internal/database/database.go	Simplifies DB initialization and removes duplicated pool config here.
backend/internal/database/config.go	Updates DSN timezone to UTC.
backend/internal/database/config_test.go	Aligns DSN tests to loc=UTC.
backend/internal/database/database_test.go	Updates CRUD tests to use the repository interface with context.
backend/internal/database/azure/table.go	Updates Azure Table repository to use caller-provided context.
backend/internal/database/azure/table_test.go	Updates Azure Table tests to pass context.
backend/internal/database/azure/repository_test.go	Updates error propagation tests for context-aware repo methods.
backend/internal/database/azure/error_handling_test.go	Updates invalid-input tests for context-aware repo methods.
backend/internal/config/config.go	Adds CORS config to app config and reads CORS_ALLOWED_ORIGINS.
backend/internal/config/config_test.go	Aligns DSN tests to loc=UTC.
backend/internal/api/routes/routes.go	Injects health checker + config into route setup; installs new middleware.
backend/internal/api/routes/routes_test.go	Updates route tests to pass injected health checker + config.
backend/internal/api/middleware/middleware.go	Adds RequestID + MaxBodySize; makes CORS configurable; moves logging to slog.
backend/internal/api/middleware/middleware_test.go	Updates logger test to capture slog output.
backend/internal/api/middleware/cors_test.go	Updates CORS tests for new signature and header list.
backend/internal/api/handlers/items.go	Threads request context into repository calls; prevents internal error leakage.
backend/internal/api/handlers/items_test.go	Updates mock repo usage to pass context; adjusts error expectation.
backend/internal/api/handlers/mock_repository.go	Adapts mock repository to context-aware interface and version initialization.
backend/internal/api/handlers/rate_limiter.go	Adds background cleanup goroutine and stop channel; removes test-only throttling behavior.
backend/internal/api/handlers/handlers.go	Removes package-level init health checker; provides injected liveness/readiness handlers.
backend/internal/api/handlers/handlers_test.go	Removes tests for now-deleted dead handlers.
backend/api/main.go	Builds repo via factory, injects health checker + config into routes, switches to slog.
backend/api/main_test.go	Updates mock repository interface and health tests for context-aware checks.

[Copilot]

GenerateRandomString ignores the error from crypto/rand.Int. If the RNG fails, n will be nil and n.Int64() will panic, and callers get no signal that randomness failed. Consider returning (string, error) (or at least handling the error and falling back) and also validating that length is non-negative before allocating the slice.

[Copilot]

generateRequestID ignores the error from rand.Read. If entropy collection fails, the request ID may be all-zero (or otherwise predictable) and you lose traceability guarantees. Handle the error (e.g., retry, fall back to a UUID implementation, or include a timestamp + counter) and consider logging when generation fails.

[Copilot]

This test runs in parallel but temporarily replaces the global default slog logger (slog.SetDefault), which can cause cross-test interference and flakiness when other tests log concurrently. Remove t.Parallel() for this test (and any others mutating global logger state), or refactor the middleware to accept an injected logger so tests can use a local instance without touching globals.

[Copilot]

main() uses gin.Default(), which already installs Gin's built-in Logger and Recovery middleware. SetupRoutes() also adds custom Logger() and Recovery(), so requests will be logged twice and Gin's recovery may still emit stack traces/log formats you intended to replace. Prefer gin.New() here (and rely on your own middleware), or remove one of the duplicate logger/recovery middlewares to avoid double-processing.

Suggested change

	router := gin.Default()
	router := gin.New()

[Copilot]

TestItemCRUD defines a top-level ctx that isn't used (each subtest redefines its own ctx) and then suppresses the unused variable at the end. Either pass the parent ctx down into subtests or remove the outer ctx declaration entirely to avoid dead code/suppressions in tests.

Suggested change

	db := setupTestDB(t)
	require.NoError(t, db.AutoMigrate())
	ctx := context.Background()

[Copilot]

Stop() closes rl.done unconditionally; calling Stop twice will panic (close of closed channel). Since Stop is a public method, make it idempotent (e.g., guard with sync.Once or a non-blocking select on a closed channel pattern) to avoid accidental crashes in tests or future shutdown hooks.

[Copilot]

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated 6 comments.

[Copilot]

The Azure Table Storage implementation doesn't handle optimistic locking via the Version field, while the MySQL implementation (GenericRepository) does. This creates inconsistent behavior between the two backends.

When using Azure Table Storage, concurrent updates could succeed even with version mismatches, breaking the optimistic locking guarantees that the Item model and GenericRepository provide.

Consider adding version checking in the Azure Table implementation, potentially using Azure Table Storage's ETag feature for optimistic concurrency control.

[Copilot]

The new CORS origin whitelist functionality (lines 22-29) is not covered by tests. The cors_test.go file only tests the wildcard ("*") case.

Consider adding test cases for:

1. A request from an allowed origin (should set Access-Control-Allow-Origin to that specific origin and add Vary: Origin header)
2. A request from a disallowed origin (should not set Access-Control-Allow-Origin header)
3. Multiple comma-separated origins in the allowedOrigins parameter

[Copilot]

The new RequestID middleware has no test coverage. Consider adding tests to verify:

1. That a new request ID is generated when the client doesn't provide one
2. That the client's X-Request-ID header is reused when provided
3. That the response includes the X-Request-ID header
4. That the request ID is stored in the Gin context under "request_id"

[Copilot]

The new MaxBodySize middleware has no test coverage. Consider adding tests to verify:

1. That requests within the size limit are processed normally
2. That requests exceeding the size limit are rejected with an appropriate error
3. That the http.MaxBytesReader properly wraps the request body

[Copilot]

The context cancel function is called twice: once explicitly on line 94 and once via defer on line 91. While calling cancel multiple times is safe (it's idempotent), the explicit call on line 94 is redundant since the defer will execute anyway when the function returns.

Consider removing line 94 to avoid confusion and rely solely on the deferred cancel.

Suggested change

cancel()

[Copilot]

The Filter.Field value is directly interpolated into SQL WHERE clauses using fmt.Sprintf without validation. This creates a SQL injection vulnerability. An attacker could pass arbitrary column names or SQL fragments through the Field parameter.

For example, with Field set to "name; DROP TABLE items--", the generated SQL would be malicious. While GORM provides some protection, directly interpolating user-controlled field names is dangerous.

Consider using a whitelist of allowed field names or using GORM's column name validation APIs.

[Copilot]

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated 3 comments.

[Copilot]

The value interpolation using fmt.Sprintf("%%%v%%", c.Value) could bypass parameterization. While the field name is whitelisted, the value should be handled more carefully. Instead of fmt.Sprintf("%%%v%%", c.Value), use "%" + fmt.Sprint(c.Value) + "%" or better yet, let GORM handle the concatenation by using query.Where(fmt.Sprintf("%s LIKE ?", c.Field), "%"+fmt.Sprint(c.Value)+"%"). The current approach with %v may work for simple types, but using the parameterized placeholder ensures GORM properly escapes the value.

Suggested change

	query = query.Where(fmt.Sprintf("%s LIKE ?", c.Field), fmt.Sprintf("%%%v%%", c.Value))
	query = query.Where(fmt.Sprintf("%s LIKE ?", c.Field), "%"+fmt.Sprint(c.Value)+"%")

[Copilot]

The CheckError function is deprecated but still returns the error instead of handling it. Since it's marked as deprecated, consider removing it entirely in this refactoring rather than keeping a pass-through wrapper. If callers need explicit error handling, they should handle errors directly without this indirection.

[Copilot]

The Azure Table Storage Create method stores item.Version directly without initializing it (line 107). This is inconsistent with the MySQL implementation which uses GORM's default:1 tag and the MockRepository which explicitly sets item.Version = 1 on line 43 of mock_repository.go. If a client creates an item without setting Version, it will default to 0, breaking optimistic locking. Add if item.Version == 0 { item.Version = 1 } after line 96 to match the other implementations.

[Copilot]

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated 4 comments.

[Copilot]

The rate limiter now starts a background cleanup goroutine but there's no code in the application that calls the Stop method to clean it up. This will cause a goroutine leak. The rate limiter should be stopped during graceful shutdown in main.go, or the cleanup goroutine should be managed differently (e.g., tied to the server's lifecycle).

[Copilot]

The Item model's Version field default has been changed from 0 to 1 (models.go line 28), but there is no database migration to update existing records or alter the table schema. Existing items in the database will still have Version=0, which could cause optimistic locking issues. A migration should be added to either update existing rows to Version=1 or to handle the Version=0 case specially in the Update logic.

Suggested change

	Version uint `gorm:"not null;default:1" json:"version"` // For optimistic locking (1 = initial; 0 = not provided)
	Version uint `gorm:"not null;default:0" json:"version"` // For optimistic locking

[Copilot]

The database initialization code has been removed (lines 45-50 in old code), but the migration logic that depends on it is not visible in this diff. If migrations are still needed, they should be run after the repository is created. Verify that AutoMigrate() is still being called somewhere, or document that migrations are now optional when using Azure Table Storage.

[Copilot]

The delete handler now performs a FindByID before deleting (lines 236-242). While this ensures the item exists, it introduces a race condition: another request could delete the item between the FindByID and Delete calls, causing the Delete to fail silently (since soft deletes won't error if the item is already soft-deleted). Consider handling this case explicitly or documenting this behavior.

[Copilot]

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated 6 comments.

Comments suppressed due to low confidence (1)

backend/internal/database/azure/table.go:179

• Type assertion without checking the ok value can panic if entityData["CreatedAt"] or entityData["UpdatedAt"] is nil or not a string. Consider using the comma-ok idiom and returning an appropriate error if these required fields are missing.

	createdAt, err := time.Parse(time.RFC3339, entityData["CreatedAt"].(string))
	if err != nil {
		return dberrors.NewDatabaseError("parse_time", err)
	}
	item.CreatedAt = createdAt

	updatedAt, err := time.Parse(time.RFC3339, entityData["UpdatedAt"].(string))
	if err != nil {
		return dberrors.NewDatabaseError("parse_time", err)
	}
	item.UpdatedAt = updatedAt

[Copilot]

When allowedOrigins contains a whitelist but the request Origin doesn't match any entry, no Access-Control-Allow-Origin header is set, but the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers are still sent. This could confuse browsers. Consider only setting these headers when the origin is allowed, or explicitly return early for disallowed origins during OPTIONS preflight requests.

[Copilot]

The Update method doesn't validate that item.ID is non-zero before using it. If an Item with ID=0 is passed, the GetEntity call will look for row key "0" which may not be the intended behavior. Consider adding validation to ensure item.ID is non-zero before proceeding with the update operation.

Suggested change

	if item.ID == 0 {
	return dberrors.NewDatabaseError("update", dberrors.ErrValidation)
	}

[Copilot]

The UpdateItem handler performs a double version check: first at line 198 comparing client-provided version with database version, then the repository does another check at line 207 (in models.go:121). The first check (line 198) is redundant since the repository will catch version mismatches anyway. However, this could mask repository-level concurrency issues if updateItem.Version is 0 (not provided), as the condition would be false and the repository check would be relied upon exclusively. Consider removing the handler-level check to simplify the logic and rely entirely on the repository's optimistic locking.

Suggested change

	// Version check for optimistic locking (if version was provided in request)
	if updateItem.Version > 0 && updateItem.Version != currentItem.Version {
	c.JSON(http.StatusConflict, gin.H{"error": "Item has been modified by another request"})
	return
	}

[Copilot]

The allowedFilterFields whitelist is defined at package level, meaning it's shared across all GenericRepository instances. If additional models are added that need different filter fields (e.g., User model with email, username filters), this hardcoded list won't support them. Consider making the whitelist configurable per repository instance or dynamically determining allowed fields from the model's struct tags.

[Copilot]

Type assertion without checking the ok value can panic if entityData["Name"] is nil or not a string. The same applies to entityData["Price"] at line 162. Consider using the comma-ok idiom for these type assertions and returning an error if the expected fields are missing or have unexpected types.

[Copilot]

The Delete method doesn't validate that item.ID is non-zero before attempting deletion. Consider adding validation to ensure item.ID is non-zero to prevent accidentally operating on row key "0".

Suggested change

	if item.ID == 0 {
	return dberrors.NewDatabaseError("delete", dberrors.ErrValidation)
	}

[Copilot]

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated 5 comments.

[Copilot]

The test checks err.Error() != "EOF", which is brittle because EOF comparisons should be done with errors.Is(err, io.EOF) (and io.EOF is not guaranteed to stringify exactly as "EOF" in all cases). Switching to errors.Is will make the test more robust and idiomatic.

[Copilot]

charset[n.Int64()] will not compile because string/byte indexing requires an int index, not int64. Convert the random index to int (after bounds are ensured) before indexing into charset.

[Copilot]

Changing HealthCheck to func(ctx context.Context) error means any remaining AddCheck call sites using func() error (verified in backend/api/azure_test.go) will not compile. Update those call sites to accept a context and pass it through, and update any CheckReadiness() calls to CheckReadiness(ctx).

[Copilot]

In List, several type assertions / parses ignore errors (e.g. RowKey → ParseUint, CreatedAt → time.Parse). If the Azure entity has unexpected types or malformed values, this will silently produce zero-values (ID=0 / timestamps=zero) instead of failing fast, which can corrupt API responses. Consider validating each field and returning a descriptive database error when parsing fails.

Suggested change

	rowKey, _ := entityData["RowKey"].(string)
	id, _ := strconv.ParseUint(rowKey, 10, 32)
	createdAtStr, _ := entityData["CreatedAt"].(string)
	createdAt, _ := time.Parse(time.RFC3339, createdAtStr)
	updatedAtStr, _ := entityData["UpdatedAt"].(string)
	updatedAt, _ := time.Parse(time.RFC3339, updatedAtStr)
	name, _ := entityData["Name"].(string)
	price, _ := entityData["Price"].(float64)
	rowKey, ok := entityData["RowKey"].(string)
	if !ok || rowKey == "" {
	return dberrors.NewDatabaseError("list", fmt.Errorf("invalid RowKey value: %v", entityData["RowKey"]))
	}
	id, err := strconv.ParseUint(rowKey, 10, 32)
	if err != nil {
	return dberrors.NewDatabaseError("list", fmt.Errorf("failed to parse RowKey %q as uint: %w", rowKey, err))
	}
	createdAtStr, ok := entityData["CreatedAt"].(string)
	if !ok || createdAtStr == "" {
	return dberrors.NewDatabaseError("list", fmt.Errorf("invalid CreatedAt value: %v", entityData["CreatedAt"]))
	}
	createdAt, err := time.Parse(time.RFC3339, createdAtStr)
	if err != nil {
	return dberrors.NewDatabaseError("list", fmt.Errorf("failed to parse CreatedAt %q: %w", createdAtStr, err))
	}
	updatedAtStr, ok := entityData["UpdatedAt"].(string)
	if !ok || updatedAtStr == "" {
	return dberrors.NewDatabaseError("list", fmt.Errorf("invalid UpdatedAt value: %v", entityData["UpdatedAt"]))
	}
	updatedAt, err := time.Parse(time.RFC3339, updatedAtStr)
	if err != nil {
	return dberrors.NewDatabaseError("list", fmt.Errorf("failed to parse UpdatedAt %q: %w", updatedAtStr, err))
	}
	name, ok := entityData["Name"].(string)
	if !ok {
	return dberrors.NewDatabaseError("list", fmt.Errorf("invalid Name value: %v", entityData["Name"]))
	}
	price, ok := entityData["Price"].(float64)
	if !ok {
	return dberrors.NewDatabaseError("list", fmt.Errorf("invalid Price value: %v", entityData["Price"]))
	}

[Copilot]

In List, updatedAt, name, and price are also read via unchecked type assertions (using the blank identifier for ok). This can silently yield empty name/0 price or a zero timestamp when the stored entity data is malformed. Prefer checking ok/parse errors and returning an error so callers don't get incorrect data.

Suggested change

	rowKey, _ := entityData["RowKey"].(string)
	id, _ := strconv.ParseUint(rowKey, 10, 32)
	createdAtStr, _ := entityData["CreatedAt"].(string)
	createdAt, _ := time.Parse(time.RFC3339, createdAtStr)
	updatedAtStr, _ := entityData["UpdatedAt"].(string)
	updatedAt, _ := time.Parse(time.RFC3339, updatedAtStr)
	name, _ := entityData["Name"].(string)
	price, _ := entityData["Price"].(float64)
	rowKey, ok := entityData["RowKey"].(string)
	if !ok || rowKey == "" {
	return dberrors.NewDatabaseError("list", fmt.Errorf("entity missing or invalid RowKey"))
	}
	id, err := strconv.ParseUint(rowKey, 10, 32)
	if err != nil {
	return dberrors.NewDatabaseError("list", fmt.Errorf("invalid RowKey %q: %w", rowKey, err))
	}
	createdAtStr, ok := entityData["CreatedAt"].(string)
	if !ok || createdAtStr == "" {
	return dberrors.NewDatabaseError("list", fmt.Errorf("entity missing or invalid CreatedAt"))
	}
	createdAt, err := time.Parse(time.RFC3339, createdAtStr)
	if err != nil {
	return dberrors.NewDatabaseError("list", fmt.Errorf("invalid CreatedAt %q: %w", createdAtStr, err))
	}
	updatedAtStr, ok := entityData["UpdatedAt"].(string)
	if !ok || updatedAtStr == "" {
	return dberrors.NewDatabaseError("list", fmt.Errorf("entity missing or invalid UpdatedAt"))
	}
	updatedAt, err := time.Parse(time.RFC3339, updatedAtStr)
	if err != nil {
	return dberrors.NewDatabaseError("list", fmt.Errorf("invalid UpdatedAt %q: %w", updatedAtStr, err))
	}
	name, ok := entityData["Name"].(string)
	if !ok {
	return dberrors.NewDatabaseError("list", fmt.Errorf("entity missing or invalid Name"))
	}
	price, ok := entityData["Price"].(float64)
	if !ok {
	return dberrors.NewDatabaseError("list", fmt.Errorf("entity missing or invalid Price"))
	}

[Copilot]

Pull request overview

Copilot reviewed 34 out of 34 changed files in this pull request and generated 1 comment.

[Copilot]

In Azure Table Storage, Create() stores RowKey as item.Name, but FindByID/Update/Delete/List all assume RowKey is the numeric item.ID string. As written, a created item won’t be retrievable/updatable by ID and the repository doesn’t assign item.ID on create. Make RowKey consistent across all operations (e.g., generate/assign a numeric ID and use it as RowKey) or change the interface/operations to key by Name, but it needs to be coherent end-to-end.

[Copilot]

Pull request overview

Copilot reviewed 34 out of 34 changed files in this pull request and generated 4 comments.

[Copilot]

Azure Table Update() always writes CreatedAt from item.CreatedAt. If callers update an entity without first doing FindByID (or otherwise populating CreatedAt), this will overwrite the stored CreatedAt with the zero time (year 0001) due to UpdateModeMerge. Consider preserving the existing CreatedAt from the fetched entity (parse it from existing.Value) or omit CreatedAt from the update payload so it can’t be accidentally clobbered.

[Copilot]

assert.True doesn’t treat the message as a format string; passing "unexpected character: %c", c will not interpolate %c. Use assert.Truef(...) / require.Truef(...) (or build the message with fmt.Sprintf) so the failing output shows the actual rune value.

[Copilot]

CreateItem binds the full models.Item from client JSON, so a client can supply an arbitrary version value on create. Since Version is intended to be server-managed for optimistic locking (default 1), consider explicitly resetting item.Version after binding (e.g., force initial version) or excluding version from the create request schema to prevent inconsistent state.

[Copilot]

Azure Table FindByID only sets item.Version when the stored JSON contains a numeric Version; when absent/invalid, it leaves Version at 0. Elsewhere (Create/List, GORM default) the implied initial version is 1, and handler logic treats 0 as “not provided”. Consider defaulting item.Version to 1 when the Version field is missing or not parseable to keep optimistic-lock semantics consistent.

Suggested change

	if v, ok := entityData["Version"]; ok {
	if vf, ok := v.(float64); ok {
	// Default to version 1 when the Version field is missing or invalid to
	// keep optimistic-lock semantics consistent with the GORM repository.
	item.Version = 1
	if v, ok := entityData["Version"]; ok {
	if vf, ok := v.(float64); ok && vf > 0 {

[Copilot]

Pull request overview

Copilot reviewed 34 out of 34 changed files in this pull request and generated 2 comments.

[Copilot]

The handler sets item.Version = 0 before calling Create(), but this contradicts the refactoring's goal of using version 1 as the initial value. According to the PR description and the GORM model definition (line 28 of models.go), the default should be 1.

Setting version to 0 here bypasses the GORM default and will cause the repository's Create method to insert 0 instead of 1, making the first update check for WHERE version = 0 instead of WHERE version = 1. This breaks optimistic locking for newly created items.

Remove this line and let GORM apply the column default (1), or explicitly set it to 1 if you want to be defensive about client input.

Suggested change

	item.Version = 0
	item.Version = 1

[Copilot]

The existing entity's JSON is unmarshaled twice — once at line 258 for version checking, and again at line 290 for CreatedAt extraction. This is wasteful since existingData from line 257 is already available and contains the CreatedAt field.

Reuse the existingData variable from line 257 instead of creating existingData2. This eliminates the second unmarshal and simplifies the code.

[Copilot]

Pull request overview

Copilot reviewed 34 out of 34 changed files in this pull request and generated 5 comments.

[Copilot]

The rate limiter has a memory leak: expired timestamps are not removed from the slice during rate limiting. While the cleanup goroutine runs periodically, timestamps within the window keep accumulating. Consider filtering expired timestamps during the count loop instead of just counting them, or ensure the slice doesn't grow unbounded between cleanup cycles.

[Copilot]

The version comparison logic has a gap: when storedVersion exists in existingData but the type assertion fails (it's neither float64 nor json.Number), the variable sv remains 0 and the comparison currentVersion != sv may incorrectly pass or fail. Consider explicitly handling the case where storedVersion has an unexpected type by returning an error, or defaulting to a known safe value with clear documentation.

[Copilot]

When UseAzureTable is true, the MySQL Database config is still validated (line 113-115) even though it won't be used. This could cause unnecessary startup failures when Azure Table is selected but MySQL credentials are incomplete. Consider adding a conditional check: only validate Database config when !c.AzureTable.UseAzureTable.

[Copilot]

The graceful shutdown timeout is hardcoded to 5 seconds (line 26, 90) but the config has a Server.ShutdownTimeout field. Use cfg.Server.ShutdownTimeout instead of the hardcoded gracefulShutdownTimeout constant to make the shutdown timeout configurable via environment variables, consistent with other server timeouts.

[Copilot]

The filter field whitelist is hardcoded to "name" and "price" in NewRepository, which only works for Item entities. If this repository is used for User or other entity types, filtering will fail with "invalid filter field" errors. Consider making the whitelist entity-aware, or document that NewRepository is specifically for Items and other entities should use NewRepositoryWithFilterFields.

[Copilot]

Pull request overview

Copilot reviewed 34 out of 34 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (1)

backend/internal/health/health.go:93

• CheckReadiness holds RLock() while executing dependency checks. If any check is slow (or blocks on I/O), this will block AddCheck/SetReady and can cause contention during startup/shutdown. Consider copying isReady and the dependencies map under lock, then releasing the lock before calling the check functions.

func (h *HealthChecker) CheckReadiness(ctx context.Context) HealthStatus {
	h.mu.RLock()
	defer h.mu.RUnlock()

	if !h.isReady {
		return HealthStatus{
			Status: "DOWN",
			Checks: map[string]CheckStatus{
				"ready": {Status: "DOWN", Message: "Service is not ready"},
			},
		}
	}

	status := HealthStatus{
		Status: "UP",
		Checks: make(map[string]CheckStatus),
	}

	for name, check := range h.dependencies {
		if err := check(ctx); err != nil {
			status.Status = "DOWN"
			status.Checks[name] = CheckStatus{
				Status:  "DOWN",
				Message: err.Error(),
			}
		} else {
			status.Checks[name] = CheckStatus{
				Status: "UP",
			}
		}
	}

[Copilot]

Version-mismatch handling relies on strings.Contains(err.Error(), "version mismatch"). This is brittle (message changes/better wrapping can break conflict detection) and makes it harder to handle conflicts consistently across repositories. Consider introducing a sentinel error (e.g. dberrors.ErrVersionMismatch) and using errors.Is/errors.As so handlers can detect conflicts without string matching.

[Copilot]

Repository-level Validate() failures are wrapped as NewDatabaseError("validate", err) where err is the model-specific validation error (e.g. ErrInvalidPrice). handleDBError() only treats errors as 400 when errors.Is(dbErr.Err, ErrValidation), so these validation failures will incorrectly become 500 responses. Wrap validation failures with the ErrValidation sentinel (while preserving the underlying message if desired) so handlers can reliably map them to 400.

[Copilot]

Update() uses Save(entity) in the optimistic-locking path without validating that the entity has a non-zero primary key. In GORM, Save() will INSERT when the primary key is zero, which would make Update() accidentally create new rows. Consider validating the ID (for Base models) and returning a validation/not-found error when it’s missing, and/or using an explicit Model(...).Where("id = ? AND version = ?", ...).Updates(...) pattern to ensure the UPDATE is always scoped to a single row.

[Copilot]

TableRepository.Create does not run model validation (models.Validator.Validate()), so invalid data (e.g. empty name / non-positive price) can be persisted when using the Azure Table backend. The MySQL repository validates on Create/Update, so this is an inconsistency and can lead to different behavior across backends. Consider calling Validate() (and wrapping failures as ErrValidation) before writing to Azure Table Storage.

Suggested change

	// Run model validation (consistent with GenericRepository / MySQL backend)
	if validator, ok := entity.(models.Validator); ok {
	if err := validator.Validate(); err != nil {
	// Wrap the validation error so callers can detect dberrors.ErrValidation
	return dberrors.NewDatabaseError("validate", fmt.Errorf("%w: %v", dberrors.ErrValidation, err))
	}
	}

[Copilot]

TableRepository.Update does not run model validation (models.Validator.Validate()), so invalid updates can be written to Azure Table Storage even though the MySQL repository validates on Update. Consider validating the entity before issuing the update and mapping validation failures to ErrValidation so API behavior is consistent across storage backends.

Suggested change

	// Run model validation if supported, to mirror MySQL repository behavior.
	if v, ok := entity.(models.Validator); ok {
	if err := v.Validate(); err != nil {
	return dberrors.NewDatabaseError("update", dberrors.ErrValidation)
	}
	}

[Copilot]

Pull request overview

Copilot reviewed 34 out of 34 changed files in this pull request and generated 3 comments.

---

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

If the stored entity lacks a Version field (e.g., existing Azure Table rows created before versioning was introduced), the version comparison is skipped and any client-supplied version will be accepted. That undermines the intended optimistic-locking semantics for legacy rows. Consider treating a missing/invalid stored version as the default (e.g., 1) and enforcing the mismatch check consistently.

Suggested change

	if storedVersion, ok := existingData["Version"]; ok {
	var sv uint
	switch v := storedVersion.(type) {
	case float64:
	sv = uint(v)
	case json.Number:
	n, err := v.Int64()
	if err != nil || n < 0 {
	return dberrors.NewDatabaseError("update", fmt.Errorf("invalid stored version value: %v", v))
	}
	sv = uint(n)
	default:
	return dberrors.NewDatabaseError("update", fmt.Errorf("unexpected version type: %T", storedVersion))
	}
	if currentVersion != sv {
	return dberrors.NewDatabaseError("update", errors.New("version mismatch"))
	}
	}
	// Default stored version if missing/invalid (aligns with model default of 0).
	storedVersionUint := uint(0)
	if storedVersion, ok := existingData["Version"]; ok {
	switch v := storedVersion.(type) {
	case float64:
	if v >= 0 {
	storedVersionUint = uint(v)
	}
	case json.Number:
	if n, err := v.Int64(); err == nil && n >= 0 {
	storedVersionUint = uint(n)
	}
	}
	}
	if currentVersion != storedVersionUint {
	return dberrors.NewDatabaseError("update", errors.New("version mismatch"))
	}

[Copilot]

MaxBodySize currently only wraps the body with http.MaxBytesReader and does not translate *http.MaxBytesError into a 413 Request Entity Too Large response. As a result, endpoints that bind JSON will typically return 400 "Invalid request format" for oversized payloads. Consider handling this error centrally (e.g., abort with 413 when the limit is hit) so clients get a correct status code.

[Copilot]

CheckReadiness holds the RWMutex read lock while executing dependency checks. Since checks can block on I/O (and now take a context), this can unnecessarily block AddCheck/SetReady and increase contention. Consider copying isReady and the dependencies map under lock, releasing the lock, and then running the checks without holding the mutex.

[Copilot]

Pull request overview

Copilot reviewed 34 out of 34 changed files in this pull request and generated 4 comments.

---

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Azure optimistic-lock version parsing treats a stored Version value of 0 as valid (v >= 0), which can make legacy rows (or rows written with the old 0 default) fail version checks when callers use the new default semantics (1 = initial; 0 = not provided). FindByID already ignores Version <= 0 and defaults to 1, so Update should likely mirror that by only accepting Version > 0 (or explicitly mapping 0 → 1) to keep behavior consistent.

Suggested change

	if v >= 0 {
	storedVersionUint = uint(v)
	}
	case json.Number:
	if n, err := v.Int64(); err == nil && n >= 0 {
	// Only treat strictly positive values as valid stored versions.
	// Non-positive (0 or negative) values are treated as "no version"
	// and leave the default of 1 in place, matching FindByID semantics.
	if v > 0 {
	storedVersionUint = uint(v)
	}
	case json.Number:
	// Same semantics for json.Number: ignore non-positive values.
	if n, err := v.Int64(); err == nil && n > 0 {

[Copilot]

CORS middleware currently aborts with 403 when allowedOrigins is a whitelist and the request has no Origin header (or an empty one). Non-browser clients and same-origin requests commonly omit Origin, so this can unintentionally block legitimate traffic. Consider treating missing Origin as a non-CORS request: allow it through (don’t set Access-Control-Allow-Origin), and only enforce the whitelist when Origin is present.

Suggested change

	allowed := false
	for _, origin := range strings.Split(allowedOrigins, ",") {
	if strings.TrimSpace(origin) == requestOrigin {
	c.Writer.Header().Set("Access-Control-Allow-Origin", requestOrigin)
	c.Writer.Header().Set("Vary", "Origin")
	allowed = true
	break
	}
	}
	if !allowed {
	// Block requests from non-whitelisted origins as defense-in-depth;
	// browsers enforce CORS client-side, but we also enforce server-side.
	c.AbortWithStatus(http.StatusForbidden)
	return
	}
	if requestOrigin != "" {
	allowed := false
	for _, origin := range strings.Split(allowedOrigins, ",") {
	if strings.TrimSpace(origin) == requestOrigin {
	c.Writer.Header().Set("Access-Control-Allow-Origin", requestOrigin)
	c.Writer.Header().Set("Vary", "Origin")
	allowed = true
	break
	}
	}
	if !allowed {
	// Block requests from non-whitelisted origins as defense-in-depth;
	// browsers enforce CORS client-side, but we also enforce server-side.
	c.AbortWithStatus(http.StatusForbidden)
	return
	}
	}
	// If there is no Origin header, treat this as a non-CORS request:
	// allow it through without setting Access-Control-Allow-Origin.

[Copilot]

MaxBodySize tries to detect oversized bodies via c.Errors.Last() after c.Next(), but Gin won’t automatically populate c.Errors for most body-read failures (e.g., ShouldBindJSON returns an error to the handler, not via c.Error). This means the middleware often won’t translate oversize payloads into a 413 as intended, and responses may remain as handler-generated 400s. Consider handling the *http.MaxBytesError at the point of binding/reading (e.g., in handlers when ShouldBindJSON fails), or wrap the request body/reader in the middleware to capture the error deterministically before the handler writes a response.

Suggested change

	c.Request.Body = http.MaxBytesReader(c.Writer, c.Request.Body, maxBytes)
	c.Next()
	// If reading the body hit the limit, MaxBytesReader returns
	// *http.MaxBytesError. Detect this and override the status code
	// so clients receive a proper 413 instead of a generic 400.
	if c.Errors.Last() != nil {
	var maxBytesErr *http.MaxBytesError
	if errors.As(c.Errors.Last().Err, &maxBytesErr) {
	c.AbortWithStatusJSON(http.StatusRequestEntityTooLarge,
	gin.H{"error": "request body too large"})
	return
	}
	}
	// Wrap the request body with http.MaxBytesReader to enforce the limit.
	limitedReader := http.MaxBytesReader(c.Writer, c.Request.Body, maxBytes)
	// Define a minimal ReadCloser interface so we don't need additional imports.
	type readCloser interface {
	Read(p []byte) (n int, err error)
	Close() error
	}
	// maxBytesCapture wraps a ReadCloser and records when a *http.MaxBytesError occurs.
	type maxBytesCapture struct {
	rc readCloser
	onError func(error)
	}
	func(m *maxBytesCapture) Read(p []byte) (int, error) {
	n, err := m.rc.Read(p)
	if err != nil && m.onError != nil {
	m.onError(err)
	}
	return n, err
	}
	func(m *maxBytesCapture) Close() error {
	return m.rc.Close()
	}
	var exceeded bool
	// Replace the request body with our capturing wrapper.
	c.Request.Body = &maxBytesCapture{
	rc: limitedReader,
	onError: func(err error) {
	var maxBytesErr *http.MaxBytesError
	if errors.As(err, &maxBytesErr) {
	exceeded = true
	}
	},
	}
	c.Next()
	// If the body size was exceeded and the handler has not yet written a response,
	// return a 413 so clients receive a clear signal that the payload was too large.
	if exceeded && !c.Writer.Written() {
	c.AbortWithStatusJSON(http.StatusRequestEntityTooLarge,
	gin.H{"error": "request body too large"})
	return
	}

[Copilot]

Same issue as in Create: Update wraps Validate() errors as the raw validation error rather than dberrors.ErrValidation, so HTTP layers using sentinel checks can’t reliably map these to 400 responses. Consider wrapping with dberrors.ErrValidation so callers can distinguish user-input validation from internal failures.

[Copilot]

Pull request overview

Copilot reviewed 34 out of 34 changed files in this pull request and generated 2 comments.

---

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

In Azure Table Storage List(), RowKey is parsed with bitSize=32, but IDs generated by nextID() use 48 bits. This will cause strconv.ParseUint to fail for almost all created items (IDs > 2^32-1), breaking list operations. Parse with a 64-bit size (and ensure the cast to uint remains safe).

[Copilot]

The new optimistic-locking behavior in GenericRepository.Update() (version increment + WHERE version=old + RowsAffected==0 => conflict) isn’t covered by unit tests for the real GORM-backed repository. Adding a test that creates an item, performs an update, then attempts a second update with a stale version (and asserts a version-mismatch error + no data clobber) would help prevent regressions.