bug: `updateCard` applies `title` and `linkIds` updates in two separate, non-atomic operations — network/DB failure between them leaves card in a permanently inconsistent state

[hariom888]

Description:

apps/backend/src/services/cardService.ts updateCard() handles a combined { title, linkIds } request as two sequential, independent write operations:

if (body.title) {
  await app.prisma.card.update({ where: { id }, data: { title: body.title } })
}

if (body.linkIds) {
  await app.prisma.$transaction(async (tx) => {
    await tx.cardLink.deleteMany({ where: { cardId: id } })
    if (linkIds.length > 0) {
      await tx.cardLink.createMany({ ... })
    }
  })
}

The title update is committed to the database before the linkIds transaction begins. If the process crashes, the DB connection drops, or the linkIds transaction rolls back (e.g., a FK violation, a timeout, or the ownership check failing after the title has already been committed), the card will have its new title but retain the old set of links. The caller receives a 500 error but the title mutation is permanent — there is no rollback and no compensating write.

Additionally, the linkIds block itself first calls deleteMany then createMany inside the transaction, but the ownership check occurs before entering the transaction using a plain Prisma query outside tx. A TOCTOU window exists between that check and the createMany — another concurrent request could delete a platformLink between validation and use.

Affected file: apps/backend/src/services/cardService.ts

[hariom888]

Hi, I'd like to be assigned to this under GSSoC'26. Technical breakdown:

Root cause:
cardService.updateCard L40–55 runs two independent database writes sequentially rather than wrapping them in a single $transaction. Prisma interactive transactions support multiple model operations; both the card.update (title) and the cardLink.deleteMany / cardLink.createMany (links) should be enclosed in one tx block so that either all changes commit or none do.

Affected modules/files:

• apps/backend/src/services/cardService.ts — primary bug site
• apps/backend/src/__tests__/cards.test.ts — integration tests for partial update scenarios

Proposed fix approach:

1. Wrap the entire updateCard body in a single app.prisma.$transaction(async (tx) => { ... }).
2. Move the ownership check for linkIds inside the transaction using tx.platformLink.findMany(...).
3. Execute tx.card.update(...) for title and tx.cardLink.deleteMany / tx.cardLink.createMany for links within the same transaction client so both succeed or both roll back atomically.

Regression/unit test considerations:

• Mock a DB failure after the card.update step and assert the title is not persisted if links fail.
• Test that sending both title and linkIds in one request either fully commits or fully rolls back.
• Test the concurrent ownership TOCTOU scenario: delete a platformLink between validation and use — the transaction should reject the createMany with a FK error, and the title should not have been committed.

Requesting assignment. Thank you!

[Harxhit]

@hariom888 I have assigned this issue to you.