From 377422a9d568d7d89a170df6fc2d0d0012384b70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=A9rnyi=20M=C3=A1rk?= <gernyimark@gmail.com>
Date: Mon, 30 Mar 2026 00:59:02 +0200
Subject: [PATCH] add race condition detection for invite token usage

---
 server/src/routes/oidc.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/server/src/routes/oidc.ts b/server/src/routes/oidc.ts
index 0118df9..99493a4 100644
--- a/server/src/routes/oidc.ts
+++ b/server/src/routes/oidc.ts
@@ -225,9 +225,12 @@ router.get('/callback', async (req: Request, res: Response) => {
       ).run(username, email, hash, role, sub, config.issuer);
 
       if (validInvite) {
-        db.prepare(
+        const updated = db.prepare(
           'UPDATE invite_tokens SET used_count = used_count + 1 WHERE id = ? AND (max_uses = 0 OR used_count < max_uses)'
         ).run(validInvite.id);
+        if (updated.changes === 0) {
+          console.warn(`[OIDC] Invite token ${pending.inviteToken?.slice(0, 8)}... exceeded max_uses (race condition)`);
+        }
       }
 
       user = { id: Number(result.lastInsertRowid), username, email, role } as User;