CRITICAL: Async route handlers lack try/catch - unhandled rejections crash process #68

Closed
opened 2026-05-31 12:02:21 -05:00 by null · 1 comment
Owner

Bug Description

Multiple async route handlers across the codebase lack try/catch blocks. On Express 4 (which this project uses), unhandled promise rejections from await calls will crash the Node.js process rather than being caught by Express error middleware.

Affected Routes

Most critical (auth routes with bcrypt calls):

  • routes/auth.js:157 - POST /change-password calls await bcrypt.compare() and await hashPassword()
  • routes/auth.js:219 - POST /users calls await hashPassword()

Additional async routes without try/catch:

  • routes/admin.js - lines 51, 88, 104, 134, 152, 183, 358, 384, 423 (9 handlers)
  • routes/dataSources.js - lines 71, 172, 194 (3 handlers)
  • routes/authOidc.js - lines 32, 60 (2 handlers)
  • routes/profile.js:217 - POST /change-password
  • routes/status.js:35
  • routes/import.js - lines 73, 115, 158, 176, 206, 224 (6 handlers)

Impact

If bcrypt.compare(), hashPassword(), or any DB operation throws an unexpected error in these handlers, the unhandled rejection will terminate the server process. No process.on(unhandledRejection) handler exists either.

  1. Add an asyncHandler wrapper that catches async errors
  2. Wrap all async route handlers with it
  3. Add a process.on(unhandledRejection) handler as a safety net
## Bug Description Multiple async route handlers across the codebase lack try/catch blocks. On Express 4 (which this project uses), unhandled promise rejections from await calls will crash the Node.js process rather than being caught by Express error middleware. ## Affected Routes Most critical (auth routes with bcrypt calls): - routes/auth.js:157 - POST /change-password calls await bcrypt.compare() and await hashPassword() - routes/auth.js:219 - POST /users calls await hashPassword() Additional async routes without try/catch: - routes/admin.js - lines 51, 88, 104, 134, 152, 183, 358, 384, 423 (9 handlers) - routes/dataSources.js - lines 71, 172, 194 (3 handlers) - routes/authOidc.js - lines 32, 60 (2 handlers) - routes/profile.js:217 - POST /change-password - routes/status.js:35 - routes/import.js - lines 73, 115, 158, 176, 206, 224 (6 handlers) ## Impact If bcrypt.compare(), hashPassword(), or any DB operation throws an unexpected error in these handlers, the unhandled rejection will terminate the server process. No process.on(unhandledRejection) handler exists either. ## Recommended Fix 1. Add an asyncHandler wrapper that catches async errors 2. Wrap all async route handlers with it 3. Add a process.on(unhandledRejection) handler as a safety net
null added the
architecture
priority:medium
bug
labels 2026-05-31 12:02:21 -05:00
null added
backend
priority:critical
and removed
architecture
priority:medium
labels 2026-05-31 12:28:09 -05:00
Author
Owner

v0.34.2.1 closed

v0.34.2.1 closed
null closed this issue 2026-05-31 12:46:13 -05:00
Sign in to join this conversation.
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: null/BillTracker#68
No description provided.