Bug: Timeout middleware registered after catch-all routes — never fires #54

Closed
opened 2026-05-17 17:24:21 -05:00 by null · 0 comments
Owner

Problem

In server/index.js, the timeoutMiddleware is registered via app.use(timeoutMiddleware) after the 404 catch-all for API routes and the SPA catch-all app.get('*'). Since Express processes middleware in registration order, by the time a request reaches the timeout middleware, a response has already been sent by one of the earlier route handlers. The timeout middleware will never fire.

Location

server/index.js — the app.use(timeoutMiddleware) call is at line ~545, after:

  • app.use((req, res, next) => { if (req.path.startsWith('/api'))... }) (404 catch-all)
  • app.use(express.static(...)) (static files)
  • app.get('*', ...) (SPA catch-all)

Fix

Move app.use(timeoutMiddleware) to before the route definitions (before the API routes), so it can actually enforce timeouts on requests. Example:

```js
// Apply timeout middleware early
app.use(timeoutMiddleware)

// --- API Routes ---
app.get('/api/health', ...)
app.post('/api/leads', ...)
// etc.
```

Severity

Medium — currently no request timeouts are enforced. In production, a slow or hung request could consume a connection indefinitely.

null added the P2 Medium, bug, backend labels 2026-05-17 17:30:43 -05:00
null closed this issue 2026-05-17 17:47:02 -05:00
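
A regression guard for the ordering bug described in this issue, as an added example that is not part of the original issue or the project's code: it scans an Express entry file and reports any named middleware registered after a `'*'` catch-all route. The sample sources and the handler names (`health`, `createLead`, `spa`) are constructed, and the scan assumes one registration per line.

```javascript
// Added example: CI check for Express registration order (not the project's code).
// Assumption: registrations look like app.use(name) / app.get('*', ...) with one
// per line, as in the issue text. This is a line scan, not a full JS parser.
const CATCH_ALL = /\bapp\.(get|all|use)\(\s*(['"`])\*\2/;

function findShadowedMiddleware(source, names) {
  const findings = [];
  let catchAll = null; // first '*' catch-all seen so far
  source.split('\n').forEach((text, i) => {
    const line = i + 1;
    const code = text.replace(/\/\/.*$/, ''); // ignore trailing line comments
    if (!catchAll && CATCH_ALL.test(code)) {
      catchAll = { line };
      return;
    }
    for (const name of names) {
      // Matches app.use(name), app.use('/path', name) and app.use(name(...))
      const use = new RegExp(`\\bapp\\.use\\([^)]*\\b${name}\\b`);
      if (catchAll && use.test(code)) {
        findings.push({ middleware: name, line, shadowedByLine: catchAll.line });
      }
    }
  });
  return findings;
}

// Constructed sample: the order reported in the issue.
const BROKEN = [
  "const app = express()",
  "app.get('/api/health', health)",
  "app.post('/api/leads', createLead)",
  "app.use(express.static('dist'))",
  "app.get('*', spa)",
  "app.use(timeoutMiddleware)",
].join('\n');

// Constructed sample: the order proposed in the fix.
const FIXED = [
  "const app = express()",
  "app.use(timeoutMiddleware) // apply early",
  "app.get('/api/health', health)",
  "app.get('*', spa)",
].join('\n');

console.log(findShadowedMiddleware(BROKEN, ['timeoutMiddleware']));
console.log(findShadowedMiddleware(FIXED, ['timeoutMiddleware']));
```

Run against the real entry file in CI, a non-empty result fails the build before a reordered `app.use` reaches production.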
Reference: null/Queue-North-Website#54