Server: timeoutMiddleware registered after catch-all route — never applies to SPA/404 handlers #65

Closed
opened 2026-05-17 17:53:21 -05:00 by null · 0 comments
Owner

Bug Description

In server/index.js, the timeoutMiddleware is registered with app.use(timeoutMiddleware) after the catch-all app.get('*', ...) SPA handler (line ~285) and the app.use('/api', ...) 404 handler (line ~276).

Because Express processes middleware and routes in registration order, the catch-all app.get('*') handler matches GET requests before timeoutMiddleware is reached. This means:

  • SPA routes have no request timeout protection
  • The 404 API catch-all also runs without timeout protection

Fix

Move app.use(timeoutMiddleware) to BEFORE the API route definitions (or at least before the catch-all routes). The middleware should be registered early in the middleware chain, after body parsing and rate limiting but before route handlers.

Current order (broken):

  1. Routes (including catch-all app.get('*'))
  2. app.use(timeoutMiddleware) ← too late

Desired order:

  1. Body parsing, rate limiting, etc.
  2. app.use(timeoutMiddleware) ← early enough
  3. Route handlers
  4. Catch-all handlers

Labels

  • bug, backend, P2 Medium
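
The ordering problem described in this issue, as an added example that is not code from the project: a minimal model of Express-style in-order dispatch (not Express itself) showing which layers run under each registration order. `createApp`, `dispatch`, the `trace` array and the three handler bodies are assumptions made for illustration; only the names `timeoutMiddleware`, `app.use('/api', ...)` and `app.get('*', ...)` come from the issue.

```javascript
// Minimal model of Express-style dispatch (assumed, not Express itself):
// layers run in registration order, and a handler that responds without
// calling next() ends the chain.
function createApp() {
  const layers = [];
  const matches = (l, req) =>
    (!l.method || l.method === req.method) &&
    (l.path === '*' || req.path === l.path || req.path.startsWith(l.path + '/'));
  return {
    use(path, fn) {
      if (typeof path === 'function') { fn = path; path = '*'; }
      layers.push({ path, fn });
    },
    get(path, fn) { layers.push({ method: 'GET', path, fn }); },
    // Returns the names of the layers that actually ran for this request.
    dispatch(method, path) {
      const req = { method, path };
      const res = { trace: [], done: false };
      let i = 0;
      const next = () => {
        while (i < layers.length && !res.done) {
          const layer = layers[i++];
          if (matches(layer, req)) return layer.fn(req, res, next);
        }
      };
      next();
      return res.trace;
    },
  };
}

// Hypothetical stand-ins for the handlers named in the issue.
const timeoutMiddleware = (req, res, next) => { res.trace.push('timeout'); next(); };
const apiNotFound = (req, res) => { res.trace.push('api404'); res.done = true; };
const spaCatchAll = (req, res) => { res.trace.push('spa'); res.done = true; };

function brokenOrder() {
  const app = createApp();
  app.use('/api', apiNotFound);   // 404 handler for unmatched API paths
  app.get('*', spaCatchAll);      // SPA catch-all ends the chain for GET
  app.use(timeoutMiddleware);     // registered too late
  return app;
}

function desiredOrder() {
  const app = createApp();
  app.use(timeoutMiddleware);     // early enough: runs before any handler
  app.use('/api', apiNotFound);
  app.get('*', spaCatchAll);
  return app;
}
```

Calling `brokenOrder().dispatch('GET', '/dashboard')` returns a trace without `timeout`, while the same call on `desiredOrder()` shows `timeout` running first.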
null added the P2 Medium, bug, backend labels 2026-05-17 17:53:21 -05:00
null closed this issue 2026-05-17 18:04:29 -05:00
Reference: null/Queue-North-Website#65