fix: close TOCTOU in CREATE path; add anti-forgery, loose-track, and case-sensitivity tests
FindOrCreateRelease now returns (ReleaseDto, bool WasCreated); the CREATE path in UploadAsync rejects WasCreated=false as a duplicate rather than silently attaching on a lost race.
This commit is contained in:
@@ -59,8 +59,12 @@ public interface ITrackService
|
||||
/// Resolve the release matching <paramref name="title"/> + <paramref name="artist"/>, creating
|
||||
/// one from <paramref name="releaseData"/> when none exists. Backs the upload flow's FK
|
||||
/// resolution so a track lands on a shared release rather than duplicating release-cardinal data.
|
||||
/// The <c>WasCreated</c> flag in the result is <see langword="true"/> when a new row was inserted
|
||||
/// and <see langword="false"/> when an existing row was found (including after a lost concurrent-insert
|
||||
/// race). The CREATE path in <c>UnifiedTrackService.UploadAsync</c> uses this to turn a
|
||||
/// "found existing" outcome into a duplicate rejection rather than a silent attach.
|
||||
/// </summary>
|
||||
Task<ResultContainer<ReleaseDto>> FindOrCreateRelease(
|
||||
Task<ResultContainer<(ReleaseDto Release, bool WasCreated)>> FindOrCreateRelease(
|
||||
string title, string artist, ReleaseDto releaseData, CancellationToken cancellationToken = default);
|
||||
|
||||
/// <summary>
|
||||
|
||||
Reference in New Issue
Block a user