How to avoid two concurrent API requests breaking the logic behind document validation?

Question

I have an API that in order to insert a new item it needs to be validated. The validation basically is a type validator(string, number, Date, e.t.c) and queries the database that checks if the "user" has an "item" in the same date, which if it does the validation is unsuccessful.

Pseudocode goes like this:

const Item = require("./models/item");
function post(newDoc){

  let errors = await checkForDocErrors(newDoc)
  if (errors) {
    throw errors;
  }

  let itemCreated = await Item.create(newDoc);

  return itemCreated;


}

My problem is if I do two concurrent requests like this:

const request = require("superagent");

// Inserts a new Item
request.post('http://127.0.0.1:5000/api/item')
.send({
  "id_user": "6c67ea36-5bfd-48ec-af62-cede984dff9d",
  "start_date": "2019-04-02",
  "name": "Water Bottle"
})
/* 
   Inserts a new Item, which shouldn't do. Resulting in two items having the
   same date.
*/
request.post('http://127.0.0.1:5000/api/item')
.send({
  "id_user": "6c67ea36-5bfd-48ec-af62-cede984dff9d",
  "start_date": "2019-04-02",
  "name": "Toothpick"
})

Both will be successful, which it shouldn't be since an "user" cannot have two "items" in the same date.

If I execute the second one after the first is finished, everything works as expected.

request.post('http://127.0.0.1:5000/api/item') // Inserts a new Item
.send({
  "id_user": "6c67ea36-5bfd-48ec-af62-cede984dff9d",
  "start_date": "2019-04-02",
  "name": "Water Bottle"
})
.then((res) => {
  // It is not successful since there is already an item with that date
  // as expected
  request.post('http://127.0.0.1:5000/api/item') 
  .send({
    "id_user": "6c67ea36-5bfd-48ec-af62-cede984dff9d",
    "start_date": "2019-04-02",
    "name": "Toothpick"
  })
})

To avoid this I send one request with an array of documents, but I want to prevent this issue or at least make less likely to happen.

SOLUTION

I created a redis server. Used the package redis-lock and wrapped around the POST route.

var client = require("redis").createClient()
var lock = require("redis-lock")(client);
var itemController = require('./controllers/item');
router.post('/', function(req, res){
  let userId = "";
  if (typeof req.body === 'object' && typeof req.body.id_user === 'string') {
    userId = req.body.id_user;
  }
  lock('POST ' + req.path + userId, async function(done){
    try {
      let result = await itemController.post(req.body)
      res.json(result);
    } catch (e) {
      res.status(500).send("Server Error");
    }
    done()

  })
}

Thank you.

@AshwanthMadhav I don't think so, because as long as the `id_user` is different two items can have the same date. — Lucas Gomes, Apr 11 '19 at 09:53
In loopback `SiteUser.validateUniquenessOf('login', { scopedTo: ['siteId'] })` There is an option `scopedTo`. So i think there may be an option in your platform. — Ashwanth Madhav, Apr 11 '19 at 09:59

score 4 · Accepted Answer · answered Apr 11 '19 at 10:06

4

Explain

That is a race condition.

two or more threads can access shared data and they try to change it at the same time

What is a race condition?

Solution:

There are many ways to prevent conflict data in this case, a lock is 1 option.
You can lock on application level or database level... but I prefer you read this thread before chose any of them.

Optimistic vs. Pessimistic locking
Quick solution: pessimistic-lock https://www.npmjs.com/package/redis-lock

answered Apr 11 '19 at 10:06

Đinh Anh Huy

505
4
17

1

`redis-lock` saved me. Thank you! I've actually tried setting a key in redis db and deleting that key at the end of execution but I failed in implementing it. – Karma Blackshaw Mar 11 '22 at 13:30

radar155 · Answer 2 · 2019-04-11T10:04:47.700

1

You should create a composite index or a composite primary key that includes the id_user and the start_date fields. This will ensure that no documents for the same user with the same date can be created, and the database will throw an error if you'll try to do it. Composite index with mongoose

You could also use transactions. To do it, you should execute the find and the create methods inside a transaction, to ensure that no concurrent queries on the same document will be executed. Mongoose transactions tutorial

More infos

I would go with an unique composite index, that in your specific case should be something like

mySchema.index({user_id: 1, start_date: 1}, {unique: true});

edited Apr 11 '19 at 10:04

answered Apr 11 '19 at 09:58

radar155

1,796
2
11
28

This a good solution for this case, but I have collections that envolve date ranges and creating indexes could not be as viable. Thus I chose @Đinh Anh Huy answer because it could be applied in more cases. – Lucas Gomes Apr 11 '19 at 10:54
"Locking at Database level" basically means making an isolated read transaction, as I said. "Locking at application level" is unreliable when you scale. You'll need anyway a centralized locking system (so database is the better option). – radar155 Apr 11 '19 at 12:15
@Radar155 Lock on application level also a make data isolate even you scale out to several services (in some case). Ex: Shard user per service (User 1-100 service A, user 101-200 service B, ...) and then lock each user action on each service. There are many pros and cons of each solution, so think we must pick the right answer for the right problem. – Đinh Anh Huy Apr 18 '19 at 03:02

How to avoid two concurrent API requests breaking the logic behind document validation?

2 Answers2

Explain

Solution:

Linked