HIGH: household create_invite opens Store but never closes it — connection leak #93

Closed
opened 2026-04-18 09:02:10 -07:00 by pyr0ball · 0 comments
Owner

Summary

POST /api/v1/household/invite opens a Store (SQLite connection) but does not close it, leaking the connection on every invite creation.

Affected Code

app/api/endpoints/household.py, create_invite():

```python
@router.post("/invite", ...)
async def create_invite(session: CloudUser = Depends(_require_household_owner)):
    store = Store(session.db)  # ← opened
    token = secrets.token_hex(32)
    ...
    store.conn.execute(...)
    store.conn.commit()
    ...
    return HouseholdInviteResponse(...)
    # ← store never closed; connection leaked
```

Fix

```python
async def create_invite(session: CloudUser = Depends(_require_household_owner)):
    store = Store(session.db)
    try:
        token = secrets.token_hex(32)
        expires_at = (datetime.now(timezone.utc) + timedelta(days=_INVITE_TTL_DAYS)).isoformat()
        store.conn.execute(
            "INSERT INTO household_invites (token, household_id, created_by, expires_at) VALUES (?, ?, ?, ?)",
            (token, session.household_id, session.user_id, expires_at),
        )
        store.conn.commit()
        invite_url = f"{_KIWI_BASE_URL}/#/join?household_id={session.household_id}&token={token}"
        return HouseholdInviteResponse(token=token, invite_url=invite_url, expires_at=expires_at)
    finally:
        # Runs on both the return path and any exception from execute()/commit()
        store.close()
```
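
A regression check for this class of bug, added here as an example and not taken from the issue or the kiwi code base: it counts `Store` objects that were never closed after a batch of invite requests, including one request that fails mid-handler. The `Store` class, the two-column table, the `invite_leaky`/`invite_fixed`/`unclosed_after` names and the database file are hypothetical stand-ins constructed for the demonstration.

```python
import os
import secrets
import sqlite3
import tempfile
from contextlib import closing

# Simplified, assumed schema: only the columns needed to show the error path.
SCHEMA = ("CREATE TABLE IF NOT EXISTS household_invites "
          "(token TEXT PRIMARY KEY, household_id TEXT NOT NULL)")
INSERT = "INSERT INTO household_invites (token, household_id) VALUES (?, ?)"

class Store:
    """Hypothetical stand-in for the project's Store: one SQLite connection each."""
    open_count = 0  # Stores constructed but not yet close()d

    def __init__(self, db_path):
        self.conn = sqlite3.connect(db_path)
        Store.open_count += 1

    def close(self):
        self.conn.close()
        Store.open_count -= 1

def invite_leaky(db_path, household_id):
    store = Store(db_path)  # opened, never closed (the pattern the issue reports)
    store.conn.execute(SCHEMA)
    token = secrets.token_hex(32)
    store.conn.execute(INSERT, (token, household_id))
    store.conn.commit()
    return token

def invite_fixed(db_path, household_id):
    # closing() calls store.close() on return and on exception, like try/finally
    with closing(Store(db_path)) as store:
        store.conn.execute(SCHEMA)
        token = secrets.token_hex(32)
        store.conn.execute(INSERT, (token, household_id))
        store.conn.commit()
        return token

def unclosed_after(handler, calls=20):
    """Count Stores left unclosed after `calls` requests; the last one fails."""
    Store.open_count = 0
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "constructed.db")  # constructed sample database
        for i in range(calls):
            try:
                # household_id=None violates NOT NULL, exercising the error path
                handler(db_path, None if i == calls - 1 else "hh-1")
            except sqlite3.IntegrityError:
                pass
    return Store.open_count
```

The counter tracks missing `close()` calls rather than operating-system handles: CPython may reclaim an unreferenced connection during garbage collection, but the timing is not guaranteed, which is why the handler should close explicitly.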
Reference: Circuit-Forge/kiwi#93