HIGH: household create_invite opens Store but never closes it — connection leak #93

New issue

Closed

opened 2026-04-18 09:02:10 -07:00 by pyr0ball · 0 comments

pyr0ball commented 2026-04-18 09:02:10 -07:00

Owner

Copy link

Summary

POST /api/v1/household/invite opens a Store (SQLite connection) but does not close it, leaking the connection on every invite creation.

Affected Code

app/api/endpoints/household.py, create_invite():

@router.post("/invite", ...)
async def create_invite(session: CloudUser = Depends(_require_household_owner)):
    store = Store(session.db)  # ← opened
    token = secrets.token_hex(32)
    ...
    store.conn.execute(...)
    store.conn.commit()
    ...
    return HouseholdInviteResponse(...)
    # ← store never closed; connection leaked

Fix

async def create_invite(session: CloudUser = Depends(_require_household_owner)):
    store = Store(session.db)
    try:
        token = secrets.token_hex(32)
        expires_at = (datetime.now(timezone.utc) + timedelta(days=_INVITE_TTL_DAYS)).isoformat()
        store.conn.execute(
            "INSERT INTO household_invites (token, household_id, created_by, expires_at) VALUES (?, ?, ?, ?)",
            (token, session.household_id, session.user_id, expires_at),
        )
        store.conn.commit()
        invite_url = f"{_KIWI_BASE_URL}/#/join?household_id={session.household_id}&token={token}"
        return HouseholdInviteResponse(token=token, invite_url=invite_url, expires_at=expires_at)
    finally:
        store.close()

## Summary `POST /api/v1/household/invite` opens a `Store` (SQLite connection) but does not close it, leaking the connection on every invite creation. ## Affected Code `app/api/endpoints/household.py`, `create_invite()`: ```python @router.post("/invite", ...) async def create_invite(session: CloudUser = Depends(_require_household_owner)): store = Store(session.db) # ← opened token = secrets.token_hex(32) ... store.conn.execute(...) store.conn.commit() ... return HouseholdInviteResponse(...) # ← store never closed; connection leaked ``` ## Fix ```python async def create_invite(session: CloudUser = Depends(_require_household_owner)): store = Store(session.db) try: token = secrets.token_hex(32) expires_at = (datetime.now(timezone.utc) + timedelta(days=_INVITE_TTL_DAYS)).isoformat() store.conn.execute( "INSERT INTO household_invites (token, household_id, created_by, expires_at) VALUES (?, ?, ?, ?)", (token, session.household_id, session.user_id, expires_at), ) store.conn.commit() invite_url = f"{_KIWI_BASE_URL}/#/join?household_id={session.household_id}&token={token}" return HouseholdInviteResponse(token=token, invite_url=invite_url, expires_at=expires_at) finally: store.close() ```

pyr0ball referenced this issue from a commit 2026-04-18 15:39:06 -07:00

fix: recipe enrichment backfill, main_ingredient browser domain, bug batch

pyr0ball referenced this issue 2026-04-18 15:39:32 -07:00

fix: recipe enrichment backfill, main_ingredient browser, bug batch #109

pyr0ball closed this issue 2026-04-18 15:50:41 -07:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

fix/recipe-enrichment-and-bugfixes

fix/a11y-audit

feature/community

feature/meal-planner

feature/orch-auto-lifecycle

feature/shared-task-scheduler

v0.5.1

v0.3.0

v0.5.0

v0.2.0

Labels

Clear labels   

accessibility

  

backlog

  

beta-feedback

  

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

feature-request

  

help wanted

Need some help

  

invalid

Something is wrong

  

needs-design

  

needs-triage

  

question

More information is needed

  

wontfix

This won't be fixed

No labels

accessibility

backlog

beta-feedback

bug

duplicate

enhancement

feature-request

help wanted

invalid

needs-design

needs-triage

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Circuit-Forge/kiwi#93

No description provided.