Description
`model/workflows.py` does `find_one` then `insert_one` for ID generation, classic TOCTOU: two concurrent requests grab the same ID and mongo won't stop them (no unique index). Same thing for updates: read hash, compare, write as separate ops, so two users pushing at the same time both pass the hash check and last write wins silently. The whole optimistic locking thing is pointless if it's not atomic. Needs `find_one_and_update` with the hash in the filter.
IDs use `random.choice()`, not `secrets`. Also zero auth on any endpoint, so anyone with a 6-char ID can wipe a workflow.
Minor but annoying: bare `except:` in the controller catches `KeyboardInterrupt`, no `MAX_CONTENT_LENGTH` on Flask, and the test file only covers GET. POST create/update are completely untested.
Repro: open the same workflow in two tabs, edit differently, push both at roughly the same time. One silently overwrites the other, no conflict error.
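One way to close both races described above, as an added example that is not the project's code: IDs drawn from `secrets` with a retry on the duplicate-key error a unique index raises, and `find_one_and_update` with the hash the client read in the filter, so the compare and the write are one server-side operation. `FakeCollection` is a constructed in-memory stand-in for a pymongo collection so the example runs offline; `new_id`, `update_workflow` and `content_hash` are assumed names, not the repo's.

```python
import hashlib
import json
import secrets
import string

class FakeCollection:
    """Constructed stand-in for a pymongo Collection; each method is one atomic step."""
    def __init__(self):
        self.docs = {}
    def insert_one(self, doc):
        # With a unique index on _id, real pymongo raises DuplicateKeyError here.
        if doc["_id"] in self.docs:
            raise KeyError("duplicate key")
        self.docs[doc["_id"]] = dict(doc)
    def _match(self, flt):
        doc = self.docs.get(flt["_id"])
        return None if doc is None or any(doc.get(k) != v for k, v in flt.items()) else doc
    def find_one(self, flt):
        doc = self._match(flt)
        return None if doc is None else dict(doc)
    def find_one_and_update(self, flt, update):
        # Filter match and $set are applied in one step, as the server does it;
        # pymongo returns the pre-update document by default, so callers only test for None.
        doc = self._match(flt)
        if doc is not None:
            doc.update(update["$set"])
        return None if doc is None else dict(doc)

def content_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def new_id(coll, length=6, attempts=5):
    # secrets instead of random; the insert itself is the uniqueness check, so retry on collision.
    alphabet = string.ascii_letters + string.digits
    for _ in range(attempts):
        wf_id = "".join(secrets.choice(alphabet) for _ in range(length))
        try:
            coll.insert_one({"_id": wf_id, "body": {}, "hash": content_hash({})})
            return wf_id
        except KeyError:  # DuplicateKeyError with real pymongo
            continue
    raise RuntimeError("could not allocate a unique workflow id")

def update_workflow(coll, wf_id, expected_hash, new_body):
    """Compare-and-set: a stale hash matches nothing. Returns the new hash, or None on conflict."""
    new_hash = content_hash(new_body)
    matched = coll.find_one_and_update(
        {"_id": wf_id, "hash": expected_hash},
        {"$set": {"body": new_body, "hash": new_hash}},
    )
    return None if matched is None else new_hash  # controller should map None to HTTP 409
```

The two-tab repro becomes two calls to `update_workflow` with the same `expected_hash`: the first succeeds, the second gets `None` instead of silently overwriting.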