# Backend Routes - Bug Analysis

> 25 issues found in `src/routes/`

---

## CRITICAL (4)

### 1. No Authentication on ANY Route
**Files:** All route files
**Lines:** Every router.get/post/put/delete
**Description:** No JWT validation, no API key checks, no user verification. Every endpoint is publicly accessible.
**Impact:** Unauthorized access to all data, ability to send SMS, modify leads, extract intel.
**Fix:**
```javascript
const requireAuth = (req, res, next) => {
  const token = req.headers.authorization?.split(' ')[1];
  if (!token) return res.status(401).json({ error: 'Unauthorized' });
  // Verify JWT
  next();
};
router.post('/', requireAuth, handler);
```

### 2. Hardcoded Google Sheets Credentials
**File:** `leads.js:460-461`
**Description:** Sheet ID and GID exposed in source code.
**Impact:** Anyone with repo access can access the Google Sheet.
**Fix:** Move to `GOOGLE_SHEET_ID` and `GOOGLE_SHEET_GID` env vars.

### 3. User ID Header Spoofing
**Files:** achievements.js, aiAlerts.js, coaching.js, xp.js, analytics.js, sms.js
**Lines:** Various (e.g., achievements.js:247,301)
**Description:** `const userId = req.headers['x-user-id'] || 'default-user'` - client controls identity.
**Impact:** Impersonate any user, view/modify their data.
**Fix:** Get user from authenticated JWT token.

### 4. SQL Injection via Template Literals
**Files:** leads.js:82, prompts.js:46, scripts.js:776
**Description:** `.or()` queries use string interpolation with user input.
**Impact:** Bypass filters, access unauthorized data.
**Fix:** Use parameterized queries exclusively.

---

## HIGH (7)

### 5. Race Condition in XP Award
**File:** `xp.js:145-189`
**Description:** Check-then-act without locking. Two concurrent requests can corrupt XP.
**Fix:** Use Supabase increment or database locking.

### 6. Unhandled Promise Rejections
**Files:** leads.js:426-436, sms.js:420-429, ai.js:561-563
**Description:** Fire-and-forget promises only log errors.
**Impact:** Silent failures, data not captured.
**Fix:** Implement proper error handling with alerting.

### 7. Missing Phone Validation
**File:** `sms.js:284-288`
**Description:** No null check after phone normalization.
**Impact:** SMS sent to null, crashes or silent failure.

### 8. No Status Validation
**File:** `leads.js:372`
**Description:** Lead status updates accept any value.
**Impact:** Invalid statuses corrupt database.
**Fix:** Whitelist: `['new', 'engaged', 'converted', 'opted_out', 'archived']`

### 9. DoS via Unbounded Limit
**Files:** callList.js:30, xp.js:244, coaching.js:60
**Description:** `?limit=999999999` causes massive queries.
**Fix:** Always validate: `Math.min(100, parseInt(limit))`

### 10. Missing Batch Error Handling
**File:** `sms.js:615-654`
**Description:** Batch SMS loop has minimal error handling.
**Impact:** Partial failures go unnoticed.

### 11. Missing Rate Limits on AI Endpoints
**File:** `ai.js`
**Description:** `/draft-message`, `/voice-command`, `/objection-response` have no rate limiting.
**Impact:** Spam API, massive OpenAI bills.

---

## MEDIUM (7)

### 12. Error Messages Leak Info
**Files:** Multiple
**Description:** `res.status(500).json({ error: error.message })` exposes internals.
**Fix:** Return generic message in production.

### 13. Inconsistent UUID Validation
**Files:** leads.js, aiAlerts.js
**Description:** Some routes validate UUID format, others don't.

### 14. Unbounded Data Fetching
**File:** `callList.js:48`
**Description:** `.limit(limitNum * 2)` fetches double requested.

### 15. Missing Array Element Validation
**File:** `sms.js:555-566`
**Description:** Array validated but individual elements aren't.

### 16. Default User Fallback
**Files:** Multiple
**Description:** `'default-user'` fallback pollutes data.

### 17. No Pagination Validation
**Files:** coaching.js:75, xp.js:251
**Description:** Offset not validated against reasonable bounds.

### 18. Race Condition in Conversion Pattern
**File:** `leads.js:424-436`
**Description:** Background capture might fail after response sent.

---

## LOW (7)

### 19. Sensitive Data in Logs
**Files:** calls.js, webhooks.js, voice.js
**Description:** Lead names logged to console.

### 20. No CORS Configuration
**Files:** All
**Description:** Should be in main app.js but verify.

### 21. Query Comment Injection
**File:** `leads.js:82`
**Description:** Search input interpolated into filter string.

### 22. Inconsistent Error Format
**Files:** Throughout
**Description:** Mix of `{ error }` and `errorResponse()`.

### 23. No Request ID Correlation
**Files:** All
**Description:** Hard to trace errors across logs.

### 24. Cache Memory Leak
**File:** `voice.js:13-15`
**Description:** `callLeadCache` has no cleanup job.

### 25. No API Timeouts
**Files:** ai.js, scripts.js
**Description:** External calls can hang indefinitely.