
fix(backend): prevent concurrent LeetCode profile verification race conditions (#416) #429

Open
itssagarK wants to merge 4 commits into Ixotic27:main from itssagarK:416-fix-leetcode-verification-race

Conversation

itssagarK commented Jun 9, 2026

Contributor

What does this PR do?

This PR fixes a Time-Of-Check to Time-Of-Use (TOCTOU) race condition in the LeetCode profile verification flow.

Previously, the verification endpoint checked whether a LeetCode profile was available before assigning it to a user. Under concurrent requests, multiple users could pass the availability check and attempt to claim the same profile simultaneously, leading to inconsistent ownership.

This PR introduces an atomic claim mechanism to ensure that only one user can successfully claim a profile.

Changes Made

Atomic Profile Claiming

  • Normalized the LeetCode username once and reused it throughout the verification flow.
  • Added an atomic update path for existing unclaimed profiles.
  • Added conflict detection using .is("claimed_by", null) during updates.
  • Prevented concurrent requests from claiming the same profile.

Safe Profile Creation

  • Added an atomic insert flow when no profile record exists.
  • Relies on database uniqueness constraints to prevent duplicate claims.
  • Returns a 409 Conflict if another request claims the profile first.

Improved Error Handling

  • Returns a clear conflict message when a profile is claimed during a concurrent request.
  • Prevents ambiguous ownership states.

Reduced Race Window

  • Claims the profile before performing expensive LeetCode API requests.
  • Ensures only the successful claimant proceeds with profile synchronization.

Why this matters

Before this fix

  • Two users could attempt to verify the same LeetCode profile simultaneously.
  • Both requests could pass the availability check.
  • Ownership could become inconsistent depending on request timing.
  • Identity verification integrity could be compromised.

After this fix

  • Profile claiming is protected at the database layer.
  • Only one request can successfully claim a profile.
  • Concurrent requests fail safely with a conflict response.
  • Ownership remains consistent and reliable.

Testing

Verified:

  • Existing unclaimed profiles can only be claimed once.
  • Concurrent verification attempts return proper conflict responses.
  • New profile creation respects uniqueness constraints.
  • Existing verification flow remains functional.

Related Issue

Fixes #416

Checklist

  • npm run lint passes
  • Tested locally
  • No secrets or .env values committed
  • I acknowledge that an automated AI Reviewer will perform a preliminary review of this PR.
  • I have starred this repository! (We prioritize PRs and assignments for stargazers)
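Added example, not code from the PR or the repository: an in-memory model of the racy check-then-assign flow beside the single atomic claim the description outlines. The row shape (username mapped to claimed_by), the 409 response and the interleaving driver are assumptions made for the illustration.

```javascript
// Added example, not the PR's code. Row shape (username -> { claimed_by }),
// the 409 response and the in-memory store are assumed stand-ins for the real DB.
const normalize = (u) => u.trim().toLowerCase(); // normalize once, reuse everywhere

class ProfileStore {
  constructor() { this.rows = new Map(); } // leetcode username -> { claimed_by }
  get(username) { return this.rows.get(username) ?? null; }
  // Models UPDATE ... WHERE username = u AND claimed_by IS NULL, with INSERT
  // (unique on username) when no row exists; one atomic step on the database.
  claimIfUnclaimed(username, userId) {
    const row = this.get(username);
    if (row === null) { this.rows.set(username, { claimed_by: userId }); return true; }
    if (row.claimed_by === null || row.claimed_by === userId) { row.claimed_by = userId; return true; }
    return false; // another request already won: conflict
  }
}
// Original flow, split into its two separate steps: check availability, then assign.
function racyCheck(store, username, userId) {
  const row = store.get(username);
  return row === null || row.claimed_by === null || row.claimed_by === userId;
}
function racyAssign(store, username, userId) {
  store.rows.set(username, { claimed_by: userId }); // unconditional write
}

// Fixed flow: one conditional claim before any expensive LeetCode API work.
function verifyAtomic(store, rawUsername, userId) {
  const username = normalize(rawUsername);
  if (!store.claimIfUnclaimed(username, userId)) {
    return { status: 409, message: "LeetCode profile already claimed by another user" };
  }
  return { status: 200, username }; // only the winner continues to sync the profile
}

// Interleave N concurrent requests the way a scheduler can: every request
// finishes its availability check before any of them writes.
function raceRacy(userIds, rawUsername = "  Alice_Dev ") {
  const store = new ProfileStore();
  const username = normalize(rawUsername);
  const passed = userIds.filter((id) => racyCheck(store, username, id));
  passed.forEach((id) => racyAssign(store, username, id)); // last writer wins
  return { successes: passed.length, owner: store.get(username).claimed_by };
}
function raceAtomic(userIds, rawUsername = "  Alice_Dev ") {
  const store = new ProfileStore();
  const results = userIds.map((id) => verifyAtomic(store, rawUsername, id));
  const count = (s) => results.filter((r) => r.status === s).length;
  return { successes: count(200), conflicts: count(409), owner: store.get(normalize(rawUsername)).claimed_by };
}
```

With three users racing for the same handle, the racy driver reports three successful verifications but a single (last-writer) owner, while the atomic driver reports one success and two 409 conflicts.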

vercel Bot commented Jun 9, 2026


@itssagarK is attempting to deploy a commit to the ixotic27-8245's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot left a comment

Contributor


Security Scan: Clean

No suspicious patterns detected. The official Copilot bot will provide detailed AI feedback shortly.

If you enjoyed contributing, please consider starring the repository!

@github-actions github-actions Bot added backend Backend/API related frontend good first issue Good for newcomers Gssoc 26 Part of GirlScript Summer of Code 2026 gssoc:approved Approved GSSoC contribution level:intermediate Intermediate difficulty level type:bug Something isn't working as expected labels Jun 9, 2026
itssagarK commented Jun 9, 2026

Contributor Author

Hi @Ixotic27,

This PR fixes the TOCTOU race condition reported in #416.

The solution introduces atomic claim logic at the database layer, ensuring that only one user can successfully claim a LeetCode profile even when multiple verification requests occur simultaneously.

The existing verification workflow remains unchanged while preventing ownership conflicts and improving profile integrity.

Thank you for reviewing.

@github-actions github-actions Bot added the status:blocked This PR is blocked due to a failing CI check. label Jun 9, 2026
@itssagarK itssagarK changed the title fix(presence): prevent stale polling responses from overwriting newer websocket updates (#415) fix(backend): prevent concurrent LeetCode profile verification race conditions (#416) Jun 9, 2026
github-actions Bot commented Jun 9, 2026

Contributor

🚨 Hey @itssagarK, the CI Pipeline is failing on this PR and it has been marked as status:blocked.

🔍 What failed:

  • Production Build failed at step(s): Build

📋 Error Details (first 2):

Please fix the issues before this can be reviewed. Here's how:

1. Run checks locally before pushing:

npm run lint           # Run ESLint
npm run build          # Verify production build passes

2. Auto-fix common issues:

npm run lint -- --fix  # Auto-fix lint errors where possible

3. Check the full failure log here:
👉 View CI Run

Once you push a fix and the CI passes, the status:blocked label will be removed automatically. 💪


Development

Successfully merging this pull request may close these issues.

[Bug]: Concurrent LeetCode profile verification requests can bypass uniqueness checks
