This is a bounty to fix a bug in a notification service where a POST request for creating a notification can override the server-generated ID and the initial unread state. The fix requires ensuring server-generated IDs are always used and new notifications always start as unread, ignoring any caller-supplied values for these fields during creation.
A starter prompt for Claude Code, what you'll need, and how to reach them.
You are an expert software developer. Your task is to implement a fix for issue #2762 in the SecureBananaLabs/bug-bounty repository. The core problem is that notification creation allows overriding server-generated IDs and the initial 'read' state. Your solution should ensure:

1. The `id` field is always generated by the server and cannot be supplied by the caller.
2. New notifications always start with `read: false`, regardless of what the caller provides.
3. Caller-supplied `id` and `read` fields are ignored during the creation process.

Focus solely on the notification creation logic. Do not alter authentication or routing. The project is likely a Node.js/Express application. Assume a PostgreSQL database for persistence, interacting via an ORM like Prisma or Sequelize. You should fork the repository, make the changes, and include unit tests for the notification creation endpoint that specifically test these new constraints. Your primary goal is to produce a PR that is ready for review. The stack should align with typical modern web service practices (e.g., Node.js, Express, a common ORM, Jest for testing).
Developers contributing to open-source bounties are actively looking for tools to streamline their development workflow; a tool like Forge Kit could help manage their project fleet, or Repo Gardener could help them find other maintenance opportunities.
Bounty (amount on the issue). Parent bounty: #743

## Bug

The notification service currently creates records with `{ id: generated, read: false, ...payload }`, so a request body can override both the generated notification id and the initial unread state. That lets callers create notifications already marked as read or collide with reserved/generated ids.

## Expected

- Notification creation should always return a server-generated id.
- New notifications should always start with `read: false`.
- Caller-supplied `id` and `read` fields should be ignored during creation.

## Scope

Keep this limited to notification creation. Do not change auth or route behavior in this PR.

Related reissue: #2742
Standard for any GitHub-based development.
Standard for many web applications.
Version control is fundamental.
Might need to learn specific patterns or libraries used in SecureBananaLabs/bug-bounty - ~1 day to review.
Submit a Pull Request to the SecureBananaLabs/bug-bounty repository referencing issue #2762.
“I've implemented a fix for issue #2762 that ensures notification IDs are always server-generated and 'read' states default to false, as required. My PR includes tests to validate this behavior. Please review.”