From 8051015bb85d1b6b9d6a485dea9c7db094046c70 Mon Sep 17 00:00:00 2001
From: Fabien O'Carroll <fabien@allou.is>
Date: Mon, 18 Oct 2021 16:36:56 +0200
Subject: [PATCH] Fixed race condition when linking subscriptions

no-issue

Without forcing linkSubscription to run inside a transaction - it's
possible to have race conditions where it is called twice, and attempt
to insert duplicate rows into the database.
---
 ghost/members-api/lib/repositories/member.js | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ghost/members-api/lib/repositories/member.js b/ghost/members-api/lib/repositories/member.js
index 1e9c234383..65f37f172e 100644
--- a/ghost/members-api/lib/repositories/member.js
+++ b/ghost/members-api/lib/repositories/member.js
@@ -519,6 +519,15 @@ module.exports = class MemberRepository {
         if (!this._stripeAPIService.configured) {
             throw new errors.BadRequestError(tpl(messages.noStripeConnection, {action: 'link Stripe Subscription'}));
         }
+
+        if (!options.transacting) {
+            return this._Member.transaction((transacting) => {
+                return this.linkSubscription(data, {
+                    ...options,
+                    transacting
+                });
+            });
+        }
         const member = await this._Member.findOne({
             id: data.id
         }, options);