transactions often aren't used because of { options: { session:

[ElectricNroff]

Several parts of the code at 69b2859 call Mongoose functions with an object that has a top-level property named options but is was apparently intended that that object had a top-level property named session instead. Picking audit.controller because it's first in alphabetical order:

cve-services/src/controller/audit.controller/audit.controller.js

Lines 77 to 82 in 69b2859

	returnValue = await repo.appendToAuditHistoryForOrg(
	body.target_uuid,
	entry.audit_object,
	entry.change_author,
	{ session, upsert: true }
	)

Then, line 30 and line 44 below each create a new object with a single key named options, and a value that is an object with keys named session and upsert

cve-services/src/repositories/auditRepository.js

Lines 21 to 44 in 69b2859

	async appendToAuditHistoryForOrg (targetUUID, auditObject, changeAuthor, options = {}) {
	const historyEntry = {
	timestamp: new Date(),
	audit_object: auditObject,
	change_author: changeAuthor
	}
	try {
	// Try to find existing document
	let audit = await this.findOneByTargetUUID(targetUUID, { options })
	if (!audit) {
	// Create new document if doesn't exist
	// Assuming 'uuid' is available for generating a new UUID
	audit = new Audit({
	uuid: uuid.v4(),
	target_uuid: targetUUID,
	history: [historyEntry]
	})
	} else {
	// Append to existing history
	audit.history.push(historyEntry)
	}
	await audit.save({ options })

In this last code block, Mongoose is being used with an argument of the form {options: {session ... - from the perspective of Mongoose, options is an unrecognized key and is ignored, there is no top-level key named session, and thus .findOne occurs outside of the transaction. (Also, the above audit.save occurs outside of the transaction).

cve-services/src/repositories/auditRepository.js

Lines 67 to 71 in 69b2859

	async findOneByTargetUUID (targetUUID, options = {}) {
	const query = { target_uuid: targetUUID }
	const auditObject = await Audit.findOne(query, null, options)
	return auditObject
	}

This might also affect baseOrgRepository.js, baseUserRepository.js, conversationRepository.js, and reviewObjectRepository.js.

[cberger8]

Great catch, and that's something that isn't really caught by our tests. Will work through and identify all places where this occurs and unwrap the objects accordingly.