I signed up as an affiliate and got two different IDs: OTP verify TOCTOU race + Gmail prefetch (PR #646 VI F3)
Aybars (26), a content creator from Selcuklu, Konya, applied to the thMenu affiliate program and, 5 minutes after the welcome email arrived, saw TWO separate Affiliate IDs (AYBARS22 + AYBARS76). Support worked through and refuted 2 wrong theories (double Submit, case-sensitive email).

Workers ingest log: two verify requests 8ms apart, same token. (1) 15:14:23.142 IP 66.249.93.71, user-agent Google-Email-Verification: the Gmail safety prefetch service. (2) 15:14:23.150 IP 88.232.x, AppleWebKit: Aybars's real click.

Verify endpoint code: SELECT consumed=0 + validate + UPDATE SET consumed=1 + createAffiliate. The race window sits between steps 1-3: Request A does SELECT consumed=0, UPDATE, createAffiliate=AYBARS22. Request B (8ms later) does SELECT and still sees consumed=0 (D1 eventual-consistency snapshot), UPDATE (an idempotent no-op), createAffiliate=AYBARS76. Two affiliates.

The deeper problem: the verify endpoint used the GET method. Under RFC 9110 §9.2.1 GET must be a safe method and must NOT change state; Gmail/Outlook/Mimecast/Slack all prefetch URLs found in the inbox, and so unintentionally trigger any GET-with-state-change endpoint.

**PR #646 batch VI F3** fixes this in two layers: (1) atomic claim guard: UPDATE SET consumed=1 WHERE token=? AND consumed=0 AND expires_at>? plus meta.changes detection; of the concurrent callers only one succeeds (meta.changes===1), the other gets meta.changes===0 and invalid_or_expired. (2) POST method enforcement: the verify endpoint moved from GET to POST, the email link leads to a form, and the manual button press triggers the POST; email-scanning services do not issue POST, so the prefetch path is closed. Aybars's AYBARS76 was deleted, AYBARS22 was kept.

Pattern: OTP, magic-link, single-use token, password-reset and account-deletion-confirm must all be consumed with an atomic UPDATE + WHERE race guard + POST method; the SELECT-then-UPDATE pattern combined with the GET-method state-change RFC violation already produces a silent double-spend through Gmail/Outlook/Mimecast prefetch.
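An added example, not thMenu's or PR #646's code: a small Node.js simulation of both verify paths against an async in-memory stand-in for D1 (the token value, expiry and the `tick` yield between statements are assumptions) that fires the prefetch request and the real click concurrently, so the SELECT-then-UPDATE path creates both affiliates while the atomic claim guard lets only the first caller through.

```javascript
// Async in-memory stand-in for D1 (constructed): every statement yields to the event loop,
// so two concurrent verify calls interleave the way the ingest log shows.
const tick = () => new Promise((resolve) => setImmediate(resolve));
function makeDb() {
  const tokens = new Map();   // token -> { consumed, expires_at }
  const affiliates = [];      // affiliate IDs created by createAffiliate
  return {
    tokens, affiliates,
    async select(token) { await tick(); const r = tokens.get(token); return r ? { ...r } : null; },
    // Unconditional UPDATE SET consumed=1: a no-op for the second caller, but it still "succeeds".
    async markConsumed(token) { await tick(); const r = tokens.get(token); if (r) r.consumed = 1; },
    // Models UPDATE SET consumed=1 WHERE token=? AND consumed=0 AND expires_at>? and D1's
    // meta.changes: check and write are one step, so only one caller ever sees changes === 1.
    async claim(token, now) {
      await tick();
      const r = tokens.get(token);
      if (!r || r.consumed !== 0 || r.expires_at <= now) return { changes: 0 };
      r.consumed = 1;
      return { changes: 1 };
    },
    async createAffiliate(id) { await tick(); affiliates.push(id); return id; },
  };
}
// Vulnerable path from the report: SELECT consumed=0, validate, UPDATE, createAffiliate.
async function verifyVulnerable(db, token, affiliateId) {
  const row = await db.select(token);                                  // check
  if (!row || row.consumed !== 0 || row.expires_at <= Date.now()) return { ok: false, reason: 'invalid_or_expired' };
  await db.markConsumed(token);                                         // write (not conditional)
  return { ok: true, affiliate: await db.createAffiliate(affiliateId) }; // use
}
// Fixed path: one conditional UPDATE, then branch on meta.changes.
async function verifyAtomic(db, token, affiliateId) {
  const { changes } = await db.claim(token, Date.now());
  if (changes !== 1) return { ok: false, reason: 'invalid_or_expired' };
  return { ok: true, affiliate: await db.createAffiliate(affiliateId) };
}
// Two verify requests for the same token in flight at once: the mail prefetch and the real click.
async function simulate(verify) {
  const db = makeDb();
  db.tokens.set('tok-constructed', { consumed: 0, expires_at: Date.now() + 60_000 });
  const results = await Promise.all([
    verify(db, 'tok-constructed', 'AYBARS22'),   // request A: Google-Email-Verification prefetch
    verify(db, 'tok-constructed', 'AYBARS76'),   // request B: the real click 8ms later
  ]);
  return { created: db.affiliates, results };
}
simulate(verifyVulnerable).then((r) => console.log('SELECT-then-UPDATE created:', r.created)); // [ 'AYBARS22', 'AYBARS76' ]
simulate(verifyAtomic).then((r) => console.log('atomic claim created:', r.created));           // [ 'AYBARS22' ]
```

The simulation reproduces the interleaving deterministically; against real D1 the second SELECT may also read a stale snapshot, which is why the guard must live in the UPDATE's WHERE clause rather than in a preceding read.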