Bug: Duplicate `/health` Route in `server.js` — Real Health Check Is Dead Code, Always Returns `ok`

[devprashant19]

Affected File

Node.js Gateway — backend/server.js

---

Bug Description

There are two GET /health route handlers registered in server.js. Express resolves routes in registration order and stops at the first match, so the second handler is never executed.

First handler (line 47 — always wins, returns a dumb static response):

app.get('/health', (req, res) => {
    res.json({ 
        status: 'ok', 
        message: 'Server is running',
        limit: '1MB'
    });
});

Second handler (line 104 — unreachable dead code, contains the real health check):

app.get("/health", async (req, res) => {
  try {
    const healthStatus = await getHealthStatus();
    const statusCode = healthStatus.status === "healthy" ? 200 : 503;
    res.status(statusCode).json(healthStatus);
  } catch (error) {
    res.status(500).json({ ... });
  }
});

getHealthStatus() (from utils/healthCheck.js) checks MongoDB connectivity and returns a 503 when the database is unavailable. Because this handler is never reached, the /health endpoint always returns 200 with {status:"ok"} — even when MongoDB is down and the server cannot process any requests.

Impact:

• Docker and Kubernetes health probes see a healthy service even when MongoDB is disconnected, causing traffic to be routed to a broken instance.
• Monitoring systems get false-positive health signals, hiding outages.
• The getHealthStatus utility and all the infrastructure built around real health checking is wasted code.

---

Steps to Reproduce

1. Start the Node server with MongoDB disconnected (e.g., wrong MONGODB_URI).
2. Call GET http://localhost:3000/health.
3. Observe response: {"status":"ok","message":"Server is running","limit":"1MB"} with HTTP 200.
4. Expected: HTTP 503 with a degraded status indicating DB failure.

---

Expected Behavior

GET /health calls getHealthStatus(), returns 200 when all dependencies are healthy, and 503 when MongoDB is disconnected or any dependency fails.

---

Actual Behavior

GET /health always returns HTTP 200 {"status":"ok"} regardless of the actual service health.

---

Proposed Fix

Remove the first (dumb) handler at line 47 entirely. Keep only the second handler at line 104:

// DELETE lines 47–53 (the dumb static handler)

// Keep only this handler (line 104):
app.get("/health", async (req, res) => {
  try {
    const healthStatus = await getHealthStatus();
    const statusCode = healthStatus.status === "healthy" ? 200 : 503;
    res.status(statusCode).json(healthStatus);
  } catch (error) {
    res.status(500).json({
      status: 'error',
      message: 'Failed to retrieve health status',
      error: error.message
    });
  }
});

---

Scope of Contribution

• Frontend
• Backend
• Database
• API
• Authentication
• AI/ML
• DevOps / CI-CD
• Documentation
• UI/UX

---

Pre-submission Checklist

• I have checked existing issues for duplicates.
• I have verified this issue exists in the current codebase.

[github-actions]

👋 Welcome back! Thanks for your continued contribution. Your issue/PR is received and waiting for maintainer review.

[github-actions]

The issue describes a bug in a Flask-based API where Gmail and Outlook OAuth tokens are stored in an insecure, in-memory Python dictionary without persistence or encryption. This causes tokens to be lost upon application restart, fails to work across multiple worker deployments, and poses a security risk from potential memory dumps. The proposed fix suggests securely persisting tokens in an encrypted database, ensuring tokens survive restarts and are accessible across worker processes.

[devprashant19]

hi @Userunknown84 I would like to work on the issue, please assign it to me