From 5ee4f4e34be092b71ff26b0ad7a84cf99c46ba0b Mon Sep 17 00:00:00 2001
From: "CanbiZ (MickLesk)" <47820557+MickLesk@users.noreply.github.com>
Date: Thu, 12 Feb 2026 13:45:32 +0100
Subject: [PATCH] fix(api): prevent duplicate post_to_api submissions (#11836)

Add POST_TO_API_DONE idempotency guard to post_to_api() to prevent
the same telemetry record from being submitted twice with the same
RANDOM_UUID. This mirrors the existing POST_UPDATE_DONE pattern in
post_update_to_api().

post_to_api() is called twice in build.func:
- After storage validation (inside CONTAINER_STORAGE check)
- After create_lxc_container() completes

When both execute, the second call fails with a random_id uniqueness
violation on PocketBase, generating server-side errors.
---
 misc/api.func | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/misc/api.func b/misc/api.func
index 09d1a82e8..468824bfe 100644
--- a/misc/api.func
+++ b/misc/api.func
@@ -353,6 +353,9 @@ detect_ram() {
 # - Never blocks or fails script execution
 # ------------------------------------------------------------------------------
 post_to_api() {
+  # Prevent duplicate submissions (post_to_api is called from multiple places)
+  [[ "${POST_TO_API_DONE:-}" == "true" ]] && return 0
+
   # Silent fail - telemetry should never break scripts
   command -v curl &>/dev/null || {
     [[ "${DEV_MODE:-}" == "true" ]] && echo "[DEBUG] curl not found, skipping" >&2
@@ -440,6 +443,8 @@ EOF
       -H "Content-Type: application/json" \
       -d "$JSON_PAYLOAD" &>/dev/null || true
   fi
+
+  POST_TO_API_DONE=true
 }
 
 # ------------------------------------------------------------------------------