Closed
Description
I was going through the codebase and noticed that several requests.post() and requests.get() calls don't specify a timeout parameter. Without it, these calls will block forever if the remote server accepts the connection but never responds.
The most concerning one is in api/webhooks.py: the target_url is set by organizers, so a slow or malicious endpoint could tie up a Celery worker permanently.
Affected locations
- `app/eventyay/api/webhooks.py` (line ~316) — webhook delivery, user-provided URL
- `app/eventyay/base/services/update_check.py` (line ~59) — periodic update check
- `app/eventyay/base/services/mail.py` (line ~669) — mail-related HTTP call
- `app/eventyay/features/analytics/graphs/utils.py` (line ~104)
- `app/eventyay/features/social/utils.py` (line ~27)
Example
**current code in webhooks.py**

```python
resp = requests.post(webhook.target_url, json=payload, allow_redirects=False)
```

**should be**

```python
resp = requests.post(webhook.target_url, json=payload, allow_redirects=False, timeout=30)
```
**Why this matters**
- A hanging request holds a Celery worker (or web thread) hostage with no way to recover
- The webhook case is the worst since target_url comes from user input
- If enough workers get stuck, the whole task queue stops processing
- Python's requests library docs explicitly recommend always setting a timeout
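Added example (not code from eventyay or from this issue) showing the failure mode end to end: a constructed endpoint that accepts the connection and never answers, a constructed endpoint that answers 204, and a delivery function that bounds the wait and reports the outcome instead of hanging the worker. It uses the standard library's `http.client` rather than `requests`, but the `timeout=` parameter has the same meaning (a bound on each connect and read, not on the whole call); `start_silent_server`, `start_ack_server` and `deliver_webhook` are hypothetical names.

```python
import http.client
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

def start_silent_server():
    """Constructed hostile endpoint: accepts the TCP connection, never replies."""
    srv = socket.create_server(("127.0.0.1", 0))
    held = []  # keep accepted sockets open so the client never sees EOF
    def loop():
        try:
            while True:
                held.append(srv.accept()[0])
        except OSError:  # listener closed by the caller
            pass

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]

class _Ack(BaseHTTPRequestHandler):
    """Constructed well-behaved endpoint: consumes the body, replies 204."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(204)
        self.end_headers()

def start_ack_server():
    httpd = HTTPServer(("127.0.0.1", 0), _Ack)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_port

def deliver_webhook(target_url, payload, timeout=30):
    """POST `payload` to an organizer-supplied URL with a hard bound on connect and
    read time; returns (delivered, detail) rather than blocking the worker forever."""
    u = urlparse(target_url)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("POST", u.path or "/", body=json.dumps(payload).encode(),
                     headers={"Content-Type": "application/json"})
        status = conn.getresponse().status
        return status < 400, f"HTTP {status}"
    except socket.timeout:  # alias of TimeoutError on Python 3.10+
        return False, f"timed out after {timeout}s; schedule a retry"
    except OSError as exc:  # refused, reset, unreachable, ...
        return False, f"connection error: {exc}"
    finally:
        conn.close()
```

With `timeout=0.5` the silent endpoint returns a "timed out" result in about half a second; without a timeout the same call would never return.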