v1 treatments API inconsistently handles string _id values, breaking Loop Temporary Override update/delete sync

[AndyLow91]

Summary
Nightscout v1 accepts client-supplied string _id values when creating treatments, but later treats those same _id values as if they must be Mongo ObjectIds.

This is a problem for Loop Temporary Override treatments, because Loop uploads them with UUID-style _id values, for example:

{
  "_id": "69F15FD2-8075-4DEB-AEA3-4352F455840D",
  "enteredBy": "Loop",
  "eventType": "Temporary Override",
  "created_at": "2026-02-17T02:00:16.000Z",
  "timestamp": "2026-02-17T02:00:16Z",
  "durationType": "indefinite",
  "correctionRange": [90, 110],
  "insulinNeedsScaleFactor": 1.2,
  "reason": "Override Name",
  "utcOffset": 0
}

The initial POST succeeds, and the treatment is stored.
Later update/delete operations against that same treatment can fail because Nightscout v1 tries to coerce _id into ObjectId, or because it upserts by created_at + eventType instead of _id.

This can cause Loop override treatment sync to get stuck after an indefinite override, and subsequent override banners on the graph may stop appearing.

User-visible impact
Symptoms reported from real deployments:

A Temporary Override banner appears on the graph and persists.
Later devicestatus.override.active=false clears the live override pill, but the graph overlay remains because the overlay is driven by treatments, not devicestatus.
After the original indefinite override ages out of the graph window, the old banner disappears.
From that point onward, future Loop override banners may stop appearing entirely because override treatment sync is stalled by a failed update/delete on the earlier UUID-backed treatment.
Why this shows up specifically with Loop
Loop/NightscoutService uploads override treatments with:

eventType: "Temporary Override"
durationType: "indefinite" for infinite overrides
_id = override.syncIdentifier.uuidString
That means the _id is a UUID string, not a Mongo ObjectId.

Nightscout accepts that on create, but v1 treatment update/delete paths are not consistent with that acceptance.

Reproduction
POST a treatment with a UUID _id:

{
  "_id": "69F15FD2-8075-4DEB-AEA3-4352F455840D",
  "eventType": "Temporary Override",
  "created_at": "2026-02-17T02:00:16.000Z",
  "durationType": "indefinite",
  "correctionRange": [90, 110],
  "insulinNeedsScaleFactor": 1.2,
  "reason": "test override"
}

Nightscout stores it successfully.

Later attempt one of the following:

DELETE /api/v1/treatments/69F15FD2-8075-4DEB-AEA3-4352F455840D
PUT /api/v1/treatments/ with the same _id
POST /api/v1/treatments/ again with the same _id but a changed created_at
Actual behavior
Initial create succeeds.
Delete can fail because _id is treated as ObjectId.
Update can fail for the same reason, or miss the existing treatment because matching is based on created_at + eventType.
Reposting with the same _id but a different created_at can fail or behave inconsistently because the dedupe/upsert key is not _id.
Loop can keep retrying the same failed override sync batch, preventing later override treatments from syncing.
Expected behavior
Nightscout v1 should handle client-supplied treatment _id values consistently across create, update, and delete:

If _id is a UUID/string, it should remain a string.
Only 24-hex _id values should be converted to Mongo ObjectId.
If a client supplies _id, v1 treatment upserts should match by _id.
DELETE and PUT should work for both Mongo ObjectId ids and string UUID ids.
Root cause
There are two related problems in the v1 treatment path:

_id coercion is too aggressive.
Query/delete/update paths assume _id must be ObjectId.
UUID strings like 69F15FD2-8075-4DEB-AEA3-4352F455840D are not valid ObjectIds.
Treatment upsert matching ignores client _id.
v1 POST/replace logic matches treatments by created_at + eventType.
If the client reuses the same _id but changes created_at, Nightscout does not reliably target the existing treatment.

Why this matters beyond one bad treatment
Loop advances its override sync anchor only after the override upload operation succeeds. If one UUID-backed override treatment cannot be updated or deleted, the same override batch can be retried repeatedly, and newer override treatments never get through. That makes the graph overlay behavior look like “one indefinite override happened, then future override banners stopped working.”

Proposed fix
In the v1 treatment API/storage layer:

Only convert _id to ObjectId when it is a 24-character hex string.
Leave UUID/string _id values as strings.
Prefer _id as the upsert key when the client supplied one.
Fall back to created_at + eventType only for legacy callers that did not supply _id.
Ensure PUT /api/v1/treatments/ and DELETE /api/v1/treatments/:id work for both string and ObjectId ids.
Additional note
This issue affects the graph override banner path because that banner is driven by treatments, not devicestatus. So even when live override state in devicestatus is correct, graph overlays can diverge if treatment sync breaks.

If useful, I can also provide a minimal regression test matrix for:

UUID _id POST
UUID _id repost with changed created_at
UUID _id PUT
UUID _id DELETE

[AndyLow91]

Addressed this issue is #8447

[zehnBE]

Hey @AndyLow91
on my side, we have patched it so:

Bug: UUID-style _id from AAPS/Loop crashes websocket.js and breaks treatment upserts

Environment

• Nightscout version: 15.0.x (master), dev, dev-psonnera
• MongoDB: 5.x - 8.x
• Node: 16.x - 22.x
• Affected clients: AndroidAPS (NSClient v1 and v3), Loop (iOS)

Description

AAPS and Loop send treatment data via WebSocket (dbUpdate, dbUpdateUnset, dbRemove) and REST API (POST /treatments) using UUID-style _id values such as e4d3f8b1-beb9-57f5-b10c-0bf59fb52d32. Nightscout passes these directly to new ObjectID(), which only accepts 24-character hex strings.

This causes two separate failures:

1. websocket.js — ObjectID constructor throws

All four WebSocket data handlers call new ObjectID(data._id) without validating the format. When a UUID string is passed:

• In dbUpdate: a try/catch exists, but the catch block creates a random new ObjectID via new ObjectID(). This random ID never matches any existing document, so the update silently fails with Got results null.
• In dbUpdateUnset, the dedup block, and dbRemove: there is no try/catch at all, so the error propagates uncaught.

2. treatments.js — MongoDB rejects immutable _id change

When a client POSTs a treatment with a UUID _id, the upsert function matches an existing document by created_at + eventType, but the update payload still contains the UUID _id. MongoDB rejects this with error code 66: "immutable field '_id' was found to have been altered".

Steps to Reproduce

1. Set up Nightscout with MongoDB
2. Connect an AAPS client using NSClient v1 or v3
3. Client sends dbUpdate via WebSocket with _id: "f5b16577-107f-554a-8a02-4b5719c128a3"
4. Server throws at new ObjectID(data._id) in lib/server/websocket.js
5. Client sends POST /treatments with a UUID _id
6. Server attempts upsert, MongoDB rejects with error code 66

Error Logs

websocket.js:

[TT-DEBUG] dbUpdate: {"collection":"treatments","_id":"e4d3f8b1-beb9-57f5-b10c-0bf59fb52d32","eventType":"Temp Basal","isValid":true,"duration":11}
Error: Argument passed in must be a single String of 12 bytes or a string of 24 hex characters
    at new ObjectID (/opt/app/node_modules/bson/lib/bson/objectid.js:59:11)
    at Socket.dbUpdate (/opt/app/lib/server/websocket.js:220:16)
got data-received event, requesting reload
Got results null

treatments.js:

Problem upserting treatment MongoServerError: Plan executor error during findAndModify ::
caused by :: After applying the update, the (immutable) field '_id' was found to have been
altered to _id: "CF020994-E794-46B8-9FF0-D5653BCDEC86"

Proposed Fix

websocket.js — safeObjectID() helper

Add a helper function after the ObjectID require that validates the _id format before constructing an ObjectID. If it is not a valid 24-hex string, the value passes through as-is for use in MongoDB queries (MongoDB can query by string _id without issues):

function safeObjectID(id) {
  if (/^[0-9a-fA-F]{24}$/.test(id)) return new ObjectID(id);
  return id;
}

Replace all four locations:

Handler	Before	After
dbUpdate (~line 220)	id = new ObjectID(data._id)	id = safeObjectID(data._id)
dbUpdate catch block	id = new ObjectID()	id = data._id
dbUpdateUnset (~line 277)	var objId = new ObjectID(data._id)	var objId = safeObjectID(data._id)
dedup block (~line 404)	var objId = new ObjectID(array[0]._id)	var objId = safeObjectID(array[0]._id)
dbRemove (~line 517)	var objId = new ObjectID(data._id)	var objId = safeObjectID(data._id)

Testing Done

Verified on a production multi-tenant Nightscout hosting environment with live clients:

• AAPS dbUpdate with UUID _id — no crash, document found and updated correctly
• Loop POST /treatments with UUID _id — upsert succeeds, [TreatmentFix] log confirms migration
• Temporary Override via Loop remote caregiver — treatment and profile created correctly
• Carb Correction create + delete cycle — works end-to-end via REST API
• Standard 24-hex ObjectID _id values — unchanged behavior, safeObjectID() passes through to new ObjectID() as before
• Tested on master (15.0.4), dev, and dev-psonnera branches

Additional Context

A centralized safeObjectID() utility would prevent this class of bug across the entire codebase. The pattern new ObjectID(user_input) without validation appears in multiple files and will break whenever a client sends a non-24-hex _id.

uuid-patch-on-10be.txt

[bewest]

Thanks, I left a comment worrying about this in the other pr.

[zehnBE]

ah ok. On my side, it works fine and the users had complaint, so i need to fix it. And i try/debug it with a few User, that it really works with aaps/loop. Maybe not all stuff is patched, but that, what i see, what the Users use, works now.
But i am not a js developer and maybe this helps to fix it.

[bewest]

What is the impact of stripping _id from any incoming data that is not an objectId? Is it tenable to support people sending invalid objectids and expecting mongodb to work properly. We can adopt a data model layer and validate input, and choose and migrate to a different field for internal id. There's a reason it's not working, and I'm not sure it's a good idea to lean into breaking behavior. If Loop and AAPS decided to correctly use objectIDs, what would the impact be?

[bewest]

The next step here is to generate test harnesses that can faithfully represent Loop/AAPS style uploads, so we can evaluate and capture behavior in the wild.

[AndyLow91]

@bewest Yes, If we strip any _id fields, the Mongo will automatically assign one whenever the entry is entered into the collection. However, I believe Loop wants to go back in to edit the entry once the user has stopped the override, and it requires the identifier that it previously gave, so do this would break it further, unless Loop updated their logic to store and be aware of, say, 'UUID' being the stored key rather than '_id'

[bewest]

Yes. Ok, I think we can accommodate this: https://github.com/bewest/rag-nightscout-ecosystem-alignment/blob/main/traceability/treatments-gaps.md#gap-treat-012-v1-api-incorrectly-coerces-uuid-_id-to-objectid. I will try to develop swift and kotlin test harnesses from the third party sources to confirm fixes.

[bewest]

https://github.com/bewest/rag-nightscout-ecosystem-alignment/blob/main/docs/reports/option-g-test-validation-report.md, #8421

Thanks, Andy. I was able to create some tests using the swift and kotlin code to investigate this a bit further.

[bewest]

I was probing for other places where this kind of thing might be an issue and found some:
The issue became a problem when these two things collided:

1. MongoDB driver v4 (2022-02-16): Stricter ObjectId validation
2. Loop override uploads (2022-02-28): Using UUID as _id

But Trio entries with UUID _id is newer (2025-04-29) and would have the same issue if getEntry() is called with a
Trio-generated UUID.

Fixes Needed

┌──────────────┬─────────────────────┬───────────────────┐
│ Collection │ Current Fix │ Status │
├──────────────┼─────────────────────┼───────────────────┤
│ treatments │ Option G (PR #8447) │ ✅ Implemented │
├──────────────┼─────────────────────┼───────────────────┤
│ entries │ Same pattern needed │ ❌ Not yet │
├──────────────┼─────────────────────┼───────────────────┤
│ devicestatus │ N/A │ ✅ Server assigns │
└──────────────┴─────────────────────┴───────────────────┘

[bewest]

Thanks for putting #8447 together. #8421 folds that work together with additional work on backwards and forwards compatibility.