Common Claude Code Issues

API endpoint returns data in a different structure than the frontend expects. Frontend code calls API successfully but crashes when trying to access expected properties that don't exist or are nested differently.

This common integration problem surfaces when frontend and backend are developed independently without coordinating on response format.

Frontend makes a complex request (POST with JSON body) to API, preflight OPTIONS request fails with 403 or 405 error. Actual request never sent because browser stops at preflight check. Simple GET requests work but POST/PUT/DELETE fail.

CORS configuration exists but doesn't handle preflight requests correctly.

@NotNull, @NotBlank, @Size and other validation annotations are added to bean fields but validation never executes. Invalid data passes through without error. Validation was added but not wired up properly.

Annotations exist but validator isn't invoked on bean creation or API calls.

API has no rate limiting. Malicious users can spam endpoints with thousands of requests, causing DoS attack. Legitimate requests are throttled. API was designed but rate limiting was deferred as 'optimization' and never implemented.

No mechanism exists to slow down or reject excessive requests from single client.

Real-time features using WebSocket connections drop unexpectedly. Client loses connection to server with no reconnection attempt. Users experience gaps in real-time updates or are suddenly disconnected.

Connection works initially but doesn't handle network interruptions or server resets gracefully.

Frontend component was built but never connected to the actual API endpoint. The component's action buttons call mock functions or make requests to undefined URLs. Moving to production revealed that the UI flow is orphaned from backend logic.

Frontend was developed in isolation without coordinating with API development, leaving integration gaps.

Webhook endpoint receives POST requests (verified in logs) but event handlers don't execute. The webhook returns 200 OK but triggers no side effects. Events are silently dropped with no error indication, making this extremely difficult to debug.

This commonly happens when webhook routing is correct but handlers aren't invoked, or when async processing silently fails.

Stripe webhook endpoint is registered and receiving events (confirmed in Stripe dashboard) but handlers aren't executing. Payments are charged successfully in Stripe but the application doesn't record orders, send confirmations, or update inventory.

The webhook integration appears complete but events are being ignored silently.

Passwords are hashed but using a weak algorithm. Plain MD5, SHA-1, or simple salted SHA-256 is used instead of proper password hashing. Security audit flags the implementation as inadequate for protecting user credentials.

Password storage exists but doesn't use modern algorithms that resist brute-force attacks.

CORS configured with Access-Control-Allow-Origin: * allowing any origin to access the API. Security audit flags this as a vulnerability. Any website can make requests to the API on behalf of users.

While allowing all origins is convenient for development, it's a security risk in production.

JWT tokens are generated successfully but validation fails on subsequent requests. User logs in, receives token, but next request with the token in Authorization header is rejected. Tokens work briefly then expire or fail unexpectedly.

Token generation and validation logic both exist but something about the verification is failing.

Application fails to start with circular dependency error. Module A imports Module B which imports Module A, creating a cycle that prevents initialization. This often surfaces after refactoring when reorganizing modules.

The error message clearly indicates a circular dependency but resolving it requires understanding module relationships.

Application has configuration file (application.yml or .env) but settings aren't being loaded. Default values are used instead, causing application to attempt connections to wrong database, wrong API endpoints, or with wrong credentials.

Configuration file exists and is readable but isn't being discovered by the application.

After successfully authenticating with OAuth during a Claude Code session, the token is lost when starting a new session. Users are forced to re-authenticate every time they run Claude Code, defeating the purpose of persistent authentication.

This commonly occurs when the agent doesn't properly serialize session state or when the token storage mechanism isn't configured for persistence across CLI invocations.

When Claude Code attempts to access a GitHub repository, it receives 403 Forbidden errors despite having a valid GitHub token. The token was generated with limited scopes and lacks permissions needed for repository operations.

This manifests when the user's OAuth flow doesn't request all necessary scopes, or when GitHub's scope requirements change but the CLI isn't updated.

Unauthenticated users can access protected endpoints that should require authentication. The auth middleware exists but doesn't actually enforce authentication checks, allowing requests to bypass security.

This typically happens when middleware is registered but improperly configured, or when certain routes are accidentally whitelisted without restriction.

Security review discovers SQL injection vulnerability. Application constructs SQL queries by string concatenation with user input. Attacker could manipulate queries by injecting SQL code through input fields.

Query works correctly for normal input but fails to protect against malicious input.

When an operation fails partway through, previous changes aren't rolled back. Database is left in inconsistent state with partial changes. For example: charge credit card but fail to record order = customer charged but no order created.

Transaction management exists but doesn't properly rollback on all error types.

A new database migration file was created but didn't execute when starting the application. The database schema remains out of sync with the application code, causing runtime errors when trying to access new columns or tables.

This occurs when migration tools (Flyway, Liquibase) don't detect the new file, have incorrect naming conventions, or encounter permission issues during execution.

After refactoring ORM relationship configurations, related entities stopped lazy loading. Now every query that accesses relationships triggers additional database queries, causing severe N+1 query problems and timeouts.

The ORM configuration was changed to eager loading for debugging but wasn't reverted, or the lazy loading annotations were accidentally removed during refactoring.

Seed data script that populates initial test data in development is not executing. The database starts empty, causing tests and manual testing to fail. This might be a timing issue where seed data attempts to load before migrations complete.

Seed data loading is typically optional and failures are silently ignored, making this hard to debug.

Application encounters deadlock errors intermittently when multiple users perform operations simultaneously. Specific sequences of operations cause deadlock: Thread A waits for lock held by Thread B, which waits for lock held by Thread A. Application must retry deadlocked operations.

Deadlocks are hard to reproduce but fail under load testing or in production.

Application gradually exhausts Redis connection pool over hours. New connections fail with 'pool exhausted' error. Existing connections aren't being returned to the pool properly, causing connection leak.

Redis works initially but degrades as connections accumulate.

Application fails to make HTTPS requests to external services, throwing SSL certificate validation errors. In development with self-signed certificates it works (validation disabled), but in production with proper certificates it fails.

Certificate is valid and properly installed but the application doesn't trust it.

Docker build succeeds locally but fails in CI/CD pipeline with dependency resolution errors. The Dockerfile installs system packages that conflict with application dependencies, or transitive dependencies pull incompatible versions.

This often only appears in CI/CD because local Docker daemon caches layers, masking the real issue.

Application is running but logging statements produce no output. Debug logs don't appear even with verbose configuration. Application logs nowhere for troubleshooting despite logging statements in code.

Logging framework is configured but output isn't being written.

CI/CD pipeline fails during build or deployment steps because required environment variables aren't available. The application starts correctly in development where variables are set locally, but fails in the pipeline with 'variable not defined' errors.

This commonly occurs when moving configuration from .env files to CI/CD secret management, or when new required variables aren't added to all environments.

Gradle build cache contains stale artifacts from previous builds. Changes to source files aren't reflected in the compiled output, causing deploying of old code. Incremental builds work correctly, but CI/CD pipeline with partial cache hits behaves unexpectedly.

This is particularly problematic when generated code or resource files are cached but source changed.

Application attempts to write files (logs, uploads, caches) but fails with permission denied errors. The user running the application doesn't have write permissions to the target directory. Works in development where user has full permissions but fails in production.

This commonly occurs with log files, uploaded files, or temporary cache directories.

An endpoint that processes data times out when dataset size increases. The algorithm works correctly for small datasets but degrades exponentially with larger inputs. Response time jumps from 100ms to 10+ seconds as data volume grows.

The algorithm is correct but has poor time complexity that wasn't apparent at scale.

A background job that runs periodically starts consuming more memory with each execution. After hours of running, the application runs out of memory and crashes. The job itself is correct but something isn't being cleaned up properly.

Memory usage climbs steadily despite the job appearing to complete normally.

Application performance degrades significantly after adding a feature that loads related data. Profiling shows massive number of database queries (1 main query + N queries for each result). Adding 50 users slows down response by seconds instead of milliseconds.

The feature works correctly but is fundamentally inefficient, querying the database hundreds or thousands of times for what should be a few queries.

Code with multiple nested async operations becomes deeply nested and hard to follow (callback hell). Fixing bugs or adding features becomes dangerous due to complexity. Code written before async/await was standardized.

Refactoring to async/await would improve readability and maintainability significantly.

Processing large files or datasets causes out-of-memory errors. Profiling shows massive string accumulation. The issue: concatenating strings in a loop creates new string object each iteration.

Simple string concatenation is inefficient when done repeatedly.

Application state becomes inconsistent under certain conditions. Two async operations complete in unexpected order, leaving the application in an invalid state. Clicking buttons rapidly, loading data concurrently, or quickly switching views exposes the race condition.

Works fine in normal usage but fails under concurrent load or rapid user actions.

A small feature was added via npm package but bundle size increased 500KB. The feature doesn't justify the size increase. Build tools show the dependency is being included but it's rarely used, or lighter alternatives exist.

Adding the dependency solved a problem but created a new one: application loads slower for all users.

Server-side rendered pages fail to load with template syntax errors. Browser shows 500 error, server logs show the template couldn't be parsed. Changes to template files aren't working as expected.

Template syntax is close to correct but has subtle errors that prevent rendering.

A UI component successfully updates its state but the changes don't appear on screen. The developer confirms the state changed (via console logging) but the component remains visually unchanged. This typically affects forms, lists, and modal dialogs.

The component structure and lifecycle are correct, but something prevents the rendering system from detecting the state change as significant.

User-provided content displayed in template without escaping. Attacker can inject malicious JavaScript that executes in other users' browsers. Form submissions, comments, or user profiles become attack vectors.

Template renders user input directly, trusting it's safe when it's not.

A CSS rule was written and is definitely being loaded (visible in dev tools), but it's not applied to elements because a more specific rule is overriding it. This commonly happens after refactoring style organization or adding utility classes.

The style appears in the stylesheet but browsers display the override style instead, confusing developers about what went wrong.

A form was scaffolded with basic structure but validation is incomplete. Some fields check for empty values but don't validate format (emails, phone numbers). Others bypass validation entirely due to missing checks. Invalid data is submitted to backend.

Frontend validation is partially implemented but inconsistent across form fields.

Button or element has an onclick handler or click listener attached but clicking doesn't trigger it. The element responds to other interactions but the click handler isn't called. This often happens after dynamically adding elements or refactoring event binding.

Handler is defined and looks correct but isn't invoked when clicked.