This is a walkthrough of every bug we found and fixed, roughly in the order we found them.

The Setup

When a player places a bet, the provider sends a signed JWT callback to our server. Our server deducts the balance, records the transaction, and returns the updated balance. There are about a dozen callback endpoints: bet/make, bet/win, bet/refund, bet/rollback, bet/discard, ping, balance, and more.

The stack: FastAPI (async), SQLAlchemy (synchronous ORM with autoflush=False), PostgreSQL, a shared get_db dependency that yields a fresh SessionLocal() per request and commits on success / rolls back on exception.

Bug 1: Five parallel bets timing out

The provider’s test suite includes a test that fires five bet/make requests concurrently. Ours was timing out.

The culprit: create_single_bet was calling db.commit() after inserting each individual SingleBet. For a betslip with three selections, that meant three commits before the betslip itself was committed. SQLAlchemy’s synchronous commit() blocks the event loop for the duration of the round trip to PostgreSQL. Five concurrent requests x four commits each = twenty sequential event-loop blocks happening in what should have been parallel processing.

The fix: remove the commits from create_single_bet. Instead, stage the SingleBet objects with db.add() and let create_bet_slip’s existing final commit write everything in one shot.

# Before: 4 commits per bet (N selections + 1 betslip)
def create_single_bet(db, bet, ...):
    db_bet = SingleBet(...)
    db.add(db_bet)
    db.commit()       # <- blocking, per-selection
    db.refresh(db_bet)
    return db_bet

# After: 1 commit for everything
def create_single_bet(db, bet, ...):
    db_bet = SingleBet(...)
    db.add(db_bet)
    return db_bet     # committed later by create_bet_slip

Bug 2: Twenty parallel bets timing out

After fixing the five-parallel test, the twenty-parallel test started timing out. The five-parallel fix reduced commits per request, but there were still five commits in the bet/make path overall:

1. Reference entity creation (create_sport, create_tournament, etc.) - one commit each if the entity was new
2. create_bet_slip - one commit
3. update_user_finance_and_transaction - one commit (unavoidable - shared function)
4. create_transaction inside finance - one commit (unavoidable)
5. SportsbookTransaction - one commit
6. Bet model - one commit

We reduced this to two unavoidable commits by changing the SportsbookTransaction insert to a flush (which assigns the auto-increment ID without committing) and deferring the Bet insert to the get_db dependency’s final commit at request teardown:

# SportsbookTransaction: flush instead of commit
db.add(sportsbook_transaction_model)
db.flush()           # <- ID assigned, not yet committed
db.refresh(sportsbook_transaction_model)

# Bet model: stage only, committed by get_db
db.add(bet_model)
# no commit here - get_db commits on response 

The two remaining commits - finance update and create_transaction - live in a shared service used across the whole platform, so we left them alone.

Bug 3: The Race Condition We Found Along the Way

While fixing the parallel bet timeouts, we noticed that some bets were failing intermittently - not with a timeout, but with HTTP 500 errors. This only happened when the reference tables (sports, tournaments, categories) were empty, i.e., on a fresh database or after clearing data between test runs.

The root cause was a classic check-then-insert race:

def create_sport(db, bet):
    existing = db.query(Sport).filter(Sport.id == bet.sport_id).first()
    if existing is None:
        sport = Sport(id=bet.sport_id, name=bet.sport_name)
        db.add(sport)
        db.commit()   # <- crash if another session commits the same PK first 

With requests arriving simultaneously, all sessions query sports at the same instant, all find nothing, and all attempt to insert the same row (same sport ID as primary key). The first one to commit wins, and the others get PostgreSQL’s duplicate key value violates unique constraint -> IntegrityError -> HTTP 500.

The fix was to replace the check-then-insert pattern with PostgreSQL’s INSERT ... ON CONFLICT DO NOTHING, executed directly within the current session’s open transaction - no separate commit needed:

from sqlalchemy.dialects.postgresql import insert as pg_insert

def create_sport(db, bet):
    stmt = pg_insert(Sport.__table__).values(
        id=bet.sport_id,
        name=bet.sport_name,
        created_at=datetime.utcnow(),
        updated_at=datetime.utcnow(),
    ).on_conflict_do_nothing(index_elements=['id'])
    db.execute(stmt)
    # no commit - everything committed by create_bet_slip at the end 

PostgreSQL serializes concurrent inserts of the same key at the database level: the second session to arrive blocks briefly until the first commits, then silently skips the insert. No application-level errors, no individual commits per entity.

Bug 4: Deadlocks and Stale Data

In a sportsbook integration, a single “Bet Make” request often needs to update multiple tables: user finance, transaction history, and betslip details. Our original code used standard SQLAlchemy SELECT ... FOR UPDATE patterns within a single transaction.

Under parallel load, this created two critical issues:

When multiple bets for the same user arrived simultaneously, they queued up waiting for the finance row lock. In our async server, any await (like publishing an event to a message broker) yields the event loop. If a request held a lock and then yielded, a competing request could block the entire event loop while waiting for that lock, preventing the first request from ever resuming to release it.

Fix: We introduced explicit commits immediately after critical financial operations and before any asynchronous calls (like await publish_event).

What We Learned

1. SQLAlchemy’s with_for_update() is necessary but not sufficient. We use it to serialize concurrent balance deductions - it’s a SELECT ... FOR UPDATE that locks the user’s finance row so only one request at a time can read-and-modify the balance. But that lock only helps for the finance update. Reference table inserts need their own concurrency strategy, which is where ON CONFLICT DO NOTHING fits.
2. Committing inside a helper function is a trap. Every db.commit() inside a function that’s called from a request handler has two costs: it blocks the event loop (SQLAlchemy is synchronous; commit() is a network round trip to PostgreSQL), and it commits everything currently staged in the session - including objects staged by callers that weren’t expecting them to be committed yet. The right pattern is to stage everything with db.add() or db.flush() (for ID generation) and commit once at the handler’s exit point.
3. The get_db dependency is a natural commit point. FastAPI’s dependency injection system calls get_db’s finally block after the response is sent. Deferring the final commit there means the DB transaction stays open as short as possible (only while the response is being prepared), and any unhandled exception automatically triggers a rollback.
4. Flush is your friend for ID generation. db.flush() sends the INSERT to PostgreSQL within the open transaction, which means PostgreSQL assigns the auto-increment primary key, but the row isn’t visible to other sessions yet. You get the ID you need for foreign keys without paying for a commit.
5. Locks vs. Awaits. Never hold a row lock while the event loop can yield. Committing early releases these locks, allowing parallel requests for the same user to proceed while the first request handles non-critical secondary logic.

Testing Parallel Behavior

To reproduce and verify these fixes, we wrote a parallel load test script (test/parallel_test.py) that generates RSA-signed JWT payloads simulating the provider’s callback format and fires N concurrent requests using asyncio.gather. Key design decisions:

• All request bodies are built before the concurrent phase starts, so JWT signing time doesn’t skew the latency measurements.
• The script generates a throwaway RSA key pair and prints the public key so you can paste it into the development config’s PUBLIC_KEY for that test run.

After all fixes: 20/20 requests succeed, wall time well under the timeout threshold.

Part 1: The Size Battle (From 1GB to 350MB)

Most Python images are bloated because they treat the container like a virtual machine rather than a specialized runtime. We achieved a 65% reduction in size using three specific tactics:

1. The Multi-Stage “Surgical” Copy

In a single-stage build, your image keeps every tool used to compile dependencies (like gcc, g++, and python3-dev). These are massive.

Fix: Build everything in a builder stage, then copy only the resulting virtual environment into a clean runtime stage.

1. Selective Shared Libraries

You don’t need a compiler to run Python, but you do need the shared libraries that C-extensions (like psycopg2 or cryptography) link to. Instead of installing full development headers in the final image, we only install the lightweight runtime versions: libpq, libstdc++, and openssl.

1. The .dockerignore Guard

The most common cause of 1GB images? Running COPY . . and accidentally pulling in your local .venv, .git folder, and pycache.

Fix: A strict .dockerignore ensures that the only environment inside the container is the one built specifically for the container.

Part 2: The Hardcoded Shebang (Fixing “File Not Found”)

Even with a small image, you might encounter a confusing error:

bash: /opt/venv/bin/<binary>: cannot execute: required file not found

The “Ghost” Path Problem

When uv or pip installs a package like Gunicorn, it creates an executable script. The very first line of that script (the Shebang) points to the absolute path of the Python interpreter used during installation.

If you build in /build/.venv but move it to /opt/venv for production, Gunicorn will still try to find Python at /build/.... Because that folder doesn’t exist in the final stage, you get a “file not found” error.

The Fix: Path-Matching

The solution is to ensure the Builder and Runtime stages use the exact same directory structure. By setting WORKDIR /opt/venv in both stages, the internal paths created by uv remain valid when the environment is moved.

Dockerfile

# Builder: Build in the final destination
WORKDIR /opt/venv
RUN uv sync --frozen ...

# Runtime: Copy to the exact same path
COPY --from=builder /opt/venv/.venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"

The Result

By combining uv’s speed with multi-stage path matching, we ended up with an image that is:

• Reproducible: uv.lock ensures zero dependency drift.
• Tiny: Alpine-based with zero build-tool bloat.
• Functional: No broken shebangs or missing shared libraries.

Let’s explore the problem by first installing a sample OpenLDAP server. The best way to do this is of course using Docker. Make sure you have Docker Desktop installed, and then execute the following:

docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.2.4

This will install a basic OpenLDAP server, which will contain a domain example.org along with a user named admin (with same password). Go ahead and test the server by executing the following:

docker exec my-openldap-container ldapsearch -x -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin

You can execute commands inside the OpenLDAP container by running the below:

docker exec -it my-openldap-container sh

At this point, you can add another password-protected user:

echo "dn: cn=alex,dc=example,dc=org
objectClass: person
cn: alex
sn: goulielmos" > entry.txt

ldapadd -D "cn=admin,dc=example,dc=org" -w admin -f entry.txt

ldappasswd -s welcome123 -D "cn=admin,dc=example,dc=org" -w admin -x "cn=alex,dc=example,dc=org"

Now we are ready to create a basic Flask application and integrate LDAP authentication. Let’s try the proposed solution first, which is to install the flask-ldap3-login package:

mkdir flask_test
cd flask_test
python3 -m venv .venv
source .venv/bin/activate
pip install flask-ldap3-login

Note that the last command will also install the latest version of Flask automatically, which at the time of writing is 3.0.2. But here is where the problems start. Fire up a Python interpreter and try out your newly-installed package:

>>> from flask_ldap3_login import LDAP3LoginManager

Traceback (most recent call last):
  File "/Users/agou/Desktop/flask_test/.venv/lib/python3.12/site-packages/flask_ldap3_login/__init__.py", line 6, in <module>
    from flask import appctx_stack as stack
ImportError: cannot import name '_app_ctx_stack' from 'flask'

Yikes! It seems that flask_ldap3_login is not compatible with the latest version of Flask. To fix this, quit the interpreter and execute the below:

pip install flask==2.2.0
pip install werkzeug==2.2.0

Now the package works. Let’s try it again, according to the instructions of the official documentation:

from flask_ldap3_login import LDAP3LoginManager
config = dict()
config['LDAP_HOST'] = 'localhost'
config['LDAP_BASE_DN'] = 'dc=example,dc=org'
config['LDAP_BIND_USER_DN'] = ''         # or None or 'admin'
config['LDAP_BIND_USER_PASSWORD'] = ''   # or None or 'admin'
ldap_manager = LDAP3LoginManager()
ldap_manager.init_config(config)
response = ldap_manager.authenticate('alex', 'welcome123')
print(response.status)

Unfortunately, the authentication always fails for some reason, no matter the combination of BASE_DN, BIND_USER_DN and BIND_USER_PASSWORD. If you have any idea why, let me know in the comments.

But then, the epiphany comes: the real power of Flask is that it allows you to use anything; you are not tied to any specific package. So let’s try a different one. Once again, exit the interpreter and execute the below:

pip install python-ldap
The go into Python again to try it:

connect = ldap.initialize('ldap://localhost')
connect.simple_bind_s('cn=admin,dc=example,dc=org', 'admin')

Thank God this works! Time to write our Flask app. We just need to exit the interpreter and install one more package:

pip install flask_httpauth

Then create the below Flask app using your favorite editor:

# myapp.py
from flask import Flask
from flask_httpauth import HTTPBasicAuth
import ldap

app = Flask(__name__)
basic_auth = HTTPBasicAuth()

@basic_auth.verify_password
def verify_password(username, password):
  try:
    connect = ldap.initialize('ldap://localhost')
    connect.simple_bind_s(f'cn={username},dc=example,dc=org', password) # in other cases you might need domain+'\\'+username
    return username
  except:
    pass

@app.route('/myroute', methods=['POST'])
@basic_auth.login_required
def myroute():
  return basic_auth.current_user()

This is just a trivial app with only one route. The route is login-protected, and if it’s accessed successfully it just prints the logged-in username.

Let’s run the app:

flask --app myapp run

and try it using curl:

curl -u admin:admin -X POST http://127.0.0.1:5000/myroute

or with your manually-added credentials:

curl -u alex:welcome123 -X POST http://127.0.0.1:5000/myroute

It works in both cases. Enjoy your Flask app with the newly-added LDAP integration!

First of all, let’s illustrate the issue by creating a new Django project. (The instructions in the first part of the post, have been taken from Will Vincent’s excellent book Django for Professionals.)

mkdir logout_sample
cd logout_sample
python3 -m venv .venv
source .venv/bin/activate
pip install django #(at the time of writing, this installs version 4.2.7)
django-admin startproject config . #(don’t forget the dot)
python3 manage.py migrate
python3 manage.py createsuperuser

At this point, you cun run the project: python3 manage.py runserver
to check if everything works correctly.

Now, let’s create a pages app, which will contain our project’s common pages:

python3 manage.py startapp pages

Include this app in the settings:

# config/settings.py
INSTALLED_APPS = [
    ...
    'django.contrib.staticfiles',

    # Our apps
    'pages',
]

Now let’s create some templates. First, modify settings to enable a project-level templates folder:

TEMPLATES = [
  {
  ...
  #'DIRS': [],
  'DIRS': [BASE_DIR / 'templates'],

Create the templates folder:

mkdir templates

and add your base template, from which every other template will inherit:

<!-- templates/_base.html -->   
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>{% block title %}Our Site{% endblock title %}</title>
</head>
<body>
    <div class="container">
    {% block content %}
    {% endblock content %}
    </div>
</body>
</html>

Now we should create the homepage template, but first add the app’s URLs:

# pages/urls.py
from django.urls import path
from .views import HomePageView

urlpatterns = [
    path('', HomePageView.as_view(), name='home'),
]

Add a basic view:

# pages/views.py
from django.views.generic import TemplateView

class HomePageView(TemplateView):
  template_name = 'home.html'

Modify the project’s URLs:

# config/urls.py
from django.contrib import admin
from django.urls import path, include

urlpatterns = [
    path('admin/', admin.site.urls),
    path('accounts/', include('django.contrib.auth.urls')),
    path('', include('pages.urls')),
]

Note here that we include django.contrib.auth.urls. If you inspect the relevant Django’s source code, you will see that by doing so, we are actually including the below code:

from django.contrib.auth import views
class LoginView(...): template_name = "registration/login.html"
class LogoutView(...): template_name = "registration/logged_out.html"
path("login/", views.LoginView.as_view(), name="login"),
path("logout/", views.LogoutView.as_view(), name="logout"),

This is important knowledge for the next steps.

Finally we can add our homepage template:

<!-- templates/home.html -->
{% extends "_base.html" %}
{% block title %}Home{% endblock title %}
{% block content %}
<h1>This is our home page.</h1>
{% if user.is_authenticated %}
  <p>Hi {{ user.email }}!</p>
  <p><a href="{% url 'logout' %}">Log Out</a></p>
{% else %}
  <p>You are not logged in</p>
  <a href="{% url 'login' %}">Log In</a>
{% endif %}
{% endblock content %}

Now we need our login template. Create the folder that Django expects for it (as we saw above):

mkdir templates/registration

and add the login template there:

<!-- templates/registration/login.html -->
{% extends "_base.html" %}
{% block title %}Log In{% endblock title %}
{% block content %}
<h2>Log In</h2>
<form method="post">
{% csrf_token %}
{{ form.as_p }}
<button type="submit">Log In</button>
</form>
{% endblock content %}

Also add the below line at the end of settings, so you will be redirected to the homepage after login:

LOGIN_REDIRECT_URL = 'home'

Now we are getting to the meat of things. Run the app, visit http://localhost:8000 and log in:

Clicking the logout link of our homepage, we are just redirected to the Admin logout page:

This isn’t optimal, because a user logging out from a custom app will see the different look and feel of the Admin logout page.

Let’s try adding the following line at the end of settings:

LOGOUT_REDIRECT_URL = 'home'

This will just redirect a logged out user to the home page. While this works for our custom apps, it isn’t optimal either. First of all, we might want to have a dedicated logout page (not just be redirected to the home page). Second and most important, now we have also lost the Admin logout! Users logging out from the Admin app, will be redirected to the homepage of our custom apps. Not good!

Let’s make a first attempt for a custom logout page. Remove LOGOUT_REDIRECT_URL = 'home' and create the below template, as the code expects:

<!-- templates/registration/logged_out.html -->
{% extends "_base.html" %}
{% block title %}Log Out{% endblock title %}
{% block content %}
<h2>You are logged out</h2>
{% endblock content %}

This works great for our custom apps, but it replaces (overrides) the Admin logout page, because the Admin template has the same name: contrib/admin/templates/registration/logged_out.html
This means that we have lost the Admin logout again, and now we have the reverse problem: a user logging out from the Admin app will see the different look and feel of our custom logout page.

(The Admin login was not replaced, because it exists in a special location: contrib/admin/templates/admin/login.html. This location was found by using the information in this article.)

So what’s the actual solution??

Rename registration/logged_out.html to registration/mylogout.html and change config/urls.py according to this article as follows:

# config/urls.py
from django.contrib.auth import views

urlpatterns = [
    path('admin/', admin.site.urls),

    path(
      'accounts/logout/',
      views.LogoutView.as_view(
        template_name='registration/mylogout.html',
        next_page=None),
      name='logout'),

    path('accounts/', include('django.contrib.auth.urls')),
    path('', include('pages.urls')),
]

Note that we specified our own logout URL first, effectively overriding the one in django.contrib.auth.urls.

Now we have the best of both worlds. The Admin app’s logout page continues to work, and our custom apps enjoy their own, dedicated logout page. Nice!

1. Issue tracking

Everything begins here, so this step is very important. Initially we were using plain-old email for issue tracking. We even implemented a mechanism for automatic ID creation per email message, so we could easily refer to a specific message later. However, email messages can’t be categorised easily. Besides that, email is used for so many other types of communication, thus it’s not reliable as an issue tracker.

Another option we tried was to use Jira, which covers all the necessary functionality. However, we ended up developing our own issue tracking system, for two reasons:

• We can utilise our existing user base
• Everything can be stored in our own database

Either way, the main concern here is to collect all information regarding a specific issue (messages and attachments) in a single place, and give it a unique ID. Every time someone wants us to fix a bug or build a new feature, they have to go through our issue tracking application. Having a good system ensures that all issues are carefully articulated and documented, and also provides statistical insights at the end of each year.

2. Specification document

Bug fixing is usually straightforward, but in the case of new features (or obviously, new projects) we have to transform the correspondence submitted to the issue tracking system, into a proper specification document, to be used by the developers. This document should contain ample implementation details, including database design (my favourite part). When the document is ready, we submit it to the issue tracking system as well. Spec writing is an art form in itself, so we are always trying to get better at this.

3. Create new local branch on local development machine

When we finally have our issue and our spec, it’s time to open a new branch to work on. This can be named anything the developer likes, but usually we name it the same as the issue ID.

4. Development and testing on local machine

This is the meat of the process, obviously. We don’t have a QA department, so we try to bring together developers, architects and users, as often as possible, during the development stage.

5. Update documentation

Here is where we are trying to improve. We used to store documentation in our document management system, i.e. SharePoint. But current good practices (I try to avoid the term “best practices”) dictate that all documentation should reside in the project’s repository, and be updated along with the code. In our case, this includes the below four documents for each project:

• User’s manual
• Technical document (architecture and code notes)
• API endpoint list (if applicable)
• README (installation instructions)

We try to avoid binary formats. All documents should be text-based, so they can be tracked and versioned by git. In order to support images and formatting in the documents, we use open markup technologies (currently HTML, and in the future Markdown) so the documents can be rendered properly when needed.

6. Commit

This is self-explanatory. We are just making sure to include the issue ID in each commit message, along with a short description. The only comment I would like to add here is something I recently read: “the commit is our principle unit of work. It deserves to be treated thoughtfully and with care.”

7. Git push to new remote branch

Self-explanatory as well. Just a quick note: when a “git push” of a new local branch is executed, a new remote branch is created automatically (provided that the developer has permission to do so).

8. Create pull request

This is important. It signifies that the developer is confident for his work, and is ready to submit it for code review. Again we include the issue ID in this step, so we can easily refer to the respective issue later.

9. Merge pull request

This is the code review step, usually performed by the team leader or software architect (that would be me, in most cases). If all the previous steps have been performed diligently, then this step is mostly a formality.

10. Delete new remote branch

After merging the pull request, the new remote branch can be safely deleted. Github offers this functionality by default. In the end, you will have your new commits plus one more (named “merge…”) on the remote main branch.

11. Git checkout main and git pull on local machine

This pulls all new commits, so there’s no need for “git merge”.

12. Delete new local branch on local machine

At this stage, the new local branch can be safely deleted as well.

13. Deployment: git pull on server

This is the 13th step, but hopefully it’s not bad luck. We just perform a “git pul” on the deployment server, and normally the new changes are automatically read, without needing to restart the application. This holds true for both Django and React apps.

Maintaining a good codebase is key in the success of a development department. Following the above steps, and at the same time improving the process continuously, we are hoping to be in a good position for many years to come.

The first step was making our office web-based. Ionia has always been a Microsoft shop, so the choice was obvious: move everything to SharePoint.

We use SharePoint for file storage (OneDrive), online collaboration (Office 365), approvals, workflows, and simple data storage (lists and document libraries). But most importantly, we use SharePoint as a placeholder and starting point for all our custom software. This presupposes that all this software is web-based.

So how did we achieve that? Well, for reporting needs we already had Power BI (see this excellent post by a former colleague). This means that reporting was almost ready. Our SQL Server databases are still on premises (we are not so bold yet to move them to the cloud), so we employed the Gateway mechanism to retrieve necessary data for our online Power BI reports. We also doubled down on our hiring of Power BI developers, using mostly UpWork to reach worldwide talent.

For simple applications, we use either Microsoft’s own solutions (for example, Planner) or we build our own Power Apps for custom needs. Power Apps are low-code, and they integrate seamlessly with SharePoint lists for data storage.

And now getting to the meat of things. We had a series of legacy desktop apps that needed to be ported to web. Not easy!

The first step was to move our codebase to the cloud. The solution is obvious: GitHub. We created an organisational account, plus various repositories for our projects, some private and others public. We educated and pushed in-house and external developers to use git.

Second step was to choose our new development stack. Web apps need a backend and a frontend, so we had to make a careful choice for both.

For the former, the most obvious choice was .NET which would make the porting of our current desktop apps easier. And indeed we did that successfully. But we didn’t stay there. Having used Python for various scripting needs across our systems, we also decided to give Django a try. It has been said that Django is like a superpower for solo developers or small teams, and this is true. It enables you to build a backend easily, gives you the ability to offer an API quickly if needed, and even provides a professional GUI out of the box, in the form of the Admin Panel.

For the frontend, we initially went with Razor Pages thinking that we will enjoy easier integration with our .NET backends. While this is true, we later found that the React framework is more powerful and much more popular with developers. So we are a React shop now and our apps look great!

The results of all the above have been very nice. When our users log into their workstations every morning, they are presented with our SharePoint intranet page and they have everything at their fingertips: files, data, reports and applications.

Things haven’t been easy and there is still much to do. But we are always learning and evolving, and we fully intend to advance even further. Oh, and if any of the above sounds interesting, we are always hiring!