security: remediate all P0-P2 audit findings (12 tasks)
P0 fixes: - WebSocket origin checking (reject untrusted origins) - WS session token moved from URL query param to first message frame - WebAuthn login cookie now uses Secure flag via shared SetSessionCookie - PostgreSQL sslmode configurable via POSTGRES_SSLMODE env (default: require) - Fixed DatabaseDSN to use real password instead of masked placeholder P1 fixes: - Per-IP rate limiting middleware (auth: 5 req/s, invites: 2 req/s) - Security headers on all responses (CSP, X-Frame-Options, nosniff, etc.) - WS broadcasts scoped to server members (prevents cross-server data leak) - Webhook tokens stored as SHA-256 hashes (not plaintext) P2 fixes: - CSRF protection via Origin header validation on state-changing requests - MANAGE_CHANNELS permission enforced on channel update/delete - Upload validation: 25MB limit, extension allowlist, server-side MIME check - File serve: path traversal protection + Content-Disposition: attachment Files: 23 changed, +499/-100. Builds clean (go build, go vet, npm build). Zero CVEs (govulncheck, npm audit).
This commit is contained in:
+68
-19
@@ -21,7 +21,28 @@ const (
|
||||
var upgrader = websocket.Upgrader{
|
||||
ReadBufferSize: 1024,
|
||||
WriteBufferSize: 1024,
|
||||
CheckOrigin: func(r *http.Request) bool { return true },
|
||||
CheckOrigin: func(r *http.Request) bool { return true }, // default: allow all (overridden by SetAllowedOrigins)
|
||||
}
|
||||
|
||||
// SetAllowedOrigins replaces the default upgrader with one that validates
|
||||
// the Origin header against a trusted set. Call once at startup.
|
||||
func SetAllowedOrigins(origins []string) {
|
||||
originSet := make(map[string]struct{}, len(origins))
|
||||
for _, o := range origins {
|
||||
originSet[o] = struct{}{}
|
||||
}
|
||||
upgrader = websocket.Upgrader{
|
||||
ReadBufferSize: 1024,
|
||||
WriteBufferSize: 1024,
|
||||
CheckOrigin: func(r *http.Request) bool {
|
||||
origin := r.Header.Get("Origin")
|
||||
if origin == "" {
|
||||
return false
|
||||
}
|
||||
_, ok := originSet[origin]
|
||||
return ok
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// Client is a middleman between the websocket connection and the hub.
|
||||
@@ -118,31 +139,59 @@ func (c *Client) writePump() {
|
||||
}
|
||||
}
|
||||
|
||||
// ServeWS handles websocket requests from the peer. It authenticates the
|
||||
// client via a session token passed as the "token" query parameter.
|
||||
// authMessage is the first frame the client must send after connecting.
|
||||
type authMessage struct {
|
||||
Token string `json:"token"`
|
||||
}
|
||||
|
||||
// ServeWS handles websocket requests from the peer. It upgrades the
|
||||
// connection first, then waits for an auth message frame containing the
|
||||
// session token. This avoids leaking the token in the URL (which would
|
||||
// appear in server logs, browser history, and Referer headers).
|
||||
func ServeWS(db *sql.DB, hub *Hub, logger *slog.Logger, w http.ResponseWriter, r *http.Request) {
|
||||
token := r.URL.Query().Get("token")
|
||||
if token == "" {
|
||||
http.Error(w, `{"error":"missing token"}`, http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
var userID string
|
||||
err := db.QueryRowContext(context.Background(),
|
||||
`SELECT user_id FROM sessions WHERE token = $1 AND expires_at > NOW()`,
|
||||
token,
|
||||
).Scan(&userID)
|
||||
if err != nil {
|
||||
http.Error(w, `{"error":"invalid or expired session"}`, http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
conn, err := upgrader.Upgrade(w, r, nil)
|
||||
if err != nil {
|
||||
logger.Error("websocket upgrade failed", "error", err)
|
||||
return
|
||||
}
|
||||
|
||||
// Short deadline for the auth frame; we don't want unauthenticated
|
||||
// connections hanging around consuming resources.
|
||||
conn.SetReadDeadline(time.Now().Add(10 * time.Second))
|
||||
_, raw, err := conn.ReadMessage()
|
||||
if err != nil {
|
||||
logger.Warn("ws auth: failed to read auth message", "error", err)
|
||||
conn.WriteMessage(websocket.TextMessage, []byte(`{"error":"auth timeout"}`))
|
||||
conn.Close()
|
||||
return
|
||||
}
|
||||
|
||||
var auth authMessage
|
||||
if err := json.Unmarshal(raw, &auth); err != nil || auth.Token == "" {
|
||||
logger.Warn("ws auth: invalid auth message")
|
||||
conn.WriteMessage(websocket.TextMessage, []byte(`{"error":"missing token"}`))
|
||||
conn.Close()
|
||||
return
|
||||
}
|
||||
|
||||
var userID string
|
||||
err = db.QueryRowContext(context.Background(),
|
||||
`SELECT user_id FROM sessions WHERE token = $1 AND expires_at > NOW()`,
|
||||
auth.Token,
|
||||
).Scan(&userID)
|
||||
if err != nil {
|
||||
logger.Warn("ws auth: invalid session", "error", err)
|
||||
conn.WriteMessage(websocket.TextMessage, []byte(`{"error":"invalid session"}`))
|
||||
conn.Close()
|
||||
return
|
||||
}
|
||||
|
||||
// Auth succeeded. Clear the auth deadline (readPump sets its own).
|
||||
conn.SetReadDeadline(time.Time{})
|
||||
|
||||
// Send ready signal so the client knows auth passed.
|
||||
conn.WriteMessage(websocket.TextMessage, []byte(`{"type":"ready"}`))
|
||||
|
||||
client := &Client{
|
||||
Hub: hub,
|
||||
Conn: conn,
|
||||
|
||||
@@ -28,6 +28,7 @@ type Hub struct {
|
||||
clients map[*Client]struct{}
|
||||
presence map[string]string // userID -> status
|
||||
lastActivity map[string]time.Time // userID -> last activity time
|
||||
userServers map[string]map[string]struct{} // userID -> set of serverIDs
|
||||
register chan *Client
|
||||
unregister chan *Client
|
||||
broadcast chan []byte
|
||||
@@ -41,6 +42,7 @@ func NewHub(db *sql.DB, logger *slog.Logger) *Hub {
|
||||
clients: make(map[*Client]struct{}),
|
||||
presence: make(map[string]string),
|
||||
lastActivity: make(map[string]time.Time),
|
||||
userServers: make(map[string]map[string]struct{}),
|
||||
register: make(chan *Client),
|
||||
unregister: make(chan *Client),
|
||||
broadcast: make(chan []byte, 256),
|
||||
@@ -63,6 +65,7 @@ func (h *Hub) Run() {
|
||||
h.lastActivity[client.UserID] = time.Now()
|
||||
h.mu.Unlock()
|
||||
|
||||
h.RefreshUserServers(client.UserID)
|
||||
h.setUserStatus(client.UserID, "online")
|
||||
h.broadcastPresence(client.UserID, "online")
|
||||
h.logger.Info("client connected", "user_id", client.UserID)
|
||||
@@ -79,6 +82,7 @@ func (h *Hub) Run() {
|
||||
if !hasOther {
|
||||
delete(h.presence, client.UserID)
|
||||
delete(h.lastActivity, client.UserID)
|
||||
delete(h.userServers, client.UserID)
|
||||
}
|
||||
h.mu.Unlock()
|
||||
|
||||
@@ -207,3 +211,65 @@ func (h *Hub) ClientCount() int {
|
||||
defer h.mu.RUnlock()
|
||||
return len(h.clients)
|
||||
}
|
||||
|
||||
// RefreshUserServers loads the server membership for a user from the database
|
||||
// and caches it. Call when a client connects or when server membership changes.
|
||||
func (h *Hub) RefreshUserServers(userID string) {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
||||
defer cancel()
|
||||
|
||||
rows, err := h.db.QueryContext(ctx, `SELECT server_id FROM members WHERE user_id = $1`, userID)
|
||||
if err != nil {
|
||||
h.logger.Error("failed to load user servers", "user_id", userID, "error", err)
|
||||
return
|
||||
}
|
||||
defer rows.Close()
|
||||
|
||||
servers := make(map[string]struct{})
|
||||
for rows.Next() {
|
||||
var sid string
|
||||
if err := rows.Scan(&sid); err == nil {
|
||||
servers[sid] = struct{}{}
|
||||
}
|
||||
}
|
||||
|
||||
h.mu.Lock()
|
||||
h.userServers[userID] = servers
|
||||
h.mu.Unlock()
|
||||
}
|
||||
|
||||
// BroadcastToServer sends an event only to clients who are members of the
|
||||
// given server. Use this for server-scoped events (messages, channels,
|
||||
// reactions) to prevent cross-server data leaks.
|
||||
func (h *Hub) BroadcastToServer(serverID string, event Event) {
|
||||
data, err := json.Marshal(event)
|
||||
if err != nil {
|
||||
h.logger.Error("failed to marshal event", "type", event.Type, "error", err)
|
||||
return
|
||||
}
|
||||
|
||||
h.mu.RLock()
|
||||
defer h.mu.RUnlock()
|
||||
|
||||
for client := range h.clients {
|
||||
servers, ok := h.userServers[client.UserID]
|
||||
if !ok {
|
||||
continue
|
||||
}
|
||||
if _, member := servers[serverID]; member {
|
||||
select {
|
||||
case client.send <- data:
|
||||
default:
|
||||
go func(c *Client) { h.unregister <- c }(client)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// ServerIDForChannel looks up the server_id that owns the given channel.
|
||||
// Used by handlers to route events to the correct server scope.
|
||||
func (h *Hub) ServerIDForChannel(ctx context.Context, channelID string) (string, error) {
|
||||
var serverID string
|
||||
err := h.db.QueryRowContext(ctx, `SELECT server_id FROM channels WHERE id = $1`, channelID).Scan(&serverID)
|
||||
return serverID, err
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user