security: remediate all P0-P2 audit findings (12 tasks)

P0 fixes:
- WebSocket origin checking (reject untrusted origins)
- WS session token moved from URL query param to first message frame
- WebAuthn login cookie now uses Secure flag via shared SetSessionCookie
- PostgreSQL sslmode configurable via POSTGRES_SSLMODE env (default: require)
- Fixed DatabaseDSN to use real password instead of masked placeholder

P1 fixes:
- Per-IP rate limiting middleware (auth: 5 req/s, invites: 2 req/s)
- Security headers on all responses (CSP, X-Frame-Options, nosniff, etc.)
- WS broadcasts scoped to server members (prevents cross-server data leak)
- Webhook tokens stored as SHA-256 hashes (not plaintext)

P2 fixes:
- CSRF protection via Origin header validation on state-changing requests
- MANAGE_CHANNELS permission enforced on channel update/delete
- Upload validation: 25MB limit, extension allowlist, server-side MIME check
- File serve: path traversal protection + Content-Disposition: attachment

Files: 23 changed, +499/-100. Builds clean (go build, go vet, npm build).
Zero CVEs (govulncheck, npm audit).
This commit is contained in:
2026-06-29 09:30:50 -04:00
parent 5373105368
commit 130187c7be
23 changed files with 504 additions and 105 deletions
+66
View File
@@ -28,6 +28,7 @@ type Hub struct {
clients map[*Client]struct{}
presence map[string]string // userID -> status
lastActivity map[string]time.Time // userID -> last activity time
userServers map[string]map[string]struct{} // userID -> set of serverIDs
register chan *Client
unregister chan *Client
broadcast chan []byte
@@ -41,6 +42,7 @@ func NewHub(db *sql.DB, logger *slog.Logger) *Hub {
clients: make(map[*Client]struct{}),
presence: make(map[string]string),
lastActivity: make(map[string]time.Time),
userServers: make(map[string]map[string]struct{}),
register: make(chan *Client),
unregister: make(chan *Client),
broadcast: make(chan []byte, 256),
@@ -63,6 +65,7 @@ func (h *Hub) Run() {
h.lastActivity[client.UserID] = time.Now()
h.mu.Unlock()
h.RefreshUserServers(client.UserID)
h.setUserStatus(client.UserID, "online")
h.broadcastPresence(client.UserID, "online")
h.logger.Info("client connected", "user_id", client.UserID)
@@ -79,6 +82,7 @@ func (h *Hub) Run() {
if !hasOther {
delete(h.presence, client.UserID)
delete(h.lastActivity, client.UserID)
delete(h.userServers, client.UserID)
}
h.mu.Unlock()
@@ -207,3 +211,65 @@ func (h *Hub) ClientCount() int {
defer h.mu.RUnlock()
return len(h.clients)
}
// RefreshUserServers loads the server membership for a user from the database
// and caches it. Call when a client connects or when server membership changes.
func (h *Hub) RefreshUserServers(userID string) {
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
rows, err := h.db.QueryContext(ctx, `SELECT server_id FROM members WHERE user_id = $1`, userID)
if err != nil {
h.logger.Error("failed to load user servers", "user_id", userID, "error", err)
return
}
defer rows.Close()
servers := make(map[string]struct{})
for rows.Next() {
var sid string
if err := rows.Scan(&sid); err == nil {
servers[sid] = struct{}{}
}
}
h.mu.Lock()
h.userServers[userID] = servers
h.mu.Unlock()
}
// BroadcastToServer sends an event only to clients who are members of the
// given server. Use this for server-scoped events (messages, channels,
// reactions) to prevent cross-server data leaks.
func (h *Hub) BroadcastToServer(serverID string, event Event) {
data, err := json.Marshal(event)
if err != nil {
h.logger.Error("failed to marshal event", "type", event.Type, "error", err)
return
}
h.mu.RLock()
defer h.mu.RUnlock()
for client := range h.clients {
servers, ok := h.userServers[client.UserID]
if !ok {
continue
}
if _, member := servers[serverID]; member {
select {
case client.send <- data:
default:
go func(c *Client) { h.unregister <- c }(client)
}
}
}
}
// ServerIDForChannel looks up the server_id that owns the given channel.
// Used by handlers to route events to the correct server scope.
func (h *Hub) ServerIDForChannel(ctx context.Context, channelID string) (string, error) {
var serverID string
err := h.db.QueryRowContext(ctx, `SELECT server_id FROM channels WHERE id = $1`, channelID).Scan(&serverID)
return serverID, err
}