security: LOW findings + fix .gitignore overmatch

- Swagger UI restricted to localhost only
- Message content length limit (4000 chars max) on create + update
- Bot/server/webhook ownership checks return 404 instead of 403
  (prevents resource ID enumeration)
- Fix .gitignore: /server instead of server to stop ignoring
  internal/server/ directory
This commit is contained in:
2026-06-29 09:41:44 -04:00
parent d25763cc84
commit 88756a72fa
7 changed files with 352 additions and 15 deletions
+19 -4
View File
@@ -223,10 +223,25 @@ func main() {
webhook.NewHandler(database.DB, hub).Execute(w, r)
})
// Swagger UI
r.Get("/docs/*", httpSwagger.Handler(
httpSwagger.URL("/docs/swagger.json"),
))
// Swagger UI (only accessible from localhost to avoid exposing API docs)
r.Group(func(r chi.Router) {
r.Use(func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
host := r.Host
if host == "" {
host = r.Header.Get("Host")
}
if host != "localhost:"+cfg.Port && host != "127.0.0.1:"+cfg.Port && host != "[::1]:"+cfg.Port {
http.Error(w, `{"error":"not found"}`, http.StatusNotFound)
return
}
next.ServeHTTP(w, r)
})
})
r.Get("/docs/*", httpSwagger.Handler(
httpSwagger.URL("/docs/swagger.json"),
))
})
// Static file serving for production (SPA)
staticDir := "/srv/web"