security: LOW findings + fix .gitignore overmatch

- Swagger UI restricted to localhost only
- Message content length limit (4000 chars max) on create + update
- Bot/server/webhook ownership checks return 404 instead of 403
  (prevents resource ID enumeration)
- Fix .gitignore: /server instead of server to stop ignoring
  internal/server/ directory
This commit is contained in:
2026-06-29 09:41:44 -04:00
parent d25763cc84
commit 88756a72fa
7 changed files with 352 additions and 15 deletions
+8
View File
@@ -90,6 +90,10 @@ func (h *Handler) Create(w http.ResponseWriter, r *http.Request) {
http.Error(w, `{"error":"content is required"}`, http.StatusBadRequest)
return
}
if len(req.Content) > 4000 {
http.Error(w, `{"error":"message too long (max 4000 chars)"}`, http.StatusBadRequest)
return
}
var msg messageResponse
var editedAt sql.NullString
@@ -173,6 +177,10 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request) {
http.Error(w, `{"error":"content is required"}`, http.StatusBadRequest)
return
}
if len(req.Content) > 4000 {
http.Error(w, `{"error":"message too long (max 4000 chars)"}`, http.StatusBadRequest)
return
}
var msg messageResponse
var editedAt sql.NullString