Commit Graph

57 Commits

Author SHA1 Message Date
hobokenchicken 1945703893 fix: case-insensitive login for username and email 2026-06-30 08:24:41 -04:00
hobokenchicken e380d4e381 docs: feature parity comparison with Discord, Guilded, TeamSpeak 6, Fluxer 2026-06-30 08:18:23 -04:00
hobokenchicken bbd7992e12 fix: nil pushHandler crash in message Create 2026-06-29 16:06:00 -04:00
hobokenchicken 6c8defb6fd feat: realtime status, mentions, push notifications 2026-06-29 15:52:34 -04:00
hobokenchicken 282a436995 fix: construct invite URL from code on frontend 2026-06-29 15:35:22 -04:00
hobokenchicken 6a737c3db3 fix: invite handler used creator_id but DB column is created_by 2026-06-29 15:32:24 -04:00
hobokenchicken 7261ebaafa fix: invite routes were double-nested under /invites causing 404->SPA fallback 2026-06-29 15:30:20 -04:00
hobokenchicken 2d3bf48e66 fix: add invite button, voice join dedup, voice panel immediate render 2026-06-29 15:28:05 -04:00
hobokenchicken a8a09cf7b4 fix: CSRF and WS origin check trust request Host header (same-origin) 2026-06-29 14:38:18 -04:00
hobokenchicken 7f56571004 fix: WS origin check now uses hostname matching instead of exact strings 2026-06-29 14:33:39 -04:00
hobokenchicken 369737565e fix: WebSocket cookie auth + connect on layout mount 2026-06-29 14:30:29 -04:00
hobokenchicken 90289fede1 sync: all server-side fixes and features 2026-06-29 14:24:45 -04:00
hobokenchicken c189bd2d83 fix: return messages in chronological order (oldest first) 2026-06-29 14:18:56 -04:00
hobokenchicken 175ec90705 fix: blank page on channel click + logout issue 2026-06-29 14:16:32 -04:00
hobokenchicken a7da8104d7 fix: channel List reads serverID from URL param, not query string 2026-06-29 14:11:33 -04:00
hobokenchicken 368d1f9427 fix: ensure reply_to column exists via ALTER TABLE in migration 2026-06-29 14:05:56 -04:00
hobokenchicken 9f138deb9d feat: login with username or email + change password
Backend:
- Login handler accepts username OR email via the same field
- New PUT /auth/me/password endpoint (verifies current password,
  requires min 8 chars for new password)

Frontend:
- Login form shows EMAIL OR USERNAME field (single field for both)
- Auth store updated with changePassword function
- UserSettings has new CHANGE PASSWORD section
2026-06-29 14:00:19 -04:00
hobokenchicken fec0eb1917 fix: use single quotes for SQL COALESCE defaults (not double quotes) 2026-06-29 13:53:17 -04:00
root 23902de912 feat: server members API + member list in sidebar + fix chat input
Backend:
- Add GET /api/v1/servers/{serverID}/members endpoint
- Wire MemberHandler routes in main.go

Frontend:
- Create member store (fetchMembers by server ID)
- MemberList now fetches members from API instead of empty props
- ChatArea: show channel name instead of ID, add error display,
  add flex-1 + min-w-0 to input for proper sizing, error handling
  on sendMessage
2026-06-29 17:51:32 +00:00
root bb67a7652e fix: resolve duplicate path prefix issues for message and webhook routes 2026-06-29 17:48:28 +00:00
hobokenchicken de465c6527 fix: read serverID from URL param instead of body in channel create
The channel Create handler was expecting server_id in the JSON body,
but the frontend sends it in the URL path (/servers/{serverID}/channels).
Now reads serverID from chi.URLParam and only requires name in the body.
2026-06-29 13:35:50 -04:00
hobokenchicken 118155d737 fix: support DUMPSTER_CSRF_ORIGINS env var for LAN access
The CSRF middleware was rejecting requests from LAN IPs because
cfg.Host defaults to 'localhost' which doesn't match the LAN IP.

Now supports DUMPSTER_CSRF_ORIGINS env var (comma-separated list of
full origins) for additional trusted origins beyond cfg.Host.

Removed debug logging from CSRF middleware.
2026-06-29 13:20:07 -04:00
hobokenchicken 5c7e461dad fix: CSRF middleware now trusts origin hostname match instead of exact prefix
The old CSRF middleware used exact string matching against a static list
of origins (https://host, http://localhost:port). This broke when the
frontend ran on a different port (Vite dev server) or accessed via LAN IP.

New behavior:
- Origin hostname matching: any Origin whose hostname matches cfg.Host
  is trusted, regardless of scheme or port
- Localhost variants always trusted: localhost, 127.0.0.1, ::1
- Additional origins can be passed explicitly (future env var support)
2026-06-29 12:57:52 -04:00
hobokenchicken 3f33859f4a feat: UI for server/channel creation, settings link, role management backend
Frontend:
- Settings link in header next to logout
- [+] button to create server (name + optional icon)
- [#] button to join server via invite code
- [+] button to create channel (name, type, category)
- Server name shown instead of UUID in channel list header
- /invites/:code route wired for JoinServer component

Backend:
- Wire role CRUD + member-role assignment routes (MANAGE_SERVER gated)
- Seed @everyone default role on server creation
2026-06-29 12:50:46 -04:00
root 3072cda051 fix: resolve Sscanf greedy parsing bug in VerifyPassword 2026-06-29 16:25:58 +00:00
root a81a8e6901 fix: make session cookie Secure attribute optional for HTTP/LAN dev 2026-06-29 16:19:58 +00:00
root d122133e93 config: expose vite dev server to lan and configure api proxy 2026-06-29 16:14:11 +00:00
root 78c0c28ff5 fix: shell and nvm path sourcing in Makefile web targets 2026-06-29 16:10:03 +00:00
root 4eaab40e48 fix: expose local ports in compose and auto-load .env in config package 2026-06-29 15:48:29 +00:00
root bd2a7ec2a6 fix: load LiveKit and WebPush configuration fields in Load() 2026-06-29 15:45:06 +00:00
hobokenchicken 88756a72fa security: LOW findings + fix .gitignore overmatch
- Swagger UI restricted to localhost only
- Message content length limit (4000 chars max) on create + update
- Bot/server/webhook ownership checks return 404 instead of 403
  (prevents resource ID enumeration)
- Fix .gitignore: /server instead of server to stop ignoring
  internal/server/ directory
2026-06-29 09:41:44 -04:00
hobokenchicken d25763cc84 feat(voice): add AudioPresets and publish defaults for voice quality 2026-06-29 09:37:25 -04:00
hobokenchicken 130187c7be security: remediate all P0-P2 audit findings (12 tasks)
P0 fixes:
- WebSocket origin checking (reject untrusted origins)
- WS session token moved from URL query param to first message frame
- WebAuthn login cookie now uses Secure flag via shared SetSessionCookie
- PostgreSQL sslmode configurable via POSTGRES_SSLMODE env (default: require)
- Fixed DatabaseDSN to use real password instead of masked placeholder

P1 fixes:
- Per-IP rate limiting middleware (auth: 5 req/s, invites: 2 req/s)
- Security headers on all responses (CSP, X-Frame-Options, nosniff, etc.)
- WS broadcasts scoped to server members (prevents cross-server data leak)
- Webhook tokens stored as SHA-256 hashes (not plaintext)

P2 fixes:
- CSRF protection via Origin header validation on state-changing requests
- MANAGE_CHANNELS permission enforced on channel update/delete
- Upload validation: 25MB limit, extension allowlist, server-side MIME check
- File serve: path traversal protection + Content-Disposition: attachment

Files: 23 changed, +499/-100. Builds clean (go build, go vet, npm build).
Zero CVEs (govulncheck, npm audit).
2026-06-29 09:30:50 -04:00
hobokenchicken 5373105368 Simplify Quick Start: single docker compose up
- Dockerfile: auto-generate DUMPSTER_SECRET if not set
- compose.yml: remove env_file requirement, use env vars with defaults, share web_assets volume with caddy
- README: Quick Start is now 3 commands (clone, cd, docker compose up)
2026-06-28 19:31:06 -04:00
hobokenchicken 27f2faecaa Fix README: WebAuthn passkeys no longer deferred 2026-06-28 19:20:13 -04:00
hobokenchicken 72ca99b58d Add swaggo annotations to all handlers and regenerate full Swagger docs
- Added @Summary/@Router/@Param/@Success/@Security annotations to all API handlers
- Regenerated docs/swagger.json, docs/swagger.yaml, docs/docs.go with full endpoint definitions
- Fixed generated docs.go to remove unsupported LeftDelim/RightDelim fields
2026-06-28 19:16:42 -04:00
hobokenchicken 1b7778930c Update README: all items complete 2026-06-28 19:06:47 -04:00
hobokenchicken 613d4b8c6e Complete WebAuthn backend + push notification mention parsing
Backend:
- internal/auth/webauthn.go: full RegisterBegin/Finish, LoginBegin/Finish implementation
  - In-memory challenge store with eviction
  - Credential storage in webauthn_credentials table
  - Session creation on successful passkey login
  - Cookie-based challenge linking for login flow
- internal/message/mentions.go: @mention parsing and push notification dispatch
  - Parses @user, @everyone, @role mentions
  - Skips DND users
  - Async goroutine dispatch for non-blocking
- internal/message/handlers.go: wired mention handler into Create
- cmd/server/main.go: added push handler initialization, pass to message handler
2026-06-28 19:06:03 -04:00
hobokenchicken 0f99ee53bc Update README: mark push, WebAuthn, Swagger as done 2026-06-28 18:53:22 -04:00
hobokenchicken bb0540b70c Finish Phase 6: Push frontend, WebAuthn frontend, OpenAPI/Swagger
Frontend:
- stores/push.ts: fixed VAPID key endpoint, added checkSubscription, proper subscription format
- UserSettings.tsx: added [ENABLE PUSH] toggle and [REGISTER PASSKEY] button
- LoginForm.tsx: added [SIGN IN WITH PASSKEY] button

Backend:
- cmd/server/main.go: added Swagger annotations, /docs/* route
- docs/: generated swagger.json, swagger.yaml, docs.go
- Makefile: added docs target for swag init
2026-06-28 18:53:05 -04:00
hobokenchicken 4a9e0c1f76 Update README: Phase 6 features 2026-06-28 17:54:12 -04:00
hobokenchicken af1de3d140 Phase 6: Permissions, Push, WebAuthn scaffolding
Backend:
- internal/permissions/permissions.go: permission bitflags (VIEW_CHANNEL through SHARE_SCREEN)
- internal/permissions/checker.go: permission checker with role aggregation
- internal/middleware/permission.go: RequirePermission middleware
- internal/push/handlers.go: push subscription CRUD, VAPID key endpoint, SendPush
- internal/auth/webauthn.go: WebAuthn passkey scaffolding (begin/finish endpoints)
- internal/db/db.go: is_default on roles, push_subscriptions table, webauthn_credentials table
- go.mod: added webpush-go, go-webauthn dependencies

Frontend:
- stores/role.ts: Zustand store for role management
- RoleManager.tsx: role CRUD with permission checkboxes
- MemberRoleAssign.tsx: assign roles to members
- App.tsx: /servers/:serverId/roles route
2026-06-28 17:53:44 -04:00
hobokenchicken 1db0c3b37a Update README: mark TUI client as done 2026-06-28 17:46:40 -04:00
hobokenchicken 2a6b3830d5 Phase 5: TUI client (Bubbletea)
- cmd/tui/main.go: entry point with --server, --token, --version flags
- cmd/tui/config.go: config from ~/.config/dumpster/config.yaml or env vars
- cmd/tui/auth.go: login flow, session cookie management
- cmd/tui/api.go: HTTP client for servers, channels, messages, voice
- cmd/tui/model.go: root bubbletea model with state management
- cmd/tui/theme.go: Gruvbox dark lipgloss styles
- cmd/tui/servers.go: server bar with [D] style initials
- cmd/tui/channels.go: channel list with #text and 🔊 voice
- cmd/tui/chat.go: IRC-style message viewport with colored usernames
- cmd/tui/input.go: message input with > _ prompt
- cmd/tui/members.go: member list with ●/◐/○ status
- cmd/tui/ws.go: WebSocket client for real-time events
- cmd/tui/voice.go: voice state tracking and mute toggle
- cmd/tui/keys.go: vim-style keybindings (j/k, g/G, Tab, /, etc)
- cmd/tui/views.go: multi-pane layout rendering
- Makefile: added build-tui and run-tui targets
- go.mod/go.sum: added charmbracelet dependencies
2026-06-28 17:46:19 -04:00
hobokenchicken 297cc47631 Fix README: update auth description, add LIVEKIT_* env var 2026-06-28 17:17:38 -04:00
hobokenchicken d8a91d7818 Update README: Phase 4 bots & extensibility complete 2026-06-28 17:01:37 -04:00
hobokenchicken 000ce85816 Phase 4: Bots & Extensibility
Backend:
- internal/bot/auth.go: bot token generation and verification
- internal/bot/handlers.go: bot CRUD (create, list, get, update, delete, server management, token regen)
- internal/bot/commands.go: slash command registration and management
- internal/webhook/handlers.go: webhook CRUD and execution endpoint
- internal/webhook/token.go: webhook token generation
- internal/db/db.go: bots, bot_servers, slash_commands, webhooks tables
- internal/gateway/events.go: BOT_JOIN, BOT_LEAVE event constants
- cmd/server/main.go: wired bot, webhook, invite routes

Frontend:
- stores/bot.ts: Zustand store for bot management
- BotManager.tsx: bot list, create, edit, delete, add to server, token display
- CommandManager.tsx: slash command CRUD per bot
- SlashCommandPopup.tsx: / command autocomplete popup
- App.tsx: /bots and /bots/:id/commands routes

Examples:
- examples/modbot/: auto-delete banned words, /kick, /ban, /purge commands
- examples/welcome/: welcome message on member join
2026-06-28 17:00:37 -04:00
hobokenchicken 01c67f9531 Update README: Phase 3 features complete 2026-06-28 16:45:35 -04:00
hobokenchicken bb650ac2a0 Phase 3: Polish & PWA
Backend:
- DB: reactions table, invites table, reply_to column on messages
- gateway/events.go: added REACTION_ADD, REACTION_REMOVE events
- internal/reaction/handlers.go: reaction CRUD with WebSocket broadcast
- internal/invite/handlers.go: invite creation, info, join with code
- gateway/hub.go: presence tracking with idle detection
- gateway/client.go: idle timeout support

Frontend - Social:
- TypingIndicator: real-time 'user is typing...' display
- ReactionBar: emoji reactions on messages with counts
- EmojiPicker: searchable emoji grid for reactions
- ReplyBar: quoted reply display above messages
- MentionPopup: @mention autocomplete with user list

Frontend - PWA:
- manifest.json: PWA manifest with theme color and icons
- sw.js: service worker with cache-first strategy and push support
- stores/push.ts: push notification subscription management
- InstallPrompt: 'Add to Home Screen' banner

Frontend - Mobile:
- MobileNav: bottom nav bar for mobile (servers/channels/chat/members)
- MobileDrawer: slide-out drawer with server bar + channel list
- index.html: PWA meta tags, safe area viewport

Frontend - Polish:
- ThemeToggle: dark/light mode switch with localStorage persistence
- InviteModal: generate invite links with expiry and max uses
- JoinServer: /invite/:code join flow
- stores/typing.ts: typing indicator state management
- stores/presence.ts: real-time presence tracking
- tailwind.config.js: darkMode: 'class', light mode color tokens
- styles/index.css: light mode CSS variable overrides
2026-06-28 16:44:39 -04:00
hobokenchicken ab35bdd1ae Update README: mark Phase 2 voice/video as complete 2026-06-28 16:27:34 -04:00