hobokenchicken
89f8381e2d
added features and fixes
2026-07-02 15:34:00 +00:00
hobokenchicken
ca7a9e30f1
fix: message list now returns most recent 50, not oldest 50
...
Query was ORDER BY ASC LIMIT 50 — returning the 50 oldest messages.
On page refresh users saw ancient messages instead of recent ones.
Changed to ORDER BY DESC LIMIT then reverse in Go so the API still
returns chronological order but from the bottom of the history.
2026-07-02 09:19:31 -04:00
hobokenchicken
215f931311
fix: wire permission checks into message/channel handlers
...
- Add CheckChannelPermission to permissions.Checker (layers channel overrides on top of role permissions)
- Refactor requireChannelAccess to accept required permission bitmap
- Message Create checks SEND_MESSAGES; List/Search check VIEW_CHANNEL
- BulkDelete uses Checker.CheckPermission for MANAGE_MESSAGES
- Channel handler List filters out channels user cannot view
- Remove dead checkPermission method from message handler
- Fix frontend avatar upload: parse response URL, call updateProfile
2026-06-30 13:47:08 -04:00
hobokenchicken
2caedc172b
fix: resolve 7 audit issues - webhook tokens, cookie security, avatar save, TUI fallback, dead code, valkey default
2026-06-30 13:29:34 -04:00
hobokenchicken
cc6ed741f0
feat(phase7): per-channel notification settings and read receipts
...
Phase 7.1 — Per-channel notification settings
- New notification_settings table (user_id, channel_id, level)
- GET/PUT/DELETE handlers under /channels/{channelID}/notifications
- Push dispatch and @mention loops filtered by notification level
- Frontend: bell icon per channel cycling all/mentions/none
Phase 7.4 — Read receipts
- New read_states table (user_id, channel_id, last_read_message_id)
- PUT /channels/{channelID}/read and GET /users/me/read-states
- Auto-mark-read when messages load in ChatArea
- Unread dot for channels never opened
Also: favicon/icon refresh in index.html
2026-06-30 12:39:14 -04:00
hobokenchicken
d7c84647e5
feat(phase2): bulk delete + audit log; update roadmap/parity docs
2026-06-30 10:20:57 -04:00
hobokenchicken
d3b7f39b9e
fix(build): make build-web works; gofmt all Go files
2026-06-30 10:01:11 -04:00
hobokenchicken
30e159cbdb
sync: phase 1 backend + frontend from server
2026-06-30 09:26:03 -04:00
hobokenchicken
bbd7992e12
fix: nil pushHandler crash in message Create
2026-06-29 16:06:00 -04:00
hobokenchicken
6c8defb6fd
feat: realtime status, mentions, push notifications
2026-06-29 15:52:34 -04:00
hobokenchicken
c189bd2d83
fix: return messages in chronological order (oldest first)
2026-06-29 14:18:56 -04:00
root
bb67a7652e
fix: resolve duplicate path prefix issues for message and webhook routes
2026-06-29 17:48:28 +00:00
hobokenchicken
88756a72fa
security: LOW findings + fix .gitignore overmatch
...
- Swagger UI restricted to localhost only
- Message content length limit (4000 chars max) on create + update
- Bot/server/webhook ownership checks return 404 instead of 403
(prevents resource ID enumeration)
- Fix .gitignore: /server instead of server to stop ignoring
internal/server/ directory
2026-06-29 09:41:44 -04:00
hobokenchicken
130187c7be
security: remediate all P0-P2 audit findings (12 tasks)
...
P0 fixes:
- WebSocket origin checking (reject untrusted origins)
- WS session token moved from URL query param to first message frame
- WebAuthn login cookie now uses Secure flag via shared SetSessionCookie
- PostgreSQL sslmode configurable via POSTGRES_SSLMODE env (default: require)
- Fixed DatabaseDSN to use real password instead of masked placeholder
P1 fixes:
- Per-IP rate limiting middleware (auth: 5 req/s, invites: 2 req/s)
- Security headers on all responses (CSP, X-Frame-Options, nosniff, etc.)
- WS broadcasts scoped to server members (prevents cross-server data leak)
- Webhook tokens stored as SHA-256 hashes (not plaintext)
P2 fixes:
- CSRF protection via Origin header validation on state-changing requests
- MANAGE_CHANNELS permission enforced on channel update/delete
- Upload validation: 25MB limit, extension allowlist, server-side MIME check
- File serve: path traversal protection + Content-Disposition: attachment
Files: 23 changed, +499/-100. Builds clean (go build, go vet, npm build).
Zero CVEs (govulncheck, npm audit).
2026-06-29 09:30:50 -04:00
hobokenchicken
72ca99b58d
Add swaggo annotations to all handlers and regenerate full Swagger docs
...
- Added @Summary/@Router/@Param/@Success/@Security annotations to all API handlers
- Regenerated docs/swagger.json, docs/swagger.yaml, docs/docs.go with full endpoint definitions
- Fixed generated docs.go to remove unsupported LeftDelim/RightDelim fields
2026-06-28 19:16:42 -04:00
hobokenchicken
613d4b8c6e
Complete WebAuthn backend + push notification mention parsing
...
Backend:
- internal/auth/webauthn.go: full RegisterBegin/Finish, LoginBegin/Finish implementation
- In-memory challenge store with eviction
- Credential storage in webauthn_credentials table
- Session creation on successful passkey login
- Cookie-based challenge linking for login flow
- internal/message/mentions.go: @mention parsing and push notification dispatch
- Parses @user, @everyone, @role mentions
- Skips DND users
- Async goroutine dispatch for non-blocking
- internal/message/handlers.go: wired mention handler into Create
- cmd/server/main.go: added push handler initialization, pass to message handler
2026-06-28 19:06:03 -04:00
hobokenchicken
e69553af02
Profiles, Giphy, uploads, settings UI
...
Backend:
- Auth: split routes into RegisterPublicRoutes + RegisterProtectedRoutes
- Auth: PATCH /me for profile updates (display_name, bio, accent_color, status_text)
- Auth: Gravatar fallback for avatars on register
- DB: users table now has bio, accent_color, status_text columns
- giphy/client.go: Search() and GetTrending() against Giphy API
- upload/handlers.go: MinIO file upload + serve
- config: added GiphyConfig and MinIO config
- cmd/server: wired giphy (/gifs/search, /gifs/trending), upload (/upload), files (/files/*) routes
Frontend:
- auth store: updated User interface with new profile fields, added updateProfile()
- UserSettings.tsx: terminal-styled profile editor (display_name, bio, accent_color, status_text, avatar upload)
- GiphyPicker.tsx: terminal-styled GIF picker with search + trending
- ChatArea.tsx: integrated [GIF] button into message input
- App.tsx: imports UserSettings, added /settings route
2026-06-28 16:06:08 -04:00
hobokenchicken
bb5a56816b
Phase 1 MVP: gateway, CRUD handlers, frontend components
...
Backend:
- WebSocket gateway (hub, client, events) with fanout broadcast
- Server CRUD handlers (create, list, get, update, delete)
- Channel CRUD handlers (create, list, get, update, delete)
- Message CRUD handlers (list with cursor pagination, create, update, delete)
- cmd/migrate standalone migration CLI (up/down)
- cmd/server wired to all handlers + WebSocket + static file serving
Frontend:
- Zustand stores: auth, server, channel, message, websocket
- API client with fetch wrapper
- Terminal-styled components: Layout, LoginForm, ChatArea, ChannelList, ServerBar, MemberList
- React Router with login and main routes
- Gruvbox dark palette throughout
Ops:
- Docker Compose with app service (multi-stage build)
- Caddyfile with WebSocket upgrade support
- Makefile for common tasks
2026-06-26 14:47:29 -04:00