hobokenchicken
3ef753ff69
fix: remove stale idx_webhooks_token index from migration
...
The token column was dropped in a previous migration step
(ALTER TABLE webhooks DROP COLUMN IF EXISTS token), but the
CREATE INDEX referencing it still ran, causing migration failure
on databases where the column was already removed.
2026-06-30 13:49:50 -04:00
hobokenchicken
215f931311
fix: wire permission checks into message/channel handlers
...
- Add CheckChannelPermission to permissions.Checker (layers channel overrides on top of role permissions)
- Refactor requireChannelAccess to accept required permission bitmap
- Message Create checks SEND_MESSAGES; List/Search check VIEW_CHANNEL
- BulkDelete uses Checker.CheckPermission for MANAGE_MESSAGES
- Channel handler List filters out channels user cannot view
- Remove dead checkPermission method from message handler
- Fix frontend avatar upload: parse response URL, call updateProfile
2026-06-30 13:47:08 -04:00
hobokenchicken
2caedc172b
fix: resolve 7 audit issues - webhook tokens, cookie security, avatar save, TUI fallback, dead code, valkey default
2026-06-30 13:29:34 -04:00
hobokenchicken
d663638387
feat(phase8.1): server groups — table, CRUD handler, collapsible channel sections
2026-06-30 12:50:53 -04:00
hobokenchicken
cc6ed741f0
feat(phase7): per-channel notification settings and read receipts
...
Phase 7.1 — Per-channel notification settings
- New notification_settings table (user_id, channel_id, level)
- GET/PUT/DELETE handlers under /channels/{channelID}/notifications
- Push dispatch and @mention loops filtered by notification level
- Frontend: bell icon per channel cycling all/mentions/none
Phase 7.4 — Read receipts
- New read_states table (user_id, channel_id, last_read_message_id)
- PUT /channels/{channelID}/read and GET /users/me/read-states
- Auto-mark-read when messages load in ChatArea
- Unread dot for channels never opened
Also: favicon/icon refresh in index.html
2026-06-30 12:39:14 -04:00
hobokenchicken
775bd953b0
feat(phase6): video grid, noise suppression, whisper system
...
- New VideoGrid component: live camera feeds (local + remote) in VoicePanel
- Camera toggle in VoiceControls: enable/disable video per participant
- Noise suppression toggle in VoiceControls + voice store
- VOICE_WHISPER WS event: backend routes whisper to target user only
- Whisper UI: per-participant whisper button, notification toasts with dismiss
- Fix circular import between voice.ts and ws.ts (use lazy accessor)
2026-06-30 12:21:53 -04:00
hobokenchicken
6db4e3cc2d
feat(phase5): scheduling/availability - DB, API, UI in server settings
2026-06-30 11:29:43 -04:00
hobokenchicken
74d2153ffa
feat(phase5): list channels - todo/in_progress/done columns, CRUD
2026-06-30 11:26:15 -04:00
hobokenchicken
dbebc1f381
feat(phase5): docs channels - CRUD, wiki sidebar, markdown editor
2026-06-30 11:19:32 -04:00
hobokenchicken
e65ce54e36
feat(phase5): calendar channels - events, RSVPs, calendar view
2026-06-30 11:15:40 -04:00
hobokenchicken
58ce09cc18
feat(phase4): rich profiles, badges DB, block list
2026-06-30 11:04:32 -04:00
hobokenchicken
368172e3d6
feat(phase3): forum channels + tags + card UI
2026-06-30 10:44:52 -04:00
hobokenchicken
f3f03df710
feat(phase3): threads backend + thread panel UI
2026-06-30 10:36:18 -04:00
hobokenchicken
bd260183ef
feat(phase2): channel permission overrides + expanded role UI + audit log cleanup
2026-06-30 10:28:03 -04:00
hobokenchicken
d7c84647e5
feat(phase2): bulk delete + audit log; update roadmap/parity docs
2026-06-30 10:20:57 -04:00
hobokenchicken
d3b7f39b9e
fix(build): make build-web works; gofmt all Go files
2026-06-30 10:01:11 -04:00
hobokenchicken
30e159cbdb
sync: phase 1 backend + frontend from server
2026-06-30 09:26:03 -04:00
hobokenchicken
1945703893
fix: case-insensitive login for username and email
2026-06-30 08:24:41 -04:00
hobokenchicken
bbd7992e12
fix: nil pushHandler crash in message Create
2026-06-29 16:06:00 -04:00
hobokenchicken
6c8defb6fd
feat: realtime status, mentions, push notifications
2026-06-29 15:52:34 -04:00
hobokenchicken
6a737c3db3
fix: invite handler used creator_id but DB column is created_by
2026-06-29 15:32:24 -04:00
hobokenchicken
a8a09cf7b4
fix: CSRF and WS origin check trust request Host header (same-origin)
2026-06-29 14:38:18 -04:00
hobokenchicken
7f56571004
fix: WS origin check now uses hostname matching instead of exact strings
2026-06-29 14:33:39 -04:00
hobokenchicken
369737565e
fix: WebSocket cookie auth + connect on layout mount
2026-06-29 14:30:29 -04:00
hobokenchicken
c189bd2d83
fix: return messages in chronological order (oldest first)
2026-06-29 14:18:56 -04:00
hobokenchicken
175ec90705
fix: blank page on channel click + logout issue
2026-06-29 14:16:32 -04:00
hobokenchicken
a7da8104d7
fix: channel List reads serverID from URL param, not query string
2026-06-29 14:11:33 -04:00
hobokenchicken
368d1f9427
fix: ensure reply_to column exists via ALTER TABLE in migration
2026-06-29 14:05:56 -04:00
hobokenchicken
9f138deb9d
feat: login with username or email + change password
...
Backend:
- Login handler accepts username OR email via the same field
- New PUT /auth/me/password endpoint (verifies current password,
requires min 8 chars for new password)
Frontend:
- Login form shows EMAIL OR USERNAME field (single field for both)
- Auth store updated with changePassword function
- UserSettings has new CHANGE PASSWORD section
2026-06-29 14:00:19 -04:00
hobokenchicken
fec0eb1917
fix: use single quotes for SQL COALESCE defaults (not double quotes)
2026-06-29 13:53:17 -04:00
root
23902de912
feat: server members API + member list in sidebar + fix chat input
...
Backend:
- Add GET /api/v1/servers/{serverID}/members endpoint
- Wire MemberHandler routes in main.go
Frontend:
- Create member store (fetchMembers by server ID)
- MemberList now fetches members from API instead of empty props
- ChatArea: show channel name instead of ID, add error display,
add flex-1 + min-w-0 to input for proper sizing, error handling
on sendMessage
2026-06-29 17:51:32 +00:00
root
bb67a7652e
fix: resolve duplicate path prefix issues for message and webhook routes
2026-06-29 17:48:28 +00:00
hobokenchicken
de465c6527
fix: read serverID from URL param instead of body in channel create
...
The channel Create handler was expecting server_id in the JSON body,
but the frontend sends it in the URL path (/servers/{serverID}/channels).
Now reads serverID from chi.URLParam and only requires name in the body.
2026-06-29 13:35:50 -04:00
hobokenchicken
5c7e461dad
fix: CSRF middleware now trusts origin hostname match instead of exact prefix
...
The old CSRF middleware used exact string matching against a static list
of origins (https://host , http://localhost:port ). This broke when the
frontend ran on a different port (Vite dev server) or accessed via LAN IP.
New behavior:
- Origin hostname matching: any Origin whose hostname matches cfg.Host
is trusted, regardless of scheme or port
- Localhost variants always trusted: localhost, 127.0.0.1, ::1
- Additional origins can be passed explicitly (future env var support)
2026-06-29 12:57:52 -04:00
hobokenchicken
3f33859f4a
feat: UI for server/channel creation, settings link, role management backend
...
Frontend:
- Settings link in header next to logout
- [+] button to create server (name + optional icon)
- [#] button to join server via invite code
- [+] button to create channel (name, type, category)
- Server name shown instead of UUID in channel list header
- /invites/:code route wired for JoinServer component
Backend:
- Wire role CRUD + member-role assignment routes (MANAGE_SERVER gated)
- Seed @everyone default role on server creation
2026-06-29 12:50:46 -04:00
root
3072cda051
fix: resolve Sscanf greedy parsing bug in VerifyPassword
2026-06-29 16:25:58 +00:00
root
a81a8e6901
fix: make session cookie Secure attribute optional for HTTP/LAN dev
2026-06-29 16:19:58 +00:00
root
4eaab40e48
fix: expose local ports in compose and auto-load .env in config package
2026-06-29 15:48:29 +00:00
root
bd2a7ec2a6
fix: load LiveKit and WebPush configuration fields in Load()
2026-06-29 15:45:06 +00:00
hobokenchicken
88756a72fa
security: LOW findings + fix .gitignore overmatch
...
- Swagger UI restricted to localhost only
- Message content length limit (4000 chars max) on create + update
- Bot/server/webhook ownership checks return 404 instead of 403
(prevents resource ID enumeration)
- Fix .gitignore: /server instead of server to stop ignoring
internal/server/ directory
2026-06-29 09:41:44 -04:00
hobokenchicken
130187c7be
security: remediate all P0-P2 audit findings (12 tasks)
...
P0 fixes:
- WebSocket origin checking (reject untrusted origins)
- WS session token moved from URL query param to first message frame
- WebAuthn login cookie now uses Secure flag via shared SetSessionCookie
- PostgreSQL sslmode configurable via POSTGRES_SSLMODE env (default: require)
- Fixed DatabaseDSN to use real password instead of masked placeholder
P1 fixes:
- Per-IP rate limiting middleware (auth: 5 req/s, invites: 2 req/s)
- Security headers on all responses (CSP, X-Frame-Options, nosniff, etc.)
- WS broadcasts scoped to server members (prevents cross-server data leak)
- Webhook tokens stored as SHA-256 hashes (not plaintext)
P2 fixes:
- CSRF protection via Origin header validation on state-changing requests
- MANAGE_CHANNELS permission enforced on channel update/delete
- Upload validation: 25MB limit, extension allowlist, server-side MIME check
- File serve: path traversal protection + Content-Disposition: attachment
Files: 23 changed, +499/-100. Builds clean (go build, go vet, npm build).
Zero CVEs (govulncheck, npm audit).
2026-06-29 09:30:50 -04:00
hobokenchicken
72ca99b58d
Add swaggo annotations to all handlers and regenerate full Swagger docs
...
- Added @Summary/@Router/@Param/@Success/@Security annotations to all API handlers
- Regenerated docs/swagger.json, docs/swagger.yaml, docs/docs.go with full endpoint definitions
- Fixed generated docs.go to remove unsupported LeftDelim/RightDelim fields
2026-06-28 19:16:42 -04:00
hobokenchicken
613d4b8c6e
Complete WebAuthn backend + push notification mention parsing
...
Backend:
- internal/auth/webauthn.go: full RegisterBegin/Finish, LoginBegin/Finish implementation
- In-memory challenge store with eviction
- Credential storage in webauthn_credentials table
- Session creation on successful passkey login
- Cookie-based challenge linking for login flow
- internal/message/mentions.go: @mention parsing and push notification dispatch
- Parses @user, @everyone, @role mentions
- Skips DND users
- Async goroutine dispatch for non-blocking
- internal/message/handlers.go: wired mention handler into Create
- cmd/server/main.go: added push handler initialization, pass to message handler
2026-06-28 19:06:03 -04:00
hobokenchicken
af1de3d140
Phase 6: Permissions, Push, WebAuthn scaffolding
...
Backend:
- internal/permissions/permissions.go: permission bitflags (VIEW_CHANNEL through SHARE_SCREEN)
- internal/permissions/checker.go: permission checker with role aggregation
- internal/middleware/permission.go: RequirePermission middleware
- internal/push/handlers.go: push subscription CRUD, VAPID key endpoint, SendPush
- internal/auth/webauthn.go: WebAuthn passkey scaffolding (begin/finish endpoints)
- internal/db/db.go: is_default on roles, push_subscriptions table, webauthn_credentials table
- go.mod: added webpush-go, go-webauthn dependencies
Frontend:
- stores/role.ts: Zustand store for role management
- RoleManager.tsx: role CRUD with permission checkboxes
- MemberRoleAssign.tsx: assign roles to members
- App.tsx: /servers/:serverId/roles route
2026-06-28 17:53:44 -04:00
hobokenchicken
000ce85816
Phase 4: Bots & Extensibility
...
Backend:
- internal/bot/auth.go: bot token generation and verification
- internal/bot/handlers.go: bot CRUD (create, list, get, update, delete, server management, token regen)
- internal/bot/commands.go: slash command registration and management
- internal/webhook/handlers.go: webhook CRUD and execution endpoint
- internal/webhook/token.go: webhook token generation
- internal/db/db.go: bots, bot_servers, slash_commands, webhooks tables
- internal/gateway/events.go: BOT_JOIN, BOT_LEAVE event constants
- cmd/server/main.go: wired bot, webhook, invite routes
Frontend:
- stores/bot.ts: Zustand store for bot management
- BotManager.tsx: bot list, create, edit, delete, add to server, token display
- CommandManager.tsx: slash command CRUD per bot
- SlashCommandPopup.tsx: / command autocomplete popup
- App.tsx: /bots and /bots/:id/commands routes
Examples:
- examples/modbot/: auto-delete banned words, /kick, /ban, /purge commands
- examples/welcome/: welcome message on member join
2026-06-28 17:00:37 -04:00
hobokenchicken
bb650ac2a0
Phase 3: Polish & PWA
...
Backend:
- DB: reactions table, invites table, reply_to column on messages
- gateway/events.go: added REACTION_ADD, REACTION_REMOVE events
- internal/reaction/handlers.go: reaction CRUD with WebSocket broadcast
- internal/invite/handlers.go: invite creation, info, join with code
- gateway/hub.go: presence tracking with idle detection
- gateway/client.go: idle timeout support
Frontend - Social:
- TypingIndicator: real-time 'user is typing...' display
- ReactionBar: emoji reactions on messages with counts
- EmojiPicker: searchable emoji grid for reactions
- ReplyBar: quoted reply display above messages
- MentionPopup: @mention autocomplete with user list
Frontend - PWA:
- manifest.json: PWA manifest with theme color and icons
- sw.js: service worker with cache-first strategy and push support
- stores/push.ts: push notification subscription management
- InstallPrompt: 'Add to Home Screen' banner
Frontend - Mobile:
- MobileNav: bottom nav bar for mobile (servers/channels/chat/members)
- MobileDrawer: slide-out drawer with server bar + channel list
- index.html: PWA meta tags, safe area viewport
Frontend - Polish:
- ThemeToggle: dark/light mode switch with localStorage persistence
- InviteModal: generate invite links with expiry and max uses
- JoinServer: /invite/:code join flow
- stores/typing.ts: typing indicator state management
- stores/presence.ts: real-time presence tracking
- tailwind.config.js: darkMode: 'class', light mode color tokens
- styles/index.css: light mode CSS variable overrides
2026-06-28 16:44:39 -04:00
hobokenchicken
8ee0ce657f
Phase 2 backend: LiveKit voice integration
...
Backend:
- internal/voice/client.go: LiveKit token generation, room management, participant listing
- internal/voice/handlers.go: POST /voice/token, GET /voice/rooms/{roomID}/participants
- internal/gateway/events.go: added VOICE_JOIN, VOICE_LEAVE, VOICE_MUTE, VOICE_DEAFEN events
- cmd/server/main.go: wired voice client and routes under /api/v1/voice
- Docker: livekit.yaml config verified
Frontend deps:
- Added livekit-client and @livekit/components-react packages
2026-06-28 16:21:16 -04:00
hobokenchicken
e69553af02
Profiles, Giphy, uploads, settings UI
...
Backend:
- Auth: split routes into RegisterPublicRoutes + RegisterProtectedRoutes
- Auth: PATCH /me for profile updates (display_name, bio, accent_color, status_text)
- Auth: Gravatar fallback for avatars on register
- DB: users table now has bio, accent_color, status_text columns
- giphy/client.go: Search() and GetTrending() against Giphy API
- upload/handlers.go: MinIO file upload + serve
- config: added GiphyConfig and MinIO config
- cmd/server: wired giphy (/gifs/search, /gifs/trending), upload (/upload), files (/files/*) routes
Frontend:
- auth store: updated User interface with new profile fields, added updateProfile()
- UserSettings.tsx: terminal-styled profile editor (display_name, bio, accent_color, status_text, avatar upload)
- GiphyPicker.tsx: terminal-styled GIF picker with search + trending
- ChatArea.tsx: integrated [GIF] button into message input
- App.tsx: imports UserSettings, added /settings route
2026-06-28 16:06:08 -04:00
hobokenchicken
bb5a56816b
Phase 1 MVP: gateway, CRUD handlers, frontend components
...
Backend:
- WebSocket gateway (hub, client, events) with fanout broadcast
- Server CRUD handlers (create, list, get, update, delete)
- Channel CRUD handlers (create, list, get, update, delete)
- Message CRUD handlers (list with cursor pagination, create, update, delete)
- cmd/migrate standalone migration CLI (up/down)
- cmd/server wired to all handlers + WebSocket + static file serving
Frontend:
- Zustand stores: auth, server, channel, message, websocket
- API client with fetch wrapper
- Terminal-styled components: Layout, LoginForm, ChatArea, ChannelList, ServerBar, MemberList
- React Router with login and main routes
- Gruvbox dark palette throughout
Ops:
- Docker Compose with app service (multi-stage build)
- Caddyfile with WebSocket upgrade support
- Makefile for common tasks
2026-06-26 14:47:29 -04:00
hobokenchicken
e499ce884d
Initial scaffold: Go backend, React frontend, Docker Compose
...
- Go backend: config, db (PostgreSQL migrations), auth (argon2id + sessions),
middleware (cookie sessions, RequireAuth), chi router, cmd/server
- React frontend: Vite + React 18 + TS + Tailwind + Gruvbox palette + terminal CSS
- Docker: compose.yml (Postgres, Valkey, minio, LiveKit, coturn, Caddy),
livekit.yaml, Caddyfile, Dockerfile (multi-stage Go+Node+Alpine)
- .env.example, .gitignore, README.md
2026-06-26 14:41:10 -04:00