hobokenchicken
d7c84647e5
feat(phase2): bulk delete + audit log; update roadmap/parity docs
2026-06-30 10:20:57 -04:00
hobokenchicken
d3b7f39b9e
fix(build): make build-web works; gofmt all Go files
2026-06-30 10:01:11 -04:00
hobokenchicken
30e159cbdb
sync: phase 1 backend + frontend from server
2026-06-30 09:26:03 -04:00
hobokenchicken
bbd7992e12
fix: nil pushHandler crash in message Create
2026-06-29 16:06:00 -04:00
hobokenchicken
6c8defb6fd
feat: realtime status, mentions, push notifications
2026-06-29 15:52:34 -04:00
hobokenchicken
c189bd2d83
fix: return messages in chronological order (oldest first)
2026-06-29 14:18:56 -04:00
root
bb67a7652e
fix: resolve duplicate path prefix issues for message and webhook routes
2026-06-29 17:48:28 +00:00
hobokenchicken
88756a72fa
security: LOW findings + fix .gitignore overmatch
...
- Swagger UI restricted to localhost only
- Message content length limit (4000 chars max) on create + update
- Bot/server/webhook ownership checks return 404 instead of 403
(prevents resource ID enumeration)
- Fix .gitignore: /server instead of server to stop ignoring
internal/server/ directory
2026-06-29 09:41:44 -04:00
hobokenchicken
130187c7be
security: remediate all P0-P2 audit findings (12 tasks)
...
P0 fixes:
- WebSocket origin checking (reject untrusted origins)
- WS session token moved from URL query param to first message frame
- WebAuthn login cookie now uses Secure flag via shared SetSessionCookie
- PostgreSQL sslmode configurable via POSTGRES_SSLMODE env (default: require)
- Fixed DatabaseDSN to use real password instead of masked placeholder
P1 fixes:
- Per-IP rate limiting middleware (auth: 5 req/s, invites: 2 req/s)
- Security headers on all responses (CSP, X-Frame-Options, nosniff, etc.)
- WS broadcasts scoped to server members (prevents cross-server data leak)
- Webhook tokens stored as SHA-256 hashes (not plaintext)
P2 fixes:
- CSRF protection via Origin header validation on state-changing requests
- MANAGE_CHANNELS permission enforced on channel update/delete
- Upload validation: 25MB limit, extension allowlist, server-side MIME check
- File serve: path traversal protection + Content-Disposition: attachment
Files: 23 changed, +499/-100. Builds clean (go build, go vet, npm build).
Zero CVEs (govulncheck, npm audit).
2026-06-29 09:30:50 -04:00
hobokenchicken
72ca99b58d
Add swaggo annotations to all handlers and regenerate full Swagger docs
...
- Added @Summary/@Router/@Param/@Success/@Security annotations to all API handlers
- Regenerated docs/swagger.json, docs/swagger.yaml, docs/docs.go with full endpoint definitions
- Fixed generated docs.go to remove unsupported LeftDelim/RightDelim fields
2026-06-28 19:16:42 -04:00
hobokenchicken
613d4b8c6e
Complete WebAuthn backend + push notification mention parsing
...
Backend:
- internal/auth/webauthn.go: full RegisterBegin/Finish, LoginBegin/Finish implementation
- In-memory challenge store with eviction
- Credential storage in webauthn_credentials table
- Session creation on successful passkey login
- Cookie-based challenge linking for login flow
- internal/message/mentions.go: @mention parsing and push notification dispatch
- Parses @user, @everyone, @role mentions
- Skips DND users
- Async goroutine dispatch for non-blocking
- internal/message/handlers.go: wired mention handler into Create
- cmd/server/main.go: added push handler initialization, pass to message handler
2026-06-28 19:06:03 -04:00
hobokenchicken
e69553af02
Profiles, Giphy, uploads, settings UI
...
Backend:
- Auth: split routes into RegisterPublicRoutes + RegisterProtectedRoutes
- Auth: PATCH /me for profile updates (display_name, bio, accent_color, status_text)
- Auth: Gravatar fallback for avatars on register
- DB: users table now has bio, accent_color, status_text columns
- giphy/client.go: Search() and GetTrending() against Giphy API
- upload/handlers.go: MinIO file upload + serve
- config: added GiphyConfig and MinIO config
- cmd/server: wired giphy (/gifs/search, /gifs/trending), upload (/upload), files (/files/*) routes
Frontend:
- auth store: updated User interface with new profile fields, added updateProfile()
- UserSettings.tsx: terminal-styled profile editor (display_name, bio, accent_color, status_text, avatar upload)
- GiphyPicker.tsx: terminal-styled GIF picker with search + trending
- ChatArea.tsx: integrated [GIF] button into message input
- App.tsx: imports UserSettings, added /settings route
2026-06-28 16:06:08 -04:00
hobokenchicken
bb5a56816b
Phase 1 MVP: gateway, CRUD handlers, frontend components
...
Backend:
- WebSocket gateway (hub, client, events) with fanout broadcast
- Server CRUD handlers (create, list, get, update, delete)
- Channel CRUD handlers (create, list, get, update, delete)
- Message CRUD handlers (list with cursor pagination, create, update, delete)
- cmd/migrate standalone migration CLI (up/down)
- cmd/server wired to all handlers + WebSocket + static file serving
Frontend:
- Zustand stores: auth, server, channel, message, websocket
- API client with fetch wrapper
- Terminal-styled components: Layout, LoginForm, ChatArea, ChannelList, ServerBar, MemberList
- React Router with login and main routes
- Gruvbox dark palette throughout
Ops:
- Docker Compose with app service (multi-stage build)
- Caddyfile with WebSocket upgrade support
- Makefile for common tasks
2026-06-26 14:47:29 -04:00