hobokenchicken
dbebc1f381
feat(phase5): docs channels - CRUD, wiki sidebar, markdown editor
2026-06-30 11:19:32 -04:00
hobokenchicken
e65ce54e36
feat(phase5): calendar channels - events, RSVPs, calendar view
2026-06-30 11:15:40 -04:00
hobokenchicken
58ce09cc18
feat(phase4): rich profiles, badges DB, block list
2026-06-30 11:04:32 -04:00
hobokenchicken
368172e3d6
feat(phase3): forum channels + tags + card UI
2026-06-30 10:44:52 -04:00
hobokenchicken
f3f03df710
feat(phase3): threads backend + thread panel UI
2026-06-30 10:36:18 -04:00
hobokenchicken
bd260183ef
feat(phase2): channel permission overrides + expanded role UI + audit log cleanup
2026-06-30 10:28:03 -04:00
hobokenchicken
d7c84647e5
feat(phase2): bulk delete + audit log; update roadmap/parity docs
2026-06-30 10:20:57 -04:00
hobokenchicken
d3b7f39b9e
fix(build): make build-web works; gofmt all Go files
2026-06-30 10:01:11 -04:00
hobokenchicken
30e159cbdb
sync: phase 1 backend + frontend from server
2026-06-30 09:26:03 -04:00
hobokenchicken
d4cdd89544
docs: 8-phase roadmap to Guilded feature parity
2026-06-30 08:38:37 -04:00
hobokenchicken
1945703893
fix: case-insensitive login for username and email
2026-06-30 08:24:41 -04:00
hobokenchicken
e380d4e381
docs: feature parity comparison with Discord, Guilded, TeamSpeak 6, Fluxer
2026-06-30 08:18:23 -04:00
hobokenchicken
bbd7992e12
fix: nil pushHandler crash in message Create
2026-06-29 16:06:00 -04:00
hobokenchicken
6c8defb6fd
feat: realtime status, mentions, push notifications
2026-06-29 15:52:34 -04:00
hobokenchicken
282a436995
fix: construct invite URL from code on frontend
2026-06-29 15:35:22 -04:00
hobokenchicken
6a737c3db3
fix: invite handler used creator_id but DB column is created_by
2026-06-29 15:32:24 -04:00
hobokenchicken
7261ebaafa
fix: invite routes were double-nested under /invites causing 404->SPA fallback
2026-06-29 15:30:20 -04:00
hobokenchicken
2d3bf48e66
fix: add invite button, voice join dedup, voice panel immediate render
2026-06-29 15:28:05 -04:00
hobokenchicken
a8a09cf7b4
fix: CSRF and WS origin check trust request Host header (same-origin)
2026-06-29 14:38:18 -04:00
hobokenchicken
7f56571004
fix: WS origin check now uses hostname matching instead of exact strings
2026-06-29 14:33:39 -04:00
hobokenchicken
369737565e
fix: WebSocket cookie auth + connect on layout mount
2026-06-29 14:30:29 -04:00
hobokenchicken
90289fede1
sync: all server-side fixes and features
2026-06-29 14:24:45 -04:00
hobokenchicken
c189bd2d83
fix: return messages in chronological order (oldest first)
2026-06-29 14:18:56 -04:00
hobokenchicken
175ec90705
fix: blank page on channel click + logout issue
2026-06-29 14:16:32 -04:00
hobokenchicken
a7da8104d7
fix: channel List reads serverID from URL param, not query string
2026-06-29 14:11:33 -04:00
hobokenchicken
368d1f9427
fix: ensure reply_to column exists via ALTER TABLE in migration
2026-06-29 14:05:56 -04:00
hobokenchicken
9f138deb9d
feat: login with username or email + change password
...
Backend:
- Login handler accepts username OR email via the same field
- New PUT /auth/me/password endpoint (verifies current password,
requires min 8 chars for new password)
Frontend:
- Login form shows EMAIL OR USERNAME field (single field for both)
- Auth store updated with changePassword function
- UserSettings has new CHANGE PASSWORD section
2026-06-29 14:00:19 -04:00
hobokenchicken
fec0eb1917
fix: use single quotes for SQL COALESCE defaults (not double quotes)
2026-06-29 13:53:17 -04:00
root
23902de912
feat: server members API + member list in sidebar + fix chat input
...
Backend:
- Add GET /api/v1/servers/{serverID}/members endpoint
- Wire MemberHandler routes in main.go
Frontend:
- Create member store (fetchMembers by server ID)
- MemberList now fetches members from API instead of empty props
- ChatArea: show channel name instead of ID, add error display,
add flex-1 + min-w-0 to input for proper sizing, error handling
on sendMessage
2026-06-29 17:51:32 +00:00
root
bb67a7652e
fix: resolve duplicate path prefix issues for message and webhook routes
2026-06-29 17:48:28 +00:00
hobokenchicken
de465c6527
fix: read serverID from URL param instead of body in channel create
...
The channel Create handler was expecting server_id in the JSON body,
but the frontend sends it in the URL path (/servers/{serverID}/channels).
Now reads serverID from chi.URLParam and only requires name in the body.
2026-06-29 13:35:50 -04:00
hobokenchicken
118155d737
fix: support DUMPSTER_CSRF_ORIGINS env var for LAN access
...
The CSRF middleware was rejecting requests from LAN IPs because
cfg.Host defaults to 'localhost' which doesn't match the LAN IP.
Now supports DUMPSTER_CSRF_ORIGINS env var (comma-separated list of
full origins) for additional trusted origins beyond cfg.Host.
Removed debug logging from CSRF middleware.
2026-06-29 13:20:07 -04:00
hobokenchicken
5c7e461dad
fix: CSRF middleware now trusts origin hostname match instead of exact prefix
...
The old CSRF middleware used exact string matching against a static list
of origins (https://host , http://localhost:port ). This broke when the
frontend ran on a different port (Vite dev server) or accessed via LAN IP.
New behavior:
- Origin hostname matching: any Origin whose hostname matches cfg.Host
is trusted, regardless of scheme or port
- Localhost variants always trusted: localhost, 127.0.0.1, ::1
- Additional origins can be passed explicitly (future env var support)
2026-06-29 12:57:52 -04:00
hobokenchicken
3f33859f4a
feat: UI for server/channel creation, settings link, role management backend
...
Frontend:
- Settings link in header next to logout
- [+] button to create server (name + optional icon)
- [#] button to join server via invite code
- [+] button to create channel (name, type, category)
- Server name shown instead of UUID in channel list header
- /invites/:code route wired for JoinServer component
Backend:
- Wire role CRUD + member-role assignment routes (MANAGE_SERVER gated)
- Seed @everyone default role on server creation
2026-06-29 12:50:46 -04:00
root
3072cda051
fix: resolve Sscanf greedy parsing bug in VerifyPassword
2026-06-29 16:25:58 +00:00
root
a81a8e6901
fix: make session cookie Secure attribute optional for HTTP/LAN dev
2026-06-29 16:19:58 +00:00
root
d122133e93
config: expose vite dev server to lan and configure api proxy
2026-06-29 16:14:11 +00:00
root
78c0c28ff5
fix: shell and nvm path sourcing in Makefile web targets
2026-06-29 16:10:03 +00:00
root
4eaab40e48
fix: expose local ports in compose and auto-load .env in config package
2026-06-29 15:48:29 +00:00
root
bd2a7ec2a6
fix: load LiveKit and WebPush configuration fields in Load()
2026-06-29 15:45:06 +00:00
hobokenchicken
88756a72fa
security: LOW findings + fix .gitignore overmatch
...
- Swagger UI restricted to localhost only
- Message content length limit (4000 chars max) on create + update
- Bot/server/webhook ownership checks return 404 instead of 403
(prevents resource ID enumeration)
- Fix .gitignore: /server instead of server to stop ignoring
internal/server/ directory
2026-06-29 09:41:44 -04:00
hobokenchicken
d25763cc84
feat(voice): add AudioPresets and publish defaults for voice quality
2026-06-29 09:37:25 -04:00
hobokenchicken
130187c7be
security: remediate all P0-P2 audit findings (12 tasks)
...
P0 fixes:
- WebSocket origin checking (reject untrusted origins)
- WS session token moved from URL query param to first message frame
- WebAuthn login cookie now uses Secure flag via shared SetSessionCookie
- PostgreSQL sslmode configurable via POSTGRES_SSLMODE env (default: require)
- Fixed DatabaseDSN to use real password instead of masked placeholder
P1 fixes:
- Per-IP rate limiting middleware (auth: 5 req/s, invites: 2 req/s)
- Security headers on all responses (CSP, X-Frame-Options, nosniff, etc.)
- WS broadcasts scoped to server members (prevents cross-server data leak)
- Webhook tokens stored as SHA-256 hashes (not plaintext)
P2 fixes:
- CSRF protection via Origin header validation on state-changing requests
- MANAGE_CHANNELS permission enforced on channel update/delete
- Upload validation: 25MB limit, extension allowlist, server-side MIME check
- File serve: path traversal protection + Content-Disposition: attachment
Files: 23 changed, +499/-100. Builds clean (go build, go vet, npm build).
Zero CVEs (govulncheck, npm audit).
2026-06-29 09:30:50 -04:00
hobokenchicken
5373105368
Simplify Quick Start: single docker compose up
...
- Dockerfile: auto-generate DUMPSTER_SECRET if not set
- compose.yml: remove env_file requirement, use env vars with defaults, share web_assets volume with caddy
- README: Quick Start is now 3 commands (clone, cd, docker compose up)
2026-06-28 19:31:06 -04:00
hobokenchicken
27f2faecaa
Fix README: WebAuthn passkeys no longer deferred
2026-06-28 19:20:13 -04:00
hobokenchicken
72ca99b58d
Add swaggo annotations to all handlers and regenerate full Swagger docs
...
- Added @Summary/@Router/@Param/@Success/@Security annotations to all API handlers
- Regenerated docs/swagger.json, docs/swagger.yaml, docs/docs.go with full endpoint definitions
- Fixed generated docs.go to remove unsupported LeftDelim/RightDelim fields
2026-06-28 19:16:42 -04:00
hobokenchicken
1b7778930c
Update README: all items complete
2026-06-28 19:06:47 -04:00
hobokenchicken
613d4b8c6e
Complete WebAuthn backend + push notification mention parsing
...
Backend:
- internal/auth/webauthn.go: full RegisterBegin/Finish, LoginBegin/Finish implementation
- In-memory challenge store with eviction
- Credential storage in webauthn_credentials table
- Session creation on successful passkey login
- Cookie-based challenge linking for login flow
- internal/message/mentions.go: @mention parsing and push notification dispatch
- Parses @user, @everyone, @role mentions
- Skips DND users
- Async goroutine dispatch for non-blocking
- internal/message/handlers.go: wired mention handler into Create
- cmd/server/main.go: added push handler initialization, pass to message handler
2026-06-28 19:06:03 -04:00
hobokenchicken
0f99ee53bc
Update README: mark push, WebAuthn, Swagger as done
2026-06-28 18:53:22 -04:00
hobokenchicken
bb0540b70c
Finish Phase 6: Push frontend, WebAuthn frontend, OpenAPI/Swagger
...
Frontend:
- stores/push.ts: fixed VAPID key endpoint, added checkSubscription, proper subscription format
- UserSettings.tsx: added [ENABLE PUSH] toggle and [REGISTER PASSKEY] button
- LoginForm.tsx: added [SIGN IN WITH PASSKEY] button
Backend:
- cmd/server/main.go: added Swagger annotations, /docs/* route
- docs/: generated swagger.json, swagger.yaml, docs.go
- Makefile: added docs target for swag init
2026-06-28 18:53:05 -04:00