18 Commits

Author SHA1 Message Date
hobokenchicken 10a702f732 fix: server owner can now update channel settings
Channel Update handler required MANAGE_CHANNELS role permission.
Server owner was getting 'forbidden' because their roles didn't
include that bit. Added owner bypass (same pattern as Delete).
2026-07-02 09:15:18 -04:00
hobokenchicken 17c09edc4f fix: channel PATCH was nulling group_id on name-only updates
group_id =  without COALESCE wrote NULL when only name was sent,
orphaning the channel from its group.
2026-07-02 08:30:09 -04:00
root f4437c5e1d feat: add SMTP email support and fix profile/permissions bugs 2026-06-30 19:29:08 +00:00
hobokenchicken 215f931311 fix: wire permission checks into message/channel handlers
- Add CheckChannelPermission to permissions.Checker (layers channel overrides on top of role permissions)
- Refactor requireChannelAccess to accept required permission bitmap
- Message Create checks SEND_MESSAGES; List/Search check VIEW_CHANNEL
- BulkDelete uses Checker.CheckPermission for MANAGE_MESSAGES
- Channel handler List filters out channels user cannot view
- Remove dead checkPermission method from message handler
- Fix frontend avatar upload: parse response URL, call updateProfile
2026-06-30 13:47:08 -04:00
hobokenchicken d663638387 feat(phase8.1): server groups — table, CRUD handler, collapsible channel sections 2026-06-30 12:50:53 -04:00
hobokenchicken 74d2153ffa feat(phase5): list channels - todo/in_progress/done columns, CRUD 2026-06-30 11:26:15 -04:00
hobokenchicken dbebc1f381 feat(phase5): docs channels - CRUD, wiki sidebar, markdown editor 2026-06-30 11:19:32 -04:00
hobokenchicken e65ce54e36 feat(phase5): calendar channels - events, RSVPs, calendar view 2026-06-30 11:15:40 -04:00
hobokenchicken 368172e3d6 feat(phase3): forum channels + tags + card UI 2026-06-30 10:44:52 -04:00
hobokenchicken f3f03df710 feat(phase3): threads backend + thread panel UI 2026-06-30 10:36:18 -04:00
hobokenchicken bd260183ef feat(phase2): channel permission overrides + expanded role UI + audit log cleanup 2026-06-30 10:28:03 -04:00
hobokenchicken 30e159cbdb sync: phase 1 backend + frontend from server 2026-06-30 09:26:03 -04:00
hobokenchicken a7da8104d7 fix: channel List reads serverID from URL param, not query string 2026-06-29 14:11:33 -04:00
hobokenchicken de465c6527 fix: read serverID from URL param instead of body in channel create
The channel Create handler was expecting server_id in the JSON body,
but the frontend sends it in the URL path (/servers/{serverID}/channels).
Now reads serverID from chi.URLParam and only requires name in the body.
2026-06-29 13:35:50 -04:00
hobokenchicken 130187c7be security: remediate all P0-P2 audit findings (12 tasks)
P0 fixes:
- WebSocket origin checking (reject untrusted origins)
- WS session token moved from URL query param to first message frame
- WebAuthn login cookie now uses Secure flag via shared SetSessionCookie
- PostgreSQL sslmode configurable via POSTGRES_SSLMODE env (default: require)
- Fixed DatabaseDSN to use real password instead of masked placeholder

P1 fixes:
- Per-IP rate limiting middleware (auth: 5 req/s, invites: 2 req/s)
- Security headers on all responses (CSP, X-Frame-Options, nosniff, etc.)
- WS broadcasts scoped to server members (prevents cross-server data leak)
- Webhook tokens stored as SHA-256 hashes (not plaintext)

P2 fixes:
- CSRF protection via Origin header validation on state-changing requests
- MANAGE_CHANNELS permission enforced on channel update/delete
- Upload validation: 25MB limit, extension allowlist, server-side MIME check
- File serve: path traversal protection + Content-Disposition: attachment

Files: 23 changed, +499/-100. Builds clean (go build, go vet, npm build).
Zero CVEs (govulncheck, npm audit).
2026-06-29 09:30:50 -04:00
hobokenchicken 72ca99b58d Add swaggo annotations to all handlers and regenerate full Swagger docs
- Added @Summary/@Router/@Param/@Success/@Security annotations to all API handlers
- Regenerated docs/swagger.json, docs/swagger.yaml, docs/docs.go with full endpoint definitions
- Fixed generated docs.go to remove unsupported LeftDelim/RightDelim fields
2026-06-28 19:16:42 -04:00
hobokenchicken e69553af02 Profiles, Giphy, uploads, settings UI
Backend:
- Auth: split routes into RegisterPublicRoutes + RegisterProtectedRoutes
- Auth: PATCH /me for profile updates (display_name, bio, accent_color, status_text)
- Auth: Gravatar fallback for avatars on register
- DB: users table now has bio, accent_color, status_text columns
- giphy/client.go: Search() and GetTrending() against Giphy API
- upload/handlers.go: MinIO file upload + serve
- config: added GiphyConfig and MinIO config
- cmd/server: wired giphy (/gifs/search, /gifs/trending), upload (/upload), files (/files/*) routes

Frontend:
- auth store: updated User interface with new profile fields, added updateProfile()
- UserSettings.tsx: terminal-styled profile editor (display_name, bio, accent_color, status_text, avatar upload)
- GiphyPicker.tsx: terminal-styled GIF picker with search + trending
- ChatArea.tsx: integrated [GIF] button into message input
- App.tsx: imports UserSettings, added /settings route
2026-06-28 16:06:08 -04:00
hobokenchicken bb5a56816b Phase 1 MVP: gateway, CRUD handlers, frontend components
Backend:
- WebSocket gateway (hub, client, events) with fanout broadcast
- Server CRUD handlers (create, list, get, update, delete)
- Channel CRUD handlers (create, list, get, update, delete)
- Message CRUD handlers (list with cursor pagination, create, update, delete)
- cmd/migrate standalone migration CLI (up/down)
- cmd/server wired to all handlers + WebSocket + static file serving

Frontend:
- Zustand stores: auth, server, channel, message, websocket
- API client with fetch wrapper
- Terminal-styled components: Layout, LoginForm, ChatArea, ChannelList, ServerBar, MemberList
- React Router with login and main routes
- Gruvbox dark palette throughout

Ops:
- Docker Compose with app service (multi-stage build)
- Caddyfile with WebSocket upgrade support
- Makefile for common tasks
2026-06-26 14:47:29 -04:00