# dumpsterChat Codebase Audit Report This document contains a comprehensive audit of the dumpsterChat repository, highlighting security vulnerabilities, functional bugs, dead code, and maintenance issues. --- ## 1. Security Vulnerabilities & Bypasses ### ๐Ÿšจ Plaintext Webhook Tokens Stored in Database (Task 8 Regression/Incomplete) โœ… RESOLVED * **Location:** [internal/db/db.go](file:///opt/dumpsterChat/internal/db/db.go#L171-L191), [internal/webhook/handlers.go](file:///opt/dumpsterChat/internal/webhook/handlers.go#L145-L151) * **Fix:** DROP COLUMN migration added, INSERT no longer stores plaintext `token`. ### ๐Ÿšจ Message and Channel Access Bypasses Role Permissions & Overrides * **Location:** [internal/message/handlers.go](file:///opt/dumpsterChat/internal/message/handlers.go#L671-L692), [internal/channel/handlers.go](file:///opt/dumpsterChat/internal/channel/handlers.go#L165-L187) * **Description:** Access to channel reading, message listing, and message posting is checked solely via server membership (`members` table). Role permissions (like `VIEW_CHANNEL` or `SEND_MESSAGES`) and channel-level overrides (`channel_overrides` table) are completely ignored. * **Impact:** Any user who is a member of a server can read, search, and post messages in *any* channel on that server (including private, forum, calendar, or documentation channels), completely bypassing the permissions configuration system. * **Remediation:** Update `requireChannelAccess` in `message.Handler` to use `permissions.Checker` to verify channel permission overrides and server roles. ### โš ๏ธ WebAuthn Session Cookie SameSite Laxity โœ… RESOLVED * **Location:** [internal/auth/cookie.go](file:///opt/dumpsterChat/internal/auth/cookie.go#L20) * **Fix:** Changed to `http.SameSiteStrictMode`. ### โš ๏ธ WebAuthn Session Cookie Secure Flag Relies on Env Var โœ… RESOLVED * **Location:** [internal/auth/cookie.go](file:///opt/dumpsterChat/internal/auth/cookie.go#L12-L19) * **Fix:** Default `secure` to `true` unless `COOKIE_SECURE=false` explicitly set. --- ## 2. Functional Bugs & Defects ### ๐Ÿ› User Avatar Cannot Be Changed โœ… RESOLVED * **Location:** [internal/auth/handlers.go](file:///opt/dumpsterChat/internal/auth/handlers.go#L212-L225) * **Fix:** Added `AvatarURL` to `updateProfileRequest`, wired into SQL UPDATE for `avatar` column. ### ๐Ÿ› TUI Client Auth Failure Fallback Bug โœ… RESOLVED * **Location:** [cmd/tui/auth.go](file:///opt/dumpsterChat/cmd/tui/auth.go#L28) * **Fix:** Fallback reads into password variable instead of overwriting email. --- ## 3. Dead Code ### ๐Ÿ—‘๏ธ Unused `ComputeChannelPermissions` โœ… RESOLVED * **Location:** [internal/permissions/overrides.go](file:///opt/dumpsterChat/internal/permissions/overrides.go#L10) * **Fix:** Removed the unused function. ### ๐Ÿ—‘๏ธ Duplicated Permission Verification * **Location:** [internal/message/handlers.go](file:///opt/dumpsterChat/internal/message/handlers.go#L136-L164) * **Description:** The `checkPermission` method in `message.Handler` duplicates role checking queries instead of using the `permissions.Checker` struct. ### ๐Ÿ—‘๏ธ Obsolete Handler Type โœ… RESOLVED * **Location:** [internal/message/handlers.go](file:///opt/dumpsterChat/internal/message/handlers.go#L31-L35) * **Fix:** Removed `Handler_old`. --- ## 4. Maintenance & Infrastructure ### ๐Ÿงช No Tests * **Description:** There are zero unit or integration tests in the Go backend or React frontend (`go test ./...` runs but finds no test files). * **Remediation:** Introduce tests for critical components such as permissions checking, message parsing, and session stores. ### ๐Ÿ”‘ Hardcoded Valkey Password Placeholder โœ… RESOLVED * **Location:** [internal/config/config.go](file:///opt/dumpsterChat/internal/config/config.go#L111) * **Fix:** Default fallback set to `redis://localhost:6379`.