# dumpsterChat Codebase Audit Report This document contains a comprehensive audit of the dumpsterChat repository, highlighting security vulnerabilities, functional bugs, dead code, and maintenance issues. --- ## 1. Security Vulnerabilities & Bypasses ### ๐Ÿšจ Plaintext Webhook Tokens Stored in Database โœ… RESOLVED * **Location:** [internal/db/db.go](file:///opt/dumpsterChat/internal/db/db.go#L189), [internal/webhook/handlers.go](file:///opt/dumpsterChat/internal/webhook/handlers.go#L143-L151) * **Fix:** Plaintext token column has been dropped via DDL migration (`ALTER TABLE webhooks DROP COLUMN IF EXISTS token;`), and webhook creation no longer stores plaintext tokens in the database. ### ๐Ÿšจ Message and Channel Access Bypasses Role Permissions & Overrides โœ… RESOLVED * **Location:** [internal/message/handlers.go](file:///opt/dumpsterChat/internal/message/handlers.go), [internal/channel/handlers.go](file:///opt/dumpsterChat/internal/channel/handlers.go) * **Fix:** Added `CheckChannelPermission` method to `permissions.Checker` that layers channel overrides on top of role permissions. Updated `requireChannelAccess` to accept a required permission bitmap โ€” message Create checks `SEND_MESSAGES`, List/Search check `VIEW_CHANNEL`, BulkDelete uses `CheckPermission` for `MANAGE_MESSAGES`. Channel handler List now filters out channels the user cannot view. ### โš ๏ธ WebAuthn Session Cookie SameSite Laxity โœ… RESOLVED * **Location:** [internal/auth/cookie.go](file:///opt/dumpsterChat/internal/auth/cookie.go#L17) * **Fix:** Changed SameSite configuration to `http.SameSiteStrictMode`. ### โš ๏ธ WebAuthn Session Cookie Secure Flag Relies on Env Var โœ… RESOLVED * **Location:** [internal/auth/cookie.go](file:///opt/dumpsterChat/internal/auth/cookie.go#L12) * **Fix:** Default `secure` is now set to `true` unless `COOKIE_SECURE=false` is explicitly set in environment variables. --- ## 2. Functional Bugs & Defects ### ๐Ÿ› User Avatar Cannot Be Changed โœ… RESOLVED * **Location:** [internal/auth/handlers.go](file:///opt/dumpsterChat/internal/auth/handlers.go#L210-L220), [web/src/components/UserSettings.tsx](file:///opt/dumpsterChat/web/src/components/UserSettings.tsx) * **Fix:** Backend accepts `avatar_url` in PATCH profile. Frontend upload now parses the returned URL and calls `updateProfile` to save it. `UpdateProfilePayload` type also gained the `avatar_url` field. ### ๐Ÿ› TUI Client Auth Failure Fallback Bug โœ… RESOLVED * **Location:** [cmd/tui/auth.go](file:///opt/dumpsterChat/cmd/tui/auth.go#L21-L36) * **Fix:** Correctly handles password input via fallback `pwLine` scanner without overwriting the user's email address. --- ## 3. Dead Code ### ๐Ÿ—‘๏ธ Unused `ComputeChannelPermissions` โœ… RESOLVED * **Location:** [internal/permissions/overrides.go](file:///opt/dumpsterChat/internal/permissions/overrides.go) * **Fix:** Unused function removed from the package. ### ๐Ÿ—‘๏ธ Duplicated Permission Verification โœ… RESOLVED * **Location:** [internal/message/handlers.go](file:///opt/dumpsterChat/internal/message/handlers.go) * **Fix:** Removed the dead `checkPermission` method. Callers now use the `Checker` from the `permissions` package and its new `CheckChannelPermission` method. ### ๐Ÿ—‘๏ธ Obsolete Handler Type โœ… RESOLVED * **Location:** [internal/message/handlers.go](file:///opt/dumpsterChat/internal/message/handlers.go) * **Fix:** Removed obsolete `Handler_old` struct definition. --- ## 4. Maintenance & Infrastructure ### ๐Ÿงช No Tests * **Description:** There are zero unit or integration tests in the Go backend or React frontend (`go test ./...` runs but finds no test files). * **Remediation:** Introduce tests for critical components such as permissions checking, message parsing, and session stores. ### ๐Ÿ”‘ Hardcoded Valkey Password Placeholder โœ… RESOLVED * **Location:** [internal/config/config.go](file:///opt/dumpsterChat/internal/config/config.go#L111) * **Fix:** Default fallback URL set to `redis://localhost:6379`.