130187c7be
P0 fixes: - WebSocket origin checking (reject untrusted origins) - WS session token moved from URL query param to first message frame - WebAuthn login cookie now uses Secure flag via shared SetSessionCookie - PostgreSQL sslmode configurable via POSTGRES_SSLMODE env (default: require) - Fixed DatabaseDSN to use real password instead of masked placeholder P1 fixes: - Per-IP rate limiting middleware (auth: 5 req/s, invites: 2 req/s) - Security headers on all responses (CSP, X-Frame-Options, nosniff, etc.) - WS broadcasts scoped to server members (prevents cross-server data leak) - Webhook tokens stored as SHA-256 hashes (not plaintext) P2 fixes: - CSRF protection via Origin header validation on state-changing requests - MANAGE_CHANNELS permission enforced on channel update/delete - Upload validation: 25MB limit, extension allowlist, server-side MIME check - File serve: path traversal protection + Content-Disposition: attachment Files: 23 changed, +499/-100. Builds clean (go build, go vet, npm build). Zero CVEs (govulncheck, npm audit).
126 lines
2.6 KiB
Go
126 lines
2.6 KiB
Go
package config
|
|
|
|
import (
|
|
"os"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
)
|
|
|
|
type Config struct {
|
|
Host string
|
|
Port string
|
|
Database DatabaseConfig
|
|
Valkey ValkeyConfig
|
|
MinIO MinIOConfig
|
|
LiveKit LiveKitConfig
|
|
WebPush WebPushConfig
|
|
Session SessionConfig
|
|
Giphy GiphyConfig
|
|
}
|
|
|
|
type DatabaseConfig struct {
|
|
Host string
|
|
Port string
|
|
User string
|
|
Password string
|
|
Database string
|
|
SSLMode string
|
|
}
|
|
|
|
type ValkeyConfig struct {
|
|
URL string
|
|
}
|
|
|
|
type MinIOConfig struct {
|
|
Endpoint string
|
|
AccessKey string
|
|
SecretKey string
|
|
Bucket string
|
|
UseSSL bool
|
|
}
|
|
|
|
type LiveKitConfig struct {
|
|
URL string
|
|
APIKey string
|
|
Secret string
|
|
}
|
|
|
|
type WebPushConfig struct {
|
|
PublicKey string
|
|
PrivateKey string
|
|
Subject string
|
|
}
|
|
|
|
type GiphyConfig struct {
|
|
APIKey string
|
|
}
|
|
|
|
type SessionConfig struct {
|
|
CookieName string
|
|
Duration time.Duration
|
|
}
|
|
|
|
func Load() *Config {
|
|
return &Config{
|
|
Host: getEnv("DUMPSTER_HOST", "localhost"),
|
|
Port: getEnv("DUMPSTER_PORT", "8080"),
|
|
Database: DatabaseConfig{
|
|
Host: getEnv("POSTGRES_HOST", "localhost"),
|
|
Port: getEnv("POSTGRES_PORT", "5432"),
|
|
User: getEnv("POSTGRES_USER", "dumpster"),
|
|
Password: getEnv("POSTGRES_PASSWORD", "dumpster"),
|
|
Database: getEnv("POSTGRES_DB", "dumpster"),
|
|
SSLMode: getEnv("POSTGRES_SSLMODE", "require"),
|
|
},
|
|
Valkey: ValkeyConfig{
|
|
URL: getEnv("VALKEY_URL", "redis://localhost:***@example.com"),
|
|
},
|
|
MinIO: MinIOConfig{
|
|
Endpoint: getEnv("MINIO_ENDPOINT", ""),
|
|
AccessKey: getEnv("MINIO_ACCESS_KEY", ""),
|
|
SecretKey: getEnv("MINIO_SECRET_KEY", ""),
|
|
Bucket: getEnv("MINIO_BUCKET", "dumpster-files"),
|
|
UseSSL: getBool("MINIO_USE_SSL", false),
|
|
},
|
|
Session: SessionConfig{
|
|
CookieName: getEnv("DUMPSTER_SESSION_COOKIE", "dumpster_session"),
|
|
Duration: time.Duration(getInt("DUMPSTER_SESSION_DAYS", 30)) * 24 * time.Hour,
|
|
},
|
|
Giphy: GiphyConfig{
|
|
APIKey: getEnv("GIPHY_API_KEY", ""),
|
|
},
|
|
}
|
|
}
|
|
|
|
func (c *Config) DatabaseDSN() string {
|
|
return "postgres://" + c.Database.User + ":" + c.Database.Password + "@" + c.Database.Host + ":" + c.Database.Port + "/" + c.Database.Database + "?sslmode=" + c.Database.SSLMode
|
|
}
|
|
|
|
func getEnv(key, fallback string) string {
|
|
if v := os.Getenv(key); v != "" {
|
|
return strings.TrimSpace(v)
|
|
}
|
|
return fallback
|
|
}
|
|
|
|
func getBool(key string, fallback bool) bool {
|
|
s := strings.ToLower(getEnv(key, ""))
|
|
if s == "" {
|
|
return fallback
|
|
}
|
|
return s == "true" || s == "1" || s == "yes"
|
|
}
|
|
|
|
func getInt(key string, fallback int) int {
|
|
s := getEnv(key, "")
|
|
if s == "" {
|
|
return fallback
|
|
}
|
|
n, err := strconv.Atoi(s)
|
|
if err != nil {
|
|
return fallback
|
|
}
|
|
return n
|
|
}
|