Files
dumpsterChat/ISSUES.md
T

4.5 KiB

dumpsterChat Codebase Audit Report

This document contains a comprehensive audit of the dumpsterChat repository, highlighting security vulnerabilities, functional bugs, dead code, and maintenance issues.


1. Security Vulnerabilities & Bypasses

🚨 Plaintext Webhook Tokens Stored in Database RESOLVED

  • Location: internal/db/db.go, internal/webhook/handlers.go
  • Fix: Plaintext token column has been dropped via DDL migration (ALTER TABLE webhooks DROP COLUMN IF EXISTS token;), and webhook creation no longer stores plaintext tokens in the database.

🚨 Message and Channel Access Bypasses Role Permissions & Overrides

  • Location: internal/message/handlers.go, internal/channel/handlers.go
  • Description: Access to channel reading, message listing, and message posting is checked solely via server membership (members table). Role permissions (like VIEW_CHANNEL or SEND_MESSAGES) and channel-level overrides (channel_overrides table) are completely ignored.
  • Impact: Any user who is a member of a server can read, search, and post messages in any channel on that server (including private, forum, calendar, or documentation channels), completely bypassing the permissions configuration system.
  • Remediation: Update requireChannelAccess in message.Handler to use permissions.Checker to verify channel permission overrides and server roles.
  • Location: internal/auth/cookie.go
  • Fix: Default secure is now set to true unless COOKIE_SECURE=false is explicitly set in environment variables.

2. Functional Bugs & Defects

🐛 User Avatar Cannot Be Changed (Backend fixed, Frontend still broken) ⚠️ PARTIALLY RESOLVED

  • Location: internal/auth/handlers.go, web/src/components/UserSettings.tsx
  • Status: The backend has been successfully updated to accept AvatarURL in the PATCH request. However, the frontend avatar upload code is still broken: it uploads the file to /api/v1/upload but does not parse the response URL, nor does it call the profile update endpoint to save the returned URL.
  • Remediation: Update handleAvatarUpload in UserSettings.tsx to read the returned JSON URL and send a PATCH request via updateProfile containing the avatar_url.

🐛 TUI Client Auth Failure Fallback Bug RESOLVED

  • Location: cmd/tui/auth.go
  • Fix: Correctly handles password input via fallback pwLine scanner without overwriting the user's email address.

3. Dead Code

🗑️ Unused ComputeChannelPermissions RESOLVED

🗑️ Duplicated Permission Verification

  • Location: internal/message/handlers.go
  • Description: The checkPermission method in message.Handler duplicates role checking queries instead of using the permissions.Checker struct.

🗑️ Obsolete Handler Type RESOLVED


4. Maintenance & Infrastructure

🧪 No Tests

  • Description: There are zero unit or integration tests in the Go backend or React frontend (go test ./... runs but finds no test files).
  • Remediation: Introduce tests for critical components such as permissions checking, message parsing, and session stores.

🔑 Hardcoded Valkey Password Placeholder RESOLVED