3
Phase 6
hobokenchicken edited this page 2026-06-28 19:20:43 -04:00

Phase 6: Security, Permissions & Polish

Phase 6 adds roles & permissions, push notifications, WebAuthn passkeys, and REST API documentation.

Features Implemented

Roles & Permissions

Feature Status Description
Permission bitflags 11 permissions from VIEW_CHANNEL to SHARE_SCREEN
Permission checker Aggregates permissions from all user roles
Permission middleware RequirePermission middleware for route protection
Role CRUD Create, list, update, delete roles per server
Member role assignment Assign/remove roles from members
Default @everyone role Seeded on server creation with basic permissions
Frontend role manager Role CRUD UI with permission checkboxes
Member role assign UI to assign roles to members

Push Notifications

Feature Status Description
VAPID key support Backend ready for VAPID keys
Push subscription CRUD Subscribe/unsubscribe endpoints
Push sender SendPush function for mentioned users
Push subscription table DB storage for push subscriptions
Frontend push store Subscribe/unsubscribe with VAPID key fetch
Settings UI toggle [ENABLE PUSH] / [DISABLE PUSH] in UserSettings
Service worker Handles push events and notification clicks
Mention parsing Parses @user, @everyone, @role and dispatches push

WebAuthn Passkeys

Feature Status Description
Backend complete Full registration and login begin/finish flow
Credential storage webauthn_credentials table
Challenge store In-memory challenge store with eviction
Frontend register [REGISTER PASSKEY] button in UserSettings
Frontend login [SIGN IN WITH PASSKEY] button on LoginForm

REST API Documentation

Feature Status Description
Swagger annotations Full @Summary/@Router/@Param/@Success/@Security on all handlers
Swagger UI Served at /docs endpoint
Generated spec docs/swagger.json, docs/swagger.yaml with all endpoints
Makefile target make docs to regenerate

API Endpoints

Roles

# Create role
POST /api/v1/servers/{serverID}/roles
{ "name": "Moderator", "color": "#fe8019", "permissions": 76, "position": 1 }

# List roles
GET /api/v1/servers/{serverID}/roles

# Update role
PATCH /api/v1/servers/{serverID}/roles/{roleID}

# Delete role
DELETE /api/v1/servers/{serverID}/roles/{roleID}

# Assign roles to member
PUT /api/v1/servers/{serverID}/members/{userID}/roles
{ "role_ids": ["uuid1", "uuid2"] }

Push

# Get VAPID public key
GET /api/v1/push/vapid-public-key

# Subscribe to push
POST /api/v1/push/subscribe
{ "endpoint": "...", "p256dh": "...", "auth": "..." }

# Unsubscribe
POST /api/v1/push/unsubscribe
{ "endpoint": "..." }

WebAuthn

# Begin passkey registration
POST /api/v1/auth/webauthn/register/begin

# Finish passkey registration
POST /api/v1/auth/webauthn/register/finish

# Begin passkey login
POST /api/v1/auth/webauthn/login/begin

# Finish passkey login
POST /api/v1/auth/webauthn/login/finish

Swagger UI

Access the interactive API documentation at:

http://localhost:8080/docs

Permission Constants

Permission Bit Value
VIEW_CHANNEL 0 1
SEND_MESSAGES 1 2
MANAGE_MESSAGES 2 4
KICK_MEMBERS 3 8
BAN_MEMBERS 4 16
MANAGE_SERVER 5 32
MANAGE_CHANNELS 6 64
ADMINISTRATOR 7 128
CONNECT_VOICE 8 256
SPEAK_VOICE 9 512
SHARE_SCREEN 10 1024