Fix 113 hardening issues across entire Go backend

Security:
- Replace all binding: tags with validate: + c.Validate() in admin handlers
- Add rate limiting to auth endpoints (login, register, password reset)
- Add security headers (HSTS, XSS protection, nosniff, frame options)
- Wire Google Pub/Sub token verification into webhook handler
- Replace ParseUnverified with proper OIDC/JWKS key verification
- Verify inner Apple JWS signatures in webhook handler
- Add io.LimitReader (1MB) to all webhook body reads
- Add ownership verification to file deletion
- Move hardcoded admin credentials to env vars
- Add uniqueIndex to User.Email
- Hide ConfirmationCode from JSON serialization
- Mask confirmation codes in admin responses
- Use http.DetectContentType for upload validation
- Fix path traversal in storage service
- Replace os.Getenv with Viper in stripe service
- Sanitize Redis URLs before logging
- Separate DEBUG_FIXED_CODES from DEBUG flag
- Reject weak SECRET_KEY in production
- Add host check on /_next/* proxy routes
- Use explicit localhost CORS origins in debug mode
- Replace err.Error() with generic messages in all admin error responses

Critical fixes:
- Rewrite FCM to HTTP v1 API with OAuth 2.0 service account auth
- Fix user_customuser -> auth_user table names in raw SQL
- Fix dashboard verified query to use UserProfile model
- Add escapeLikeWildcards() to prevent SQL wildcard injection

Bug fixes:
- Add bounds checks for days/expiring_soon query params (1-3650)
- Add receipt_data/transaction_id empty-check to RestoreSubscription
- Change Active bool -> *bool in device handler
- Check all unchecked GORM/FindByIDWithProfile errors
- Add validation for notification hour fields (0-23)
- Add max=10000 validation on task description updates

Transactions & data integrity:
- Wrap registration flow in transaction
- Wrap QuickComplete in transaction
- Move image creation inside completion transaction
- Wrap SetSpecialties in transaction
- Wrap GetOrCreateToken in transaction
- Wrap completion+image deletion in transaction

Performance:
- Batch completion summaries (2 queries vs 2N)
- Reuse single http.Client in IAP validation
- Cache dashboard counts (30s TTL)
- Batch COUNT queries in admin user list
- Add Limit(500) to document queries
- Add reminder_stage+due_date filters to reminder queries
- Parse AllowedTypes once at init
- In-memory user cache in auth middleware (30s TTL)
- Timezone change detection cache
- Optimize P95 with per-endpoint sorted buffers
- Replace crypto/md5 with hash/fnv for ETags

Code quality:
- Add sync.Once to all monitoring Stop()/Close() methods
- Replace 8 fmt.Printf with zerolog in auth service
- Log previously discarded errors
- Standardize delete response shapes
- Route hardcoded English through i18n
- Remove FileURL from DocumentResponse (keep MediaURL only)
- Thread user timezone through kanban board responses
- Initialize empty slices to prevent null JSON
- Extract shared field map for task Update/UpdateTx
- Delete unused SoftDeleteModel, min(), formatCron, legacy handlers

Worker & jobs:
- Wire Asynq email infrastructure into worker
- Register HandleReminderLogCleanup with daily 3AM cron
- Use per-user timezone in HandleSmartReminder
- Replace direct DB queries with repository calls
- Delete legacy reminder handlers (~200 lines)
- Delete unused task type constants

Dependencies:
- Replace archived jung-kurt/gofpdf with go-pdf/fpdf
- Replace unmaintained gomail.v2 with wneessen/go-mail
- Add TODO for Echo jwt v3 transitive dep removal

Test infrastructure:
- Fix MakeRequest/SeedLookupData error handling
- Replace os.Exit(0) with t.Skip() in scope/consistency tests
- Add 11 new FCM v1 tests

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/middleware/auth.go

@@ -25,19 +25,24 @@ const (
 	TokenCacheTTL = 5 * time.Minute
 	// TokenCachePrefix is the prefix for token cache keys
 	TokenCachePrefix = "auth_token_"
+	// UserCacheTTL is how long full user records are cached in memory to
+	// avoid hitting the database on every authenticated request.
+	UserCacheTTL = 30 * time.Second
 )
 
 // AuthMiddleware provides token authentication middleware
 type AuthMiddleware struct {
-	db    *gorm.DB
-	cache *services.CacheService
+	db        *gorm.DB
+	cache     *services.CacheService
+	userCache *UserCache
 }
 
 // NewAuthMiddleware creates a new auth middleware instance
 func NewAuthMiddleware(db *gorm.DB, cache *services.CacheService) *AuthMiddleware {
 	return &AuthMiddleware{
-		db:    db,
-		cache: cache,
+		db:        db,
+		cache:     cache,
+		userCache: NewUserCache(UserCacheTTL),
 	}
 }
 
@@ -138,7 +143,8 @@ func extractToken(c echo.Context) (string, error) {
 	return token, nil
 }
 
-// getUserFromCache tries to get user from Redis cache
+// getUserFromCache tries to get user from Redis cache, then from the
+// in-memory user cache, before falling back to the database.
 func (m *AuthMiddleware) getUserFromCache(ctx context.Context, token string) (*models.User, error) {
 	if m.cache == nil {
 		return nil, fmt.Errorf("cache not available")
@@ -152,10 +158,20 @@ func (m *AuthMiddleware) getUserFromCache(ctx context.Context, token string) (*m
 		return nil, err
 	}
 
-	// Get user from database by ID
+	// Try in-memory user cache first to avoid a DB round-trip
+	if cached := m.userCache.Get(userID); cached != nil {
+		if !cached.IsActive {
+			m.cache.InvalidateAuthToken(ctx, token)
+			m.userCache.Invalidate(userID)
+			return nil, fmt.Errorf("user is inactive")
+		}
+		return cached, nil
+	}
+
+	// In-memory cache miss — fetch from database
 	var user models.User
 	if err := m.db.First(&user, userID).Error; err != nil {
-		// User was deleted - invalidate cache
+		// User was deleted - invalidate caches
 		m.cache.InvalidateAuthToken(ctx, token)
 		return nil, err
 	}
@@ -166,10 +182,13 @@ func (m *AuthMiddleware) getUserFromCache(ctx context.Context, token string) (*m
 		return nil, fmt.Errorf("user is inactive")
 	}
 
+	// Store in in-memory cache for subsequent requests
+	m.userCache.Set(&user)
 	return &user, nil
 }
 
-// getUserFromDatabase looks up the token in the database
+// getUserFromDatabase looks up the token in the database and caches the
+// resulting user record in memory.
 func (m *AuthMiddleware) getUserFromDatabase(token string) (*models.User, error) {
 	var authToken models.AuthToken
 	if err := m.db.Preload("User").Where("key = ?", token).First(&authToken).Error; err != nil {
@@ -181,6 +200,8 @@ func (m *AuthMiddleware) getUserFromDatabase(token string) (*models.User, error)
 		return nil, fmt.Errorf("user is inactive")
 	}
 
+	// Store in in-memory cache for subsequent requests
+	m.userCache.Set(&authToken.User)
 	return &authToken.User, nil
 }
 
@@ -220,7 +241,11 @@ func GetAuthToken(c echo.Context) string {
 	if token == nil {
 		return ""
 	}
-	return token.(string)
+	tokenStr, ok := token.(string)
+	if !ok {
+		return ""
+	}
+	return tokenStr
 }
 
 // MustGetAuthUser retrieves the authenticated user or returns error with 401

internal/middleware/host_check.go

@@ -0,0 +1,40 @@
+package middleware
+
+import (
+	"net/http"
+
+	"github.com/labstack/echo/v4"
+
+	"github.com/treytartt/honeydue-api/internal/dto/responses"
+)
+
+// HostCheck returns middleware that validates the request Host header against
+// a set of allowed hosts. This prevents SSRF attacks where an attacker crafts
+// a request with an arbitrary Host header to reach internal services via the
+// reverse proxy.
+//
+// If allowedHosts is empty the middleware is a no-op (all hosts pass).
+func HostCheck(allowedHosts []string) echo.MiddlewareFunc {
+	allowed := make(map[string]struct{}, len(allowedHosts))
+	for _, h := range allowedHosts {
+		allowed[h] = struct{}{}
+	}
+
+	return func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(c echo.Context) error {
+			// If no allowed hosts configured, skip the check
+			if len(allowed) == 0 {
+				return next(c)
+			}
+
+			host := c.Request().Host
+			if _, ok := allowed[host]; !ok {
+				return c.JSON(http.StatusForbidden, responses.ErrorResponse{
+					Error: "Forbidden",
+				})
+			}
+
+			return next(c)
+		}
+	}
+}

internal/middleware/rate_limit.go

@@ -0,0 +1,68 @@
+package middleware
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/labstack/echo/v4"
+	"github.com/labstack/echo/v4/middleware"
+	"golang.org/x/time/rate"
+
+	"github.com/treytartt/honeydue-api/internal/dto/responses"
+)
+
+// AuthRateLimiter returns rate-limiting middleware tuned for authentication
+// endpoints. It uses Echo's built-in in-memory rate limiter keyed by client
+// IP address.
+//
+// Parameters:
+//   - ratePerSecond: sustained request rate (e.g., 10/60.0 for ~10 per minute)
+//   - burst: maximum burst size above the sustained rate
+func AuthRateLimiter(ratePerSecond rate.Limit, burst int) echo.MiddlewareFunc {
+	store := middleware.NewRateLimiterMemoryStoreWithConfig(
+		middleware.RateLimiterMemoryStoreConfig{
+			Rate:      ratePerSecond,
+			Burst:     burst,
+			ExpiresIn: 5 * time.Minute,
+		},
+	)
+
+	return middleware.RateLimiterWithConfig(middleware.RateLimiterConfig{
+		Skipper: middleware.DefaultSkipper,
+		IdentifierExtractor: func(c echo.Context) (string, error) {
+			return c.RealIP(), nil
+		},
+		Store: store,
+		DenyHandler: func(c echo.Context, _ string, _ error) error {
+			return c.JSON(http.StatusTooManyRequests, responses.ErrorResponse{
+				Error: "Too many requests. Please try again later.",
+			})
+		},
+		ErrorHandler: func(c echo.Context, err error) error {
+			return c.JSON(http.StatusForbidden, responses.ErrorResponse{
+				Error: "Unable to process request.",
+			})
+		},
+	})
+}
+
+// LoginRateLimiter returns rate-limiting middleware for login endpoints.
+// Allows 10 requests per minute with a burst of 5.
+func LoginRateLimiter() echo.MiddlewareFunc {
+	// 10 requests per 60 seconds = ~0.167 req/s, burst 5
+	return AuthRateLimiter(rate.Limit(10.0/60.0), 5)
+}
+
+// RegistrationRateLimiter returns rate-limiting middleware for registration
+// endpoints. Allows 5 requests per minute with a burst of 3.
+func RegistrationRateLimiter() echo.MiddlewareFunc {
+	// 5 requests per 60 seconds = ~0.083 req/s, burst 3
+	return AuthRateLimiter(rate.Limit(5.0/60.0), 3)
+}
+
+// PasswordResetRateLimiter returns rate-limiting middleware for password
+// reset endpoints. Allows 3 requests per minute with a burst of 2.
+func PasswordResetRateLimiter() echo.MiddlewareFunc {
+	// 3 requests per 60 seconds = 0.05 req/s, burst 2
+	return AuthRateLimiter(rate.Limit(3.0/60.0), 2)
+}

internal/middleware/timezone.go

@@ -7,14 +7,25 @@ import (
 )
 
 const (
-	// TimezoneKey is the key used to store the user's timezone in the context
+	// TimezoneKey is the key used to store the user's timezone *time.Location in the context
 	TimezoneKey = "user_timezone"
+	// TimezoneNameKey stores the raw IANA timezone string from the request header
+	TimezoneNameKey = "user_timezone_name"
+	// TimezoneChangedKey is a bool context key indicating whether the timezone
+	// differs from the previously cached value for this user. Handlers should
+	// only persist the timezone to DB when this is true.
+	TimezoneChangedKey = "timezone_changed"
 	// UserNowKey is the key used to store the timezone-aware "now" time in the context
 	UserNowKey = "user_now"
 	// TimezoneHeader is the HTTP header name for the user's timezone
 	TimezoneHeader = "X-Timezone"
 )
 
+// package-level timezone cache shared across requests. It is safe for
+// concurrent use and has no TTL — entries are only updated when a new
+// timezone value is observed for a given user.
+var tzCache = NewTimezoneCache()
+
 // TimezoneMiddleware extracts the user's timezone from the request header
 // and stores a timezone-aware "now" time in the context.
 //
@@ -22,14 +33,31 @@ const (
 // or a UTC offset (e.g., "-08:00", "+05:30").
 //
 // If no timezone is provided or it's invalid, UTC is used as the default.
+//
+// The middleware also compares the incoming timezone with a cached value per
+// user and sets TimezoneChangedKey in the context so downstream handlers
+// know whether a DB write is needed.
 func TimezoneMiddleware() echo.MiddlewareFunc {
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
 			tzName := c.Request().Header.Get(TimezoneHeader)
 			loc := parseTimezone(tzName)
 
-			// Store the location and the current time in that timezone
+			// Store the location and the raw name in the context
 			c.Set(TimezoneKey, loc)
+			c.Set(TimezoneNameKey, tzName)
+
+			// Determine whether the timezone changed for this user so handlers
+			// can skip unnecessary DB writes.
+			changed := false
+			if tzName != "" {
+				if user := GetAuthUser(c); user != nil {
+					if !tzCache.GetAndCompare(user.ID, tzName) {
+						changed = true
+					}
+				}
+			}
+			c.Set(TimezoneChangedKey, changed)
 
 			// Calculate "now" in the user's timezone, then get start of day
 			// For date comparisons, we want to compare against the START of the user's current day
@@ -42,6 +70,20 @@ func TimezoneMiddleware() echo.MiddlewareFunc {
 	}
 }
 
+// IsTimezoneChanged returns true when the user's timezone header differs from
+// the previously observed value. Handlers should only persist the timezone to
+// DB when this returns true.
+func IsTimezoneChanged(c echo.Context) bool {
+	val, ok := c.Get(TimezoneChangedKey).(bool)
+	return ok && val
+}
+
+// GetTimezoneName returns the raw timezone string from the request header.
+func GetTimezoneName(c echo.Context) string {
+	val, _ := c.Get(TimezoneNameKey).(string)
+	return val
+}
+
 // parseTimezone parses a timezone string and returns a *time.Location.
 // Supports IANA timezone names (e.g., "America/Los_Angeles") and
 // UTC offsets (e.g., "-08:00", "+05:30").

internal/middleware/user_cache.go

@@ -0,0 +1,113 @@
+package middleware
+
+import (
+	"sync"
+	"time"
+
+	"github.com/treytartt/honeydue-api/internal/models"
+)
+
+// userCacheEntry holds a cached user record with an expiration time.
+type userCacheEntry struct {
+	user      *models.User
+	expiresAt time.Time
+}
+
+// UserCache is a concurrency-safe in-memory cache for User records, keyed by
+// user ID. Entries expire after a configurable TTL. The cache uses a sync.Map
+// for lock-free reads on the hot path, with periodic lazy eviction of stale
+// entries during Set operations.
+type UserCache struct {
+	store   sync.Map
+	ttl     time.Duration
+	lastGC  time.Time
+	gcMu    sync.Mutex
+	gcEvery time.Duration
+}
+
+// NewUserCache creates a UserCache with the given TTL for entries.
+func NewUserCache(ttl time.Duration) *UserCache {
+	return &UserCache{
+		ttl:     ttl,
+		lastGC:  time.Now(),
+		gcEvery: 2 * time.Minute,
+	}
+}
+
+// Get returns a cached user by ID, or nil if not found or expired.
+func (c *UserCache) Get(userID uint) *models.User {
+	val, ok := c.store.Load(userID)
+	if !ok {
+		return nil
+	}
+	entry := val.(*userCacheEntry)
+	if time.Now().After(entry.expiresAt) {
+		c.store.Delete(userID)
+		return nil
+	}
+	// Return a shallow copy so callers cannot mutate the cached value.
+	user := *entry.user
+	return &user
+}
+
+// Set stores a user in the cache. It also triggers a background garbage-
+// collection sweep if enough time has elapsed since the last one.
+func (c *UserCache) Set(user *models.User) {
+	// Store a copy to prevent external mutation of the cached object.
+	copied := *user
+	c.store.Store(user.ID, &userCacheEntry{
+		user:      &copied,
+		expiresAt: time.Now().Add(c.ttl),
+	})
+	c.maybeGC()
+}
+
+// Invalidate removes a user from the cache by ID.
+func (c *UserCache) Invalidate(userID uint) {
+	c.store.Delete(userID)
+}
+
+// maybeGC lazily sweeps expired entries at most once per gcEvery interval.
+func (c *UserCache) maybeGC() {
+	c.gcMu.Lock()
+	if time.Since(c.lastGC) < c.gcEvery {
+		c.gcMu.Unlock()
+		return
+	}
+	c.lastGC = time.Now()
+	c.gcMu.Unlock()
+
+	now := time.Now()
+	c.store.Range(func(key, value any) bool {
+		entry := value.(*userCacheEntry)
+		if now.After(entry.expiresAt) {
+			c.store.Delete(key)
+		}
+		return true
+	})
+}
+
+// TimezoneCache tracks the last-known timezone per user ID so the timezone
+// middleware only writes to the database when the value actually changes.
+type TimezoneCache struct {
+	store sync.Map
+}
+
+// NewTimezoneCache creates a new TimezoneCache.
+func NewTimezoneCache() *TimezoneCache {
+	return &TimezoneCache{}
+}
+
+// GetAndCompare returns true if the cached timezone for the user matches tz.
+// If the timezone is different (or not yet cached), it updates the cache and
+// returns false, signaling that a DB write is needed.
+func (tc *TimezoneCache) GetAndCompare(userID uint, tz string) (unchanged bool) {
+	val, loaded := tc.store.Load(userID)
+	if loaded {
+		if cached, ok := val.(string); ok && cached == tz {
+			return true
+		}
+	}
+	tc.store.Store(userID, tz)
+	return false
+}