Rebrand from Casera/MyCrib to honeyDue

Total rebrand across all Go API source files:
- Go module path: casera-api -> honeydue-api
- All imports updated (130+ files)
- Docker: containers, images, networks renamed
- Email templates: support email, noreply, icon URL
- Domains: casera.app/mycrib.treytartt.com -> honeyDue.treytartt.com
- Bundle IDs: com.tt.casera -> com.tt.honeyDue
- IAP product IDs updated
- Landing page, admin panel, config defaults
- Seeds, CI workflows, Makefile, docs
- Database table names preserved (no migration needed)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Trey t
2026-03-07 06:33:38 -06:00
parent 793e50ce52
commit 4976eafc6c
189 changed files with 831 additions and 831 deletions

@@ -1,7 +1,7 @@
# MyCrib Go Backend — Deep Audit Findings
# HoneyDue Go Backend — Deep Audit Findings
**Date**: 2026-03-01
**Scope**: All non-test `.go` files under `myCribAPI-go/`
**Scope**: All non-test `.go` files under `honeyDueAPI-go/`
**Agents**: 9 parallel audit agents covering security, authorization, data integrity, concurrency, performance, error handling, architecture compliance, API contracts, and cross-cutting logic
---
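
Review bot: The new heading spells the brand "HoneyDue" while the commit subject and the domain and bundle ID entries in the commit message use "honeyDue"; pick one casing for prose and apply it here. The Scope line is also rewritten to `honeyDueAPI-go/` in an audit dated 2026-03-01, which is before this rebrand commit of 2026-03-07, so the record no longer names the tree as it was called when audited. Consider keeping the original path with a "renamed to" remark.
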
@@ -42,7 +42,7 @@
### SEC-04 | CRITICAL | Next.js admin password reset to "admin123" on every migration
- **File**: `internal/database/database.go:447-463`
- **What**: Lines 458-463 unconditionally update the admin@mycrib.com password to the bcrypt hash of "admin123" on every migration. The log message on line 463 even says "Updated admin@mycrib.com password to admin123."
- **What**: Lines 458-463 unconditionally update the admin@honeydue.com password to the bcrypt hash of "admin123" on every migration. The log message on line 463 even says "Updated admin@honeydue.com password to admin123."
- **Impact**: The admin API is permanently accessible with hardcoded credentials. Any attacker who discovers the endpoint can access full admin functionality.
### SEC-05 | CRITICAL | SQL injection via SortBy in all admin list endpoints
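
Review bot: SEC-04 quotes a log message verbatim ("Updated admin@honeydue.com password to admin123."), so this edit is only accurate if the string at `internal/database/database.go:463` was renamed in the same commit; please confirm the finding still matches the code. The address also moves to honeydue.com, which is not among the domains listed in the commit message (honeyDue.treytartt.com), so check that the project controls that domain before any mail for the admin account can be sent to it. The finding still describes an unconditional reset to "admin123", so it stays open under the new address.
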
@@ -236,7 +236,7 @@
### AUTH-06 | CRITICAL | Hardcoded admin credentials reset on every migration
- **File**: `internal/database/database.go:372-382,447-463`
- **What**: Hardcoded admin credentials (`admin@mycrib.com` / `admin123` and GoAdmin password of `admin`) are re-applied on every server restart/migration, overwriting any password changes.
- **What**: Hardcoded admin credentials (`admin@honeydue.com` / `admin123` and GoAdmin password of `admin`) are re-applied on every server restart/migration, overwriting any password changes.
- **Impact**: If these endpoints are accessible in production, any attacker with knowledge of these default credentials can gain full admin access.
### AUTH-07 | BUG | User-controlled category parameter enables storage path manipulation
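
Review bot: The AUTH-06 "What" line now names only `admin@honeydue.com`, but the commit message says no database migration is needed, so databases seeded by earlier builds may still hold an `admin@mycrib.com` row with the `admin123` password. If the seed at lines 372-382 creates the account when it is missing, upgraded deployments would end up with both accounts. Name the old address in the finding as well, or make removing the old row part of the fix.
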
@@ -350,7 +350,7 @@
### DATA-07 | CRITICAL | Next.js admin password reset on every migration run
- **File**: `internal/database/database.go:458-463`
- **What**: Unconditionally updates admin@mycrib.com password to "admin123" on every migration.
- **What**: Unconditionally updates admin@honeydue.com password to "admin123" on every migration.
- **Impact**: Same persistent backdoor.
### DATA-08 | BUG | GetAllUsers/HasAccess silently wrong when associations not preloaded
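
Review bot: DATA-07 is the third entry where this rename had to be applied to the same defect (after SEC-04 and AUTH-06), and the three entries cite different ranges in `internal/database/database.go` (447-463; 372-382,447-463; 458-463). Replace the duplicates with a cross-reference to a single entry, so that the next edit and the eventual fix are recorded once and "Same persistent backdoor" has a clear target.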