Harden API security: input validation, safe auth extraction, new tests, and deploy config

Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/monitoring/collector.go

@@ -52,14 +52,18 @@ func (c *Collector) Collect() SystemStats {
 	// CPU stats
 	c.collectCPU(&stats)
 
+	// Read Go runtime memory stats once (used by both memory and runtime collectors)
+	var memStats runtime.MemStats
+	runtime.ReadMemStats(&memStats)
+
 	// Memory stats (system + Go runtime)
-	c.collectMemory(&stats)
+	c.collectMemory(&stats, &memStats)
 
 	// Disk stats
 	c.collectDisk(&stats)
 
 	// Go runtime stats
-	c.collectRuntime(&stats)
+	c.collectRuntime(&stats, &memStats)
 
 	// HTTP stats (API only)
 	if c.httpCollector != nil {
@@ -77,9 +81,9 @@ func (c *Collector) Collect() SystemStats {
 }
 
 func (c *Collector) collectCPU(stats *SystemStats) {
-	// Get CPU usage percentage (blocks for 1 second to get accurate sample)
-	// Shorter intervals can give inaccurate readings
-	if cpuPercent, err := cpu.Percent(time.Second, false); err == nil && len(cpuPercent) > 0 {
+	// Get CPU usage percentage (blocks for 200ms to sample)
+	// This is called periodically, so a shorter window is acceptable
+	if cpuPercent, err := cpu.Percent(200*time.Millisecond, false); err == nil && len(cpuPercent) > 0 {
 		stats.CPU.UsagePercent = cpuPercent[0]
 	}
 
@@ -93,7 +97,7 @@ func (c *Collector) collectCPU(stats *SystemStats) {
 	}
 }
 
-func (c *Collector) collectMemory(stats *SystemStats) {
+func (c *Collector) collectMemory(stats *SystemStats, m *runtime.MemStats) {
 	// System memory
 	if vmem, err := mem.VirtualMemory(); err == nil {
 		stats.Memory.UsedBytes = vmem.Used
@@ -101,9 +105,7 @@ func (c *Collector) collectMemory(stats *SystemStats) {
 		stats.Memory.UsagePercent = vmem.UsedPercent
 	}
 
-	// Go runtime memory
-	var m runtime.MemStats
-	runtime.ReadMemStats(&m)
+	// Go runtime memory (reuses pre-read MemStats)
 	stats.Memory.HeapAlloc = m.HeapAlloc
 	stats.Memory.HeapSys = m.HeapSys
 	stats.Memory.HeapInuse = m.HeapInuse
@@ -119,10 +121,7 @@ func (c *Collector) collectDisk(stats *SystemStats) {
 	}
 }
 
-func (c *Collector) collectRuntime(stats *SystemStats) {
-	var m runtime.MemStats
-	runtime.ReadMemStats(&m)
-
+func (c *Collector) collectRuntime(stats *SystemStats, m *runtime.MemStats) {
 	stats.Runtime.Goroutines = runtime.NumGoroutine()
 	stats.Runtime.NumGC = m.NumGC
 	if m.NumGC > 0 {

internal/monitoring/handler.go

@@ -17,8 +17,13 @@ var upgrader = websocket.Upgrader{
 	ReadBufferSize:  1024,
 	WriteBufferSize: 1024,
 	CheckOrigin: func(r *http.Request) bool {
-		// Allow connections from admin panel
-		return true
+		origin := r.Header.Get("Origin")
+		if origin == "" {
+			// Same-origin requests may omit the Origin header
+			return true
+		}
+		// Allow if origin matches the request host
+		return strings.HasPrefix(origin, "https://"+r.Host) || strings.HasPrefix(origin, "http://"+r.Host)
 	},
 }
 
@@ -116,6 +121,7 @@ func (h *Handler) WebSocket(c echo.Context) error {
 	conn, err := upgrader.Upgrade(c.Response().Writer, c.Request(), nil)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to upgrade WebSocket connection")
+		return err
 	}
 	defer conn.Close()
 
@@ -174,6 +180,7 @@ func (h *Handler) WebSocket(c echo.Context) error {
 			h.sendStats(conn, &wsMu)
 
 		case <-ctx.Done():
+			return nil
 		}
 	}
 }

internal/monitoring/service.go

@@ -108,6 +108,10 @@ func (s *Service) Stop() {
 	close(s.settingsStopCh)
 
 	s.collector.Stop()
+
+	// Flush and close the log writer's background goroutine
+	s.logWriter.Close()
+
 	log.Info().Str("process", s.process).Msg("Monitoring service stopped")
 }
 

internal/monitoring/writer.go

@@ -8,23 +8,56 @@ import (
 	"github.com/google/uuid"
 )
 
-// RedisLogWriter implements io.Writer to capture zerolog output to Redis
+const (
+	// writerChannelSize is the buffer size for the async log write channel.
+	// Entries beyond this limit are dropped to prevent unbounded memory growth.
+	writerChannelSize = 256
+)
+
+// RedisLogWriter implements io.Writer to capture zerolog output to Redis.
+// It uses a single background goroutine with a buffered channel instead of
+// spawning a new goroutine per log line, preventing unbounded goroutine growth.
 type RedisLogWriter struct {
 	buffer  *LogBuffer
 	process string
 	enabled atomic.Bool
+	ch      chan LogEntry
+	done    chan struct{}
 }
 
-// NewRedisLogWriter creates a new writer that captures logs to Redis
+// NewRedisLogWriter creates a new writer that captures logs to Redis.
+// It starts a single background goroutine that drains the buffered channel.
 func NewRedisLogWriter(buffer *LogBuffer, process string) *RedisLogWriter {
 	w := &RedisLogWriter{
 		buffer:  buffer,
 		process: process,
+		ch:      make(chan LogEntry, writerChannelSize),
+		done:    make(chan struct{}),
 	}
 	w.enabled.Store(true) // enabled by default
+
+	// Single background goroutine drains the channel
+	go w.drainLoop()
+
 	return w
 }
 
+// drainLoop reads entries from the buffered channel and pushes them to Redis.
+// It runs in a single goroutine for the lifetime of the writer.
+func (w *RedisLogWriter) drainLoop() {
+	defer close(w.done)
+	for entry := range w.ch {
+		_ = w.buffer.Push(entry) // Ignore errors to avoid blocking log output
+	}
+}
+
+// Close shuts down the background goroutine. It should be called during
+// graceful shutdown to ensure all buffered entries are flushed.
+func (w *RedisLogWriter) Close() {
+	close(w.ch)
+	<-w.done // Wait for drain to finish
+}
+
 // SetEnabled enables or disables log capture to Redis
 func (w *RedisLogWriter) SetEnabled(enabled bool) {
 	w.enabled.Store(enabled)
@@ -35,8 +68,10 @@ func (w *RedisLogWriter) IsEnabled() bool {
 	return w.enabled.Load()
 }
 
-// Write implements io.Writer interface
-// It parses zerolog JSON output and writes to Redis asynchronously
+// Write implements io.Writer interface.
+// It parses zerolog JSON output and sends it to the buffered channel for
+// async Redis writes. If the channel is full, the entry is dropped to
+// avoid blocking the caller (back-pressure shedding).
 func (w *RedisLogWriter) Write(p []byte) (n int, err error) {
 	// Skip if monitoring is disabled
 	if !w.enabled.Load() {
@@ -86,10 +121,14 @@ func (w *RedisLogWriter) Write(p []byte) (n int, err error) {
 		}
 	}
 
-	// Write to Redis asynchronously to avoid blocking
-	go func() {
-		_ = w.buffer.Push(entry) // Ignore errors to avoid blocking log output
-	}()
+	// Non-blocking send: drop entries if channel is full rather than
+	// spawning unbounded goroutines or blocking the logger
+	select {
+	case w.ch <- entry:
+		// Sent successfully
+	default:
+		// Channel full — drop this entry to avoid back-pressure on the logger
+	}
 
 	return len(p), nil
 }