# Digest 5: handlers (remaining), i18n, middleware, models (first half)

### handlers/task_handler.go (440 lines)

- Line 35+: Unchecked type assertions (18 locations)
- Line 42: Fire-and-forget goroutine for UpdateUserTimezone — no error handling, no context
- Lines 112-115, 134-137: Missing c.Validate() calls
- Line 317: 32MB multipart limit with no per-file size check

### handlers/task_template_handler.go (98 lines)

- Line 59: No max length on search query — slow LIKE queries possible

### handlers/tracking_handler.go (46 lines)

- Line 25: Package-level base64 decode error discarded
- Lines 34-36: Fire-and-forget goroutine — violates no-goroutines rule

### handlers/upload_handler.go (93 lines)

- Line 31: User-controlled `category` param passed to storage — potential path traversal
- Line 80: `binding` tag instead of `validate`
- No file type or size validation at handler level

### handlers/user_handler.go (76 lines)

- Unchecked type assertions

### i18n/i18n.go (87 lines)

- Line 16: Global Bundle is nil until Init() — NewLocalizer dereferences without nil check
- Line 37: MustParseMessageFileBytes panics on malformed translation files
- Line 83: MustT panics on missing translations

### i18n/middleware.go (127 lines)

- Clean

### middleware/admin_auth.go (133 lines)

- **SECURITY**: Line 50: Admin JWT accepted via query param — tokens leak into server/proxy logs
- Line 124: Unchecked type assertion

### middleware/auth.go (229 lines)

- **BUG**: Line 66: `token[:8]` panics if token is fewer than 8 characters
- Line 104: cacheUserID error silently discarded
- Line 209: Unchecked type assertion

### middleware/logger.go (54 lines)

- Clean

### middleware/request_id.go (44 lines)

- Line 21: Client-supplied X-Request-ID accepted without validation (log injection)

### middleware/timezone.go (101 lines)

- Lines 88, 99: Unchecked type assertions

### models/admin.go (64 lines)

- Line 38: No max password length check; bcrypt truncates at 72 bytes

### models/base.go (39 lines)

- Clean GORM hooks

### models/contractor.go (54 lines)

- *float64 mapped to decimal(2,1) — minor precision mismatch
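As an added example (not the project's code; every name below is assumed) of the defensive forms these findings call for: a non-panicking token prefix for the `token[:8]` bug in middleware/auth.go, X-Request-ID validation for middleware/request_id.go, the 72-byte bcrypt cap for models/admin.go, and the two-value type assertion the unchecked-assertion findings need.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// bcryptMaxPasswordBytes is the bcrypt input limit noted for models/admin.go.
const bcryptMaxPasswordBytes = 72

// requestIDPattern restricts a client-supplied X-Request-ID to a safe charset
// and length so newlines or control characters cannot reach log lines.
var requestIDPattern = regexp.MustCompile(`^[A-Za-z0-9._-]{1,64}$`)

// TokenPrefix returns at most n (n >= 0) bytes of token for log correlation
// and never panics on short input (the token[:8] bug in middleware/auth.go).
func TokenPrefix(token string, n int) string {
	if len(token) <= n {
		return token
	}
	return token[:n]
}

// ValidRequestID reports whether an X-Request-ID may be echoed into logs;
// when it returns false the server should generate its own ID instead.
func ValidRequestID(id string) bool {
	return requestIDPattern.MatchString(id)
}

// CheckPasswordLength rejects passwords over bcrypt's 72-byte limit instead
// of letting bcrypt silently truncate them.
func CheckPasswordLength(password string) error {
	if len(password) == 0 || len(password) > bcryptMaxPasswordBytes {
		return errors.New("password must be 1..72 bytes")
	}
	return nil
}

// UserIDFromContext uses the two-value assertion form the "unchecked type
// assertion" findings call for: a wrong type yields ok == false, not a panic.
func UserIDFromContext(v any) (uint, bool) {
	id, ok := v.(uint)
	return id, ok
}

func main() {
	fmt.Println(TokenPrefix("abc", 8), ValidRequestID("bad\nid"))
}
```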