honeyDueAPI/audit-digest-1.md
Trey t 7690f07a2b Harden API security: input validation, safe auth extraction, new tests, and deploy config
Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-02 09:48:01 -06:00

Digest 1: cmd/, admin/dto, admin/handlers (first 15 files)

Systemic Issues (across all admin handlers)

  • SQL Injection via SortBy: Every admin list handler concatenates filters.SortBy directly into GORM Order() without allowlist validation
  • Unchecked Count() errors: Every paginated handler ignores GORM Count error returns
  • Unchecked post-mutation Preload errors: After Save/Create, handlers reload with Preload but ignore errors
  • binding vs validate tag mismatch: Some request DTOs use binding (Gin) instead of validate (Echo)
  • Direct DB access: All admin handlers bypass Service layer, accessing *gorm.DB directly
  • Unsafe type assertions: c.Get(key).(*models.AdminUser) without comma-ok
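Illustrating the first systemic finding above, an added example that is not code from honeyDueAPI: the client-supplied filters.SortBy is resolved through an allowlist before any string reaches GORM's Order(). The SortDir field, the column names and the ErrBadSort name are assumptions, and the db.Order() call itself is left out so the block runs without the library.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadSort is returned for any sort field or direction outside the allowlist;
// the handler should answer 400 rather than let the string through.
var ErrBadSort = errors.New("invalid sort parameter")

// ListFilters mirrors the admin list filters in the digest. SortBy is the field
// the audit names; SortDir is an assumed companion field.
type ListFilters struct {
	SortBy  string
	SortDir string
}

// allowedSortColumns maps each client-facing sort key to the exact column the
// handler is willing to order by (hypothetical columns for an admin user list).
var allowedSortColumns = map[string]string{
	"id":         "id",
	"email":      "email",
	"created_at": "created_at",
}

// unsafeOrderClause is the pattern the audit flags: client text is concatenated
// straight into the ORDER BY expression that would be handed to Order().
func unsafeOrderClause(f ListFilters) string {
	return f.SortBy + " " + f.SortDir
}

// safeOrderClause only ever returns an allowlisted column plus ASC or DESC.
func safeOrderClause(f ListFilters) (string, error) {
	col, ok := allowedSortColumns[strings.ToLower(strings.TrimSpace(f.SortBy))]
	if !ok {
		return "", fmt.Errorf("%w: sort_by=%q", ErrBadSort, f.SortBy)
	}
	dir := "ASC"
	switch strings.ToUpper(strings.TrimSpace(f.SortDir)) {
	case "", "ASC":
	case "DESC":
		dir = "DESC"
	default:
		return "", fmt.Errorf("%w: sort_dir=%q", ErrBadSort, f.SortDir)
	}
	return col + " " + dir, nil
}

func main() {
	// Constructed input: a sort key that is SQL text rather than a column name.
	hostile := ListFilters{SortBy: "id; SELECT 1", SortDir: "ASC"}
	fmt.Println("unsafe:", unsafeOrderClause(hostile)) // passes through untouched
	_, err := safeOrderClause(hostile)
	fmt.Println("safe:", err) // invalid sort parameter: sort_by="id; SELECT 1"
}
```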

Per-File Highlights

cmd/api/main.go - App entry point, wires dependencies

cmd/worker/main.go - Background worker entry point

admin/handlers/admin_user_handler.go (347 lines)

  • N+1 query: toUserResponse does 2 extra DB queries per user (residence count, task count)
  • Line 64: SortBy SQL injection
  • Line 173: Unchecked profile creation error (user created without profile)

admin/handlers/apple_social_auth_handler.go - CRUD for Apple social auth records

  • Same systemic SQL injection and unchecked errors

admin/handlers/auth_handler.go - Admin login/session management

admin/handlers/auth_token_handler.go - Auth token CRUD

admin/handlers/completion_handler.go - Task completion CRUD

admin/handlers/completion_image_handler.go - Completion image CRUD

admin/handlers/confirmation_code_handler.go - Email confirmation code CRUD

admin/handlers/contractor_handler.go - Contractor CRUD

admin/handlers/dashboard_handler.go - Admin dashboard stats

admin/handlers/device_handler.go (317 lines)

  • Exposes device push tokens (RegistrationID) in API responses
  • Lines 293-296: Unchecked Count errors in GetStats

admin/handlers/document_handler.go (394 lines)

  • Lines 176-183: Date parsing errors silently ignored
  • Line 379: The exactness flag returned by decimal.Float64() is discarded, so precision loss goes unnoticed