honeyDueAPI/audit-digest-5.md
Trey t 7690f07a2b Harden API security: input validation, safe auth extraction, new tests, and deploy config
Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-02 09:48:01 -06:00


Digest 5: handlers (remaining), i18n, middleware, models (first half)

handlers/task_handler.go (440 lines)

  • Line 35+: Unchecked type assertions (18 locations)
  • Line 42: Fire-and-forget goroutine for UpdateUserTimezone — no error handling, no context
  • Lines 112-115, 134-137: Missing c.Validate() calls
  • Line 317: 32MB multipart limit with no per-file size check
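The unchecked type assertions above (and the same finding in user_handler.go, admin_auth.go, auth.go and timezone.go below) all have one failure mode: `c.Get("user").(*User)` panics when the key is absent or holds a different type, turning any unauthenticated or misrouted request into a crash. The following is an added example, not code from honeyDueAPI; it stands in for the Echo context with a map-backed `Store`, assumes the context key and the `AuthUser` shape, and shows the panicking form next to the two-value assertion that a helper such as the commit's `MustGetAuthUser` would be built on.

```go
package main

import (
	"errors"
	"fmt"
)

// AuthUser is a constructed stand-in for the user record the auth
// middleware stores on the request context (assumption: the project's
// real type is not on this page).
type AuthUser struct {
	ID    int64
	Email string
}

// Store models the part of an Echo-style context handlers read from:
// Get(key) returns an untyped value, or nil when nothing was set.
type Store map[string]interface{}

func (s Store) Get(key string) interface{} { return s[key] }

const authUserKey = "auth_user" // assumed context key

var ErrUnauthenticated = errors.New("no authenticated user on context")

// unsafeGetAuthUser is the pattern the digest flags: a single-value type
// assertion panics when the key is absent (nil) or holds another type.
func unsafeGetAuthUser(s Store) *AuthUser {
	return s.Get(authUserKey).(*AuthUser)
}

// GetAuthUser is the hardened form: the two-value assertion reports failure
// instead of panicking, and a typed nil pointer is treated as "no user" too,
// so the handler can answer 401 rather than take the process down.
func GetAuthUser(s Store) (*AuthUser, error) {
	u, ok := s.Get(authUserKey).(*AuthUser)
	if !ok || u == nil {
		return nil, ErrUnauthenticated
	}
	return u, nil
}

// panics reports whether fn panics; it lets the failure mode be shown
// without crashing the example.
func panics(fn func()) (didPanic bool) {
	defer func() {
		if r := recover(); r != nil {
			didPanic = true
		}
	}()
	fn()
	return false
}

func main() {
	withUser := Store{authUserKey: &AuthUser{ID: 7, Email: "a@example.test"}}
	noUser := Store{}
	wrongType := Store{authUserKey: "not-a-user"}

	fmt.Println("unsafe, missing user panics:", panics(func() { unsafeGetAuthUser(noUser) }))
	fmt.Println("unsafe, wrong type panics:  ", panics(func() { unsafeGetAuthUser(wrongType) }))
	u, err := GetAuthUser(withUser)
	fmt.Println("safe, present:", u.ID, err)
	_, err = GetAuthUser(noUser)
	fmt.Println("safe, missing:", err)
}
```

A helper of this shape belongs in one place so that every handler takes the same path; the handler's only decision is whether to return 401 on `ErrUnauthenticated`.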

handlers/task_template_handler.go (98 lines)

  • Line 59: No max length on search query — slow LIKE queries possible

handlers/tracking_handler.go (46 lines)

  • Line 25: Package-level base64 decode error discarded
  • Lines 34-36: Fire-and-forget goroutine — violates no-goroutines rule
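Both fire-and-forget goroutines flagged so far (task_handler.go line 42 and here) share the same two defects: the returned error is discarded and the work runs under no context, so it can neither be cancelled nor bounded. The following is an added example, not the project's code; it assumes a repository interface with an `UpdateUserTimezone(ctx, userID, tz)` method and uses a constructed in-memory repository so both failure modes can be exercised offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// UserRepo is an assumed interface for the repository behind the timezone update.
type UserRepo interface {
	UpdateUserTimezone(ctx context.Context, userID int64, tz string) error
}

// fakeRepo is constructed for the example: it honours ctx cancellation and can
// be told to fail or to be slow.
type fakeRepo struct {
	delay time.Duration
	err   error
}

func (r *fakeRepo) UpdateUserTimezone(ctx context.Context, userID int64, tz string) error {
	select {
	case <-time.After(r.delay):
		return r.err
	case <-ctx.Done():
		return ctx.Err()
	}
}

// fireAndForget is the flagged pattern: the error vanishes, nothing bounds the
// call, and the goroutine outlives the request that started it.
func fireAndForget(repo UserRepo, userID int64, tz string) {
	go repo.UpdateUserTimezone(context.Background(), userID, tz)
}

// updateTimezone is the synchronous form: derived from the request context,
// bounded by an assumed timeout, and the error is returned so the handler
// can decide how to respond and the failure is visible in logs.
func updateTimezone(ctx context.Context, repo UserRepo, userID int64, tz string) error {
	ctx, cancel := context.WithTimeout(ctx, 200*time.Millisecond)
	defer cancel()
	if err := repo.UpdateUserTimezone(ctx, userID, tz); err != nil {
		return fmt.Errorf("update timezone for user %d: %w", userID, err)
	}
	return nil
}

func main() {
	ctx := context.Background()
	fmt.Println("ok:     ", updateTimezone(ctx, &fakeRepo{}, 1, "America/Chicago"))
	fmt.Println("db err: ", updateTimezone(ctx, &fakeRepo{err: errors.New("connection reset")}, 1, "America/Chicago"))
	fmt.Println("timeout:", updateTimezone(ctx, &fakeRepo{delay: time.Second}, 1, "America/Chicago"))
	fireAndForget(&fakeRepo{err: errors.New("lost silently")}, 1, "America/Chicago")
}
```

If the update must not block the response, the alternative is a worker or queue that owns its own context and error reporting, not a bare `go` statement in the handler.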

handlers/upload_handler.go (93 lines)

  • Line 31: User-controlled category param passed to storage — potential path traversal
  • Line 80: binding tag instead of validate
  • No file type or size validation at handler level
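The upload handler findings above (user-controlled category reaching storage, and no file type or size check in the handler) are addressed together in the following added example. It is not the project's `path_utils` code: the category allowlist, the per-file size cap and the content-type allowlist are assumptions chosen for illustration. The idea is to refuse rather than normalise anything that is not a single safe path element, and to confirm with `filepath.Rel` that the final path is still under the upload root.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

var (
	ErrBadCategory   = errors.New("invalid upload category")
	ErrBadFilename   = errors.New("invalid upload filename")
	ErrOutsideBase   = errors.New("resolved path escapes upload root")
	ErrFileTooLarge  = errors.New("file exceeds per-file size limit")
	ErrBadContentType = errors.New("content type not allowed")
)

// categoryRE is an assumed allowlist: exactly one path segment of lowercase
// letters, digits, dashes or underscores. Dots are deliberately excluded.
var categoryRE = regexp.MustCompile(`^[a-z0-9_-]{1,32}$`)

const maxUploadBytes = 5 << 20 // assumed per-file cap, well under the 32MB multipart limit

// allowedTypes is an assumed content-type allowlist.
var allowedTypes = map[string]bool{"image/png": true, "image/jpeg": true}

// ResolveUploadPath builds <base>/<category>/<name> from user-controlled
// category and name, rejecting anything that is not a plain file name.
func ResolveUploadPath(base, category, name string) (string, error) {
	if !categoryRE.MatchString(category) {
		return "", ErrBadCategory
	}
	// Reject rather than strip: a name with separators, dot-segments or NUL
	// is a traversal attempt or a client bug, and either should fail loudly.
	if name == "" || name == "." || name == ".." ||
		name != filepath.Base(name) || strings.ContainsAny(name, "/\\\x00") {
		return "", ErrBadFilename
	}
	full := filepath.Join(base, category, name)
	// Defence in depth: even if the checks above are loosened later, the
	// joined path must still resolve inside base.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

// ValidateUpload applies the handler-level size and type checks the digest
// notes are missing; size is the multipart part's declared size.
func ValidateUpload(size int64, contentType string) error {
	if size <= 0 || size > maxUploadBytes {
		return ErrFileTooLarge
	}
	if !allowedTypes[contentType] {
		return ErrBadContentType
	}
	return nil
}

func main() {
	base := "/srv/uploads" // constructed root
	for _, in := range [][2]string{
		{"avatars", "photo.png"},
		{"../etc", "passwd"},
		{"avatars", "../../etc/passwd"},
		{"avatars", ".."},
	} {
		p, err := ResolveUploadPath(base, in[0], in[1])
		fmt.Printf("%-10q %-20q -> %q %v\n", in[0], in[1], p, err)
	}
	fmt.Println(ValidateUpload(1024, "image/png"), ValidateUpload(6<<20, "image/png"), ValidateUpload(10, "text/html"))
}
```

The declared content type comes from the client, so for a stricter check sniff the first bytes with `net/http.DetectContentType` in addition to the header.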

handlers/user_handler.go (76 lines) - Unchecked type assertions

i18n/i18n.go (87 lines)

  • Line 16: Global Bundle is nil until Init() — NewLocalizer dereferences without nil check
  • Line 37: MustParseMessageFileBytes panics on malformed translation files
  • Line 83: MustT panics on missing translations

i18n/middleware.go (127 lines) - Clean

middleware/admin_auth.go (133 lines)

  • SECURITY: Line 50: Admin JWT accepted via query param — tokens leak into server/proxy logs
  • Line 124: Unchecked type assertion

middleware/auth.go (229 lines)

  • BUG: Line 66: token[:8] panics if token is fewer than 8 characters
  • Line 104: cacheUserID error silently discarded
  • Line 209: Unchecked type assertion

middleware/logger.go (54 lines) - Clean

middleware/request_id.go (44 lines) - Line 21: Client-supplied X-Request-ID accepted without validation (log injection)
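A client-supplied `X-Request-ID` that is copied straight into log lines lets a caller embed newlines or control characters and fabricate log records. The following added example (not the project's middleware) applies an assumed allowlist to the header and falls back to a server-generated ID when the value does not pass, so whatever ends up in the logs is always well-formed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
)

// requestIDRE is an assumed allowlist: bounded length, no whitespace, control
// characters or log delimiters, so a value can never split or forge a line.
var requestIDRE = regexp.MustCompile(`^[A-Za-z0-9._-]{1,64}$`)

// newRequestID returns a random 128-bit hex string (assumed format).
func newRequestID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		// crypto/rand failing means the process cannot do anything safely.
		panic(err)
	}
	return hex.EncodeToString(b)
}

// ResolveRequestID keeps the client's value only when it matches the
// allowlist and otherwise mints a fresh one. The bool reports whether the
// client value was accepted, which is worth logging on its own.
func ResolveRequestID(header string) (string, bool) {
	if requestIDRE.MatchString(header) {
		return header, true
	}
	return newRequestID(), false
}

// logLine is a constructed logger format used to show the difference.
func logLine(requestID, msg string) string {
	return fmt.Sprintf("level=info request_id=%s msg=%s", requestID, msg)
}

func main() {
	// Constructed header value carrying a newline and a fake second record.
	forged := "abc\nlevel=info request_id=zzz msg=admin login ok"
	fmt.Println("unvalidated:")
	fmt.Println(logLine(forged, "request start"))
	id, accepted := ResolveRequestID(forged)
	fmt.Println("validated (accepted:", accepted, "):")
	fmt.Println(logLine(id, "request start"))
	id, accepted = ResolveRequestID("req-7f3a.1")
	fmt.Println(logLine(id, "request start"), accepted)
}
```

Pair the allowlist with a structured logger that quotes or escapes field values; the two controls are independent, and the allowlist also protects any downstream system that receives the ID unchanged.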

middleware/timezone.go (101 lines) - Lines 88, 99: Unchecked type assertions

models/admin.go (64 lines) - Line 38: No max password length check; bcrypt truncates at 72 bytes
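The 72-byte limit is a byte limit, which is easy to get wrong in Go when a length check counts runes instead: a 40-character password of 3-byte runes is 120 bytes. The following added example (not the project's model code; the minimum length is an assumed policy value) validates on `len()` and shows why the check matters by computing the prefix bcrypt would actually consume, which is identical for two long passwords that differ only after byte 72. Depending on the bcrypt library version, the extra bytes are either silently dropped or rejected with an error; either way the handler should reject such input before hashing.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

const (
	minPasswordBytes = 12 // assumed policy value
	bcryptMaxBytes   = 72 // bcrypt only uses the first 72 bytes of the input
)

var (
	ErrPasswordTooShort = errors.New("password too short")
	ErrPasswordTooLong  = errors.New("password exceeds 72 bytes; bcrypt would not use the rest")
)

// ValidatePasswordLength checks the byte length, not the rune count, because
// bcrypt operates on bytes.
func ValidatePasswordLength(pw string) error {
	n := len(pw)
	if n < minPasswordBytes {
		return ErrPasswordTooShort
	}
	if n > bcryptMaxBytes {
		return ErrPasswordTooLong
	}
	return nil
}

// effectiveBcryptInput returns the bytes bcrypt would actually hash, which
// makes the collision between two over-long passwords visible.
func effectiveBcryptInput(pw string) string {
	if len(pw) <= bcryptMaxBytes {
		return pw
	}
	return pw[:bcryptMaxBytes]
}

func main() {
	// Constructed inputs.
	short := "hunter2"
	ascii72 := strings.Repeat("a", 72)
	long1 := ascii72 + "-suffix-one"
	long2 := ascii72 + "-suffix-two"
	multibyte := strings.Repeat("é", 40) // 40 runes, 80 bytes

	fmt.Println("short:    ", ValidatePasswordLength(short))
	fmt.Println("72 bytes: ", ValidatePasswordLength(ascii72))
	fmt.Println("83 bytes: ", ValidatePasswordLength(long1))
	fmt.Printf("multibyte: runes=%d bytes=%d -> %v\n",
		utf8.RuneCountInString(multibyte), len(multibyte), ValidatePasswordLength(multibyte))
	fmt.Println("long1 and long2 hash identically:",
		effectiveBcryptInput(long1) == effectiveBcryptInput(long2))
}
```

Reject over-long input with a clear message rather than silently accepting it; a user who set a 100-byte passphrase should learn that only part of it was protecting the account.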

models/base.go (39 lines) - Clean GORM hooks

models/contractor.go (54 lines) - *float64 mapped to decimal(2,1) — minor precision mismatch