admin/honeyDueAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6dcf7976137e283ff8faf7d1054591d6a36235d0
honeyDueAPI/internal/handlers/tracking_handler.go
Trey t 7690f07a2b Harden API security: input validation, safe auth extraction, new tests, and deploy config 
Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-02 09:48:01 -06:00

54 lines
1.7 KiB
Go
Raw Blame History

package handlers
import (
"encoding/base64"
"net/http"
"github.com/labstack/echo/v4"
"github.com/rs/zerolog/log"
"github.com/treytartt/casera-api/internal/services"
)
// TrackingHandler handles email tracking endpoints
type TrackingHandler struct {
onboardingService *services.OnboardingEmailService
}
// NewTrackingHandler creates a new tracking handler
func NewTrackingHandler(onboardingService *services.OnboardingEmailService) *TrackingHandler {
return &TrackingHandler{
onboardingService: onboardingService,
}
}
// 1x1 transparent GIF (43 bytes)
var transparentGIF, _ = base64.StdEncoding.DecodeString("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")
// TrackEmailOpen handles email open tracking via tracking pixel
// GET /api/track/open/:trackingID
func (h *TrackingHandler) TrackEmailOpen(c echo.Context) error {
trackingID := c.Param("trackingID")
if trackingID != "" && h.onboardingService != nil {
// Record the open (async, don't block response)
go func() {
defer func() {
if r := recover(); r != nil {
log.Error().Interface("panic", r).Str("tracking_id", trackingID).Msg("Panic in email open tracking goroutine")
}
}()
if err := h.onboardingService.RecordEmailOpened(trackingID); err != nil {
log.Error().Err(err).Str("tracking_id", trackingID).Msg("Failed to record email open")
}
}()
}
// Return 1x1 transparent GIF
c.Response().Header().Set("Content-Type", "image/gif")
c.Response().Header().Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate")
c.Response().Header().Set("Pragma", "no-cache")
c.Response().Header().Set("Expires", "0")
return c.Blob(http.StatusOK, "image/gif", transparentGIF)
}
Reference in New Issue View Git Blame Copy Permalink