admin/honeyDueAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
72db9050f8772d2851e743b0a22cbf2413ea98e8
honeyDueAPI/internal/middleware/timezone.go
Trey t 7690f07a2b Harden API security: input validation, safe auth extraction, new tests, and deploy config 
Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-02 09:48:01 -06:00

109 lines
3.1 KiB
Go
Raw Blame History

package middleware
import (
"time"
"github.com/labstack/echo/v4"
)
const (
// TimezoneKey is the key used to store the user's timezone in the context
TimezoneKey = "user_timezone"
// UserNowKey is the key used to store the timezone-aware "now" time in the context
UserNowKey = "user_now"
// TimezoneHeader is the HTTP header name for the user's timezone
TimezoneHeader = "X-Timezone"
)
// TimezoneMiddleware extracts the user's timezone from the request header
// and stores a timezone-aware "now" time in the context.
//
// The timezone should be an IANA timezone name (e.g., "America/Los_Angeles", "Europe/London")
// or a UTC offset (e.g., "-08:00", "+05:30").
//
// If no timezone is provided or it's invalid, UTC is used as the default.
func TimezoneMiddleware() echo.MiddlewareFunc {
return func(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
tzName := c.Request().Header.Get(TimezoneHeader)
loc := parseTimezone(tzName)
// Store the location and the current time in that timezone
c.Set(TimezoneKey, loc)
// Calculate "now" in the user's timezone, then get start of day
// For date comparisons, we want to compare against the START of the user's current day
userNow := time.Now().In(loc)
startOfDay := time.Date(userNow.Year(), userNow.Month(), userNow.Day(), 0, 0, 0, 0, loc)
c.Set(UserNowKey, startOfDay)
return next(c)
}
}
}
// parseTimezone parses a timezone string and returns a *time.Location.
// Supports IANA timezone names (e.g., "America/Los_Angeles") and
// UTC offsets (e.g., "-08:00", "+05:30").
// Returns UTC if the timezone is invalid or empty.
func parseTimezone(tz string) *time.Location {
if tz == "" {
return time.UTC
}
// Try parsing as IANA timezone name first
loc, err := time.LoadLocation(tz)
if err == nil {
return loc
}
// Try parsing as UTC offset (e.g., "-08:00", "+05:30")
// We parse a reference time with the given offset to extract the offset value
t, err := time.Parse("-07:00", tz)
if err == nil {
// time.Parse returns a time, we need to extract the offset
// The parsed time will have the offset embedded
_, offset := t.Zone()
return time.FixedZone(tz, offset)
}
// Also try without colon (e.g., "-0800")
t, err = time.Parse("-0700", tz)
if err == nil {
_, offset := t.Zone()
return time.FixedZone(tz, offset)
}
// Default to UTC
return time.UTC
}
// GetUserTimezone retrieves the user's timezone from the Echo context.
// Returns UTC if not set or if the stored value is not a *time.Location.
func GetUserTimezone(c echo.Context) *time.Location {
val := c.Get(TimezoneKey)
if val == nil {
return time.UTC
}
loc, ok := val.(*time.Location)
if !ok {
return time.UTC
}
return loc
}
// GetUserNow retrieves the timezone-aware "now" time from the Echo context.
// This represents the start of the current day in the user's timezone.
// Returns time.Now().UTC() if not set or if the stored value is not a time.Time.
func GetUserNow(c echo.Context) time.Time {
val := c.Get(UserNowKey)
if val == nil {
return time.Now().UTC()
}
now, ok := val.(time.Time)
if !ok {
return time.Now().UTC()
}
return now
}
Reference in New Issue View Git Blame Copy Permalink