Files

Trey t 7690f07a2b Harden API security: input validation, safe auth extraction, new tests, and deploy config

Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-02 09:48:01 -06:00

1.9 KiB

Raw Blame History

Digest 6: models (remaining), monitoring

models/document.go (100 lines) - Clean

models/notification.go (141 lines) - Clean

models/onboarding_email.go (35 lines) - Clean

models/reminder_log.go (92 lines) - Clean

models/residence.go (106 lines)

Lines 65-70: GetAllUsers/HasAccess assumes Owner and Users are preloaded — returns wrong results if not

models/subscription.go (169 lines)

Lines 57-65: IsActive()/IsPro() don't account for IsFree admin override field — misleading method names

models/task_template.go (23 lines) - Clean

models/task.go (317 lines)

Lines 189-264: GetKanbanColumnWithTimezone duplicates categorization chain logic — maintenance drift risk
Lines 158-182: IsDueSoon uses time.Now() internally — non-deterministic, harder to test

models/user.go (268 lines)

Line 101: crypto/rand.Read error unchecked (safe in practice since Go 1.20)
Line 164-172: GenerateConfirmationCode has slight distribution bias (negligible)

monitoring/buffer.go (166 lines) - Line 75: Corrupted Redis data silently dropped

monitoring/collector.go (201 lines)

Line 82: cpu.Percent blocks 1 second per collection
Line 96-110: ReadMemStats called TWICE per cycle (also in collectRuntime)

monitoring/handler.go (195 lines)

SECURITY: Line 19-22: WebSocket CheckOrigin always returns true
BUG: Line 117-119: After upgrader.Upgrade fails, execution continues to conn.Close() — nil pointer panic
BUG: Line 177: Missing return after ctx.Done() — goroutine spins
Lines 183-184: GetAllStats error silently ignored
Line 192: WriteJSON error unchecked

monitoring/middleware.go (220 lines) - Clean

monitoring/models.go (129 lines) - Clean

monitoring/service.go (196 lines)

Line 121: Hardcoded primary key 1 for singleton settings row
Line 191-194: MetricsMiddleware returns nil when httpCollector is nil — caller must nil-check

1.9 KiB Raw Blame History

Digest 6: models (remaining), monitoring

models/document.go (100 lines) - Clean

models/notification.go (141 lines) - Clean

models/onboarding_email.go (35 lines) - Clean

models/reminder_log.go (92 lines) - Clean

models/residence.go (106 lines)

models/subscription.go (169 lines)

models/task_template.go (23 lines) - Clean

models/task.go (317 lines)

models/user.go (268 lines)

monitoring/buffer.go (166 lines) - Line 75: Corrupted Redis data silently dropped

monitoring/collector.go (201 lines)

monitoring/handler.go (195 lines)

monitoring/middleware.go (220 lines) - Clean

monitoring/models.go (129 lines) - Clean

monitoring/service.go (196 lines)

1.9 KiB

Raw Blame History