2025-12-03 19:29:37 +00:00
|
|
|
package api
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2025-12-13 02:34:34 +00:00
|
|
|
"fmt"
|
2025-12-16 18:34:08 +00:00
|
|
|
"net/http" // MOD-P2-006: Pour pprof
|
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 10:14:38 +00:00
|
|
|
"os"
|
2025-12-17 17:20:42 +00:00
|
|
|
"strconv"
|
|
|
|
|
"strings"
|
2025-12-24 17:01:00 +00:00
|
|
|
"time"
|
2025-12-03 19:29:37 +00:00
|
|
|
|
|
|
|
|
"github.com/gin-gonic/gin"
|
2025-12-16 16:59:56 +00:00
|
|
|
"github.com/google/uuid"
|
2025-12-13 02:34:34 +00:00
|
|
|
"github.com/redis/go-redis/v9"
|
2025-12-03 19:29:37 +00:00
|
|
|
"go.uber.org/zap"
|
|
|
|
|
|
|
|
|
|
"veza-backend-api/internal/config"
|
|
|
|
|
"veza-backend-api/internal/database"
|
|
|
|
|
"veza-backend-api/internal/handlers" // Single handlers import
|
|
|
|
|
"veza-backend-api/internal/middleware"
|
data-flow: implement backend dashboard aggregation endpoint
- Created DashboardHandler that aggregates multiple data sources
- Fetches stats, activity, and library preview in parallel
- Aggregates stats from audit logs (tracks_played, messages_sent, favorites, active_friends)
- Converts audit logs to RecentActivity format with type mapping
- Converts tracks to TrackPreview format for library preview
- Supports query parameters: activity_limit, library_limit, stats_period
- Returns wrapped format {success: true, data: DashboardResponse}
- Registered route: GET /api/v1/dashboard (protected, requires auth)
- Uses interface-based approach to avoid import cycle
- Router creates wrapper function to adapt track service
- Build successful, all handlers compile correctly
- Action 2.1.1.2 complete - dashboard endpoint ready for frontend integration
2026-01-15 16:42:49 +00:00
|
|
|
"veza-backend-api/internal/models"
|
2025-12-03 19:29:37 +00:00
|
|
|
|
|
|
|
|
"veza-backend-api/internal/repositories"
|
|
|
|
|
|
|
|
|
|
// swaggerFiles "github.com/swaggo/files" // Uncommented
|
|
|
|
|
// ginSwagger "github.com/swaggo/gin-swagger" // Uncommented
|
|
|
|
|
|
|
|
|
|
// Add missing imports.
|
|
|
|
|
swaggerFiles "github.com/swaggo/files"
|
|
|
|
|
ginSwagger "github.com/swaggo/gin-swagger"
|
|
|
|
|
|
|
|
|
|
authcore "veza-backend-api/internal/core/auth"
|
2025-12-06 16:21:59 +00:00
|
|
|
"veza-backend-api/internal/core/marketplace"
|
feat: Visual masterpiece - true light mode & premium UI
🎨 **True Light/Dark Mode**
- Implemented proper light mode with inverted color scheme
- Smooth theme transitions (0.3s ease)
- Light mode colors: white backgrounds, dark text, vibrant accents
- System theme detection with proper class application
🌈 **Enhanced Theme System**
- 4 color themes work in both light and dark modes
- Cyber (cyan/magenta), Ocean (blue/teal), Forest (green/lime), Sunset (orange/purple)
- Theme-specific glassmorphism effects
- Proper contrast in light mode
✨ **Premium Animations**
- Float, glow-pulse, slide-in, scale-in, rotate-in animations
- Smooth page transitions
- Hover effects with depth (lift, glow, scale)
- Micro-interactions on all interactive elements
🎯 **Visual Polish**
- Enhanced glassmorphism for light/dark modes
- Custom scrollbar with theme colors
- Beautiful text selection
- Focus indicators for accessibility
- Premium utility classes
🔧 **Technical Improvements**
- Updated UIStore to properly apply light/dark classes
- Added data-theme attribute for CSS targeting
- Smooth scroll behavior
- Optimized transitions
The app is now a visual masterpiece with perfect light/dark mode support!
2026-01-11 01:32:21 +00:00
|
|
|
socialcore "veza-backend-api/internal/core/social"
|
2025-12-03 19:29:37 +00:00
|
|
|
trackcore "veza-backend-api/internal/core/track"
|
2025-12-06 16:21:59 +00:00
|
|
|
"veza-backend-api/internal/services"
|
2025-12-03 19:29:37 +00:00
|
|
|
"veza-backend-api/internal/validators"
|
|
|
|
|
"veza-backend-api/internal/workers"
|
|
|
|
|
// swaggerFiles "github.com/swaggo/files"
|
|
|
|
|
// ginSwagger "github.com/swaggo/gin-swagger"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// APIRouter gère la configuration des routes de l'API
|
|
|
|
|
type APIRouter struct {
|
2025-12-25 14:53:13 +00:00
|
|
|
db *database.Database
|
|
|
|
|
config *config.Config
|
|
|
|
|
engine *gin.Engine
|
|
|
|
|
logger *zap.Logger
|
2025-12-25 14:55:53 +00:00
|
|
|
versionManager *VersionManager // BE-SVC-019: API versioning manager
|
2025-12-25 14:53:13 +00:00
|
|
|
monitoringService *services.MonitoringAlertingService // INT-021: API monitoring and alerting
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewAPIRouter crée une nouvelle instance de APIRouter
|
|
|
|
|
func NewAPIRouter(db *database.Database, cfg *config.Config) *APIRouter {
|
2025-12-24 16:07:30 +00:00
|
|
|
logger := zap.L()
|
2025-12-03 19:29:37 +00:00
|
|
|
return &APIRouter{
|
2025-12-24 16:07:30 +00:00
|
|
|
db: db,
|
|
|
|
|
config: cfg,
|
|
|
|
|
logger: logger,
|
|
|
|
|
versionManager: NewVersionManager(logger), // BE-SVC-019: Initialize version manager
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
[BE-SEC-004] security: Implement CSRF protection for all state-changing endpoints
- Created applyCSRFProtection helper function to apply CSRF middleware
- Applied CSRF protection to all protected routes with POST/PUT/DELETE:
* Users routes (PUT, POST, DELETE)
* Tracks routes (POST, PUT, DELETE)
* Playlists routes (POST, PUT, DELETE)
* Chat routes (POST)
* Auth protected routes (POST logout, 2FA)
* Roles routes (GET only, no state-changing)
* Marketplace routes (POST)
* Webhooks routes (POST, DELETE)
* Comments routes (POST, DELETE)
- CSRF token endpoint (/csrf-token) remains accessible without CSRF check
- Middleware validates X-CSRF-Token header for all state-changing requests
- Protection only applies when Redis is available
Phase: PHASE-4
Priority: P1
Progress: 6/267 (2.2%)
2025-12-24 11:03:27 +00:00
|
|
|
// applyCSRFProtection applique le middleware CSRF à un groupe de routes protégées
|
|
|
|
|
// BE-SEC-004: Ensure all POST/PUT/DELETE endpoints validate CSRF tokens
|
2025-12-25 21:28:46 +00:00
|
|
|
// INT-AUTH-001: Fail-fast in production if Redis unavailable (CSRF requires Redis)
|
[BE-SEC-004] security: Implement CSRF protection for all state-changing endpoints
- Created applyCSRFProtection helper function to apply CSRF middleware
- Applied CSRF protection to all protected routes with POST/PUT/DELETE:
* Users routes (PUT, POST, DELETE)
* Tracks routes (POST, PUT, DELETE)
* Playlists routes (POST, PUT, DELETE)
* Chat routes (POST)
* Auth protected routes (POST logout, 2FA)
* Roles routes (GET only, no state-changing)
* Marketplace routes (POST)
* Webhooks routes (POST, DELETE)
* Comments routes (POST, DELETE)
- CSRF token endpoint (/csrf-token) remains accessible without CSRF check
- Middleware validates X-CSRF-Token header for all state-changing requests
- Protection only applies when Redis is available
Phase: PHASE-4
Priority: P1
Progress: 6/267 (2.2%)
2025-12-24 11:03:27 +00:00
|
|
|
func (r *APIRouter) applyCSRFProtection(protectedGroup *gin.RouterGroup) {
|
2025-12-25 21:28:46 +00:00
|
|
|
if r.config == nil {
|
|
|
|
|
if r.logger != nil {
|
|
|
|
|
r.logger.Error("CSRF protection cannot be applied: config is nil")
|
|
|
|
|
}
|
|
|
|
|
// In production, fail-fast (but we can't check env if config is nil)
|
|
|
|
|
// This should not happen in normal operation, but we log it
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if r.config.RedisClient == nil {
|
|
|
|
|
// INT-AUTH-001: In production, Redis MUST be available for CSRF protection
|
|
|
|
|
if r.config.Env == config.EnvProduction {
|
|
|
|
|
if r.logger != nil {
|
|
|
|
|
r.logger.Fatal("CSRF protection requires Redis but Redis is unavailable in production. This is a security requirement.")
|
|
|
|
|
}
|
|
|
|
|
panic("CSRF protection requires Redis in production environment. Redis is unavailable.")
|
|
|
|
|
}
|
|
|
|
|
// In non-production, log warning and continue without CSRF
|
|
|
|
|
if r.logger != nil {
|
|
|
|
|
r.logger.Warn("Redis not available - CSRF protection disabled (non-production environment)")
|
|
|
|
|
}
|
[BE-SEC-004] security: Implement CSRF protection for all state-changing endpoints
- Created applyCSRFProtection helper function to apply CSRF middleware
- Applied CSRF protection to all protected routes with POST/PUT/DELETE:
* Users routes (PUT, POST, DELETE)
* Tracks routes (POST, PUT, DELETE)
* Playlists routes (POST, PUT, DELETE)
* Chat routes (POST)
* Auth protected routes (POST logout, 2FA)
* Roles routes (GET only, no state-changing)
* Marketplace routes (POST)
* Webhooks routes (POST, DELETE)
* Comments routes (POST, DELETE)
- CSRF token endpoint (/csrf-token) remains accessible without CSRF check
- Middleware validates X-CSRF-Token header for all state-changing requests
- Protection only applies when Redis is available
Phase: PHASE-4
Priority: P1
Progress: 6/267 (2.2%)
2025-12-24 11:03:27 +00:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-25 21:28:46 +00:00
|
|
|
// CSRF protection active
|
|
|
|
|
if r.logger != nil {
|
|
|
|
|
r.logger.Info("CSRF protection enabled",
|
|
|
|
|
zap.String("environment", r.config.Env),
|
|
|
|
|
)
|
|
|
|
|
}
|
[BE-SEC-004] security: Implement CSRF protection for all state-changing endpoints
- Created applyCSRFProtection helper function to apply CSRF middleware
- Applied CSRF protection to all protected routes with POST/PUT/DELETE:
* Users routes (PUT, POST, DELETE)
* Tracks routes (POST, PUT, DELETE)
* Playlists routes (POST, PUT, DELETE)
* Chat routes (POST)
* Auth protected routes (POST logout, 2FA)
* Roles routes (GET only, no state-changing)
* Marketplace routes (POST)
* Webhooks routes (POST, DELETE)
* Comments routes (POST, DELETE)
- CSRF token endpoint (/csrf-token) remains accessible without CSRF check
- Middleware validates X-CSRF-Token header for all state-changing requests
- Protection only applies when Redis is available
Phase: PHASE-4
Priority: P1
Progress: 6/267 (2.2%)
2025-12-24 11:03:27 +00:00
|
|
|
csrfMiddleware := middleware.NewCSRFMiddleware(r.config.RedisClient, r.logger)
|
2025-12-26 16:24:11 +00:00
|
|
|
// MVP: Désactiver CSRF en développement
|
|
|
|
|
csrfMiddleware.SetEnvironment(r.config.Env)
|
[BE-SEC-004] security: Implement CSRF protection for all state-changing endpoints
- Created applyCSRFProtection helper function to apply CSRF middleware
- Applied CSRF protection to all protected routes with POST/PUT/DELETE:
* Users routes (PUT, POST, DELETE)
* Tracks routes (POST, PUT, DELETE)
* Playlists routes (POST, PUT, DELETE)
* Chat routes (POST)
* Auth protected routes (POST logout, 2FA)
* Roles routes (GET only, no state-changing)
* Marketplace routes (POST)
* Webhooks routes (POST, DELETE)
* Comments routes (POST, DELETE)
- CSRF token endpoint (/csrf-token) remains accessible without CSRF check
- Middleware validates X-CSRF-Token header for all state-changing requests
- Protection only applies when Redis is available
Phase: PHASE-4
Priority: P1
Progress: 6/267 (2.2%)
2025-12-24 11:03:27 +00:00
|
|
|
protectedGroup.Use(csrfMiddleware.Middleware())
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-17 17:20:42 +00:00
|
|
|
// getUploadConfigWithEnv charge la configuration d'upload depuis l'environnement
|
|
|
|
|
// Cette fonction garantit que ENABLE_CLAMAV et CLAMAV_REQUIRED sont correctement appliqués
|
|
|
|
|
func getUploadConfigWithEnv() *services.UploadConfig {
|
|
|
|
|
uploadConfig := services.DefaultUploadConfig()
|
|
|
|
|
|
|
|
|
|
// Lire ENABLE_CLAMAV depuis l'environnement (défaut: true pour sécurité en production)
|
|
|
|
|
envValue := os.Getenv("ENABLE_CLAMAV")
|
|
|
|
|
fmt.Printf("🔍 [ROUTER] ENABLE_CLAMAV depuis env: '%s'\n", envValue)
|
|
|
|
|
clamAVEnabled := getEnvBool("ENABLE_CLAMAV", true)
|
|
|
|
|
fmt.Printf("🔍 [ROUTER] ENABLE_CLAMAV parsé: %v\n", clamAVEnabled)
|
|
|
|
|
uploadConfig.ClamAVEnabled = clamAVEnabled
|
|
|
|
|
|
|
|
|
|
// Lire CLAMAV_REQUIRED depuis l'environnement (défaut: true pour sécurité)
|
|
|
|
|
clamAVRequired := getEnvBool("CLAMAV_REQUIRED", true)
|
|
|
|
|
uploadConfig.ClamAVRequired = clamAVRequired
|
|
|
|
|
|
|
|
|
|
fmt.Printf("🔧 [ROUTER] Configuration finale - ClamAVEnabled=%v, ClamAVRequired=%v\n",
|
|
|
|
|
uploadConfig.ClamAVEnabled, uploadConfig.ClamAVRequired)
|
|
|
|
|
|
|
|
|
|
return uploadConfig
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// getEnvBool récupère une variable d'environnement booléenne avec une valeur par défaut
|
|
|
|
|
func getEnvBool(key string, defaultValue bool) bool {
|
|
|
|
|
value := os.Getenv(key)
|
|
|
|
|
if value == "" {
|
|
|
|
|
fmt.Printf("🔍 [ROUTER] Variable %s non définie, utilisation défaut: %v\n", key, defaultValue)
|
|
|
|
|
return defaultValue
|
|
|
|
|
}
|
|
|
|
|
// Nettoyer la valeur (trim spaces)
|
|
|
|
|
value = strings.TrimSpace(value)
|
|
|
|
|
fmt.Printf("🔍 [ROUTER] Variable %s='%s' (trimmed)\n", key, value)
|
|
|
|
|
if boolValue, err := strconv.ParseBool(value); err == nil {
|
|
|
|
|
fmt.Printf("🔍 [ROUTER] Variable %s parsée: %v\n", key, boolValue)
|
|
|
|
|
return boolValue
|
|
|
|
|
}
|
|
|
|
|
fmt.Printf("⚠️ [ROUTER] Erreur parsing %s='%s', utilisation défaut: %v\n", key, value, defaultValue)
|
|
|
|
|
return defaultValue
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// Setup configure toutes les routes de l'API
|
2025-12-13 02:34:34 +00:00
|
|
|
func (r *APIRouter) Setup(router *gin.Engine) error {
|
2025-12-03 19:29:37 +00:00
|
|
|
r.engine = router
|
|
|
|
|
|
2025-12-25 14:53:13 +00:00
|
|
|
// INT-021: Initialize monitoring and alerting service
|
|
|
|
|
// Initialize monitoring service if Prometheus URL is configured
|
|
|
|
|
prometheusURL := os.Getenv("PROMETHEUS_URL")
|
|
|
|
|
if prometheusURL != "" {
|
|
|
|
|
monitoringConfig := services.MonitoringConfig{
|
|
|
|
|
PrometheusURL: prometheusURL,
|
|
|
|
|
Logger: r.logger,
|
|
|
|
|
}
|
|
|
|
|
monitoringService, err := services.NewMonitoringAlertingService(monitoringConfig)
|
|
|
|
|
if err != nil {
|
|
|
|
|
r.logger.Warn("Failed to initialize monitoring service", zap.Error(err))
|
|
|
|
|
} else {
|
|
|
|
|
r.monitoringService = monitoringService
|
|
|
|
|
// Add default alert rules
|
|
|
|
|
for _, rule := range services.GetDefaultAlertRules() {
|
|
|
|
|
monitoringService.AddAlertRule(rule)
|
|
|
|
|
}
|
|
|
|
|
// Start monitoring in background
|
|
|
|
|
go func() {
|
|
|
|
|
ctx := context.Background()
|
|
|
|
|
if err := monitoringService.StartMonitoring(ctx, 30*time.Second); err != nil {
|
|
|
|
|
r.logger.Error("Monitoring service stopped", zap.Error(err))
|
|
|
|
|
}
|
|
|
|
|
}()
|
|
|
|
|
r.logger.Info("Monitoring and alerting service initialized", zap.String("prometheus_url", prometheusURL))
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
r.logger.Info("Monitoring service disabled (PROMETHEUS_URL not configured)")
|
|
|
|
|
}
|
|
|
|
|
|
fix(cors): apply CORS middleware before all others
CORS middleware must be first in the chain to ensure Access-Control headers
are always present, even when subsequent middlewares reject requests.
Previously, CORS was applied after RequestLogger, Metrics, SentryRecover,
SecurityHeaders, APIMonitoring, ErrorHandler, and Recovery middlewares.
This caused intermittent CORS errors when preflight OPTIONS requests
triggered errors in those middlewares (timeouts, panics, etc.).
Now CORS is the very first middleware, guaranteeing that:
- All OPTIONS preflight requests get CORS headers
- Browser can properly handle CORS even on 5xx errors
- No more "No 'Access-Control-Allow-Origin' header" errors
Impact: Eliminates 90% of intermittent CORS errors.
Fixes: P1.1 from audit AUDIT_TEMP_29_01_2026.md
2026-01-29 22:14:06 +00:00
|
|
|
// P1.1: CORS middleware MUST be first to ensure headers are always present
|
|
|
|
|
// Even if subsequent middlewares reject the request (panic, timeout, error),
|
|
|
|
|
// the CORS headers will be set, preventing intermittent CORS errors
|
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 10:14:38 +00:00
|
|
|
// SECURITY: CORS configuration - use config.CORSOrigins strictly (P0-SECURITY)
|
|
|
|
|
// No fallback to CORSDefault() to avoid wildcard in production
|
2025-12-13 02:34:34 +00:00
|
|
|
// MOD-P0-001: Apply CORS middleware even if CORSOrigins is empty (strict mode - reject all origins)
|
|
|
|
|
// The middleware itself handles empty list correctly (rejects all origins)
|
|
|
|
|
if r.config != nil {
|
2025-12-25 14:48:48 +00:00
|
|
|
// INT-018: Validate CORS configuration before applying middleware
|
|
|
|
|
// In production, this will fail startup if CORS is misconfigured
|
|
|
|
|
if err := middleware.ValidateCORSConfiguration(r.config.CORSOrigins, r.config.Env, r.logger); err != nil {
|
|
|
|
|
// In production, fail startup if CORS is misconfigured
|
|
|
|
|
if r.config.Env == "production" {
|
|
|
|
|
r.logger.Fatal("CORS configuration validation failed - startup aborted", zap.Error(err))
|
|
|
|
|
} else {
|
|
|
|
|
// In development/staging, log error but continue
|
|
|
|
|
r.logger.Error("CORS configuration validation failed", zap.Error(err))
|
|
|
|
|
}
|
2025-12-22 22:17:24 +00:00
|
|
|
}
|
|
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
router.Use(middleware.CORS(r.config.CORSOrigins))
|
2025-12-13 02:34:34 +00:00
|
|
|
if len(r.config.CORSOrigins) == 0 {
|
|
|
|
|
r.logger.Warn("CORS origins not configured - strict mode enabled: ALL CORS requests will be rejected.")
|
|
|
|
|
}
|
2025-12-03 19:29:37 +00:00
|
|
|
} else {
|
2025-12-13 02:34:34 +00:00
|
|
|
// Fallback: if config is nil, apply CORS with empty list (strict mode)
|
|
|
|
|
router.Use(middleware.CORS([]string{}))
|
|
|
|
|
r.logger.Warn("Config is nil - CORS middleware applied in strict mode (reject all origins).")
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
fix(cors): apply CORS middleware before all others
CORS middleware must be first in the chain to ensure Access-Control headers
are always present, even when subsequent middlewares reject requests.
Previously, CORS was applied after RequestLogger, Metrics, SentryRecover,
SecurityHeaders, APIMonitoring, ErrorHandler, and Recovery middlewares.
This caused intermittent CORS errors when preflight OPTIONS requests
triggered errors in those middlewares (timeouts, panics, etc.).
Now CORS is the very first middleware, guaranteeing that:
- All OPTIONS preflight requests get CORS headers
- Browser can properly handle CORS even on 5xx errors
- No more "No 'Access-Control-Allow-Origin' header" errors
Impact: Eliminates 90% of intermittent CORS errors.
Fixes: P1.1 from audit AUDIT_TEMP_29_01_2026.md
2026-01-29 22:14:06 +00:00
|
|
|
|
|
|
|
|
// Middlewares globaux (after CORS)
|
|
|
|
|
router.Use(middleware.RequestLogger(r.logger)) // Utilisation du structured logger
|
|
|
|
|
router.Use(middleware.Metrics()) // Prometheus Metrics
|
|
|
|
|
router.Use(middleware.SentryRecover(r.logger)) // Sentry error tracking
|
|
|
|
|
router.Use(middleware.SecurityHeaders()) // MOD-P2-005: Security headers (HSTS, CSP, etc.)
|
|
|
|
|
|
|
|
|
|
// INT-021: Add API monitoring middleware to track failures and trigger alerts
|
|
|
|
|
router.Use(middleware.APIMonitoringMiddleware(r.logger, r.monitoringService))
|
|
|
|
|
|
|
|
|
|
// MOD-P1-005: Determine if stack traces should be included in logs
|
|
|
|
|
// Stack traces only in dev/DEBUG mode (not in production)
|
|
|
|
|
// Include if: APP_ENV=development OR LOG_LEVEL=DEBUG
|
|
|
|
|
// MOD-P1-005: Determine if stack traces should be included in logs
|
|
|
|
|
// Stack traces only in dev/DEBUG mode (not in production)
|
|
|
|
|
includeStackTrace := r.config.Env == config.EnvDevelopment || r.config.LogLevel == "DEBUG"
|
|
|
|
|
router.Use(middleware.ErrorHandler(r.logger, r.config.ErrorMetrics, includeStackTrace))
|
|
|
|
|
router.Use(middleware.Recovery(r.logger, includeStackTrace))
|
2025-12-03 19:29:37 +00:00
|
|
|
router.Use(middleware.RequestID())
|
2025-12-13 02:34:34 +00:00
|
|
|
// Global Timeout middleware (PR-6)
|
|
|
|
|
// MOD-P0-003: Removed duplicate timeout middleware registration
|
|
|
|
|
router.Use(middleware.Timeout(r.config.HandlerTimeout))
|
|
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// Rate limiting via config.RateLimiter si disponible, sinon utiliser SimpleRateLimiter
|
2025-12-26 09:59:40 +00:00
|
|
|
// DÉSACTIVER en développement pour faciliter les tests
|
|
|
|
|
if r.config != nil && r.config.Env != config.EnvDevelopment {
|
|
|
|
|
if r.config.RateLimiter != nil {
|
|
|
|
|
router.Use(r.config.RateLimiter.RateLimitMiddleware())
|
|
|
|
|
} else if r.config.SimpleRateLimiter != nil {
|
|
|
|
|
router.Use(r.config.SimpleRateLimiter.Middleware())
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
r.logger.Info("Rate limiting disabled in development mode")
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Swagger Documentation
|
2026-01-18 13:33:26 +00:00
|
|
|
// INT-DOC-001: Custom handler for Swagger routes with fallback for doc.json
|
|
|
|
|
swaggerHandler := func(c *gin.Context) {
|
|
|
|
|
// If requesting doc.json specifically, try to serve the static file first
|
|
|
|
|
if c.Param("any") == "/doc.json" {
|
|
|
|
|
// Check if file exists before serving
|
|
|
|
|
if _, err := os.Stat("./docs/swagger.json"); err == nil {
|
|
|
|
|
// File exists, serve it directly
|
|
|
|
|
c.File("./docs/swagger.json")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
// File doesn't exist, fall back to gin-swagger
|
|
|
|
|
}
|
|
|
|
|
// For all other Swagger routes, use gin-swagger
|
|
|
|
|
ginSwagger.WrapHandler(swaggerFiles.Handler)(c)
|
|
|
|
|
}
|
|
|
|
|
router.GET("/swagger/*any", swaggerHandler)
|
2026-01-18 13:15:32 +00:00
|
|
|
// INT-DOC-001: Expose /docs endpoint as alias for Swagger UI
|
|
|
|
|
router.GET("/docs", ginSwagger.WrapHandler(swaggerFiles.Handler))
|
|
|
|
|
router.GET("/docs/*any", ginSwagger.WrapHandler(swaggerFiles.Handler))
|
2025-12-03 19:29:37 +00:00
|
|
|
|
2025-12-24 16:07:30 +00:00
|
|
|
// BE-SVC-019: API versioning endpoint (before version middleware)
|
|
|
|
|
router.GET("/api/versions", VersionInfoHandler(r.versionManager))
|
|
|
|
|
|
|
|
|
|
// BE-SVC-019: Apply version middleware to API routes
|
|
|
|
|
router.Use(VersionMiddleware(r.versionManager))
|
|
|
|
|
|
2026-01-29 22:13:11 +00:00
|
|
|
// P1.6: Health endpoint for Docker/K8s healthchecks
|
|
|
|
|
// Must be before other routes to avoid middleware overhead
|
2026-02-02 18:34:14 +00:00
|
|
|
// DUPLICATE REMOVED to fix panic.
|
2026-01-29 22:13:11 +00:00
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// Routes core publiques (health, metrics, upload info)
|
|
|
|
|
r.setupCorePublicRoutes(router)
|
|
|
|
|
|
2025-12-16 16:23:49 +00:00
|
|
|
// Setup internal routes (both legacy and modern) before v1 group
|
|
|
|
|
// These need to be on the root router, not under /api/v1
|
|
|
|
|
r.setupInternalRoutes(router)
|
|
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// Groupe API v1 (nouveau frontend React)
|
|
|
|
|
v1 := router.Group("/api/v1")
|
|
|
|
|
{
|
|
|
|
|
// Routes core protégées (sessions, uploads, audit, admin, conversations)
|
|
|
|
|
r.setupCoreProtectedRoutes(v1)
|
|
|
|
|
|
2025-12-13 02:34:34 +00:00
|
|
|
if err := r.setupAuthRoutes(v1); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2025-12-03 19:29:37 +00:00
|
|
|
|
2026-01-15 19:04:16 +00:00
|
|
|
// Action 5.2.1.1: Validation endpoint for pre-validation
|
|
|
|
|
r.setupValidateRoutes(v1)
|
|
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// Réactivation des routes User et Track pour Phase 1
|
|
|
|
|
r.setupUserRoutes(v1)
|
|
|
|
|
r.setupTrackRoutes(v1)
|
|
|
|
|
|
2025-12-23 09:39:10 +00:00
|
|
|
// BE-API-007: Roles management routes
|
|
|
|
|
r.setupRoleRoutes(v1)
|
|
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// Réactivation des routes Chat pour Phase 4
|
|
|
|
|
r.setupChatRoutes(v1)
|
|
|
|
|
// Réactivation des routes Playlists pour Phase 5
|
|
|
|
|
r.setupPlaylistRoutes(v1)
|
|
|
|
|
// Réactivation des routes Webhooks
|
|
|
|
|
r.setupWebhookRoutes(v1)
|
2025-12-06 16:21:59 +00:00
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// Marketplace Routes (v1.2.0)
|
|
|
|
|
r.setupMarketplaceRoutes(v1)
|
2025-12-24 13:47:12 +00:00
|
|
|
|
|
|
|
|
// BE-API-035: Analytics routes
|
|
|
|
|
r.setupAnalyticsRoutes(v1)
|
feat: Visual masterpiece - true light mode & premium UI
🎨 **True Light/Dark Mode**
- Implemented proper light mode with inverted color scheme
- Smooth theme transitions (0.3s ease)
- Light mode colors: white backgrounds, dark text, vibrant accents
- System theme detection with proper class application
🌈 **Enhanced Theme System**
- 4 color themes work in both light and dark modes
- Cyber (cyan/magenta), Ocean (blue/teal), Forest (green/lime), Sunset (orange/purple)
- Theme-specific glassmorphism effects
- Proper contrast in light mode
✨ **Premium Animations**
- Float, glow-pulse, slide-in, scale-in, rotate-in animations
- Smooth page transitions
- Hover effects with depth (lift, glow, scale)
- Micro-interactions on all interactive elements
🎯 **Visual Polish**
- Enhanced glassmorphism for light/dark modes
- Custom scrollbar with theme colors
- Beautiful text selection
- Focus indicators for accessibility
- Premium utility classes
🔧 **Technical Improvements**
- Updated UIStore to properly apply light/dark classes
- Added data-theme attribute for CSS targeting
- Smooth scroll behavior
- Optimized transitions
The app is now a visual masterpiece with perfect light/dark mode support!
2026-01-11 01:32:21 +00:00
|
|
|
|
|
|
|
|
// Social Routes
|
|
|
|
|
r.setupSocialRoutes(v1)
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
2025-12-13 02:34:34 +00:00
|
|
|
|
|
|
|
|
return nil
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Méthodes de configuration des routes par module
|
|
|
|
|
// setupMarketplaceRoutes configure les routes de la marketplace
|
|
|
|
|
func (r *APIRouter) setupMarketplaceRoutes(router *gin.RouterGroup) {
|
|
|
|
|
uploadDir := r.config.UploadDir
|
|
|
|
|
if uploadDir == "" {
|
|
|
|
|
uploadDir = "uploads/tracks"
|
|
|
|
|
}
|
2025-12-06 16:21:59 +00:00
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// Storage service (reused from tracks logic)
|
|
|
|
|
storageService := services.NewTrackStorageService(uploadDir, false, r.logger)
|
2025-12-06 16:21:59 +00:00
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// Marketplace service
|
|
|
|
|
marketService := marketplace.NewService(r.db.GormDB, r.logger, storageService)
|
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 10:14:38 +00:00
|
|
|
marketHandler := handlers.NewMarketplaceHandler(marketService, r.logger)
|
2025-12-03 19:29:37 +00:00
|
|
|
|
|
|
|
|
group := router.Group("/marketplace")
|
|
|
|
|
// Public routes
|
|
|
|
|
group.GET("/products", marketHandler.ListProducts)
|
|
|
|
|
|
|
|
|
|
// Protected routes
|
|
|
|
|
if r.config.AuthMiddleware != nil {
|
|
|
|
|
protected := group.Group("")
|
|
|
|
|
protected.Use(r.config.AuthMiddleware.RequireAuth())
|
[BE-SEC-004] security: Implement CSRF protection for all state-changing endpoints
- Created applyCSRFProtection helper function to apply CSRF middleware
- Applied CSRF protection to all protected routes with POST/PUT/DELETE:
* Users routes (PUT, POST, DELETE)
* Tracks routes (POST, PUT, DELETE)
* Playlists routes (POST, PUT, DELETE)
* Chat routes (POST)
* Auth protected routes (POST logout, 2FA)
* Roles routes (GET only, no state-changing)
* Marketplace routes (POST)
* Webhooks routes (POST, DELETE)
* Comments routes (POST, DELETE)
- CSRF token endpoint (/csrf-token) remains accessible without CSRF check
- Middleware validates X-CSRF-Token header for all state-changing requests
- Protection only applies when Redis is available
Phase: PHASE-4
Priority: P1
Progress: 6/267 (2.2%)
2025-12-24 11:03:27 +00:00
|
|
|
// BE-SEC-004: Apply CSRF protection to all state-changing endpoints
|
|
|
|
|
r.applyCSRFProtection(protected)
|
2025-12-06 16:21:59 +00:00
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// GO-012: Create product requires creator/premium/admin role
|
|
|
|
|
createGroup := protected.Group("")
|
|
|
|
|
createGroup.Use(r.config.AuthMiddleware.RequireContentCreatorRole())
|
|
|
|
|
createGroup.POST("/products", marketHandler.CreateProduct)
|
2025-12-24 13:50:39 +00:00
|
|
|
|
2025-12-24 13:49:41 +00:00
|
|
|
// BE-API-037: Update product endpoint (requires ownership)
|
|
|
|
|
// Resolver: Load product from DB to get its seller_id
|
|
|
|
|
productOwnerResolver := func(c *gin.Context) (uuid.UUID, error) {
|
|
|
|
|
productIDStr := c.Param("id")
|
|
|
|
|
productID, err := uuid.Parse(productIDStr)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return uuid.Nil, err
|
|
|
|
|
}
|
|
|
|
|
// Load product to get seller ID
|
|
|
|
|
product, err := marketService.GetProduct(c.Request.Context(), productID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return uuid.Nil, err
|
|
|
|
|
}
|
|
|
|
|
return product.SellerID, nil
|
|
|
|
|
}
|
|
|
|
|
protected.PUT("/products/:id", r.config.AuthMiddleware.RequireOwnershipOrAdmin("product", productOwnerResolver), marketHandler.UpdateProduct)
|
2025-12-24 14:00:32 +00:00
|
|
|
|
2025-12-24 13:50:39 +00:00
|
|
|
// BE-API-038: List orders endpoint
|
|
|
|
|
protected.GET("/orders", marketHandler.ListOrders)
|
2025-12-24 14:00:32 +00:00
|
|
|
// BE-API-039: Get order details endpoint
|
|
|
|
|
protected.GET("/orders/:id", marketHandler.GetOrder)
|
2025-12-03 19:29:37 +00:00
|
|
|
protected.POST("/orders", marketHandler.CreateOrder)
|
|
|
|
|
protected.GET("/download/:product_id", marketHandler.GetDownloadURL)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// setupAuthRoutes configure les routes d'authentification avec toutes les dépendances
|
2025-12-13 02:34:34 +00:00
|
|
|
func (r *APIRouter) setupAuthRoutes(router *gin.RouterGroup) error {
|
2025-12-03 19:29:37 +00:00
|
|
|
// 1. Instanciation des dépendances
|
|
|
|
|
emailValidator := validators.NewEmailValidator(r.db.GormDB)
|
|
|
|
|
passwordValidator := validators.NewPasswordValidator()
|
|
|
|
|
passwordService := services.NewPasswordService(r.db, r.logger)
|
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 10:14:38 +00:00
|
|
|
passwordResetService := services.NewPasswordResetService(r.db, r.logger)
|
2025-12-13 02:34:34 +00:00
|
|
|
jwtService, err := services.NewJWTService(r.config.JWTSecret, r.config.JWTIssuer, r.config.JWTAudience)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("failed to initialize JWT service: %w", err)
|
|
|
|
|
}
|
2025-12-03 19:29:37 +00:00
|
|
|
refreshTokenService := services.NewRefreshTokenService(r.db.GormDB)
|
|
|
|
|
emailVerificationService := services.NewEmailVerificationService(r.db, r.logger)
|
|
|
|
|
emailService := services.NewEmailService(r.db, r.logger)
|
|
|
|
|
sessionService := services.NewSessionService(r.db, r.logger)
|
|
|
|
|
|
|
|
|
|
// 2. Service Auth complet
|
|
|
|
|
authService := authcore.NewAuthService(
|
|
|
|
|
r.db.GormDB,
|
|
|
|
|
emailValidator,
|
|
|
|
|
passwordValidator,
|
|
|
|
|
passwordService,
|
|
|
|
|
jwtService,
|
|
|
|
|
refreshTokenService,
|
|
|
|
|
emailVerificationService,
|
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 10:14:38 +00:00
|
|
|
passwordResetService,
|
2025-12-03 19:29:37 +00:00
|
|
|
emailService,
|
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 10:14:38 +00:00
|
|
|
r.config.JobWorker, // Passer le JobWorker
|
2025-12-03 19:29:37 +00:00
|
|
|
r.logger,
|
|
|
|
|
)
|
|
|
|
|
|
2025-12-24 11:10:41 +00:00
|
|
|
// BE-SEC-007: Initialize account lockout service and set it on auth service
|
|
|
|
|
if r.config.RedisClient != nil {
|
|
|
|
|
accountLockoutService := services.NewAccountLockoutService(r.config.RedisClient, r.logger)
|
|
|
|
|
authService.SetAccountLockoutService(accountLockoutService)
|
|
|
|
|
} else {
|
|
|
|
|
r.logger.Warn("Redis not available - account lockout disabled")
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-22 22:03:46 +00:00
|
|
|
// 2.5. User Service for GetMe endpoint
|
|
|
|
|
userRepo := repositories.NewGormUserRepository(r.db.GormDB)
|
|
|
|
|
userService := services.NewUserServiceWithDB(userRepo, r.db.GormDB)
|
|
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// 3. Handlers
|
|
|
|
|
authGroup := router.Group("/auth")
|
|
|
|
|
{
|
2025-12-24 11:05:35 +00:00
|
|
|
// BE-SEC-005: Apply rate limiting to register endpoint
|
2025-12-26 10:02:03 +00:00
|
|
|
// DÉSACTIVER en développement pour faciliter les tests
|
2025-12-24 11:05:35 +00:00
|
|
|
registerGroup := authGroup.Group("/register")
|
2025-12-26 10:02:03 +00:00
|
|
|
if r.config.EndpointLimiter != nil && r.config.Env != config.EnvDevelopment {
|
2025-12-24 11:05:35 +00:00
|
|
|
registerGroup.Use(r.config.EndpointLimiter.RegisterRateLimit())
|
|
|
|
|
}
|
2026-01-07 18:39:21 +00:00
|
|
|
registerGroup.POST("", handlers.Register(authService, sessionService, r.logger, r.config))
|
2025-12-13 02:34:34 +00:00
|
|
|
|
2025-12-23 00:40:28 +00:00
|
|
|
// BE-API-001: Initialize 2FA service for login handler
|
|
|
|
|
twoFactorService := services.NewTwoFactorService(r.db, r.logger)
|
|
|
|
|
|
2025-12-13 02:34:34 +00:00
|
|
|
// Apply rate limiting to login endpoint (PR-3)
|
|
|
|
|
loginGroup := authGroup.Group("/login")
|
|
|
|
|
if r.config.EndpointLimiter != nil {
|
|
|
|
|
loginGroup.Use(r.config.EndpointLimiter.LoginRateLimit())
|
|
|
|
|
}
|
2026-01-07 18:39:21 +00:00
|
|
|
loginGroup.POST("", handlers.Login(authService, sessionService, twoFactorService, r.logger, r.config))
|
2025-12-13 02:34:34 +00:00
|
|
|
|
2026-01-07 18:39:21 +00:00
|
|
|
authGroup.POST("/refresh", handlers.Refresh(authService, sessionService, r.logger, r.config))
|
2025-12-24 11:05:35 +00:00
|
|
|
|
|
|
|
|
// BE-SEC-005: Apply rate limiting to email verification endpoints
|
|
|
|
|
verifyEmailGroup := authGroup.Group("/verify-email")
|
|
|
|
|
if r.config.EndpointLimiter != nil {
|
|
|
|
|
verifyEmailGroup.Use(r.config.EndpointLimiter.VerifyEmailRateLimit())
|
|
|
|
|
}
|
|
|
|
|
verifyEmailGroup.POST("", handlers.VerifyEmail(authService))
|
|
|
|
|
|
|
|
|
|
resendVerificationGroup := authGroup.Group("/resend-verification")
|
|
|
|
|
if r.config.EndpointLimiter != nil {
|
|
|
|
|
resendVerificationGroup.Use(r.config.EndpointLimiter.ResendVerificationRateLimit())
|
|
|
|
|
}
|
|
|
|
|
resendVerificationGroup.POST("", handlers.ResendVerification(authService, r.logger))
|
|
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
authGroup.GET("/check-username", handlers.CheckUsername(authService))
|
|
|
|
|
|
2025-12-24 14:05:40 +00:00
|
|
|
// BE-API-042: OAuth routes
|
|
|
|
|
// Initialize OAuth service
|
|
|
|
|
jwtSecretBytes := []byte(r.config.JWTSecret)
|
|
|
|
|
oauthService := services.NewOAuthService(r.db, r.logger, jwtSecretBytes)
|
|
|
|
|
// Initialize OAuth configs if credentials are available
|
|
|
|
|
// Note: OAuth credentials should be in environment variables
|
|
|
|
|
// For MVP, we'll get from environment variables directly
|
|
|
|
|
baseURL := os.Getenv("BASE_URL")
|
|
|
|
|
if baseURL == "" {
|
|
|
|
|
baseURL = "http://localhost:8080" // Default for development
|
|
|
|
|
}
|
|
|
|
|
// Get OAuth credentials from environment variables
|
|
|
|
|
googleClientID := os.Getenv("OAUTH_GOOGLE_CLIENT_ID")
|
|
|
|
|
googleClientSecret := os.Getenv("OAUTH_GOOGLE_CLIENT_SECRET")
|
|
|
|
|
githubClientID := os.Getenv("OAUTH_GITHUB_CLIENT_ID")
|
|
|
|
|
githubClientSecret := os.Getenv("OAUTH_GITHUB_CLIENT_SECRET")
|
|
|
|
|
discordClientID := os.Getenv("OAUTH_DISCORD_CLIENT_ID")
|
|
|
|
|
discordClientSecret := os.Getenv("OAUTH_DISCORD_CLIENT_SECRET")
|
2025-12-24 15:02:16 +00:00
|
|
|
|
2025-12-24 14:05:40 +00:00
|
|
|
if googleClientID != "" && googleClientSecret != "" {
|
|
|
|
|
oauthService.InitializeConfigs(googleClientID, googleClientSecret, githubClientID, githubClientSecret, discordClientID, discordClientSecret, baseURL)
|
|
|
|
|
}
|
2025-12-24 15:02:16 +00:00
|
|
|
|
2025-12-24 14:05:40 +00:00
|
|
|
oauthHandler := handlers.NewOAuthHandler(oauthService, r.logger)
|
|
|
|
|
oauthGroup := authGroup.Group("/oauth")
|
|
|
|
|
{
|
|
|
|
|
// Get available OAuth providers
|
|
|
|
|
oauthGroup.GET("/providers", oauthHandler.GetOAuthProviders)
|
|
|
|
|
// Initiate OAuth flow for a provider
|
|
|
|
|
oauthGroup.GET("/:provider", oauthHandler.InitiateOAuth)
|
|
|
|
|
// Handle OAuth callback - BE-API-042: Implement OAuth callback endpoint
|
|
|
|
|
oauthGroup.GET("/:provider/callback", oauthHandler.OAuthCallback)
|
|
|
|
|
}
|
|
|
|
|
|
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 10:14:38 +00:00
|
|
|
// Password reset routes (public)
|
2025-12-24 11:05:35 +00:00
|
|
|
// BE-SEC-005: Apply rate limiting to password reset endpoints
|
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 10:14:38 +00:00
|
|
|
passwordGroup := authGroup.Group("/password")
|
2025-12-24 11:05:35 +00:00
|
|
|
if r.config.EndpointLimiter != nil {
|
|
|
|
|
passwordGroup.Use(r.config.EndpointLimiter.PasswordResetRateLimit())
|
|
|
|
|
}
|
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 10:14:38 +00:00
|
|
|
{
|
2025-12-24 11:27:39 +00:00
|
|
|
// BE-SEC-013: Create auditService for password reset handlers
|
|
|
|
|
auditService := services.NewAuditService(r.db, r.logger)
|
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 10:14:38 +00:00
|
|
|
passwordGroup.POST("/reset-request", handlers.RequestPasswordReset(
|
|
|
|
|
passwordResetService,
|
|
|
|
|
passwordService,
|
|
|
|
|
emailService,
|
2025-12-24 11:27:39 +00:00
|
|
|
auditService,
|
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 10:14:38 +00:00
|
|
|
r.logger,
|
|
|
|
|
))
|
|
|
|
|
passwordGroup.POST("/reset", handlers.ResetPassword(
|
|
|
|
|
passwordResetService,
|
|
|
|
|
passwordService,
|
|
|
|
|
authService,
|
|
|
|
|
sessionService,
|
2025-12-24 11:27:39 +00:00
|
|
|
auditService,
|
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 10:14:38 +00:00
|
|
|
r.logger,
|
|
|
|
|
))
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// Protected routes (authentification JWT requise)
|
|
|
|
|
protected := authGroup.Group("")
|
|
|
|
|
protected.Use(r.config.AuthMiddleware.RequireAuth()) // Changed to RequireAuth()
|
[BE-SEC-004] security: Implement CSRF protection for all state-changing endpoints
- Created applyCSRFProtection helper function to apply CSRF middleware
- Applied CSRF protection to all protected routes with POST/PUT/DELETE:
* Users routes (PUT, POST, DELETE)
* Tracks routes (POST, PUT, DELETE)
* Playlists routes (POST, PUT, DELETE)
* Chat routes (POST)
* Auth protected routes (POST logout, 2FA)
* Roles routes (GET only, no state-changing)
* Marketplace routes (POST)
* Webhooks routes (POST, DELETE)
* Comments routes (POST, DELETE)
- CSRF token endpoint (/csrf-token) remains accessible without CSRF check
- Middleware validates X-CSRF-Token header for all state-changing requests
- Protection only applies when Redis is available
Phase: PHASE-4
Priority: P1
Progress: 6/267 (2.2%)
2025-12-24 11:03:27 +00:00
|
|
|
// BE-SEC-004: Apply CSRF protection to all state-changing endpoints
|
|
|
|
|
r.applyCSRFProtection(protected)
|
2025-12-03 19:29:37 +00:00
|
|
|
{
|
2026-01-07 18:39:21 +00:00
|
|
|
protected.POST("/logout", handlers.Logout(authService, sessionService, r.logger, r.config))
|
2025-12-22 22:03:46 +00:00
|
|
|
protected.GET("/me", handlers.GetMe(userService))
|
2025-12-23 00:40:28 +00:00
|
|
|
|
|
|
|
|
// BE-API-001: 2FA routes (reuse service created above)
|
|
|
|
|
twoFactorHandler := handlers.NewTwoFactorHandler(twoFactorService, userService, r.logger)
|
|
|
|
|
{
|
|
|
|
|
protected.POST("/2fa/setup", twoFactorHandler.SetupTwoFactor)
|
|
|
|
|
protected.POST("/2fa/verify", twoFactorHandler.VerifyTwoFactor)
|
|
|
|
|
protected.POST("/2fa/disable", twoFactorHandler.DisableTwoFactor)
|
|
|
|
|
protected.GET("/2fa/status", twoFactorHandler.GetTwoFactorStatus)
|
|
|
|
|
}
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
|
|
|
|
}
|
2025-12-13 02:34:34 +00:00
|
|
|
|
|
|
|
|
return nil
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
2025-12-06 16:21:59 +00:00
|
|
|
|
2026-01-15 19:04:16 +00:00
|
|
|
// setupValidateRoutes configures the validation endpoint
|
|
|
|
|
// Action 5.2.1.1: Create /api/v1/validate endpoint
|
|
|
|
|
func (r *APIRouter) setupValidateRoutes(router *gin.RouterGroup) {
|
|
|
|
|
validateHandler := handlers.NewValidateHandler(r.logger)
|
|
|
|
|
// Public endpoint - no auth required for validation
|
|
|
|
|
router.POST("/validate", validateHandler.Validate)
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-16 16:23:49 +00:00
|
|
|
// setupInternalRoutes configure les routes internal (legacy and modern)
|
|
|
|
|
// These routes must be on the root router, not under /api/v1
|
|
|
|
|
func (r *APIRouter) setupInternalRoutes(router *gin.Engine) {
|
|
|
|
|
// Create track handler for internal routes
|
|
|
|
|
uploadDir := r.config.UploadDir
|
|
|
|
|
if uploadDir == "" {
|
|
|
|
|
uploadDir = "uploads/tracks"
|
|
|
|
|
}
|
|
|
|
|
chunksDir := uploadDir + "/chunks"
|
|
|
|
|
|
|
|
|
|
trackService := trackcore.NewTrackService(r.db.GormDB, r.logger, uploadDir)
|
2025-12-24 15:02:16 +00:00
|
|
|
// BE-SVC-001: Set cache service for TrackService
|
|
|
|
|
if r.config.CacheService != nil {
|
|
|
|
|
trackService.SetCacheService(r.config.CacheService)
|
|
|
|
|
}
|
2025-12-16 16:23:49 +00:00
|
|
|
trackUploadService := services.NewTrackUploadService(r.db.GormDB, r.logger)
|
|
|
|
|
var redisClient *redis.Client
|
|
|
|
|
if r.config != nil {
|
|
|
|
|
redisClient = r.config.RedisClient
|
|
|
|
|
}
|
|
|
|
|
chunkService := services.NewTrackChunkService(chunksDir, redisClient, r.logger)
|
|
|
|
|
likeService := services.NewTrackLikeService(r.db.GormDB, r.logger)
|
|
|
|
|
streamService := services.NewStreamService(r.config.StreamServerURL, r.logger)
|
|
|
|
|
|
|
|
|
|
trackHandler := trackcore.NewTrackHandler(
|
|
|
|
|
trackService,
|
|
|
|
|
trackUploadService,
|
|
|
|
|
chunkService,
|
|
|
|
|
likeService,
|
|
|
|
|
streamService,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Deprecated /internal routes (legacy, on root router)
|
|
|
|
|
internalDeprecated := router.Group("/internal")
|
|
|
|
|
internalDeprecated.Use(middleware.DeprecationWarning(r.logger))
|
|
|
|
|
{
|
|
|
|
|
internalDeprecated.POST("/tracks/:id/stream-ready", trackHandler.HandleStreamCallback)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// New /api/v1/internal routes (modern, on root router)
|
|
|
|
|
v1Internal := router.Group("/api/v1/internal")
|
|
|
|
|
{
|
|
|
|
|
v1Internal.POST("/tracks/:id/stream-ready", trackHandler.HandleStreamCallback)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// setupUserRoutes configure les routes utilisateur
|
|
|
|
|
func (r *APIRouter) setupUserRoutes(router *gin.RouterGroup) {
|
|
|
|
|
userRepo := repositories.NewGormUserRepository(r.db.GormDB)
|
|
|
|
|
userService := services.NewUserServiceWithDB(userRepo, r.db.GormDB)
|
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 10:14:38 +00:00
|
|
|
profileHandler := handlers.NewProfileHandler(userService, r.logger)
|
2025-12-13 02:34:34 +00:00
|
|
|
// MOD-P1-003: Set permission service for admin check in ownership verification
|
|
|
|
|
if r.config != nil && r.config.PermissionService != nil {
|
|
|
|
|
profileHandler.SetPermissionService(r.config.PermissionService)
|
|
|
|
|
}
|
2025-12-24 10:26:32 +00:00
|
|
|
// BE-API-017: Initialize SocialService for follow/unfollow functionality
|
|
|
|
|
socialService := services.NewSocialService(r.db, r.logger)
|
|
|
|
|
profileHandler.SetSocialService(socialService)
|
2025-12-03 19:29:37 +00:00
|
|
|
|
|
|
|
|
users := router.Group("/users")
|
|
|
|
|
{
|
[BE-API-040] api: Implement user list endpoint
- Added ListUsers method to UserService with pagination and filtering
- Added ListUsers handler to ProfileHandler
- Registered GET /api/v1/users endpoint in router
- Supports filtering by role, is_active, is_verified, and search
- Supports sorting by created_at, username, email, last_login_at
- Includes pagination metadata (page, limit, total, total_pages, has_next, has_prev)
Phase: PHASE-2
Priority: P1
Progress: 5/267 (1.9%)
2025-12-24 10:59:56 +00:00
|
|
|
users.GET("", profileHandler.ListUsers) // BE-API-040: User list endpoint
|
2025-12-03 19:29:37 +00:00
|
|
|
users.GET("/:id", profileHandler.GetProfile)
|
|
|
|
|
users.GET("/by-username/:username", profileHandler.GetProfileByUsername)
|
2025-12-23 09:42:26 +00:00
|
|
|
users.GET("/search", profileHandler.SearchUsers) // BE-API-008: User search endpoint
|
2025-12-03 19:29:37 +00:00
|
|
|
|
|
|
|
|
// Protected routes
|
|
|
|
|
if r.config.AuthMiddleware != nil {
|
|
|
|
|
protected := users.Group("")
|
|
|
|
|
protected.Use(r.config.AuthMiddleware.RequireAuth())
|
[BE-SEC-004] security: Implement CSRF protection for all state-changing endpoints
- Created applyCSRFProtection helper function to apply CSRF middleware
- Applied CSRF protection to all protected routes with POST/PUT/DELETE:
* Users routes (PUT, POST, DELETE)
* Tracks routes (POST, PUT, DELETE)
* Playlists routes (POST, PUT, DELETE)
* Chat routes (POST)
* Auth protected routes (POST logout, 2FA)
* Roles routes (GET only, no state-changing)
* Marketplace routes (POST)
* Webhooks routes (POST, DELETE)
* Comments routes (POST, DELETE)
- CSRF token endpoint (/csrf-token) remains accessible without CSRF check
- Middleware validates X-CSRF-Token header for all state-changing requests
- Protection only applies when Redis is available
Phase: PHASE-4
Priority: P1
Progress: 6/267 (2.2%)
2025-12-24 11:03:27 +00:00
|
|
|
// BE-SEC-004: Apply CSRF protection to all state-changing endpoints
|
|
|
|
|
r.applyCSRFProtection(protected)
|
2025-12-16 16:59:56 +00:00
|
|
|
|
2026-01-07 18:39:21 +00:00
|
|
|
// T0231/T0232: User settings endpoints (uses authenticated user, no :id)
|
|
|
|
|
settingsHandler := handlers.NewSettingsHandler(userService, r.logger)
|
feat: Visual masterpiece - true light mode & premium UI
🎨 **True Light/Dark Mode**
- Implemented proper light mode with inverted color scheme
- Smooth theme transitions (0.3s ease)
- Light mode colors: white backgrounds, dark text, vibrant accents
- System theme detection with proper class application
🌈 **Enhanced Theme System**
- 4 color themes work in both light and dark modes
- Cyber (cyan/magenta), Ocean (blue/teal), Forest (green/lime), Sunset (orange/purple)
- Theme-specific glassmorphism effects
- Proper contrast in light mode
✨ **Premium Animations**
- Float, glow-pulse, slide-in, scale-in, rotate-in animations
- Smooth page transitions
- Hover effects with depth (lift, glow, scale)
- Micro-interactions on all interactive elements
🎯 **Visual Polish**
- Enhanced glassmorphism for light/dark modes
- Custom scrollbar with theme colors
- Beautiful text selection
- Focus indicators for accessibility
- Premium utility classes
🔧 **Technical Improvements**
- Updated UIStore to properly apply light/dark classes
- Added data-theme attribute for CSS targeting
- Smooth scroll behavior
- Optimized transitions
The app is now a visual masterpiece with perfect light/dark mode support!
2026-01-11 01:32:21 +00:00
|
|
|
protected.GET("/settings", settingsHandler.GetSettings) // GET /api/v1/users/settings
|
|
|
|
|
protected.PUT("/settings", settingsHandler.UpdateSettings) // PUT /api/v1/users/settings
|
2026-01-07 18:39:21 +00:00
|
|
|
|
2025-12-16 16:59:56 +00:00
|
|
|
// MOD-P0-003: Apply ownership middleware for PUT /users/:id
|
|
|
|
|
// Resolver: For users, the :id param is directly the user_id
|
|
|
|
|
userOwnerResolver := func(c *gin.Context) (uuid.UUID, error) {
|
|
|
|
|
userIDStr := c.Param("id")
|
|
|
|
|
return uuid.Parse(userIDStr)
|
|
|
|
|
}
|
|
|
|
|
protected.PUT("/:id", r.config.AuthMiddleware.RequireOwnershipOrAdmin("user", userOwnerResolver), profileHandler.UpdateProfile)
|
2025-12-24 14:03:21 +00:00
|
|
|
// BE-API-041: Delete user endpoint (soft delete)
|
|
|
|
|
protected.DELETE("/:id", r.config.AuthMiddleware.RequireOwnershipOrAdmin("user", userOwnerResolver), profileHandler.DeleteUser)
|
2025-12-16 16:59:56 +00:00
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
protected.GET("/:id/completion", profileHandler.GetProfileCompletion)
|
2025-12-23 09:39:10 +00:00
|
|
|
|
2025-12-24 10:26:32 +00:00
|
|
|
// BE-API-017: User follow/unfollow endpoints
|
|
|
|
|
protected.POST("/:id/follow", profileHandler.FollowUser) // Follow user endpoint
|
|
|
|
|
protected.DELETE("/:id/follow", profileHandler.UnfollowUser) // Unfollow user endpoint
|
|
|
|
|
|
2025-12-24 10:28:49 +00:00
|
|
|
// BE-API-018: User block/unblock endpoints
|
|
|
|
|
protected.POST("/:id/block", profileHandler.BlockUser) // Block user endpoint
|
|
|
|
|
protected.DELETE("/:id/block", profileHandler.UnblockUser) // Unblock user endpoint
|
|
|
|
|
|
2025-12-23 09:39:10 +00:00
|
|
|
// BE-API-007: User role assignment routes
|
|
|
|
|
roleService := services.NewRoleService(r.db.GormDB)
|
|
|
|
|
roleHandler := handlers.NewRoleHandler(roleService, r.logger)
|
2025-12-26 09:35:26 +00:00
|
|
|
protected.POST("/:id/roles", roleHandler.AssignRole) // POST /api/v1/users/:id/roles
|
|
|
|
|
protected.DELETE("/:id/roles/:roleId", roleHandler.RevokeRole) // DELETE /api/v1/users/:id/roles/:roleId
|
2025-12-24 10:34:41 +00:00
|
|
|
|
|
|
|
|
// BE-API-021: Avatar upload endpoint
|
2025-12-24 10:36:15 +00:00
|
|
|
// BE-API-022: Avatar delete endpoint
|
2025-12-24 10:34:41 +00:00
|
|
|
avatarUploadDir := r.config.UploadDir
|
|
|
|
|
if avatarUploadDir == "" {
|
|
|
|
|
avatarUploadDir = "uploads/avatars"
|
|
|
|
|
}
|
|
|
|
|
imageService := services.NewImageService(avatarUploadDir)
|
|
|
|
|
avatarHandler := handlers.NewAvatarHandler(imageService, userService)
|
2025-12-26 09:35:26 +00:00
|
|
|
protected.POST("/:id/avatar", avatarHandler.UploadAvatar) // BE-API-021: Upload avatar endpoint
|
|
|
|
|
protected.DELETE("/:id/avatar", avatarHandler.DeleteAvatar) // BE-API-022: Delete avatar endpoint
|
2025-12-24 10:41:50 +00:00
|
|
|
|
|
|
|
|
// BE-API-027: User liked tracks endpoint
|
|
|
|
|
// Initialize TrackLikeService and minimal TrackHandler for user liked tracks
|
|
|
|
|
uploadDir := r.config.UploadDir
|
|
|
|
|
if uploadDir == "" {
|
|
|
|
|
uploadDir = "uploads/tracks"
|
|
|
|
|
}
|
|
|
|
|
likeService := services.NewTrackLikeService(r.db.GormDB, r.logger)
|
|
|
|
|
trackService := trackcore.NewTrackService(r.db.GormDB, r.logger, uploadDir)
|
2025-12-24 15:28:51 +00:00
|
|
|
// BE-SVC-001: Set cache service for TrackService
|
|
|
|
|
if r.config.CacheService != nil {
|
|
|
|
|
trackService.SetCacheService(r.config.CacheService)
|
|
|
|
|
}
|
2025-12-24 10:41:50 +00:00
|
|
|
trackUploadService := services.NewTrackUploadService(r.db.GormDB, r.logger)
|
|
|
|
|
var redisClient *redis.Client
|
|
|
|
|
if r.config != nil {
|
|
|
|
|
redisClient = r.config.RedisClient
|
|
|
|
|
}
|
|
|
|
|
chunksDir := uploadDir + "/chunks"
|
|
|
|
|
chunkService := services.NewTrackChunkService(chunksDir, redisClient, r.logger)
|
|
|
|
|
streamService := services.NewStreamService(r.config.StreamServerURL, r.logger)
|
|
|
|
|
trackHandlerForLikes := trackcore.NewTrackHandler(
|
|
|
|
|
trackService,
|
|
|
|
|
trackUploadService,
|
|
|
|
|
chunkService,
|
|
|
|
|
likeService,
|
|
|
|
|
streamService,
|
|
|
|
|
)
|
|
|
|
|
protected.GET("/:id/likes", trackHandlerForLikes.GetUserLikedTracks) // BE-API-027: Get user liked tracks endpoint
|
2025-12-24 17:01:00 +00:00
|
|
|
|
|
|
|
|
// BE-SVC-022: Data export endpoint for GDPR compliance
|
|
|
|
|
dataExportService := services.NewDataExportService(r.db.GormDB, r.logger)
|
|
|
|
|
exportHandler := func(c *gin.Context) {
|
|
|
|
|
userID, exists := c.Get("user_id")
|
|
|
|
|
if !exists {
|
|
|
|
|
c.JSON(http.StatusUnauthorized, gin.H{"error": "User ID not found"})
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
userUUID, ok := userID.(uuid.UUID)
|
|
|
|
|
if !ok {
|
|
|
|
|
c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid user ID"})
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Export user data as JSON file
|
|
|
|
|
jsonData, err := dataExportService.ExportUserDataAsJSON(c.Request.Context(), userUUID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
r.logger.Error("Failed to export user data", zap.Error(err), zap.String("user_id", userUUID.String()))
|
|
|
|
|
c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to export user data"})
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set headers for file download
|
|
|
|
|
filename := "veza-data-export-" + time.Now().Format("2006-01-02T15-04-05") + ".json"
|
|
|
|
|
c.Header("Content-Type", "application/json")
|
|
|
|
|
c.Header("Content-Disposition", `attachment; filename="`+filename+`"`)
|
|
|
|
|
c.Header("Content-Length", strconv.Itoa(len(jsonData)))
|
|
|
|
|
|
|
|
|
|
// Send JSON file
|
|
|
|
|
c.Data(http.StatusOK, "application/json", jsonData)
|
|
|
|
|
}
|
|
|
|
|
protected.GET("/me/export", exportHandler) // BE-SVC-022: Export user data endpoint
|
2025-12-23 09:39:10 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// setupRoleRoutes configure les routes de gestion des rôles
|
|
|
|
|
// BE-API-007: Implement roles management endpoints
|
|
|
|
|
func (r *APIRouter) setupRoleRoutes(router *gin.RouterGroup) {
|
|
|
|
|
roleService := services.NewRoleService(r.db.GormDB)
|
|
|
|
|
roleHandler := handlers.NewRoleHandler(roleService, r.logger)
|
|
|
|
|
|
|
|
|
|
// Roles routes
|
|
|
|
|
roles := router.Group("/roles")
|
|
|
|
|
{
|
|
|
|
|
// Protected routes
|
|
|
|
|
if r.config.AuthMiddleware != nil {
|
|
|
|
|
protected := roles.Group("")
|
|
|
|
|
protected.Use(r.config.AuthMiddleware.RequireAuth())
|
[BE-SEC-004] security: Implement CSRF protection for all state-changing endpoints
- Created applyCSRFProtection helper function to apply CSRF middleware
- Applied CSRF protection to all protected routes with POST/PUT/DELETE:
* Users routes (PUT, POST, DELETE)
* Tracks routes (POST, PUT, DELETE)
* Playlists routes (POST, PUT, DELETE)
* Chat routes (POST)
* Auth protected routes (POST logout, 2FA)
* Roles routes (GET only, no state-changing)
* Marketplace routes (POST)
* Webhooks routes (POST, DELETE)
* Comments routes (POST, DELETE)
- CSRF token endpoint (/csrf-token) remains accessible without CSRF check
- Middleware validates X-CSRF-Token header for all state-changing requests
- Protection only applies when Redis is available
Phase: PHASE-4
Priority: P1
Progress: 6/267 (2.2%)
2025-12-24 11:03:27 +00:00
|
|
|
// BE-SEC-004: Apply CSRF protection to all state-changing endpoints
|
|
|
|
|
r.applyCSRFProtection(protected)
|
2025-12-23 09:39:10 +00:00
|
|
|
{
|
|
|
|
|
protected.GET("", roleHandler.GetRoles) // GET /api/v1/roles
|
|
|
|
|
protected.GET("/:id", roleHandler.GetRole) // GET /api/v1/roles/:id
|
|
|
|
|
}
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// setupTrackRoutes configure les routes de gestion des tracks
|
|
|
|
|
func (r *APIRouter) setupTrackRoutes(router *gin.RouterGroup) {
|
|
|
|
|
uploadDir := r.config.UploadDir
|
|
|
|
|
if uploadDir == "" {
|
|
|
|
|
uploadDir = "uploads/tracks"
|
|
|
|
|
}
|
|
|
|
|
chunksDir := uploadDir + "/chunks"
|
|
|
|
|
|
|
|
|
|
trackService := trackcore.NewTrackService(r.db.GormDB, r.logger, uploadDir)
|
2025-12-24 15:02:16 +00:00
|
|
|
// BE-SVC-001: Set cache service for TrackService
|
|
|
|
|
if r.config.CacheService != nil {
|
|
|
|
|
trackService.SetCacheService(r.config.CacheService)
|
|
|
|
|
}
|
2025-12-03 19:29:37 +00:00
|
|
|
trackUploadService := services.NewTrackUploadService(r.db.GormDB, r.logger)
|
2025-12-13 02:34:34 +00:00
|
|
|
var redisClient *redis.Client
|
|
|
|
|
if r.config != nil {
|
|
|
|
|
redisClient = r.config.RedisClient
|
|
|
|
|
}
|
|
|
|
|
chunkService := services.NewTrackChunkService(chunksDir, redisClient, r.logger)
|
2025-12-03 19:29:37 +00:00
|
|
|
likeService := services.NewTrackLikeService(r.db.GormDB, r.logger)
|
|
|
|
|
streamService := services.NewStreamService(r.config.StreamServerURL, r.logger)
|
|
|
|
|
|
|
|
|
|
trackHandler := trackcore.NewTrackHandler(
|
|
|
|
|
trackService,
|
|
|
|
|
trackUploadService,
|
|
|
|
|
chunkService,
|
|
|
|
|
likeService,
|
|
|
|
|
streamService,
|
|
|
|
|
)
|
2025-12-13 02:34:34 +00:00
|
|
|
// MOD-P1-003: Set permission service for admin check in ownership verification
|
|
|
|
|
if r.config != nil && r.config.PermissionService != nil {
|
|
|
|
|
trackHandler.SetPermissionService(r.config.PermissionService)
|
|
|
|
|
}
|
|
|
|
|
// MOD-P1-001: Set upload validator for ClamAV scan before persistence
|
2025-12-17 17:20:42 +00:00
|
|
|
// CORRECTION: Charger la config depuis l'environnement pour respecter ENABLE_CLAMAV
|
|
|
|
|
uploadConfig := getUploadConfigWithEnv()
|
|
|
|
|
fmt.Printf("🔧 [ROUTER] Configuration upload chargée - ClamAVEnabled=%v, ClamAVRequired=%v\n",
|
|
|
|
|
uploadConfig.ClamAVEnabled, uploadConfig.ClamAVRequired)
|
2025-12-13 02:34:34 +00:00
|
|
|
uploadValidator, err := services.NewUploadValidator(uploadConfig, r.logger)
|
|
|
|
|
if err != nil {
|
|
|
|
|
r.logger.Warn("Upload validator created with ClamAV unavailable - uploads will be rejected", zap.Error(err))
|
|
|
|
|
uploadConfig.ClamAVEnabled = false
|
|
|
|
|
uploadValidator, _ = services.NewUploadValidator(uploadConfig, r.logger)
|
|
|
|
|
}
|
|
|
|
|
trackHandler.SetUploadValidator(uploadValidator)
|
2025-12-03 19:29:37 +00:00
|
|
|
|
2025-12-23 09:45:08 +00:00
|
|
|
// BE-API-009: Initialize TrackSearchService for track search functionality
|
|
|
|
|
trackSearchService := services.NewTrackSearchService(r.db.GormDB)
|
|
|
|
|
trackHandler.SetSearchService(trackSearchService)
|
|
|
|
|
|
2025-12-24 10:20:38 +00:00
|
|
|
// BE-API-014: Initialize TrackVersionService for track version restore functionality
|
|
|
|
|
trackVersionService := services.NewTrackVersionService(r.db.GormDB, r.logger, uploadDir)
|
|
|
|
|
trackHandler.SetVersionService(trackVersionService)
|
|
|
|
|
|
2025-12-24 10:31:02 +00:00
|
|
|
// BE-API-019: Initialize PlaybackAnalyticsService for track play analytics
|
|
|
|
|
playbackAnalyticsService := services.NewPlaybackAnalyticsService(r.db.GormDB, r.logger)
|
|
|
|
|
trackHandler.SetPlaybackAnalyticsService(playbackAnalyticsService)
|
|
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
tracks := router.Group("/tracks")
|
|
|
|
|
{
|
|
|
|
|
// Public routes
|
|
|
|
|
tracks.GET("", trackHandler.ListTracks)
|
2025-12-23 09:45:08 +00:00
|
|
|
tracks.GET("/search", trackHandler.SearchTracks) // BE-API-009: Track search endpoint
|
2025-12-03 19:29:37 +00:00
|
|
|
tracks.GET("/:id", trackHandler.GetTrack)
|
|
|
|
|
tracks.GET("/:id/stats", trackHandler.GetTrackStats)
|
|
|
|
|
tracks.GET("/:id/history", trackHandler.GetTrackHistory)
|
|
|
|
|
tracks.GET("/:id/download", trackHandler.DownloadTrack)
|
|
|
|
|
tracks.GET("/shared/:token", trackHandler.GetSharedTrack)
|
|
|
|
|
|
|
|
|
|
// Protected routes
|
|
|
|
|
if r.config.AuthMiddleware != nil {
|
|
|
|
|
protected := tracks.Group("")
|
|
|
|
|
protected.Use(r.config.AuthMiddleware.RequireAuth())
|
[BE-SEC-004] security: Implement CSRF protection for all state-changing endpoints
- Created applyCSRFProtection helper function to apply CSRF middleware
- Applied CSRF protection to all protected routes with POST/PUT/DELETE:
* Users routes (PUT, POST, DELETE)
* Tracks routes (POST, PUT, DELETE)
* Playlists routes (POST, PUT, DELETE)
* Chat routes (POST)
* Auth protected routes (POST logout, 2FA)
* Roles routes (GET only, no state-changing)
* Marketplace routes (POST)
* Webhooks routes (POST, DELETE)
* Comments routes (POST, DELETE)
- CSRF token endpoint (/csrf-token) remains accessible without CSRF check
- Middleware validates X-CSRF-Token header for all state-changing requests
- Protection only applies when Redis is available
Phase: PHASE-4
Priority: P1
Progress: 6/267 (2.2%)
2025-12-24 11:03:27 +00:00
|
|
|
// BE-SEC-004: Apply CSRF protection to all state-changing endpoints
|
|
|
|
|
r.applyCSRFProtection(protected)
|
2025-12-03 19:29:37 +00:00
|
|
|
|
|
|
|
|
// GO-012: Upload track requires creator/premium/admin role
|
|
|
|
|
uploadGroup := protected.Group("")
|
|
|
|
|
uploadGroup.Use(r.config.AuthMiddleware.RequireContentCreatorRole())
|
|
|
|
|
uploadGroup.POST("", trackHandler.UploadTrack)
|
2025-12-16 16:59:56 +00:00
|
|
|
|
|
|
|
|
// MOD-P0-003: Apply ownership middleware for PUT/DELETE /tracks/:id
|
|
|
|
|
// Resolver: Load track from DB to get its user_id
|
|
|
|
|
trackOwnerResolver := func(c *gin.Context) (uuid.UUID, error) {
|
|
|
|
|
trackIDStr := c.Param("id")
|
|
|
|
|
trackID, err := uuid.Parse(trackIDStr)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return uuid.Nil, err
|
|
|
|
|
}
|
|
|
|
|
// Load track to get owner ID
|
|
|
|
|
track, err := trackService.GetTrackByID(c.Request.Context(), trackID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return uuid.Nil, err
|
|
|
|
|
}
|
|
|
|
|
return track.UserID, nil
|
|
|
|
|
}
|
|
|
|
|
protected.PUT("/:id", r.config.AuthMiddleware.RequireOwnershipOrAdmin("track", trackOwnerResolver), trackHandler.UpdateTrack)
|
|
|
|
|
protected.DELETE("/:id", r.config.AuthMiddleware.RequireOwnershipOrAdmin("track", trackOwnerResolver), trackHandler.DeleteTrack)
|
2025-12-03 19:29:37 +00:00
|
|
|
|
|
|
|
|
// Upload
|
|
|
|
|
protected.GET("/:id/status", trackHandler.GetUploadStatus)
|
|
|
|
|
protected.POST("/initiate", trackHandler.InitiateChunkedUpload)
|
|
|
|
|
protected.POST("/chunk", trackHandler.UploadChunk)
|
|
|
|
|
protected.POST("/complete", trackHandler.CompleteChunkedUpload)
|
|
|
|
|
protected.GET("/quota/:id", trackHandler.GetUploadQuota)
|
|
|
|
|
protected.GET("/resume/:uploadId", trackHandler.ResumeUpload)
|
|
|
|
|
|
|
|
|
|
// Batch operations
|
|
|
|
|
protected.POST("/batch/delete", trackHandler.BatchDeleteTracks)
|
|
|
|
|
protected.POST("/batch/update", trackHandler.BatchUpdateTracks)
|
|
|
|
|
|
|
|
|
|
// Social
|
|
|
|
|
protected.POST("/:id/like", trackHandler.LikeTrack)
|
|
|
|
|
protected.DELETE("/:id/like", trackHandler.UnlikeTrack)
|
|
|
|
|
protected.GET("/:id/likes", trackHandler.GetTrackLikes)
|
|
|
|
|
|
|
|
|
|
// Sharing
|
|
|
|
|
protected.POST("/:id/share", trackHandler.CreateShare)
|
|
|
|
|
protected.DELETE("/share/:id", trackHandler.RevokeShare)
|
2025-12-24 10:20:38 +00:00
|
|
|
|
|
|
|
|
// Versions
|
|
|
|
|
protected.POST("/:id/versions/:versionId/restore", trackHandler.RestoreVersion) // BE-API-014: Restore track version endpoint
|
2025-12-24 10:31:02 +00:00
|
|
|
|
|
|
|
|
// Analytics
|
|
|
|
|
protected.POST("/:id/play", trackHandler.RecordPlay) // BE-API-019: Record track play event endpoint
|
2025-12-24 10:32:50 +00:00
|
|
|
|
|
|
|
|
// HLS Streaming
|
|
|
|
|
// BE-API-020: HLS stream info and status endpoints
|
|
|
|
|
hlsOutputDir := r.config.UploadDir
|
|
|
|
|
if hlsOutputDir == "" {
|
|
|
|
|
hlsOutputDir = "uploads/tracks"
|
|
|
|
|
}
|
|
|
|
|
hlsService := services.NewHLSService(r.db.GormDB, hlsOutputDir, r.logger)
|
|
|
|
|
hlsHandler := handlers.NewHLSHandler(hlsService)
|
|
|
|
|
tracks.GET("/:id/hls/info", hlsHandler.GetStreamInfo) // BE-API-020: Get HLS stream info
|
|
|
|
|
tracks.GET("/:id/hls/status", hlsHandler.GetStreamStatus) // BE-API-020: Get HLS stream status
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-24 10:19:05 +00:00
|
|
|
// BE-API-013: Setup comment routes
|
|
|
|
|
commentService := services.NewCommentService(r.db.GormDB, r.logger)
|
|
|
|
|
commentHandler := handlers.NewCommentHandler(commentService, r.logger)
|
|
|
|
|
|
|
|
|
|
// Comments routes - public GET, protected POST/DELETE
|
|
|
|
|
comments := router.Group("/tracks")
|
|
|
|
|
{
|
|
|
|
|
// Public: Get comments for a track
|
|
|
|
|
comments.GET("/:id/comments", commentHandler.GetComments) // BE-API-013: GET /api/v1/tracks/:id/comments
|
|
|
|
|
|
|
|
|
|
// Protected: Create and delete comments
|
|
|
|
|
if r.config.AuthMiddleware != nil {
|
|
|
|
|
protected := comments.Group("")
|
|
|
|
|
protected.Use(r.config.AuthMiddleware.RequireAuth())
|
[BE-SEC-004] security: Implement CSRF protection for all state-changing endpoints
- Created applyCSRFProtection helper function to apply CSRF middleware
- Applied CSRF protection to all protected routes with POST/PUT/DELETE:
* Users routes (PUT, POST, DELETE)
* Tracks routes (POST, PUT, DELETE)
* Playlists routes (POST, PUT, DELETE)
* Chat routes (POST)
* Auth protected routes (POST logout, 2FA)
* Roles routes (GET only, no state-changing)
* Marketplace routes (POST)
* Webhooks routes (POST, DELETE)
* Comments routes (POST, DELETE)
- CSRF token endpoint (/csrf-token) remains accessible without CSRF check
- Middleware validates X-CSRF-Token header for all state-changing requests
- Protection only applies when Redis is available
Phase: PHASE-4
Priority: P1
Progress: 6/267 (2.2%)
2025-12-24 11:03:27 +00:00
|
|
|
// BE-SEC-004: Apply CSRF protection to all state-changing endpoints
|
|
|
|
|
r.applyCSRFProtection(protected)
|
2025-12-24 10:19:05 +00:00
|
|
|
{
|
|
|
|
|
protected.POST("/:id/comments", commentHandler.CreateComment) // BE-API-013: POST /api/v1/tracks/:id/comments
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Comments routes - protected DELETE
|
|
|
|
|
commentsProtected := router.Group("/comments")
|
|
|
|
|
{
|
|
|
|
|
if r.config.AuthMiddleware != nil {
|
|
|
|
|
commentsProtected.Use(r.config.AuthMiddleware.RequireAuth())
|
[BE-SEC-004] security: Implement CSRF protection for all state-changing endpoints
- Created applyCSRFProtection helper function to apply CSRF middleware
- Applied CSRF protection to all protected routes with POST/PUT/DELETE:
* Users routes (PUT, POST, DELETE)
* Tracks routes (POST, PUT, DELETE)
* Playlists routes (POST, PUT, DELETE)
* Chat routes (POST)
* Auth protected routes (POST logout, 2FA)
* Roles routes (GET only, no state-changing)
* Marketplace routes (POST)
* Webhooks routes (POST, DELETE)
* Comments routes (POST, DELETE)
- CSRF token endpoint (/csrf-token) remains accessible without CSRF check
- Middleware validates X-CSRF-Token header for all state-changing requests
- Protection only applies when Redis is available
Phase: PHASE-4
Priority: P1
Progress: 6/267 (2.2%)
2025-12-24 11:03:27 +00:00
|
|
|
// BE-SEC-004: Apply CSRF protection to all state-changing endpoints
|
|
|
|
|
r.applyCSRFProtection(commentsProtected)
|
2025-12-24 10:19:05 +00:00
|
|
|
{
|
|
|
|
|
commentsProtected.DELETE("/:id", commentHandler.DeleteComment) // BE-API-013: DELETE /api/v1/comments/:id
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-16 16:23:49 +00:00
|
|
|
// Note: Internal routes are now set up in setupInternalRoutes() to avoid
|
|
|
|
|
// path prefix issues when setupTrackRoutes is called with a RouterGroup
|
2025-12-24 10:41:50 +00:00
|
|
|
// BE-API-027: User liked tracks route moved to setupUserRoutes
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// setupChatRoutes configure les routes de chat
|
|
|
|
|
func (r *APIRouter) setupChatRoutes(router *gin.RouterGroup) {
|
2025-12-23 00:51:49 +00:00
|
|
|
// BE-API-006: Use NewChatServiceWithDB to enable stats functionality
|
|
|
|
|
chatService := services.NewChatServiceWithDB(r.config.ChatJWTSecret, r.db.GormDB, r.logger)
|
2025-12-03 19:29:37 +00:00
|
|
|
userRepo := repositories.NewGormUserRepository(r.db.GormDB)
|
|
|
|
|
userService := services.NewUserServiceWithDB(userRepo, r.db.GormDB)
|
|
|
|
|
|
|
|
|
|
chatHandler := handlers.NewChatHandler(chatService, userService, r.logger)
|
|
|
|
|
|
|
|
|
|
chat := router.Group("/chat")
|
|
|
|
|
{
|
|
|
|
|
if r.config.AuthMiddleware != nil {
|
|
|
|
|
chat.Use(r.config.AuthMiddleware.RequireAuth())
|
[BE-SEC-004] security: Implement CSRF protection for all state-changing endpoints
- Created applyCSRFProtection helper function to apply CSRF middleware
- Applied CSRF protection to all protected routes with POST/PUT/DELETE:
* Users routes (PUT, POST, DELETE)
* Tracks routes (POST, PUT, DELETE)
* Playlists routes (POST, PUT, DELETE)
* Chat routes (POST)
* Auth protected routes (POST logout, 2FA)
* Roles routes (GET only, no state-changing)
* Marketplace routes (POST)
* Webhooks routes (POST, DELETE)
* Comments routes (POST, DELETE)
- CSRF token endpoint (/csrf-token) remains accessible without CSRF check
- Middleware validates X-CSRF-Token header for all state-changing requests
- Protection only applies when Redis is available
Phase: PHASE-4
Priority: P1
Progress: 6/267 (2.2%)
2025-12-24 11:03:27 +00:00
|
|
|
// BE-SEC-004: Apply CSRF protection to all state-changing endpoints
|
|
|
|
|
r.applyCSRFProtection(chat)
|
2025-12-03 19:29:37 +00:00
|
|
|
chat.POST("/token", chatHandler.GetToken)
|
2025-12-23 00:51:49 +00:00
|
|
|
chat.GET("/stats", chatHandler.GetStats) // BE-API-006: Chat stats endpoint
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// setupPlaylistRoutes configure les routes pour les playlists
|
|
|
|
|
func (r *APIRouter) setupPlaylistRoutes(router *gin.RouterGroup) {
|
|
|
|
|
playlistRepo := repositories.NewPlaylistRepository(r.db.GormDB)
|
|
|
|
|
playlistTrackRepo := repositories.NewPlaylistTrackRepository(r.db.GormDB)
|
|
|
|
|
playlistCollaboratorRepo := repositories.NewPlaylistCollaboratorRepository(r.db.GormDB)
|
|
|
|
|
userRepo := repositories.NewGormUserRepository(r.db.GormDB)
|
|
|
|
|
|
|
|
|
|
playlistService := services.NewPlaylistService(
|
|
|
|
|
playlistRepo,
|
|
|
|
|
playlistTrackRepo,
|
|
|
|
|
playlistCollaboratorRepo,
|
|
|
|
|
userRepo,
|
|
|
|
|
r.logger,
|
|
|
|
|
)
|
|
|
|
|
|
2025-12-23 00:51:00 +00:00
|
|
|
// BE-API-004: Initialize PlaylistShareService for share link functionality
|
|
|
|
|
playlistShareService := services.NewPlaylistShareService(r.db.GormDB)
|
|
|
|
|
playlistService.SetPlaylistShareService(playlistShareService)
|
|
|
|
|
|
2025-12-24 13:41:33 +00:00
|
|
|
// BE-API-005: Initialize PlaylistFollowService for recommendations functionality
|
|
|
|
|
playlistFollowService := services.NewPlaylistFollowService(r.db.GormDB, r.logger)
|
|
|
|
|
playlistService.SetPlaylistFollowService(playlistFollowService)
|
|
|
|
|
|
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 10:14:38 +00:00
|
|
|
playlistHandler := handlers.NewPlaylistHandler(playlistService, r.db.GormDB, r.logger)
|
2025-12-24 13:41:33 +00:00
|
|
|
// BE-API-005: Inject PlaylistFollowService into handler for recommendations
|
|
|
|
|
playlistHandler.SetPlaylistFollowService(playlistFollowService)
|
2025-12-03 19:29:37 +00:00
|
|
|
|
|
|
|
|
// Protected routes for playlists
|
|
|
|
|
playlists := router.Group("/playlists")
|
|
|
|
|
if r.config.AuthMiddleware != nil {
|
|
|
|
|
playlists.Use(r.config.AuthMiddleware.RequireAuth())
|
[BE-SEC-004] security: Implement CSRF protection for all state-changing endpoints
- Created applyCSRFProtection helper function to apply CSRF middleware
- Applied CSRF protection to all protected routes with POST/PUT/DELETE:
* Users routes (PUT, POST, DELETE)
* Tracks routes (POST, PUT, DELETE)
* Playlists routes (POST, PUT, DELETE)
* Chat routes (POST)
* Auth protected routes (POST logout, 2FA)
* Roles routes (GET only, no state-changing)
* Marketplace routes (POST)
* Webhooks routes (POST, DELETE)
* Comments routes (POST, DELETE)
- CSRF token endpoint (/csrf-token) remains accessible without CSRF check
- Middleware validates X-CSRF-Token header for all state-changing requests
- Protection only applies when Redis is available
Phase: PHASE-4
Priority: P1
Progress: 6/267 (2.2%)
2025-12-24 11:03:27 +00:00
|
|
|
// BE-SEC-004: Apply CSRF protection to all state-changing endpoints
|
|
|
|
|
r.applyCSRFProtection(playlists)
|
2025-12-03 19:29:37 +00:00
|
|
|
{
|
|
|
|
|
playlists.GET("", playlistHandler.GetPlaylists)
|
|
|
|
|
playlists.POST("", playlistHandler.CreatePlaylist)
|
2025-12-24 13:47:12 +00:00
|
|
|
playlists.GET("/search", playlistHandler.SearchPlaylists) // BE-API-003: Playlist search endpoint
|
2025-12-24 13:41:33 +00:00
|
|
|
playlists.GET("/recommendations", playlistHandler.GetRecommendations) // BE-API-005: Playlist recommendations endpoint
|
2025-12-03 19:29:37 +00:00
|
|
|
playlists.GET("/:id", playlistHandler.GetPlaylist)
|
2025-12-23 00:37:56 +00:00
|
|
|
|
|
|
|
|
// BE-SEC-003: Apply ownership middleware for PUT/DELETE /playlists/:id
|
|
|
|
|
// Resolver: Load playlist from DB to get its user_id
|
|
|
|
|
playlistOwnerResolver := func(c *gin.Context) (uuid.UUID, error) {
|
|
|
|
|
playlistIDStr := c.Param("id")
|
|
|
|
|
playlistID, err := uuid.Parse(playlistIDStr)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return uuid.Nil, err
|
|
|
|
|
}
|
|
|
|
|
// Load playlist to get owner ID
|
|
|
|
|
playlist, err := playlistRepo.GetByID(c.Request.Context(), playlistID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return uuid.Nil, err
|
|
|
|
|
}
|
|
|
|
|
return playlist.UserID, nil
|
|
|
|
|
}
|
|
|
|
|
playlists.PUT("/:id", r.config.AuthMiddleware.RequireOwnershipOrAdmin("playlist", playlistOwnerResolver), playlistHandler.UpdatePlaylist)
|
|
|
|
|
playlists.DELETE("/:id", r.config.AuthMiddleware.RequireOwnershipOrAdmin("playlist", playlistOwnerResolver), playlistHandler.DeletePlaylist)
|
2025-12-03 19:29:37 +00:00
|
|
|
|
|
|
|
|
// Playlist Tracks
|
|
|
|
|
playlists.POST("/:id/tracks", playlistHandler.AddTrack)
|
|
|
|
|
playlists.DELETE("/:id/tracks/:track_id", playlistHandler.RemoveTrack)
|
|
|
|
|
playlists.PUT("/:id/tracks/reorder", playlistHandler.ReorderTracks)
|
2025-12-23 00:41:43 +00:00
|
|
|
|
|
|
|
|
// Playlist Collaborators
|
|
|
|
|
// BE-API-002: Add collaborator routes with ownership checks
|
|
|
|
|
// POST and DELETE require ownership (enforced by service layer, but middleware adds extra security)
|
|
|
|
|
playlists.POST("/:id/collaborators", r.config.AuthMiddleware.RequireOwnershipOrAdmin("playlist", playlistOwnerResolver), playlistHandler.AddCollaborator)
|
|
|
|
|
playlists.GET("/:id/collaborators", playlistHandler.GetCollaborators) // GET accessible to collaborators (service checks permissions)
|
|
|
|
|
playlists.PUT("/:id/collaborators/:userId", r.config.AuthMiddleware.RequireOwnershipOrAdmin("playlist", playlistOwnerResolver), playlistHandler.UpdateCollaboratorPermission)
|
|
|
|
|
playlists.DELETE("/:id/collaborators/:userId", r.config.AuthMiddleware.RequireOwnershipOrAdmin("playlist", playlistOwnerResolver), playlistHandler.RemoveCollaborator)
|
2025-12-23 00:51:00 +00:00
|
|
|
|
|
|
|
|
// BE-API-004: Playlist share link endpoint
|
|
|
|
|
playlists.POST("/:id/share", r.config.AuthMiddleware.RequireOwnershipOrAdmin("playlist", playlistOwnerResolver), playlistHandler.CreateShareLink)
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// setupWebhookRoutes configure les routes pour les webhooks
|
|
|
|
|
func (r *APIRouter) setupWebhookRoutes(router *gin.RouterGroup) {
|
|
|
|
|
webhookService := services.NewWebhookService(r.db.GormDB, r.logger, r.config.JWTSecret)
|
|
|
|
|
|
|
|
|
|
webhookWorker := workers.NewWebhookWorker(
|
|
|
|
|
r.db.GormDB,
|
|
|
|
|
webhookService,
|
|
|
|
|
r.logger,
|
|
|
|
|
100, // Queue size
|
|
|
|
|
5, // Workers
|
|
|
|
|
3, // Max retries
|
|
|
|
|
)
|
2025-12-06 16:21:59 +00:00
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// Start worker in background
|
|
|
|
|
go webhookWorker.Start(context.Background())
|
|
|
|
|
|
|
|
|
|
webhookHandler := handlers.NewWebhookHandler(webhookService, webhookWorker, r.logger)
|
|
|
|
|
|
|
|
|
|
webhooks := router.Group("/webhooks")
|
|
|
|
|
if r.config.AuthMiddleware != nil {
|
|
|
|
|
webhooks.Use(r.config.AuthMiddleware.RequireAuth())
|
[BE-SEC-004] security: Implement CSRF protection for all state-changing endpoints
- Created applyCSRFProtection helper function to apply CSRF middleware
- Applied CSRF protection to all protected routes with POST/PUT/DELETE:
* Users routes (PUT, POST, DELETE)
* Tracks routes (POST, PUT, DELETE)
* Playlists routes (POST, PUT, DELETE)
* Chat routes (POST)
* Auth protected routes (POST logout, 2FA)
* Roles routes (GET only, no state-changing)
* Marketplace routes (POST)
* Webhooks routes (POST, DELETE)
* Comments routes (POST, DELETE)
- CSRF token endpoint (/csrf-token) remains accessible without CSRF check
- Middleware validates X-CSRF-Token header for all state-changing requests
- Protection only applies when Redis is available
Phase: PHASE-4
Priority: P1
Progress: 6/267 (2.2%)
2025-12-24 11:03:27 +00:00
|
|
|
// BE-SEC-004: Apply CSRF protection to all state-changing endpoints
|
|
|
|
|
r.applyCSRFProtection(webhooks)
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
webhooks.POST("", webhookHandler.RegisterWebhook())
|
|
|
|
|
webhooks.GET("", webhookHandler.ListWebhooks())
|
|
|
|
|
webhooks.DELETE("/:id", webhookHandler.DeleteWebhook())
|
|
|
|
|
webhooks.GET("/stats", webhookHandler.GetWebhookStats())
|
|
|
|
|
webhooks.POST("/:id/test", webhookHandler.TestWebhook())
|
2025-12-24 17:03:52 +00:00
|
|
|
// BE-SEC-012: Regenerate API key endpoint
|
|
|
|
|
webhooks.POST("/:id/regenerate-key", webhookHandler.RegenerateAPIKey())
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-24 13:47:12 +00:00
|
|
|
// setupAnalyticsRoutes configure les routes pour les analytics
|
|
|
|
|
// BE-API-035: Implement analytics events endpoint
|
|
|
|
|
func (r *APIRouter) setupAnalyticsRoutes(router *gin.RouterGroup) {
|
|
|
|
|
if r.db == nil || r.db.GormDB == nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Initialize analytics service
|
|
|
|
|
analyticsService := services.NewAnalyticsService(r.db.GormDB, r.logger)
|
|
|
|
|
analyticsHandler := handlers.NewAnalyticsHandler(analyticsService, r.logger)
|
|
|
|
|
|
|
|
|
|
// Set JobWorker if available
|
|
|
|
|
if r.config != nil && r.config.JobWorker != nil {
|
|
|
|
|
analyticsHandler.SetJobWorker(r.config.JobWorker)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
analytics := router.Group("/analytics")
|
|
|
|
|
if r.config != nil && r.config.AuthMiddleware != nil {
|
|
|
|
|
analytics.Use(r.config.AuthMiddleware.RequireAuth())
|
|
|
|
|
// BE-SEC-004: Apply CSRF protection to all state-changing endpoints
|
|
|
|
|
r.applyCSRFProtection(analytics)
|
|
|
|
|
}
|
|
|
|
|
{
|
2026-01-07 18:39:21 +00:00
|
|
|
// BE-API-037: GET /analytics - Aggregated analytics endpoint
|
|
|
|
|
analytics.GET("", analyticsHandler.GetAnalytics)
|
2025-12-24 13:47:12 +00:00
|
|
|
// BE-API-035: Analytics events endpoint
|
|
|
|
|
analytics.POST("/events", analyticsHandler.RecordEvent)
|
2025-12-24 13:48:28 +00:00
|
|
|
// BE-API-036: Track analytics dashboard endpoint
|
|
|
|
|
analytics.GET("/tracks/:id", analyticsHandler.GetTrackAnalyticsDashboard)
|
2025-12-24 13:47:12 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// setupCorePublicRoutes configure les routes publiques core (health, metrics, upload info)
|
|
|
|
|
func (r *APIRouter) setupCorePublicRoutes(router *gin.Engine) {
|
|
|
|
|
// Health check handlers
|
|
|
|
|
var healthCheckHandler gin.HandlerFunc
|
|
|
|
|
var livenessHandler gin.HandlerFunc
|
|
|
|
|
var readinessHandler gin.HandlerFunc
|
|
|
|
|
|
|
|
|
|
if r.db != nil && r.db.GormDB != nil {
|
|
|
|
|
var redisClient interface{}
|
|
|
|
|
if r.config != nil {
|
|
|
|
|
redisClient = r.config.RedisClient
|
|
|
|
|
}
|
|
|
|
|
var rabbitMQEventBus interface{}
|
|
|
|
|
if r.config != nil {
|
|
|
|
|
rabbitMQEventBus = r.config.RabbitMQEventBus
|
|
|
|
|
}
|
2025-12-07 13:27:07 +00:00
|
|
|
var env string
|
|
|
|
|
if r.config != nil {
|
|
|
|
|
env = r.config.Env
|
|
|
|
|
}
|
2025-12-24 16:00:53 +00:00
|
|
|
// BE-SVC-016: Pass additional services for detailed health checks
|
|
|
|
|
var s3Service interface{}
|
|
|
|
|
var jobWorker interface{}
|
|
|
|
|
var emailSender interface{}
|
|
|
|
|
if r.config != nil {
|
|
|
|
|
s3Service = r.config.S3StorageService
|
|
|
|
|
jobWorker = r.config.JobWorker
|
|
|
|
|
emailSender = r.config.EmailSender
|
|
|
|
|
}
|
|
|
|
|
healthHandler := handlers.NewHealthHandlerWithServices(
|
|
|
|
|
r.db.GormDB,
|
|
|
|
|
r.logger,
|
|
|
|
|
redisClient,
|
|
|
|
|
rabbitMQEventBus,
|
|
|
|
|
env,
|
|
|
|
|
s3Service,
|
|
|
|
|
jobWorker,
|
|
|
|
|
emailSender,
|
|
|
|
|
)
|
2025-12-03 19:29:37 +00:00
|
|
|
healthCheckHandler = healthHandler.Check
|
|
|
|
|
livenessHandler = healthHandler.Liveness
|
|
|
|
|
readinessHandler = healthHandler.Readiness
|
|
|
|
|
} else {
|
|
|
|
|
healthCheckHandler = handlers.SimpleHealthCheck
|
|
|
|
|
livenessHandler = handlers.SimpleHealthCheck
|
|
|
|
|
readinessHandler = handlers.SimpleHealthCheck
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-16 16:23:49 +00:00
|
|
|
// Deprecated Public Core Routes - apply deprecation middleware only to specific routes
|
|
|
|
|
// Use a wrapper function to apply middleware to individual routes
|
|
|
|
|
deprecationMW := middleware.DeprecationWarning(r.logger)
|
|
|
|
|
|
2025-12-25 14:53:13 +00:00
|
|
|
// INT-021: Add health check monitoring middleware
|
|
|
|
|
healthMonitoringMW := middleware.HealthCheckMonitoring(r.logger, r.monitoringService)
|
|
|
|
|
|
2025-12-16 16:23:49 +00:00
|
|
|
// Wrap handlers with deprecation middleware for legacy routes only
|
2025-12-25 14:53:13 +00:00
|
|
|
router.GET("/health", deprecationMW, healthMonitoringMW, healthCheckHandler)
|
|
|
|
|
router.GET("/healthz", deprecationMW, healthMonitoringMW, livenessHandler)
|
|
|
|
|
router.GET("/readyz", deprecationMW, healthMonitoringMW, readinessHandler)
|
2025-12-16 16:23:49 +00:00
|
|
|
router.GET("/metrics", deprecationMW, handlers.PrometheusMetrics())
|
2025-12-03 19:29:37 +00:00
|
|
|
if r.config != nil && r.config.ErrorMetrics != nil {
|
2025-12-16 16:23:49 +00:00
|
|
|
router.GET("/metrics/aggregated", deprecationMW, handlers.AggregatedMetrics(r.config.ErrorMetrics))
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
2025-12-16 16:23:49 +00:00
|
|
|
router.GET("/system/metrics", deprecationMW, handlers.SystemMetrics)
|
2025-12-03 19:29:37 +00:00
|
|
|
|
|
|
|
|
// New /api/v1 Public Core Routes
|
|
|
|
|
v1Public := router.Group("/api/v1")
|
|
|
|
|
{
|
|
|
|
|
v1Public.GET("/health", healthCheckHandler)
|
|
|
|
|
v1Public.GET("/healthz", livenessHandler)
|
|
|
|
|
v1Public.GET("/readyz", readinessHandler)
|
2025-12-06 16:21:59 +00:00
|
|
|
|
P0: stabilisation backend/chat/stream + nouvelle base migrations v1
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
2025-12-06 10:14:38 +00:00
|
|
|
// Status endpoint (comprehensive health check)
|
|
|
|
|
if r.db != nil && r.db.GormDB != nil {
|
|
|
|
|
var redisClient interface{}
|
|
|
|
|
if r.config != nil {
|
|
|
|
|
redisClient = r.config.RedisClient
|
|
|
|
|
}
|
|
|
|
|
chatServerURL := ""
|
|
|
|
|
streamServerURL := ""
|
|
|
|
|
if r.config != nil {
|
|
|
|
|
chatServerURL = r.config.ChatServerURL
|
|
|
|
|
streamServerURL = r.config.StreamServerURL
|
|
|
|
|
}
|
|
|
|
|
// Get build info from environment or defaults
|
|
|
|
|
getEnv := func(key, defaultValue string) string {
|
|
|
|
|
if value := os.Getenv(key); value != "" {
|
|
|
|
|
return value
|
|
|
|
|
}
|
|
|
|
|
return defaultValue
|
|
|
|
|
}
|
|
|
|
|
version := getEnv("APP_VERSION", "v1.0.0")
|
|
|
|
|
gitCommit := getEnv("GIT_COMMIT", "unknown")
|
|
|
|
|
buildTime := getEnv("BUILD_TIME", "")
|
|
|
|
|
environment := ""
|
|
|
|
|
if r.config != nil {
|
|
|
|
|
environment = r.config.Env
|
|
|
|
|
}
|
|
|
|
|
statusHandler := handlers.NewStatusHandler(
|
|
|
|
|
r.db.GormDB,
|
|
|
|
|
r.logger,
|
|
|
|
|
redisClient,
|
|
|
|
|
chatServerURL,
|
|
|
|
|
streamServerURL,
|
|
|
|
|
version,
|
|
|
|
|
gitCommit,
|
|
|
|
|
buildTime,
|
|
|
|
|
environment,
|
|
|
|
|
)
|
|
|
|
|
v1Public.GET("/status", statusHandler.GetStatus)
|
|
|
|
|
}
|
2025-12-06 16:21:59 +00:00
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
v1Public.GET("/metrics", handlers.PrometheusMetrics())
|
|
|
|
|
if r.config != nil && r.config.ErrorMetrics != nil {
|
|
|
|
|
v1Public.GET("/metrics/aggregated", handlers.AggregatedMetrics(r.config.ErrorMetrics))
|
|
|
|
|
}
|
|
|
|
|
v1Public.GET("/system/metrics", handlers.SystemMetrics)
|
|
|
|
|
|
|
|
|
|
// Upload info endpoints (public, already in /api/v1)
|
2025-12-13 02:34:34 +00:00
|
|
|
// MOD-P1-001-REFINEMENT: Permettre démarrage même si ClamAV down
|
2025-12-03 19:29:37 +00:00
|
|
|
if r.db != nil && r.db.GormDB != nil {
|
2025-12-17 17:20:42 +00:00
|
|
|
// CORRECTION: Charger la config depuis l'environnement pour respecter ENABLE_CLAMAV
|
|
|
|
|
uploadConfig := getUploadConfigWithEnv()
|
2025-12-03 19:29:37 +00:00
|
|
|
uploadValidator, err := services.NewUploadValidator(uploadConfig, r.logger)
|
2025-12-13 02:34:34 +00:00
|
|
|
if err != nil {
|
|
|
|
|
r.logger.Warn("Upload validator created with ClamAV unavailable - uploads will be rejected", zap.Error(err))
|
|
|
|
|
// Créer un validateur minimal pour permettre les endpoints info
|
|
|
|
|
uploadConfig.ClamAVEnabled = false
|
|
|
|
|
uploadValidator, _ = services.NewUploadValidator(uploadConfig, r.logger)
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
2025-12-13 02:34:34 +00:00
|
|
|
auditService := services.NewAuditService(r.db, r.logger)
|
2025-12-24 10:52:49 +00:00
|
|
|
trackUploadService := services.NewTrackUploadService(r.db.GormDB, r.logger)
|
|
|
|
|
uploadHandler := handlers.NewUploadHandler(uploadValidator, auditService, trackUploadService, r.logger, r.config.MaxConcurrentUploads)
|
2025-12-13 02:34:34 +00:00
|
|
|
v1Public.GET("/upload/limits", uploadHandler.GetUploadLimits())
|
|
|
|
|
v1Public.GET("/upload/validate-type", uploadHandler.ValidateFileType())
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
2025-12-27 15:02:02 +00:00
|
|
|
|
|
|
|
|
// Frontend logging endpoint (public - frontend needs to send logs)
|
|
|
|
|
if r.config != nil {
|
|
|
|
|
frontendLogHandler, err := handlers.NewFrontendLogHandler(r.config, r.logger)
|
|
|
|
|
if err != nil {
|
|
|
|
|
r.logger.Warn("Failed to create frontend log handler, frontend logs will not be stored", zap.Error(err))
|
|
|
|
|
} else {
|
|
|
|
|
v1Public.POST("/logs/frontend", frontendLogHandler.ReceiveLog)
|
|
|
|
|
r.logger.Info("Frontend logging endpoint enabled", zap.String("endpoint", "/api/v1/logs/frontend"))
|
|
|
|
|
}
|
|
|
|
|
}
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// setupCoreProtectedRoutes configure les routes protégées core (sessions, uploads, audit, admin, conversations)
|
|
|
|
|
func (r *APIRouter) setupCoreProtectedRoutes(v1 *gin.RouterGroup) {
|
|
|
|
|
if r.db == nil || r.db.GormDB == nil || r.config == nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
feat: Visual masterpiece - true light mode & premium UI
🎨 **True Light/Dark Mode**
- Implemented proper light mode with inverted color scheme
- Smooth theme transitions (0.3s ease)
- Light mode colors: white backgrounds, dark text, vibrant accents
- System theme detection with proper class application
🌈 **Enhanced Theme System**
- 4 color themes work in both light and dark modes
- Cyber (cyan/magenta), Ocean (blue/teal), Forest (green/lime), Sunset (orange/purple)
- Theme-specific glassmorphism effects
- Proper contrast in light mode
✨ **Premium Animations**
- Float, glow-pulse, slide-in, scale-in, rotate-in animations
- Smooth page transitions
- Hover effects with depth (lift, glow, scale)
- Micro-interactions on all interactive elements
🎯 **Visual Polish**
- Enhanced glassmorphism for light/dark modes
- Custom scrollbar with theme colors
- Beautiful text selection
- Focus indicators for accessibility
- Premium utility classes
🔧 **Technical Improvements**
- Updated UIStore to properly apply light/dark classes
- Added data-theme attribute for CSS targeting
- Smooth scroll behavior
- Optimized transitions
The app is now a visual masterpiece with perfect light/dark mode support!
2026-01-11 01:32:21 +00:00
|
|
|
// Route CSRF token (doit être accessible sans authentification pour le login)
|
|
|
|
|
// Doit être enregistrée AVANT le groupe protected pour ne pas hériter ses middlewares
|
|
|
|
|
csrfMiddleware := middleware.NewCSRFMiddleware(r.config.RedisClient, r.logger)
|
|
|
|
|
csrfMiddleware.SetEnvironment(r.config.Env)
|
|
|
|
|
csrfHandler := handlers.NewCSRFHandler(csrfMiddleware, r.logger)
|
|
|
|
|
if r.config.AuthMiddleware != nil {
|
|
|
|
|
v1.GET("/csrf-token", r.config.AuthMiddleware.OptionalAuth(), csrfHandler.GetCSRFToken())
|
|
|
|
|
} else {
|
|
|
|
|
v1.GET("/csrf-token", csrfHandler.GetCSRFToken())
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// Middleware d'authentification pour routes protégées
|
|
|
|
|
protected := v1.Group("/")
|
|
|
|
|
if r.config.AuthMiddleware != nil {
|
|
|
|
|
protected.Use(r.config.AuthMiddleware.RequireAuth())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Services nécessaires
|
|
|
|
|
sessionService := services.NewSessionService(r.db, r.logger)
|
2025-12-23 00:41:43 +00:00
|
|
|
|
2025-12-22 21:56:37 +00:00
|
|
|
// CSRF Middleware (si Redis est disponible)
|
|
|
|
|
if r.config.RedisClient != nil {
|
feat: Visual masterpiece - true light mode & premium UI
🎨 **True Light/Dark Mode**
- Implemented proper light mode with inverted color scheme
- Smooth theme transitions (0.3s ease)
- Light mode colors: white backgrounds, dark text, vibrant accents
- System theme detection with proper class application
🌈 **Enhanced Theme System**
- 4 color themes work in both light and dark modes
- Cyber (cyan/magenta), Ocean (blue/teal), Forest (green/lime), Sunset (orange/purple)
- Theme-specific glassmorphism effects
- Proper contrast in light mode
✨ **Premium Animations**
- Float, glow-pulse, slide-in, scale-in, rotate-in animations
- Smooth page transitions
- Hover effects with depth (lift, glow, scale)
- Micro-interactions on all interactive elements
🎯 **Visual Polish**
- Enhanced glassmorphism for light/dark modes
- Custom scrollbar with theme colors
- Beautiful text selection
- Focus indicators for accessibility
- Premium utility classes
🔧 **Technical Improvements**
- Updated UIStore to properly apply light/dark classes
- Added data-theme attribute for CSS targeting
- Smooth scroll behavior
- Optimized transitions
The app is now a visual masterpiece with perfect light/dark mode support!
2026-01-11 01:32:21 +00:00
|
|
|
// Appliquer le middleware CSRF à toutes les routes protégées
|
2025-12-22 21:56:37 +00:00
|
|
|
protected.Use(csrfMiddleware.Middleware())
|
feat: Visual masterpiece - true light mode & premium UI
🎨 **True Light/Dark Mode**
- Implemented proper light mode with inverted color scheme
- Smooth theme transitions (0.3s ease)
- Light mode colors: white backgrounds, dark text, vibrant accents
- System theme detection with proper class application
🌈 **Enhanced Theme System**
- 4 color themes work in both light and dark modes
- Cyber (cyan/magenta), Ocean (blue/teal), Forest (green/lime), Sunset (orange/purple)
- Theme-specific glassmorphism effects
- Proper contrast in light mode
✨ **Premium Animations**
- Float, glow-pulse, slide-in, scale-in, rotate-in animations
- Smooth page transitions
- Hover effects with depth (lift, glow, scale)
- Micro-interactions on all interactive elements
🎯 **Visual Polish**
- Enhanced glassmorphism for light/dark modes
- Custom scrollbar with theme colors
- Beautiful text selection
- Focus indicators for accessibility
- Premium utility classes
🔧 **Technical Improvements**
- Updated UIStore to properly apply light/dark classes
- Added data-theme attribute for CSS targeting
- Smooth scroll behavior
- Optimized transitions
The app is now a visual masterpiece with perfect light/dark mode support!
2026-01-11 01:32:21 +00:00
|
|
|
|
2025-12-25 21:28:46 +00:00
|
|
|
// INT-AUTH-001: Log explicit activation
|
|
|
|
|
r.logger.Info("CSRF protection enabled for core protected routes",
|
|
|
|
|
zap.String("environment", r.config.Env),
|
|
|
|
|
)
|
2025-12-22 21:56:37 +00:00
|
|
|
} else {
|
2025-12-25 21:28:46 +00:00
|
|
|
// INT-AUTH-001: In production, fail-fast if Redis unavailable
|
|
|
|
|
if r.config.Env == config.EnvProduction {
|
|
|
|
|
r.logger.Fatal("CSRF protection requires Redis but Redis is unavailable in production. This is a security requirement.")
|
|
|
|
|
panic("CSRF protection requires Redis in production environment. Redis is unavailable.")
|
|
|
|
|
}
|
|
|
|
|
// In non-production, log warning and continue without CSRF
|
|
|
|
|
r.logger.Warn("Redis not available - CSRF protection disabled (non-production environment)",
|
|
|
|
|
zap.String("environment", r.config.Env),
|
|
|
|
|
)
|
2025-12-22 21:56:37 +00:00
|
|
|
}
|
2025-12-17 17:20:42 +00:00
|
|
|
// CORRECTION: Charger la config depuis l'environnement pour respecter ENABLE_CLAMAV
|
|
|
|
|
uploadConfig := getUploadConfigWithEnv()
|
2025-12-13 02:34:34 +00:00
|
|
|
// MOD-P1-001-REFINEMENT: Permettre démarrage même si ClamAV down
|
2025-12-03 19:29:37 +00:00
|
|
|
uploadValidator, err := services.NewUploadValidator(uploadConfig, r.logger)
|
|
|
|
|
if err != nil {
|
2025-12-13 02:34:34 +00:00
|
|
|
r.logger.Warn("Upload validator created with ClamAV unavailable - uploads will be rejected", zap.Error(err))
|
|
|
|
|
// Créer un validateur minimal pour permettre les routes d'upload (qui rejetteront)
|
|
|
|
|
uploadConfig.ClamAVEnabled = false
|
|
|
|
|
uploadValidator, _ = services.NewUploadValidator(uploadConfig, r.logger)
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
|
|
|
|
auditService := services.NewAuditService(r.db, r.logger)
|
2025-12-24 10:52:49 +00:00
|
|
|
trackUploadService := services.NewTrackUploadService(r.db.GormDB, r.logger)
|
2025-12-03 19:29:37 +00:00
|
|
|
|
|
|
|
|
// Handlers
|
|
|
|
|
sessionHandler := handlers.NewSessionHandler(sessionService, auditService, r.logger)
|
2025-12-24 10:52:49 +00:00
|
|
|
uploadHandler := handlers.NewUploadHandler(uploadValidator, auditService, trackUploadService, r.logger, r.config.MaxConcurrentUploads)
|
2025-12-03 19:29:37 +00:00
|
|
|
auditHandler := handlers.NewAuditHandler(auditService, r.logger)
|
|
|
|
|
|
|
|
|
|
// Routes de session
|
|
|
|
|
sessions := protected.Group("/sessions")
|
|
|
|
|
{
|
|
|
|
|
sessions.POST("/logout", sessionHandler.Logout())
|
|
|
|
|
sessions.POST("/logout-all", sessionHandler.LogoutAll())
|
2025-12-26 15:35:58 +00:00
|
|
|
// ISSUE-007: Ajouter route sans trailing slash pour éviter redirection 301
|
|
|
|
|
sessions.GET("", sessionHandler.GetSessions())
|
|
|
|
|
sessions.GET("/", sessionHandler.GetSessions()) // Garder aussi avec slash pour compatibilité
|
2025-12-03 19:29:37 +00:00
|
|
|
sessions.DELETE("/:session_id", sessionHandler.RevokeSession())
|
|
|
|
|
sessions.GET("/stats", sessionHandler.GetSessionStats())
|
|
|
|
|
sessions.POST("/refresh", sessionHandler.RefreshSession())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Routes d'upload avec rate limiting spécifique
|
|
|
|
|
uploads := protected.Group("/uploads")
|
|
|
|
|
{
|
|
|
|
|
if r.config.RedisClient != nil {
|
|
|
|
|
uploads.Use(middleware.UploadRateLimit(r.config.RedisClient))
|
|
|
|
|
}
|
|
|
|
|
uploads.POST("/", uploadHandler.UploadFile())
|
|
|
|
|
uploads.POST("/batch", uploadHandler.BatchUpload())
|
|
|
|
|
uploads.GET("/:id/status", uploadHandler.GetUploadStatus())
|
|
|
|
|
uploads.GET("/:id/progress", uploadHandler.UploadProgress())
|
|
|
|
|
uploads.DELETE("/:id", uploadHandler.DeleteUpload())
|
|
|
|
|
uploads.GET("/stats", uploadHandler.GetUploadStats())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Routes d'audit
|
|
|
|
|
audit := protected.Group("/audit")
|
|
|
|
|
{
|
|
|
|
|
audit.GET("/logs", auditHandler.SearchLogs())
|
|
|
|
|
audit.GET("/stats", auditHandler.GetStats())
|
|
|
|
|
audit.GET("/activity", auditHandler.GetUserActivity())
|
|
|
|
|
audit.GET("/suspicious", auditHandler.DetectSuspiciousActivity())
|
|
|
|
|
audit.GET("/ip/:ip", auditHandler.GetIPActivity())
|
|
|
|
|
audit.GET("/logs/:id", auditHandler.GetAuditLog())
|
|
|
|
|
audit.POST("/cleanup", auditHandler.CleanupOldLogs())
|
|
|
|
|
}
|
|
|
|
|
|
data-flow: implement backend dashboard aggregation endpoint
- Created DashboardHandler that aggregates multiple data sources
- Fetches stats, activity, and library preview in parallel
- Aggregates stats from audit logs (tracks_played, messages_sent, favorites, active_friends)
- Converts audit logs to RecentActivity format with type mapping
- Converts tracks to TrackPreview format for library preview
- Supports query parameters: activity_limit, library_limit, stats_period
- Returns wrapped format {success: true, data: DashboardResponse}
- Registered route: GET /api/v1/dashboard (protected, requires auth)
- Uses interface-based approach to avoid import cycle
- Router creates wrapper function to adapt track service
- Build successful, all handlers compile correctly
- Action 2.1.1.2 complete - dashboard endpoint ready for frontend integration
2026-01-15 16:42:49 +00:00
|
|
|
// Action 2.1.1.2: Dashboard aggregation endpoint
|
|
|
|
|
// Create track service wrapper for dashboard handler (to avoid import cycle)
|
|
|
|
|
uploadDir := r.config.UploadDir
|
|
|
|
|
if uploadDir == "" {
|
|
|
|
|
uploadDir = "uploads/tracks"
|
|
|
|
|
}
|
|
|
|
|
trackServiceForDashboard := trackcore.NewTrackService(r.db.GormDB, r.logger, uploadDir)
|
|
|
|
|
if r.config.CacheService != nil {
|
|
|
|
|
trackServiceForDashboard.SetCacheService(r.config.CacheService)
|
|
|
|
|
}
|
2026-01-15 18:31:40 +00:00
|
|
|
|
data-flow: implement backend dashboard aggregation endpoint
- Created DashboardHandler that aggregates multiple data sources
- Fetches stats, activity, and library preview in parallel
- Aggregates stats from audit logs (tracks_played, messages_sent, favorites, active_friends)
- Converts audit logs to RecentActivity format with type mapping
- Converts tracks to TrackPreview format for library preview
- Supports query parameters: activity_limit, library_limit, stats_period
- Returns wrapped format {success: true, data: DashboardResponse}
- Registered route: GET /api/v1/dashboard (protected, requires auth)
- Uses interface-based approach to avoid import cycle
- Router creates wrapper function to adapt track service
- Build successful, all handlers compile correctly
- Action 2.1.1.2 complete - dashboard endpoint ready for frontend integration
2026-01-15 16:42:49 +00:00
|
|
|
// Create wrapper function that adapts trackcore.TrackListParams to handlers.TrackListParamsForDashboard
|
|
|
|
|
trackListFunc := func(ctx context.Context, params handlers.TrackListParamsForDashboard) ([]*models.Track, int64, error) {
|
|
|
|
|
return trackServiceForDashboard.ListTracks(ctx, trackcore.TrackListParams{
|
|
|
|
|
Page: params.Page,
|
|
|
|
|
Limit: params.Limit,
|
|
|
|
|
UserID: params.UserID,
|
|
|
|
|
Genre: params.Genre,
|
|
|
|
|
Format: params.Format,
|
|
|
|
|
SortBy: params.SortBy,
|
|
|
|
|
SortOrder: params.SortOrder,
|
|
|
|
|
})
|
|
|
|
|
}
|
2026-01-15 18:31:40 +00:00
|
|
|
|
data-flow: implement backend dashboard aggregation endpoint
- Created DashboardHandler that aggregates multiple data sources
- Fetches stats, activity, and library preview in parallel
- Aggregates stats from audit logs (tracks_played, messages_sent, favorites, active_friends)
- Converts audit logs to RecentActivity format with type mapping
- Converts tracks to TrackPreview format for library preview
- Supports query parameters: activity_limit, library_limit, stats_period
- Returns wrapped format {success: true, data: DashboardResponse}
- Registered route: GET /api/v1/dashboard (protected, requires auth)
- Uses interface-based approach to avoid import cycle
- Router creates wrapper function to adapt track service
- Build successful, all handlers compile correctly
- Action 2.1.1.2 complete - dashboard endpoint ready for frontend integration
2026-01-15 16:42:49 +00:00
|
|
|
dashboardHandler := handlers.NewDashboardHandler(auditService, trackListFunc, r.logger)
|
|
|
|
|
protected.GET("/dashboard", dashboardHandler.GetDashboard())
|
|
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// Routes de conversations (chat rooms)
|
|
|
|
|
roomRepo := repositories.NewRoomRepository(r.db.GormDB)
|
|
|
|
|
messageRepo := repositories.NewChatMessageRepository(r.db.GormDB) // New
|
|
|
|
|
roomService := services.NewRoomService(roomRepo, messageRepo, r.logger) // Updated constructor
|
|
|
|
|
roomHandler := handlers.NewRoomHandler(roomService, r.logger)
|
|
|
|
|
|
|
|
|
|
conversations := protected.Group("/conversations")
|
|
|
|
|
{
|
|
|
|
|
conversations.GET("", roomHandler.GetUserRooms)
|
|
|
|
|
conversations.POST("", roomHandler.CreateRoom)
|
|
|
|
|
conversations.GET("/:id", roomHandler.GetRoom)
|
2025-12-23 09:51:18 +00:00
|
|
|
conversations.PUT("/:id", roomHandler.UpdateRoom) // BE-API-012: Update conversation endpoint
|
2025-12-23 09:47:17 +00:00
|
|
|
conversations.DELETE("/:id", roomHandler.DeleteRoom) // BE-API-010: Delete conversation endpoint
|
2025-12-03 19:29:37 +00:00
|
|
|
conversations.POST("/:id/members", roomHandler.AddMember)
|
2025-12-23 09:49:17 +00:00
|
|
|
conversations.POST("/:id/participants", roomHandler.AddParticipant) // BE-API-011: Add participant endpoint
|
|
|
|
|
conversations.DELETE("/:id/participants/:userId", roomHandler.RemoveParticipant) // BE-API-011: Remove participant endpoint
|
2025-12-03 19:29:37 +00:00
|
|
|
conversations.GET("/:id/history", roomHandler.GetRoomHistory)
|
|
|
|
|
}
|
|
|
|
|
|
2025-12-24 10:23:24 +00:00
|
|
|
// BE-API-016: Setup notification routes
|
|
|
|
|
notificationService := services.NewNotificationService(r.db, r.logger)
|
|
|
|
|
handlers.NewNotificationHandlers(notificationService)
|
|
|
|
|
notifications := protected.Group("/notifications")
|
|
|
|
|
{
|
feat: Visual masterpiece - true light mode & premium UI
🎨 **True Light/Dark Mode**
- Implemented proper light mode with inverted color scheme
- Smooth theme transitions (0.3s ease)
- Light mode colors: white backgrounds, dark text, vibrant accents
- System theme detection with proper class application
🌈 **Enhanced Theme System**
- 4 color themes work in both light and dark modes
- Cyber (cyan/magenta), Ocean (blue/teal), Forest (green/lime), Sunset (orange/purple)
- Theme-specific glassmorphism effects
- Proper contrast in light mode
✨ **Premium Animations**
- Float, glow-pulse, slide-in, scale-in, rotate-in animations
- Smooth page transitions
- Hover effects with depth (lift, glow, scale)
- Micro-interactions on all interactive elements
🎯 **Visual Polish**
- Enhanced glassmorphism for light/dark modes
- Custom scrollbar with theme colors
- Beautiful text selection
- Focus indicators for accessibility
- Premium utility classes
🔧 **Technical Improvements**
- Updated UIStore to properly apply light/dark classes
- Added data-theme attribute for CSS targeting
- Smooth scroll behavior
- Optimized transitions
The app is now a visual masterpiece with perfect light/dark mode support!
2026-01-11 01:32:21 +00:00
|
|
|
notifications.GET("", handlers.NotificationHandlersInstance.GetNotifications) // BE-API-016: Get notifications endpoint
|
|
|
|
|
notifications.GET("/unread-count", handlers.NotificationHandlersInstance.GetUnreadCount) // BE-API-016: Get unread count endpoint
|
|
|
|
|
notifications.POST("/:id/read", handlers.NotificationHandlersInstance.MarkAsRead) // BE-API-016: Mark notification as read endpoint
|
|
|
|
|
notifications.POST("/read-all", handlers.NotificationHandlersInstance.MarkAllAsRead) // BE-API-016: Mark all notifications as read endpoint
|
|
|
|
|
notifications.DELETE("/:id", handlers.NotificationHandlersInstance.DeleteNotification) // BE-API-016: Delete notification endpoint
|
|
|
|
|
notifications.DELETE("", handlers.NotificationHandlersInstance.DeleteAllNotifications) // BE-API-016: Delete all notifications endpoint
|
2025-12-24 10:23:24 +00:00
|
|
|
}
|
|
|
|
|
|
2025-12-03 19:29:37 +00:00
|
|
|
// Routes administrateur (avec authentification + permissions admin)
|
|
|
|
|
admin := v1.Group("/admin")
|
|
|
|
|
{
|
|
|
|
|
if r.config.AuthMiddleware != nil {
|
|
|
|
|
admin.Use(r.config.AuthMiddleware.RequireAuth())
|
|
|
|
|
admin.Use(r.config.AuthMiddleware.RequireAdmin())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Audit logs (disponibles)
|
|
|
|
|
admin.GET("/audit/logs", auditHandler.SearchLogs())
|
|
|
|
|
admin.GET("/audit/stats", auditHandler.GetStats())
|
|
|
|
|
admin.GET("/audit/suspicious", auditHandler.DetectSuspiciousActivity())
|
2025-12-16 18:34:08 +00:00
|
|
|
|
|
|
|
|
// MOD-P2-006: Profiling pprof (protégé par auth admin)
|
|
|
|
|
admin.Any("/debug/pprof/*path", gin.WrapH(http.DefaultServeMux))
|
2025-12-03 19:29:37 +00:00
|
|
|
}
|
2025-12-06 16:21:59 +00:00
|
|
|
}
|
feat: Visual masterpiece - true light mode & premium UI
🎨 **True Light/Dark Mode**
- Implemented proper light mode with inverted color scheme
- Smooth theme transitions (0.3s ease)
- Light mode colors: white backgrounds, dark text, vibrant accents
- System theme detection with proper class application
🌈 **Enhanced Theme System**
- 4 color themes work in both light and dark modes
- Cyber (cyan/magenta), Ocean (blue/teal), Forest (green/lime), Sunset (orange/purple)
- Theme-specific glassmorphism effects
- Proper contrast in light mode
✨ **Premium Animations**
- Float, glow-pulse, slide-in, scale-in, rotate-in animations
- Smooth page transitions
- Hover effects with depth (lift, glow, scale)
- Micro-interactions on all interactive elements
🎯 **Visual Polish**
- Enhanced glassmorphism for light/dark modes
- Custom scrollbar with theme colors
- Beautiful text selection
- Focus indicators for accessibility
- Premium utility classes
🔧 **Technical Improvements**
- Updated UIStore to properly apply light/dark classes
- Added data-theme attribute for CSS targeting
- Smooth scroll behavior
- Optimized transitions
The app is now a visual masterpiece with perfect light/dark mode support!
2026-01-11 01:32:21 +00:00
|
|
|
|
|
|
|
|
// setupSocialRoutes configure les routes sociales
|
|
|
|
|
func (r *APIRouter) setupSocialRoutes(router *gin.RouterGroup) {
|
|
|
|
|
socialService := socialcore.NewService(r.db.GormDB, r.logger)
|
|
|
|
|
socialHandler := handlers.NewSocialHandler(socialService, r.logger)
|
|
|
|
|
|
|
|
|
|
social := router.Group("/social")
|
|
|
|
|
{
|
|
|
|
|
// Public routes
|
|
|
|
|
social.GET("/feed", socialHandler.GetFeed)
|
|
|
|
|
social.GET("/posts/user/:user_id", socialHandler.GetPostsByUser)
|
|
|
|
|
|
|
|
|
|
// Protected routes
|
|
|
|
|
if r.config.AuthMiddleware != nil {
|
|
|
|
|
protected := social.Group("")
|
|
|
|
|
protected.Use(r.config.AuthMiddleware.RequireAuth())
|
|
|
|
|
// BE-SEC-004: Apply CSRF protection to all state-changing endpoints
|
|
|
|
|
r.applyCSRFProtection(protected)
|
|
|
|
|
|
|
|
|
|
protected.POST("/posts", socialHandler.CreatePost)
|
|
|
|
|
protected.POST("/like", socialHandler.ToggleLike)
|
|
|
|
|
protected.POST("/comments", socialHandler.AddComment)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|