MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go,
use c.ClientIP() only (respects SetTrustedProxies)
MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files
MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly
MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes
MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files
MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod
MEDIUM-009: Add trial-already-used check in subscription service
MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections
MEDIUM-011: Mask email in auth handler logs with maskEmail() helper
MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats
LOW-001: Align frontend password policy to 12 chars (matching backend)
LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server
LOW-004: Enable xpack.security in Elasticsearch dev/local compose files
LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background()
LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests)
29/30 findings remediated. 1 noted (LOW-002).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Created comprehensive Zod schemas (apiRequestSchemas.ts) for:
* LoginRequest, RegisterRequest, CreateUserRequest
* UpdateUserRequest, UpdateProfileRequest
* SendMessageRequest, UpdateMessageRequest
* CreateConversationRequest, UpdateConversationRequest
* UploadTrackRequest, UpdateTrackRequest
* PaginationParams and list/search request types
- Added validation utilities:
* validateApiRequest: Validate requests before sending
* safeValidateApiRequest: Safe validation with error handling
* validateApiRequestWithError: Validation with custom error handler
- Integrated validation into API client request interceptor
- Enhanced validatedApiClient with request validation support
- Automatic validation prevents invalid requests from being sent
- Comprehensive test suite (19 tests, all passing)
- Ensures runtime type safety for all API requests
- Removed strict() and passthrough() calls (not available on all Zod types)
- Simplified validation to use parse() directly
- Fixed type issues in clientWithValidation.ts
- Created comprehensive Zod schemas (apiSchemas.ts) for:
* User, Track, Playlist, Conversation, Message
* Session, AuditLog, Notification
* PaginationData, ApiError, ApiResponse
- Added validation utilities:
* validateApiResponse: Validate and normalize responses
* safeValidateApiResponse: Safe validation with error handling
* validateApiResponseArray: Validate arrays of items
* validatePaginatedResponse: Validate paginated responses
- Integrated validation into API client interceptor
- Created validatedApiClient for type-safe API calls
- Automatic ID normalization during validation
- Comprehensive test suite (13 tests, all passing)
- Ensures runtime type safety for all API responses
