senke
249fd99730
fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files
...
CRITICAL fixes:
- Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002)
- IDOR on analytics endpoint — ownership check enforced (CRITICAL-003)
- CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004)
- Mass assignment on user self-update — strip privileged fields (CRITICAL-005)
HIGH fixes:
- Path traversal in marketplace upload — UUID filenames (HIGH-001)
- IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002)
- Popularity metrics (followers, likes) set to json:"-" (HIGH-003)
- bcrypt cost hardened to 12 everywhere (HIGH-004)
- Refresh token lock made mandatory (HIGH-005)
- Stream token replay prevention with access_count (HIGH-006)
- Subscription trial race condition fixed (HIGH-007)
- License download expiration check (HIGH-008)
- Webhook amount validation (HIGH-009)
- pprof endpoint removed from production (HIGH-010)
MEDIUM fixes:
- WebSocket message size limit 64KB (MEDIUM-010)
- HSTS header in nginx production (MEDIUM-001)
- CORS origin restricted in nginx-rtmp (MEDIUM-002)
- Docker alpine pinned to 3.21 (MEDIUM-003/004)
- Redis authentication enforced (MEDIUM-005)
- GDPR account deletion expanded (MEDIUM-006)
- .gitignore hardened (MEDIUM-007)
LOW/INFO fixes:
- GitHub Actions SHA pinning on all workflows (LOW-001)
- .env.example security documentation (INFO-001)
- Production CORS set to HTTPS (LOW-002)
All tests pass. Go and Rust compile clean.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-14 00:44:46 +01:00
senke
29586b59da
feat(v0.11.1): F396-F399 advanced analytics service, handler and routes
...
- F396: Track listening heatmap (segment-level aggregated data)
- F397: Period comparison (week/month/quarter with % changes)
- F398: Marketplace analytics (product views, conversion rates, revenue)
- F399: Metric alerts (opt-in thresholds, preferences, CRUD)
- Unit tests for service (percent change calculations) and handler (auth, validation)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 17:12:26 +01:00
senke
256781f00d
feat(v0.11.0): F381-F385 creator analytics handler and routes
...
Add CreatorAnalyticsHandler with endpoints:
- GET /api/v1/creator/analytics/dashboard (F381)
- GET /api/v1/creator/analytics/plays (F382)
- GET /api/v1/creator/analytics/sales (F383)
- GET /api/v1/creator/analytics/discovery (F381)
- GET /api/v1/creator/analytics/geographic (F381)
- GET /api/v1/creator/analytics/audience (F384)
- GET /api/v1/creator/analytics/live/:streamId (F385)
- GET /api/v1/creator/analytics/tracks (F381)
- GET /api/v1/creator/analytics/export (F383)
All endpoints require authentication and only return data for the authenticated creator.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 16:28:22 +01:00
senke
cd974172cb
v0.9.4
2026-03-05 23:03:43 +01:00
senke
b887110214
feat(analytics): add creator export CSV/JSON (H4)
2026-02-20 17:00:36 +01:00
senke
d9fee2684b
feat(analytics): add creator charts endpoint and UI (H2)
2026-02-20 16:59:25 +01:00
senke
9ca90e6096
feat(analytics): add creator stats endpoint and UI (H1)
2026-02-20 16:57:58 +01:00
senke
e11984898d
chore: consolidate CI, E2E, backend and frontend updates
...
- CI: workflows updates (cd, ci), remove playwright.yml
- E2E: global-setup, auth/playlists/profile specs
- Remove playwright-report and test-results artifacts from tracking
- Backend: auth, handlers, services, workers, migrations
- Frontend: components, features, vite config
- Add e2e-results.json to gitignore
- Docs: REMEDIATION_PROGRESS, audit archive
- Rust: chat-server, stream-server updates
2026-02-17 16:43:21 +01:00
senke
d89d3d123b
feat(analytics): complete backend analytics, remove frontend mocks
2026-02-15 16:21:20 +01:00
senke
d847374520
refactor(backend): unify architecture - migrate analytics handler to core (ADR-001)
2026-02-15 16:18:13 +01:00
