senke
249fd99730
fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files
...
CRITICAL fixes:
- Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002)
- IDOR on analytics endpoint — ownership check enforced (CRITICAL-003)
- CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004)
- Mass assignment on user self-update — strip privileged fields (CRITICAL-005)
HIGH fixes:
- Path traversal in marketplace upload — UUID filenames (HIGH-001)
- IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002)
- Popularity metrics (followers, likes) set to json:"-" (HIGH-003)
- bcrypt cost hardened to 12 everywhere (HIGH-004)
- Refresh token lock made mandatory (HIGH-005)
- Stream token replay prevention with access_count (HIGH-006)
- Subscription trial race condition fixed (HIGH-007)
- License download expiration check (HIGH-008)
- Webhook amount validation (HIGH-009)
- pprof endpoint removed from production (HIGH-010)
MEDIUM fixes:
- WebSocket message size limit 64KB (MEDIUM-010)
- HSTS header in nginx production (MEDIUM-001)
- CORS origin restricted in nginx-rtmp (MEDIUM-002)
- Docker alpine pinned to 3.21 (MEDIUM-003/004)
- Redis authentication enforced (MEDIUM-005)
- GDPR account deletion expanded (MEDIUM-006)
- .gitignore hardened (MEDIUM-007)
LOW/INFO fixes:
- GitHub Actions SHA pinning on all workflows (LOW-001)
- .env.example security documentation (INFO-001)
- Production CORS set to HTTPS (LOW-002)
All tests pass. Go and Rust compile clean.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-14 00:44:46 +01:00
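An added example, not code from the senke project or from this commit, of the exact-match origin allowlist that the CSWSH fix (CRITICAL-004) describes, written against the Go standard library. The OriginPolicy type, the allowed origins and the contrasting suffixMatch check are assumptions for illustration only:

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// OriginPolicy holds the exact origins (scheme://host[:port]) allowed to open
// a WebSocket. Hypothetical type for this example, not the project's own code.
type OriginPolicy struct {
	allowed map[string]struct{}
}

// NewOriginPolicy builds the allowlist; entries that do not parse as a bare
// origin are dropped rather than silently widened.
func NewOriginPolicy(origins ...string) *OriginPolicy {
	p := &OriginPolicy{allowed: make(map[string]struct{}, len(origins))}
	for _, o := range origins {
		if n, ok := normalizeOrigin(o); ok {
			p.allowed[n] = struct{}{}
		}
	}
	return p
}

// normalizeOrigin parses an origin and lowercases scheme and host so that
// "HTTPS://App.Example.com" and "https://app.example.com" compare equal.
// Anything carrying a path, query, fragment or userinfo is rejected: a real
// Origin header never has them, so their presence means something is off.
func normalizeOrigin(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" || u.User != nil {
		return "", false
	}
	if u.Path != "" || u.RawQuery != "" || u.Fragment != "" || u.Opaque != "" {
		return "", false
	}
	return strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host), true
}

// CheckOrigin decides whether an upgrade request may proceed. It fails closed:
// a missing Origin header, the literal "null" origin (sandboxed iframes, some
// redirects) and anything that is not an exact allowlist match are refused.
// Browsers always send Origin on WebSocket handshakes, so requiring it costs
// nothing for legitimate web clients.
func (p *OriginPolicy) CheckOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" || origin == "null" {
		return false
	}
	n, ok := normalizeOrigin(origin)
	if !ok {
		return false
	}
	_, allowed := p.allowed[n]
	return allowed
}

// suffixMatch is a common broken origin check (not what this project had;
// shown only for contrast): it accepts "https://evil-app.example.com"
// because that string ends with "app.example.com".
func suffixMatch(origin, site string) bool {
	return strings.HasSuffix(origin, site)
}

func main() {
	policy := NewOriginPolicy("https://app.example.com")
	// Constructed sample origins: one legitimate, three attacker-controlled.
	for _, o := range []string{"https://app.example.com", "https://evil-app.example.com", "null", ""} {
		r, _ := http.NewRequest(http.MethodGet, "/ws", nil)
		if o != "" {
			r.Header.Set("Origin", o)
		}
		fmt.Printf("%-32q allowlist=%-5v suffix=%v\n", o, policy.CheckOrigin(r), suffixMatch(o, "app.example.com"))
	}
}
```

CheckOrigin has the `func(*http.Request) bool` shape that gorilla/websocket's `Upgrader.CheckOrigin` hook expects, so it drops in there directly; in front of any other upgrader it can run as an ordinary middleware. The contrast case is the one to keep in mind when reviewing a CSWSH fix: a suffix, prefix or substring comparison on the Origin header is how the bug usually survives a first remediation.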
senke
71c15c2590
fix(v0.12.6.1): remediate 2 CRITICAL + 10 HIGH + 1 MEDIUM pentest findings
...
Security fixes implemented:
CRITICAL:
- CRIT-001: IDOR on chat rooms — added IsRoomMember check before
returning room data or message history (returns 404, not 403)
- CRIT-002: play_count/like_count exposed publicly — changed JSON
tags to "-" so they are never serialized in API responses
HIGH:
- HIGH-001: TOCTOU race on marketplace downloads — transaction +
SELECT FOR UPDATE on GetDownloadURL
- HIGH-002: HS256 in production docker-compose — replaced JWT_SECRET
with JWT_PRIVATE_KEY_PATH / JWT_PUBLIC_KEY_PATH (RS256)
- HIGH-003: context.Background() bypass in user repository — full
context propagation from handlers → services → repository (29 files)
- HIGH-004: Race condition on promo codes — SELECT FOR UPDATE
- HIGH-005: Race condition on exclusive licenses — SELECT FOR UPDATE
- HIGH-006: Rate limiter IP spoofing — SetTrustedProxies(nil) default
- HIGH-007: GDPR hard delete incomplete — added cleanup for sessions,
settings, follows, notifications, audit_logs anonymization
- HIGH-008: RTMP callback auth weak — fail-closed when unconfigured,
header-only (no query param), constant-time compare
- HIGH-009: Co-listening host hijack — UpdateHostState now takes *Conn
and verifies IsHost before processing
- HIGH-010: Moderator self-strike — added issuedBy != userID check
MEDIUM:
- MEDIUM-001: Recovery codes used math/rand — replaced with crypto/rand
- MEDIUM-005: Stream token forgeable — resolved by HIGH-002 (RS256)
Updated REMEDIATION_MATRIX: 14 findings marked ✅ FIXED.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 05:40:53 +01:00
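An added example, not the project's code, of the three properties the HIGH-008 fix lists for the RTMP callback endpoint (fail closed when no secret is configured, read the token from a header only, compare in constant time), built on net/http and crypto/subtle. The header name X-Callback-Token, the endpoint path and the sample secret are assumptions for illustration:

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// callbackHeader is an assumed header name; the project's real one is not on
// this page.
const callbackHeader = "X-Callback-Token"

// CallbackAuth guards the endpoint that the streaming server calls back into
// (for nginx-rtmp, the on_publish / on_play hooks). Hypothetical type.
type CallbackAuth struct {
	secret []byte // empty means "not configured"
}

func NewCallbackAuth(secret string) *CallbackAuth {
	return &CallbackAuth{secret: []byte(secret)}
}

// Authorized applies the three rules from the remediation:
//  1. fail closed: with no secret configured every call is refused, instead
//     of a misconfigured deployment silently accepting all publishes;
//  2. header only: the token is never read from the query string, so it does
//     not end up in access logs, Referer headers or proxy caches;
//  3. constant-time compare: subtle.ConstantTimeCompare, so response timing
//     does not reveal how many leading bytes of a guess were correct.
func (a *CallbackAuth) Authorized(r *http.Request) bool {
	if len(a.secret) == 0 {
		return false
	}
	got := []byte(r.Header.Get(callbackHeader))
	// ConstantTimeCompare returns 0 at once when lengths differ; that leaks
	// only the secret length, which is fine for a fixed-size random secret.
	return subtle.ConstantTimeCompare(got, a.secret) == 1
}

// Middleware wraps the real callback handler. Rejections carry no detail
// about the reason, so the caller cannot distinguish the three failure cases.
func (a *CallbackAuth) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !a.Authorized(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the middleware and returns the
// status code. The token placements mirror a correct caller, a caller that
// still passes the token as ?token=, and a plain guess.
func probe(a *CallbackAuth, headerToken, queryToken string) int {
	target := "/rtmp/on_publish" // assumed path
	if queryToken != "" {
		target += "?token=" + queryToken
	}
	r := httptest.NewRequest(http.MethodPost, target, nil)
	if headerToken != "" {
		r.Header.Set(callbackHeader, headerToken)
	}
	w := httptest.NewRecorder()
	a.Middleware(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	})).ServeHTTP(w, r)
	return w.Code
}

func main() {
	configured := NewCallbackAuth("s3cr3t-from-env") // constructed sample secret
	unconfigured := NewCallbackAuth("")
	fmt.Println("header token   :", probe(configured, "s3cr3t-from-env", ""))
	fmt.Println("query token    :", probe(configured, "", "s3cr3t-from-env"))
	fmt.Println("wrong token    :", probe(configured, "s3cr3t-from-enu", ""))
	fmt.Println("no secret set  :", probe(unconfigured, "s3cr3t-from-env", ""))
}
```

Two review checks follow from the code: the constructor should read the secret from the environment or a secrets mount at startup and refuse to start the callback route if it is empty (fail closed at boot is even better than fail closed per request), and the nginx side should send the token in the same header rather than appending it to the callback URL, otherwise the query-string path the fix removed is just re-created in the proxy configuration.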
senke
1d31c4065a
feat(v0.12.0): F252-F254 marketplace service enhancements
...
- F252: Enable download count decrement on GetDownloadURL
- F253: Differentiated commission rates (creator 15%, premium 10%)
- F254: Seller balance tracking, payout scheduling, manual payout request
- Enforce 14-day refund window on RefundOrder
- Credit seller balance on completed sales
- New payout handler with balance/payouts/request endpoints
- 15 new tests (payout, refund window, commission)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 18:52:06 +01:00
senke
cd974172cb
v0.9.4
2026-03-05 23:03:43 +01:00
senke
fc3585c556
test(marketplace): add refund order unit tests
2026-02-24 00:19:42 +01:00
senke
3d311ef01a
test(marketplace): add invoice generation unit tests
2026-02-24 00:19:10 +01:00
senke
63b5abe08a
test(marketplace): add product review unit tests
2026-02-24 00:18:45 +01:00
senke
0211e44a09
test(marketplace): add transfer retry worker tests
2026-02-23 23:32:59 +01:00
senke
fd357cb383
feat(marketplace): add TransferRetryWorker background goroutine
2026-02-23 23:32:03 +01:00
senke
bdfda923ae
feat(marketplace): add retry fields to SellerTransfer model
2026-02-23 23:30:51 +01:00
senke
31034f409c
test(commerce): add transfer tests — success, multi-seller, transfer-fails
2026-02-23 22:58:16 +01:00
senke
4a08a89dc5
feat(commerce): trigger seller transfers on payment succeeded
2026-02-23 22:56:01 +01:00
senke
a0a36e9d3e
feat(commerce): add TransferService interface and WithTransferService option
2026-02-23 22:55:18 +01:00
senke
e86c476d42
feat(commerce): add SellerTransfer model
2026-02-23 22:55:08 +01:00
senke
b319b60396
chore(release): v0.602 — Payout, Technical Debt & E2E Tests
...
- Stripe Connect: onboarding, balance, SellerDashboardView
- Interceptors: auth.ts, error.ts extracted, facade
- Grafana: dashboards enriched (p50, top endpoints, 4xx, WS, commerce)
- E2E commerce: product->order->review->invoice
- SMOKE_TEST_V0602, RETROSPECTIVE_V0602, PAYOUT_MANUAL
- Archive V0_602 scope, V0_603 placeholder, SCOPE_CONTROL v0.603
- Fix sanitizer regex (Go no backreferences)
- Marketplace test schema: product_licenses, product_images, orders, licenses
2026-02-23 22:32:01 +01:00
senke
bcc885327b
feat(v0.501): Sprint 4 -- Cloud frontend + Gear advanced
...
- C1-09: Create CloudPage with folder tree, file list, and /cloud route
- C1-10: Create CloudUploadModal with drag-and-drop and progress
- C1-11: Create CloudFilePreview mini player inline
- C1-12: Add Cloud stories (loading, empty, populated, quota full)
- G1-01: Add is_public toggle, public gear endpoint, GearShowcase
- G1-02: Add gear image upload endpoints, GearImageGallery component
- G1-03: Add gear search with ILIKE + SearchBar in toolbar
- G1-04: Add stories for GearShowcase and GearImageGallery
2026-02-22 18:30:49 +01:00
senke
952520dd7f
feat(marketplace): add license revoked_at migration
2026-02-22 16:18:01 +01:00
senke
5b023ae895
chore(backend): add PDF library for invoices
...
feat(marketplace): add invoice generation service and download endpoint
2026-02-22 16:11:42 +01:00
senke
45cbc96fac
feat(marketplace): add avg_rating and review_count to Product
2026-02-22 16:07:06 +01:00
senke
578af84819
feat(marketplace): add ProductReview model and service
2026-02-22 16:05:16 +01:00
senke
afeec3ae65
fix(checkout): handle cancelled status in Hyperswitch webhook
2026-02-22 14:42:57 +01:00
senke
e60354f7ce
feat(checkout): add order_id to Hyperswitch return URL
2026-02-22 14:40:13 +01:00
senke
79ef2f52a0
feat(seller): add GET /sell/stats/evolution, top-products, sales, SalesEvolutionChart, real commerceService
2026-02-22 14:21:21 +01:00
senke
c977681bf8
feat(marketplace): add migration 098 product_licenses, ProductLicense model, GET /licenses/mine
2026-02-22 14:16:24 +01:00
senke
f4fff1126f
feat(marketplace): add bpm, musical_key, category filters to ListProducts
2026-02-22 14:08:41 +01:00
senke
8ecd66786d
feat(marketplace): add product images management endpoint
2026-02-22 14:08:13 +01:00
senke
8e68ca3be0
feat(marketplace): add POST /products/:id/preview for audio preview upload
2026-02-22 14:07:30 +01:00
senke
7a68e3ced2
feat(marketplace): accept bpm, musical_key, category in CreateProduct and UpdateProduct
2026-02-22 14:06:20 +01:00
senke
ef0a928ab4
feat(marketplace): add ProductPreview, ProductImage models and Product enrichment fields
2026-02-22 14:05:37 +01:00
senke
ea29927d2a
feat(seller): add GET /sell/stats and connect dashboard (F1)
2026-02-20 17:02:13 +01:00
senke
7f7b6547bc
chore: consolidate pending changes (Hyperswitch, PostCard, dashboard, stream server, etc.)
2026-02-14 21:45:15 +01:00
senke
ecac9c3b03
feat(backend): add social groups, wishlist, cart, and playlist export endpoints
...
- Add Group and GroupMember models with CRUD service methods
- Implement social group endpoints: create, list, get, join, leave
- Add WishlistItem model with get/add/remove service methods
- Add CartItem model with get/add/remove/checkout service methods
- Create handlers for marketplace wishlist and cart operations
- Register playlist export (JSON/CSV) and duplicate routes
- Enable PLAYLIST_SHARE and NOTIFICATIONS feature flags
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 22:48:50 +01:00
senke
0eca0729b5
feat: Visual masterpiece - true light mode & premium UI
...
🎨 **True Light/Dark Mode**
- Implemented proper light mode with inverted color scheme
- Smooth theme transitions (0.3s ease)
- Light mode colors: white backgrounds, dark text, vibrant accents
- System theme detection with proper class application
🌈 **Enhanced Theme System**
- 4 color themes work in both light and dark modes
- Cyber (cyan/magenta), Ocean (blue/teal), Forest (green/lime), Sunset (orange/purple)
- Theme-specific glassmorphism effects
- Proper contrast in light mode
✨ **Premium Animations**
- Float, glow-pulse, slide-in, scale-in, rotate-in animations
- Smooth page transitions
- Hover effects with depth (lift, glow, scale)
- Micro-interactions on all interactive elements
🎯 **Visual Polish**
- Enhanced glassmorphism for light/dark modes
- Custom scrollbar with theme colors
- Beautiful text selection
- Focus indicators for accessibility
- Premium utility classes
🔧 **Technical Improvements**
- Updated UIStore to properly apply light/dark classes
- Added data-theme attribute for CSS targeting
- Smooth scroll behavior
- Optimized transitions
The app is now a visual masterpiece with perfect light/dark mode support!
2026-01-11 02:32:21 +01:00
senke
d8bb2f6f6a
[BE-API-039] be-api: Implement marketplace order details endpoint
2025-12-24 15:00:32 +01:00
senke
9326a49e4a
[BE-API-038] be-api: Implement marketplace order list endpoint
2025-12-24 14:50:39 +01:00
senke
daeef2b150
[BE-API-037] be-api: Implement marketplace product update endpoint
2025-12-24 14:49:41 +01:00
okinrev
8caa2fd7ca
STABILISATION: phase 3–5 – API contract, tests & chat-server hardening
2025-12-06 17:21:59 +01:00
okinrev
2425c15b09
adding initial backend API (Go)
2025-12-03 20:29:37 +01:00