senke
71c15c2590
fix(v0.12.6.1): remediate 2 CRITICAL + 10 HIGH + 1 MEDIUM pentest findings
...
Security fixes implemented:
CRITICAL:
- CRIT-001: IDOR on chat rooms — added IsRoomMember check before
returning room data or message history (returns 404, not 403)
- CRIT-002: play_count/like_count exposed publicly — changed JSON
tags to "-" so they are never serialized in API responses
HIGH:
- HIGH-001: TOCTOU race on marketplace downloads — transaction +
SELECT FOR UPDATE on GetDownloadURL
- HIGH-002: HS256 in production docker-compose — replaced JWT_SECRET
with JWT_PRIVATE_KEY_PATH / JWT_PUBLIC_KEY_PATH (RS256)
- HIGH-003: context.Background() bypass in user repository — full
context propagation from handlers → services → repository (29 files)
- HIGH-004: Race condition on promo codes — SELECT FOR UPDATE
- HIGH-005: Race condition on exclusive licenses — SELECT FOR UPDATE
- HIGH-006: Rate limiter IP spoofing — SetTrustedProxies(nil) default
- HIGH-007: GDPR hard delete incomplete — added cleanup for sessions,
settings, follows, notifications, audit_logs anonymization
- HIGH-008: RTMP callback auth weak — fail-closed when unconfigured,
header-only (no query param), constant-time compare
- HIGH-009: Co-listening host hijack — UpdateHostState now takes *Conn
and verifies IsHost before processing
- HIGH-010: Moderator self-strike — added issuedBy != userID check
MEDIUM:
- MEDIUM-001: Recovery codes used math/rand — replaced with crypto/rand
- MEDIUM-005: Stream token forgeable — resolved by HIGH-002 (RS256)
Updated REMEDIATION_MATRIX: 14 findings marked ✅ FIXED.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 05:40:53 +01:00
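The HIGH-008 item above lists three properties for the RTMP callback guard: fail closed when no secret is configured, read the secret from a header only (never a query parameter), and compare in constant time. The following is an added illustration in Go (the backend's language) of what such a guard looks like; it is not Veza's code, and the header name `X-Callback-Secret`, the `/rtmp/on_publish` path and the `ProbeStatus` helper are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed header name; the project's real header is not given on this page.
const callbackHeader = "X-Callback-Secret"

// CallbackAuth guards a server-to-server callback endpoint (e.g. an RTMP
// on_publish hook). An empty Secret means "not configured", and the guard
// then fails closed instead of letting every caller through.
type CallbackAuth struct {
	Secret string
}

// Wrap returns next guarded by the shared-secret check.
func (a CallbackAuth) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if a.Secret == "" {
			http.Error(w, "callback auth not configured", http.StatusServiceUnavailable)
			return
		}
		// Header only: r.Header.Get never consults the query string, so a
		// ?secret=... in the URL (which lands in access and proxy logs) is
		// simply ignored and does not authenticate.
		presented := r.Header.Get(callbackHeader)
		if !secretsEqual(presented, a.Secret) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// secretsEqual compares in constant time. Hashing both sides first makes the
// comparison independent of the input length, so neither the length nor a
// matching prefix of the real secret leaks through timing.
func secretsEqual(presented, expected string) bool {
	p := sha256.Sum256([]byte(presented))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(p[:], e[:]) == 1
}

// ProbeStatus drives the guard with an in-memory request and returns the HTTP
// status it produced. rawQuery lets a caller show that a secret supplied in
// the URL is not accepted. The request itself is constructed for the example.
func ProbeStatus(configured, headerValue, rawQuery string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	h := CallbackAuth{Secret: configured}.Wrap(ok)

	target := "/rtmp/on_publish"
	if rawQuery != "" {
		target += "?" + rawQuery
	}
	req := httptest.NewRequest(http.MethodPost, target, nil)
	if headerValue != "" {
		req.Header.Set(callbackHeader, headerValue)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const secret = "constructed-example-secret"
	fmt.Println("unconfigured:    ", ProbeStatus("", secret, ""))               // 503
	fmt.Println("query param only:", ProbeStatus(secret, "", "secret="+secret)) // 403
	fmt.Println("wrong header:    ", ProbeStatus(secret, "nope", ""))           // 403
	fmt.Println("correct header:  ", ProbeStatus(secret, secret, ""))           // 200
}
```

The 503 for the unconfigured case is deliberate: it makes a missing deployment secret visible in monitoring instead of silently accepting every stream publish, which is the failure mode the commit note calls out.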
senke
451d11f444
[T0-006] test(backend): Add tests for avatar_handler and notification_handlers
...
- Complete tests for avatar_handler.go (15 tests)
- Complete tests for notification_handlers.go (14 tests)
- Interfaces created to allow mocking (ImageServiceInterface, UserServiceInterfaceForAvatar, NotificationServiceInterface)
- Current coverage: 30.3% (target: 80%)
Files: veza-backend-api/internal/handlers/avatar_handler.go
veza-backend-api/internal/handlers/avatar_handler_test.go
veza-backend-api/internal/handlers/notification_handlers.go
veza-backend-api/internal/handlers/notification_handlers_test.go
VEZA_ROADMAP.json
Hours: 16 estimated, 18 actual
2026-01-04 01:44:22 +01:00
senke
feca73969c
[BE-API-022] be-api: Implement avatar delete endpoint
...
- DeleteAvatar handler was already implemented and standardized
- Added route: DELETE /users/:userId/avatar
- Handler validates user authentication and ownership
- Handler deletes avatar file from storage and updates database
- Handler uses standard API response format
Phase: PHASE-2
Priority: P1
Progress: 31/267 (11.6%)
2025-12-24 11:36:15 +01:00
senke
0b9247d5ac
[BE-API-021] be-api: Implement avatar upload endpoint
...
- Standardized UploadAvatar handler to use RespondSuccess/RespondWithAppError
- Replaced common.GetUserIDFromContext with GetUserIDUUID
- Handler accepts both :userId and :id parameters
- Added route: POST /users/:userId/avatar
- Handler validates user authentication and ownership
- Handler uses existing ImageService methods
- Handler updates avatar URL in database
Phase: PHASE-2
Priority: P1
Progress: 30/267 (11.2%)
2025-12-24 11:34:41 +01:00
okinrev
8caa2fd7ca
STABILISATION: phase 3–5 – API contract, tests & chat-server hardening
2025-12-06 17:21:59 +01:00
okinrev
2425c15b09
adding initial backend API (Go)
2025-12-03 20:29:37 +01:00