Commit graph

542 commits

Author SHA1 Message Date
senke
9fa7f3a4d2 v0.9.5 2026-03-06 10:02:53 +01:00
senke
cd974172cb v0.9.4 2026-03-05 23:03:43 +01:00
senke
2956b12645 v0.9.2 2026-03-05 19:27:34 +01:00
senke
9a93068a9b v0.9.1 2026-03-05 19:22:31 +01:00
senke
a007f4c7e4 fix(release): v1.0.2 — Full V1_SIGNOFF compliance (21 criteria)
- Go coverage: coverage_report.sh script, 39% measured
- Frontend Vitest thresholds 50%
- Load test WebSocket: CHAT_ORIGIN→backend, WS_URL=/api/v1/ws
- Tests: chat_service (WSUrl), password_service (hash/expired)
- V1_SIGNOFF: 14 PASS, 7 N/A documented
- PERFORMANCE_BASELINE, RGPD, PWA tables v1.0.2
- Runbooks, Grafana, Secrets validated
2026-03-03 21:18:53 +01:00
senke
7ede202e95 fix(release): v1.0.1 — Full ROADMAP checklist compliance
- Security: npm 0 CRITICAL, cargo audit 0 vulnerabilities
- OpenAPI: @Param id fixed for /tracks/quota/{id}
- Tests: Payment E2E passes, OAuth DATABASE_URL fallback
- Migrations: 000_mark_consolidated.sql
- veza-stream-server: prometheus 0.14, validator 0.19
- docs: SECURITY_SCAN_RC1, V1_SIGNOFF, PROJECT_STATE
2026-03-03 20:17:54 +01:00
senke
9f91c99547 feat(security): add global and per-IP DDoS rate limiting (1000/s, 100/s)
SEC1-04: Redis sliding window 1s, excluded paths (health, swagger, auth)
2026-03-03 09:25:08 +01:00
senke
8138723eca chore(release): v0.971 — Phantom (gamification removal, WebRTC Beta, limits doc) 2026-03-02 19:25:37 +01:00
senke
c14b08a84e chore(release): v0.951 — Loadtest (500 req/s, 1000 WS, 50 uploads, perf indexes) 2026-03-02 19:22:38 +01:00
senke
c38e915025 chore(release): v0.943 — Refactor (split track batch ops to track_batch_service) 2026-03-02 19:07:49 +01:00
senke
e2645cdaa0 chore(release): v0.942 — Compress (migration consolidation procedure, mark script) 2026-03-02 19:05:54 +01:00
senke
1b239d13ab chore(release): v0.941 — Cleanup (dead code, migrations dedup, deprecated routes) 2026-03-02 19:04:30 +01:00
senke
3c5bb018cb chore(release): v0.931 — Cursor (cursor-based pagination, performance baseline) 2026-03-02 12:35:49 +01:00
senke
c2aa0483eb chore(release): v0.922 — Greenlight (handler tests: dashboard, presence) 2026-03-02 12:30:51 +01:00
senke
4f47cec05d feat(v0.923): API contract tests, OpenAPI generation, CI type sync check 2026-02-27 20:23:10 +01:00
senke
e02031044c feat(v0.912): Cashflow - payment E2E integration tests
- Add MarketplaceServiceOverride and AuthMiddlewareOverride to config for tests
- Wire overrides in routes_webhooks and routes_marketplace (authForMarketplaceInterface)
- payment_flow_test: cart -> checkout -> webhook -> order completed, license, transfer
- webhook_idempotency_test: 3 identical webhooks -> 1 order, 1 license
- webhook_security_test: empty secret 500, invalid sig 401, valid sig 200
- refund_flow_test: completed order -> refund -> order refunded, license revoked
- Shared computeWebhookSignature helper in webhook_test_helpers.go
- SetMaxOpenConns(1) for sqlite :memory: in idempotency test to avoid flakiness

Ref: docs/ROADMAP_V09XX_TO_V1.md v0.912 Cashflow
2026-02-27 20:00:51 +01:00
senke
c96be67cbc feat(auth): v0.911 Keystone - OAuth and auth integration tests
- Add access token blacklist on logout (VEZA-SEC-006)
- Extend OAuthService for mock provider injection in tests
- Add oauth_google_test.go: full OAuth Google flow with mocked provider
- Add oauth_github_test.go: OAuth GitHub flow with PKCE verification
- Add token_refresh_test.go: E2E refresh via httpOnly cookies
- Add logout_blacklist_test.go: E2E logout + token blacklist
- Fix testutils import path in resume_upload_test, track_quota_test
- Fix CreatorID -> UserID in track_quota_test
- Add test:integration script to package.json

Release: v0.911 Keystone
2026-02-27 09:58:53 +01:00
senke
515494007f release(v0.903): Vault - ORDER BY whitelist, rate limiter, VERSION sync, chat-server cleanup, Go 1.24
- Dynamic ORDER BY: explicit whitelist, fallback created_at DESC
- Login/register subject to the global rate limiter
- VERSION sync + check CI
- Cleanup of veza-chat-server references
- Go 1.24 everywhere (Dockerfile, workflows)
- TODO/FIXME/HACK converted to issues or resolved
2026-02-27 09:43:25 +01:00
senke
4c0be12465 release(v0.902): Sentinel - PKCE OAuth, token encryption, redirect validation, CHAT_JWT_SECRET
- PKCE (S256) in OAuth flow: code_verifier in oauth_states, code_challenge in auth URL
- CryptoService: AES-256-GCM encryption for OAuth provider tokens at rest
- OAuth redirect URL validated against OAUTH_ALLOWED_REDIRECT_DOMAINS
- CHAT_JWT_SECRET must differ from JWT_SECRET in production
- Migration script: cmd/tools/encrypt_oauth_tokens for existing tokens
- Fixes: VEZA-SEC-003, VEZA-SEC-004, VEZA-SEC-009, VEZA-SEC-010
2026-02-26 19:49:15 +01:00
senke
6e204cc98a feat(security): v0.901 Ironclad - fix 5 critical/high vulnerabilities
- OAuth: use JWTService+SessionService, httpOnly cookies (VEZA-SEC-001)
- Remove PasswordService.GenerateJWT (VEZA-SEC-002)
- Hyperswitch webhook: mandatory verification, 500 if secret empty (VEZA-SEC-005)
- Auth middleware: TokenBlacklist.IsBlacklisted check (VEZA-SEC-006)
- Waveform: ValidateExecPath before exec (VEZA-SEC-007)
2026-02-26 19:34:45 +01:00
senke
c2d530727a test(v0.803): unit tests for CCPA, reports, announcements, feature flags 2026-02-25 20:02:24 +01:00
senke
3edb10b567 feat(admin): feature flags CRUD with DB persistence 2026-02-25 19:56:24 +01:00
senke
d684c69439 feat(admin): global announcements CRUD and public banner endpoint 2026-02-25 19:55:21 +01:00
senke
2a9ca68763 feat(admin): maintenance mode middleware with 503 responses 2026-02-25 19:54:22 +01:00
senke
0d092466f1 feat(admin): moderation queue with reports CRUD 2026-02-25 19:53:04 +01:00
senke
0bee6e8727 feat(api): add Swagger annotations for privacy opt-out and account deletion 2026-02-25 19:51:54 +01:00
senke
29c1688786 feat(users): account deletion hardening with anonymization, S3 cleanup, session revocation 2026-02-25 19:51:21 +01:00
senke
cb0f70022e feat(compliance): CCPA Do Not Sell middleware and opt-out endpoint 2026-02-25 19:49:25 +01:00
senke
abdf3979f7 feat(audit): HTTP audit middleware for auto-logging POST/PUT/DELETE 2026-02-25 19:48:03 +01:00
senke
a3624ce4b3 feat(v0.802): frontend Cloud/Gear, MSW, docs, scope v0.803, archive
- Cloud: CloudFileVersions, CloudShareModal, versions/share in CloudView
- Gear: GearDocumentsTab, GearRepairsTab, warranty badge, initialTab
- MSW: cloud versions/share, gear documents/repairs, tags suggest
- Stories: CloudFileVersions, CloudShareModal, GearDetailModal variants
- gearService: listDocuments, uploadDocument, deleteDocument, listRepairs, createRepair, deleteRepair
- cloudService: listVersions, restoreVersion, shareFile, getSharedFile
- gear_warranty_notifier: 24h ticker, notifications for expiring warranty
- tag_handler_test: unit tests
- docs: API_REFERENCE, CHANGELOG, PROJECT_STATE, FEATURE_STATUS v0.802
- SCOPE_CONTROL, .cursorrules: scope v0.803
- archive: V0_802_RELEASE_SCOPE, RETROSPECTIVE_V0802
2026-02-25 14:00:58 +01:00
senke
b885392304 feat(upload): tags auto-suggest endpoint and additional audio formats 2026-02-25 13:39:59 +01:00
senke
e303e33dfc feat(cloud): GDPR data export and automatic backup cron 2026-02-25 13:35:16 +01:00
senke
301db440e5 feat(cloud): file versioning, restore, and sharing 2026-02-25 13:33:08 +01:00
senke
de96cebf26 feat(db): add migrations 119-122 for cloud versions, gear warranty/documents/repairs 2026-02-25 13:30:49 +01:00
senke
6f4c9c50ff feat(users): add user_preferences migration with appearance fields 2026-02-25 09:45:03 +01:00
senke
93666a3390 feat(v0.703): Go Live & Complete Streaming
- Backend: room creation for live streams, permissions CanJoin/CanSend/CanRead for stream rooms
- LiveViewChat: useLiveStreamChat hook, WebSocket connection, stream_id as room
- LiveViewPlayer: real-time viewer count via polling (5s)
- Media Session: seekbackward/seekforward handlers (10s step)
- GoLiveView.stories.tsx: Default, Loading, Error, StreamKeyVisible
- Docs: API_REFERENCE, CHANGELOG, PROJECT_STATE, FEATURE_STATUS, RETROSPECTIVE_V0703
- SCOPE_CONTROL, .cursorrules: update to v0.801
- Archive V0_703_RELEASE_SCOPE.md
2026-02-25 09:35:22 +01:00
senke
feed95fccd test(live): add live stream service unit tests
Use serializer:json for LiveStream.Tags to support SQLite in-memory tests.
2026-02-24 09:56:08 +01:00
senke
dd6dd69e7e feat(monitoring): add live stream Prometheus metrics 2026-02-24 09:53:29 +01:00
senke
75786acb03 feat(live): add handler endpoints for Go Live (me, key, regenerate, update) 2026-02-24 09:53:01 +01:00
senke
d386a98810 feat(live): stream key generation, ListByUser, RegenerateStreamKey 2026-02-24 09:52:04 +01:00
senke
4807f64c32 feat(live): add migration 117 and model fields for Go Live 2026-02-24 09:51:21 +01:00
senke
fc3585c556 test(marketplace): add refund order unit tests 2026-02-24 00:19:42 +01:00
senke
3d311ef01a test(marketplace): add invoice generation unit tests 2026-02-24 00:19:10 +01:00
senke
63b5abe08a test(marketplace): add product review unit tests 2026-02-24 00:18:45 +01:00
senke
022770ef9f feat(v0.701): AdminTransfers page/route, MSW, stories, Deep Health, API ref, docs, scope v0.702
- Step 13: AdminTransfersPage, LazyAdminTransfers, route /admin/transfers
- Step 14: MSW handlers admin transfers
- Step 15: AdminTransfersView stories (Default, Empty, WithFailedTransfers, Error, Loading)
- Step 16-17: DeepHealth handler (disk, config), GET /health/deep
- Step 19: health_deep_test.go (4 tests)
- Step 20: docs/API_REFERENCE.md
- Step 21: Archive V0_604, MIGRATIONS.md migration 116
- Step 22: CHANGELOG, PROJECT_STATE, FEATURE_STATUS v0.701
- Step 23: RETROSPECTIVE_V0701, V0_702 placeholder, SCOPE_CONTROL, .cursorrules
- Step 24: Archive V0_701_RELEASE_SCOPE
- Fix: AdminTransfersView Select component (use options API)
2026-02-23 23:42:02 +01:00
senke
56f2e9f9c3 test(admin): add admin transfer handler tests 2026-02-23 23:35:11 +01:00
senke
7fed717c9b feat(routes): wire admin transfer endpoints in /admin group 2026-02-23 23:33:54 +01:00
senke
8375466af9 feat(admin): add admin transfer handler (GET list, POST retry) 2026-02-23 23:33:35 +01:00
senke
0211e44a09 test(marketplace): add transfer retry worker tests 2026-02-23 23:32:59 +01:00
senke
1b66260c22 feat(server): start TransferRetryWorker on boot (v0.701) 2026-02-23 23:32:23 +01:00
senke
fd357cb383 feat(marketplace): add TransferRetryWorker background goroutine 2026-02-23 23:32:03 +01:00
senke
ab12f5d1fe feat(monitoring): add transfer retry Prometheus metrics 2026-02-23 23:31:35 +01:00
senke
3261d0fb44 feat(config): add transfer retry configuration (v0.701) 2026-02-23 23:31:09 +01:00
senke
bdfda923ae feat(marketplace): add retry fields to SellerTransfer model 2026-02-23 23:30:51 +01:00
senke
db0f40815a feat(marketplace): add migration 116 — retry columns for seller_transfers 2026-02-23 23:30:41 +01:00
senke
31034f409c test(commerce): add transfer tests — success, multi-seller, transfer-fails 2026-02-23 22:58:16 +01:00
senke
81fccda396 feat(seller): add transfers history card to SellerDashboard 2026-02-23 22:57:28 +01:00
senke
c2d5073a6e feat(commerce): add GET /sell/transfers endpoint 2026-02-23 22:56:26 +01:00
senke
4a08a89dc5 feat(commerce): trigger seller transfers on payment succeeded 2026-02-23 22:56:01 +01:00
senke
51dd867bdf feat(commerce): wire TransferService in marketplace and webhook routes 2026-02-23 22:55:39 +01:00
senke
a0a36e9d3e feat(commerce): add TransferService interface and WithTransferService option 2026-02-23 22:55:18 +01:00
senke
e86c476d42 feat(commerce): add SellerTransfer model 2026-02-23 22:55:08 +01:00
senke
4b07957d1a feat(commerce): add 115_seller_transfers migration 2026-02-23 22:54:56 +01:00
senke
979658165c feat(commerce): add PLATFORM_FEE_RATE config (default 10%) 2026-02-23 22:54:50 +01:00
senke
b319b60396 chore(release): v0.602 — Payout, Technical Debt & E2E Tests
- Stripe Connect: onboarding, balance, SellerDashboardView
- Interceptors: auth.ts, error.ts extracted, facade
- Grafana: dashboards enriched (p50, top endpoints, 4xx, WS, commerce)
- E2E commerce: product->order->review->invoice
- SMOKE_TEST_V0602, RETROSPECTIVE_V0602, PAYOUT_MANUAL
- Archive V0_602 scope, V0_603 placeholder, SCOPE_CONTROL v0.603
- Fix sanitizer regex (Go no backreferences)
- Marketplace test schema: product_licenses, product_images, orders, licenses
2026-02-23 22:32:01 +01:00
senke
a5d2951ec5 feat(seller): add seller_stripe_accounts migration and model 2026-02-23 22:11:11 +01:00
senke
cb9b418286 feat(seller): add Stripe Connect config 2026-02-23 22:09:23 +01:00
senke
06e3de98b9 feat(commerce): Hyperswitch LIVE_MODE configuration
- config: HyperswitchLiveMode (HYPERSWITCH_LIVE_MODE)
- routes_marketplace: warn when production + LiveMode=false
- docker-compose.prod: HYPERSWITCH_LIVE_MODE env var
2026-02-23 19:56:52 +01:00
senke
8f6a6b0b13 feat(streaming): wire HLS pipeline end-to-end with serving routes
- Add HLSEnabled and HLSStorageDir to backend config (HLS_STREAMING env)
- Register HLS serving routes (master.m3u8, quality playlist, segments)
  behind HLSEnabled feature flag on existing track routes
- Add GetHLSStatus and TriggerHLSTranscode methods to StreamService
  for stream server communication
- Update docker-compose (dev, staging, prod) with HLS env vars and
  shared hls-data volume between backend and stream-server
- Stream callback already correctly updates stream_manifest_url
2026-02-22 21:20:35 +01:00
senke
d3e3ba9b33 feat(chat): Redis rate limiter, persistent presence, PostgreSQL full-text search
- Rewrite chat rate limiter with Redis sliding window (sorted sets) and
  automatic in-memory fallback when Redis is unavailable
- Add ChatPresenceService with Redis-backed online/offline/heartbeat
  tracking (2min TTL), integrated into Hub register/unregister
- Add migration 113: tsvector column with GIN index and auto-update
  trigger on messages table for full-text search
- Update Search repository method to use ts_rank ordering instead of ILIKE
- Wire Redis client into chat WebSocket setup in router.go
- Add comprehensive tests: rate limiter, presence, 100-user concurrent benchmark
2026-02-22 21:17:51 +01:00
senke
25e7345a6a test(chat): Sprint 5 -- unit tests, E2E tests, feature parity validation
- Add hub_test.go: register/unregister, join/leave room, broadcast, exclude sender,
  send to user, multiple clients same user (6 tests)
- Add handler_messages_test.go: send message, missing fields, edit ownership check,
  soft delete (4 tests)
- Add handler_realtime_test.go: typing broadcast, read receipts, reactions add/remove,
  delivered status (5 tests)
- Add e2e_chat_ws_test.go: auth valid, missing token, invalid token, ping/pong
- Add e2e_chat_messages_test.go: 2-client message flow, typing indicator
- Create CHAT_FEATURE_PARITY.md: 25-feature checklist (all OK or IMPROVED)
2026-02-22 20:49:32 +01:00
senke
603eb06dae feat(chat): Sprint 3 -- message handlers, real-time features, permissions
- Implement full MessageHandler dispatch with all 18 incoming message types
- Add handler_messages.go: SendMessage, EditMessage, DeleteMessage with ownership checks
- Add handler_rooms.go: JoinConversation, LeaveConversation
- Add handler_history.go: FetchHistory (cursor-based), SearchMessages (ILIKE), SyncMessages
- Add handler_realtime.go: Typing, MarkAsRead, Delivered, AddReaction, RemoveReaction
- Add handler_calls.go: WebRTC signaling relay (CallOffer/Answer/ICE/Hangup/Reject)
- Add PermissionService: CanRead/CanSend/CanJoin/CanModerate based on room_members
- Add RateLimiter: per-user per-action sliding window (in-memory)
- Wire all dependencies in router.go setupChatWebSocket
2026-02-22 20:43:44 +01:00
senke
3baeef30dd feat(chat): Sprint 2 -- WebSocket hub, client, message types, route
- Create Hub with register/unregister/broadcast, room/user index
- Create Client with readPump/writePump goroutines, 30s ping keepalive
- Define all 18 incoming + 18 outgoing message types matching Rust protocol
- Add ValidateChatToken to ChatService for JWT validation
- Update WSUrl from /ws to /api/v1/ws
- Register GET /api/v1/ws endpoint in router
- Create ChatWebSocketHandler for WebSocket upgrade and auth
2026-02-22 20:41:39 +01:00
senke
2ee63b9b11 feat(chat): Sprint 1 -- migrations, models, repositories for chat rewrite
- Add migrations 109-112: read_receipts, delivered_status, message_reactions, messages extra columns
- Create ReadReceipt, DeliveredStatus, MessageReaction GORM models
- Update Message model with EditedAt, Status, IsPinned, Metadata fields
- Enrich ChatMessageRepository with cursor pagination, search, soft delete
- Create ReadReceiptRepository, DeliveredStatusRepository, ReactionRepository
- Create ChatPubSubService with Redis PubSub and in-memory fallback
2026-02-22 20:38:20 +01:00
senke
28136f2897 feat(v0.501): Sprint 5 -- integration, tests, and cleanup
- INT-01: Add E2E streaming tests (upload -> HLS auth)
- INT-02: Add E2E cloud tests (CRUD auth, public gear)
- INT-03: Split track/handler.go into 4 focused sub-handlers
- INT-04: Create migration squash script + MIGRATIONS.md
- INT-05: Add Trivy container image scanning CI workflow
- INT-06: Replace production console.log with structured logger
2026-02-22 18:40:07 +01:00
senke
bcc885327b feat(v0.501): Sprint 4 -- Cloud frontend + Gear advanced
- C1-09: Create CloudPage with folder tree, file list, and /cloud route
- C1-10: Create CloudUploadModal with drag-and-drop and progress
- C1-11: Create CloudFilePreview mini player inline
- C1-12: Add Cloud stories (loading, empty, populated, quota full)
- G1-01: Add is_public toggle, public gear endpoint, GearShowcase
- G1-02: Add gear image upload endpoints, GearImageGallery component
- G1-03: Add gear search with ILIKE + SearchBar in toolbar
- G1-04: Add stories for GearShowcase and GearImageGallery
2026-02-22 18:30:49 +01:00
senke
86a0978c28 feat(v0.501): Sprint 3 -- Cloud Storage MVP backend
- C1-01: Create CloudService with CRUD folders/files, quota, ownership
- C1-02: Create CloudHandler with 11 REST endpoints
- C1-03: Register cloud routes in Go router
- C1-04: Implement file streaming with HTTP Range support
- C1-05: Add publish cloud file as track endpoint
- C1-06: Add MSW mock handlers for cloud API
- C1-07: Auto-init 5GB storage quota on user registration
- C1-08: Add 12 unit tests for CloudService
2026-02-22 18:23:58 +01:00
senke
465aa9e008 feat(v0.501): Sprint 2 -- HLS production-ready
- S1-01: Add multi-bitrate streaming profiles (128k, 256k, 320k)
- S1-02: Update master.m3u8 endpoint with 3-tier quality system
- S1-03: Integrate hls.js with ABR + useHLSPlayer hook
- S1-04: Add Cache-Control headers on HLS segments and manifests
- S1-05: Create WaveformService with async generation (FFmpeg + audiowaveform)
- S1-06: Add GET /tracks/:id/waveform endpoint with Redis cache
- S1-07: Create WaveformDisplay component with story
- S1-08: Add 4 Prometheus metrics for streaming monitoring
2026-02-22 18:16:37 +01:00
senke
1797e5c32c feat(v0.501): Sprint 1 -- infrastructure foundations
- Add MinIO S3-compatible storage to docker-compose (dev, staging, prod)
- Create migrations 103-108 (waveform_url, user_folders, user_files,
  user_storage_quotas, gear_items.is_public, gear_images)
- Add Go models: UserFile, UserFolder, StorageQuota, GearImage
- Add WaveformURL to Track model, IsPublic + GearImages to GearItem model
2026-02-22 18:10:25 +01:00
senke
09dc20e965 refactor(websocket): replace gorilla/websocket with coder/websocket
INT-06: Migrated playback_websocket_handler.go from deprecated
gorilla/websocket to coder/websocket v1.8.14. Uses context-based
reads/writes and websocket.Accept instead of Upgrader.
2026-02-22 17:53:10 +01:00
senke
43536ea3f3 fix(tests): fix 2 skipped tests, add clear skip reasons to 11 others
INT-04: Fixed nil UserID panic in AuditService (re-enabled 2 tests).
Added INT-04 comments explaining skip reasons for tests requiring
PostgreSQL, real file headers, or external services.
2026-02-22 17:53:00 +01:00
senke
23791095ad test: add 5 cross-service E2E integration tests
INT-03: Tests for health endpoint, auth flow, track upload auth,
webhook HTTPS-only, and rate limit headers. Build-tagged
'integration' to avoid running in regular test suite.
2026-02-22 17:52:50 +01:00
senke
5258b9bf17 feat(streaming): trigger HLS transcoding after track upload
INT-02: TrackService.copyFileAsync now calls StreamService.StartProcessing
after successful file copy. Wires the stream server integration into
all track route registrations.
2026-02-22 17:52:39 +01:00
senke
0e095d9a54 refactor(backend): replace 40 fmt.Printf calls with zap structured logging
CLN-03: router.go, track/service.go, upload_validator.go, cors.go,
playlist_handler.go, and mfa.go now use zap.L() or local logger
for structured logging instead of fmt.Printf.
2026-02-22 17:44:38 +01:00
senke
05daed60df refactor: remove dead code (api_manager.go, unused templates)
CLN-01: Deleted archived api_manager.go (~789 LOC, build-tag ignore)
and dev-environment/templates/ (~806 LOC, never used by generator).
2026-02-22 17:44:19 +01:00
senke
9752a90dfb fix(security): hash password reset tokens before database storage
INF-10: Reset tokens are now SHA-256 hashed before INSERT. Validation
hashes the received token and compares against stored hash. Plain
tokens never persisted.
2026-02-22 17:36:10 +01:00
senke
eb92779df2 feat(security): implement Redis-backed rate limiter with in-memory fallback
INF-01: RedisRateLimiter uses atomic Lua script (INCR+EXPIRE) for
distributed rate limiting. Falls back to in-memory SimpleRateLimiter
when Redis is unavailable. Same X-RateLimit-* headers and 429 format.
2026-02-22 17:35:21 +01:00
senke
4409022d55 fix(build): unify Go version to 1.24 across Dockerfile and CI
SEC-09: go.mod declares Go 1.24.0 but Dockerfile.production used 1.23
and backend-ci.yml used 1.23. Aligned both to 1.24.
2026-02-22 17:32:17 +01:00
senke
4efd5d1d07 fix(security): require Hyperswitch webhook secret in production when payments enabled
SEC-08: If HYPERSWITCH_ENABLED=true in production, startup now fails
unless HYPERSWITCH_WEBHOOK_SECRET is set. This prevents webhook
signature verification from being silently bypassed.
2026-02-22 17:31:52 +01:00
senke
142d1576be fix(security): add SSRF protection for webhook URL registration
SEC-07: Strengthened ValidateWebhookURL to require HTTPS only (was
allowing HTTP). Private IP ranges, localhost, and cloud metadata
endpoints remain blocked.
2026-02-22 17:31:10 +01:00
senke
72d15f60b5 fix(security): add ownership check to GetUploadStatus handler (IDOR fix)
SEC-06: GetUploadStatus now verifies that the authenticated user owns the
upload before returning status. Returns 404 for non-owners to prevent
information disclosure.
2026-02-22 17:30:30 +01:00
senke
de5b3bc542 feat(auth): add ephemeral stream-token endpoint for HLS and WebSocket authentication
SEC-03: TokenStorage.getAccessToken() returns null with httpOnly cookies.
New POST /api/v1/auth/stream-token returns a 5-min JWT compatible with
both stream server (Claims struct) and chat server (JwtClaims struct).
Frontend hlsService and websocket updated to use fetchStreamToken() fallback.
2026-02-22 17:28:00 +01:00
senke
952520dd7f feat(marketplace): add license revoked_at migration 2026-02-22 16:18:01 +01:00
senke
bf57d58f5a feat(hyperswitch): add CreateRefund to client 2026-02-22 16:17:54 +01:00
senke
5b023ae895 chore(backend): add PDF library for invoices
feat(marketplace): add invoice generation service and download endpoint
2026-02-22 16:11:42 +01:00
senke
45cbc96fac feat(marketplace): add avg_rating and review_count to Product 2026-02-22 16:07:06 +01:00
senke
25eee5bf91 feat(marketplace): add create and list reviews endpoints 2026-02-22 16:06:18 +01:00
senke
578af84819 feat(marketplace): add ProductReview model and service 2026-02-22 16:05:16 +01:00
senke
c3b8d9198a feat(marketplace): add product_reviews migration 2026-02-22 16:04:14 +01:00
senke
afeec3ae65 fix(checkout): handle cancelled status in Hyperswitch webhook 2026-02-22 14:42:57 +01:00