senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
2358 commits 37 branches 94 tags 1.5 GiB
Commit graph

10 commits

Author SHA1 Message Date
senke
9cd0da0046 fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files 
CRITICAL fixes:
- Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002)
- IDOR on analytics endpoint — ownership check enforced (CRITICAL-003)
- CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004)
- Mass assignment on user self-update — strip privileged fields (CRITICAL-005)

HIGH fixes:
- Path traversal in marketplace upload — UUID filenames (HIGH-001)
- IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002)
- Popularity metrics (followers, likes) set to json:"-" (HIGH-003)
- bcrypt cost hardened to 12 everywhere (HIGH-004)
- Refresh token lock made mandatory (HIGH-005)
- Stream token replay prevention with access_count (HIGH-006)
- Subscription trial race condition fixed (HIGH-007)
- License download expiration check (HIGH-008)
- Webhook amount validation (HIGH-009)
- pprof endpoint removed from production (HIGH-010)

MEDIUM fixes:
- WebSocket message size limit 64KB (MEDIUM-010)
- HSTS header in nginx production (MEDIUM-001)
- CORS origin restricted in nginx-rtmp (MEDIUM-002)
- Docker alpine pinned to 3.21 (MEDIUM-003/004)
- Redis authentication enforced (MEDIUM-005)
- GDPR account deletion expanded (MEDIUM-006)
- .gitignore hardened (MEDIUM-007)

LOW/INFO fixes:
- GitHub Actions SHA pinning on all workflows (LOW-001)
- .env.example security documentation (INFO-001)
- Production CORS set to HTTPS (LOW-002)

All tests pass. Go and Rust compile clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-14 00:44:46 +01:00
senke
2ed2bb9dcf v0.9.4 2026-03-05 23:03:43 +01:00
senke
3f56e49791 feat(compliance): CCPA Do Not Sell middleware and opt-out endpoint 2026-02-25 19:49:25 +01:00
senke
d161a3739d feat(users): add user_preferences migration with appearance fields 2026-02-25 09:45:03 +01:00
senke
76d95ecfb4 incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
senke
b28d0e7eac [T0-006] test(backend): Ajout tests pour frontend_log_handler 
- Tests complets pour frontend_log_handler.go (12 tests)
- Tests couvrent NewFrontendLogHandler et ReceiveLog
- Tests pour tous les niveaux de log (DEBUG, INFO, WARN, ERROR)
- Tests pour gestion des erreurs et validation JSON
- Couverture actuelle: 30.6% (objectif: 80%)

Files: veza-backend-api/internal/handlers/frontend_log_handler_test.go
       VEZA_ROADMAP.json
Hours: 16 estimated, 23 actual
 2026-01-04 01:44:22 +01:00
senke
6a4d70dc6e [T0-006] test(backend): Ajout tests handlers user - Progression couverture 
- Tests complets pour handlers user (16 tests, tous passent)
- Interface UserServiceInterface créée pour permettre mock dans tests
- Interface DataExportServiceInterface créée pour tests
- Couverture actuelle: 30.7% (objectif: 80%, +0.9%)

Files:
- veza-backend-api/internal/api/user/handler.go (modifié)
- veza-backend-api/internal/api/user/handler_test.go (créé)
- VEZA_ROADMAP.json (mis à jour)

Hours: 16 estimated, 6 actual (travail en cours)
 2026-01-04 01:44:21 +01:00
senke
b8adaf8935 [BE-SVC-022] be-svc: Implement data export service 
- Created DataExportService for comprehensive user data export (GDPR compliance)
- Exports all user data: profile, settings, tracks, playlists, comments, likes, analytics, federated identities, roles
- Added ExportUserData method to retrieve all user data from database
- Added ExportUserDataAsJSON method to export as downloadable JSON file
- Added endpoint GET /api/v1/users/me/export that returns JSON file download
- Comprehensive unit tests for export service
- Proper error handling and logging

Phase: PHASE-6
Priority: P2
Progress: 118/267 (44.19%)
 2025-12-24 18:01:00 +01:00
senke
2dfde29f7d refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
okinrev
2425c15b09 adding initial backend API (Go) 2025-12-03 20:29:37 +01:00