senke/veza - Talas Project: Beyond coding. We Forge.

senke/veza

Fork 0

Commit graph

Author	SHA1	Message	Date
senke	ebb28c77a0	fix(backend): J4 — GDPR-compliant hard delete with Redis and ES cleanup Some checks failed Veza CI / Notify on failure (push) Blocked by required conditions Details Backend API CI / test-unit (push) Failing after 14m36s Details Backend API CI / test-integration (push) Failing after 18m52s Details Veza CI / Frontend (Web) (push) Has been cancelled Details Veza CI / Rust (Stream Server) (push) Has been cancelled Details Veza CI / Backend (Go) (push) Has been cancelled Details Security Scan / Secret Scanning (gitleaks) (push) Has been cancelled Details Closes TODO(HIGH-007). When the hard-delete worker anonymizes a user past their recovery deadline, it now also cleans the user's residual data from Redis and Elasticsearch, not just PostgreSQL. Without this, a user who invoked their right to erasure would still appear in cached feed/profile responses and in ES search results for up to the next reindex cycle. Worker changes (internal/workers/hard_delete_worker.go): WithRedis / WithElasticsearch builder methods inject the clients. Both are optional: if either is nil (feature disabled or unreachable), the corresponding cleanup is skipped with a debug log and the worker keeps going. Partial progress beats panic. cleanRedisKeys uses SCAN with a cursor loop (COUNT 100), NEVER KEYS — KEYS would block the Redis server on multi-million-key deployments. Pattern is user:{id}:. Transient SCAN errors retry up to 3 times with 100ms retry linear backoff; persistent errors return without panic. DEL errors on a batch are logged but non-fatal so subsequent batches are still attempted. cleanESDocs hits three indices independently: - users index: DELETE doc by _id (the user UUID); 404 treated as success (already gone = desired state) - tracks index: DeleteByQuery with a terms filter on _id, using the list of track IDs collected from PostgreSQL BEFORE anonymization - playlists index: same pattern as tracks A failure on one index does not prevent the others from being tried; the first error is returned so the caller can log. Track/playlist IDs are pre-collected (collectTrackIDs, collectPlaylistIDs) before the UPDATE anonymization runs, because the anonymization does NOT cascade (no DELETE on users), so tracks and playlists rows remain with their creator_id / user_id intact and resolvable at query time. Wiring (cmd/api/main.go): The worker now receives cfg.RedisClient directly, and an optional ES client built from elasticsearch.LoadConfig() + NewClient. If ES is disabled or unreachable at startup, the worker logs a warning and proceeds with Redis-only cleanup. Tests (internal/workers/hard_delete_worker_test.go, +260 lines): Pure-function unit tests: - TestUUIDsToStrings - TestEsIndexNameFor Nil-client safety tests: - TestCleanRedisKeys_NilClientIsNoop - TestCleanESDocs_NilClientIsNoop ES mock-server tests (httptest.Server mimicking /_doc and /_delete_by_query endpoints with valid ES 8.11 responses): - TestCleanESDocs_CallsAllThreeIndices — verifies the three expected HTTP calls land with the right paths and request bodies containing the provided UUIDs - TestCleanESDocs_SkipsEmptyIDLists — verifies no DeleteByQuery is issued when the ID lists are empty Redis testcontainer integration test (gated by VEZA_SKIP_INTEGRATION): - TestCleanRedisKeys_Integration — seeds 154 keys (4 fixed + 150 bulk to force the SCAN loop past a single batch) plus 4 unrelated keys from another user / global, runs cleanRedisKeys, asserts all 154 own keys are gone and all 4 unrelated keys remain. Verification: go build ./... OK go vet ./... OK VEZA_SKIP_INTEGRATION=1 go test ./internal/workers/... short OK go test ./internal/workers/ -run TestCleanRedisKeys_Integration → testcontainers spins redis:7-alpine, test passes in 1.34s Out of J4 scope (noted for a follow-up): - No "activity" ES index exists in the codebase today (the audit plan mentioned it as a possible target). The three real indices with user data — users, tracks, playlists — are all now cleaned. - Track artist strings (free-form) may still contain the user's display name as a cached value in the tracks index after this cleanup. Actual user-owned tracks are deleted here, but if a third party's track referenced the removed user in its artist field, that reference is not touched. Strict RGPD on that edge case is a separate ticket. Refs: AUDIT_REPORT.md §8.5, §10 P5, §12 item 1	2026-04-15 12:25:39 +02:00
senke	71c15c2590	fix(v0.12.6.1): remediate 2 CRITICAL + 10 HIGH + 1 MEDIUM pentest findings Security fixes implemented: CRITICAL: - CRIT-001: IDOR on chat rooms — added IsRoomMember check before returning room data or message history (returns 404, not 403) - CRIT-002: play_count/like_count exposed publicly — changed JSON tags to "-" so they are never serialized in API responses HIGH: - HIGH-001: TOCTOU race on marketplace downloads — transaction + SELECT FOR UPDATE on GetDownloadURL - HIGH-002: HS256 in production docker-compose — replaced JWT_SECRET with JWT_PRIVATE_KEY_PATH / JWT_PUBLIC_KEY_PATH (RS256) - HIGH-003: context.Background() bypass in user repository — full context propagation from handlers → services → repository (29 files) - HIGH-004: Race condition on promo codes — SELECT FOR UPDATE - HIGH-005: Race condition on exclusive licenses — SELECT FOR UPDATE - HIGH-006: Rate limiter IP spoofing — SetTrustedProxies(nil) default - HIGH-007: RGPD hard delete incomplete — added cleanup for sessions, settings, follows, notifications, audit_logs anonymization - HIGH-008: RTMP callback auth weak — fail-closed when unconfigured, header-only (no query param), constant-time compare - HIGH-009: Co-listening host hijack — UpdateHostState now takes *Conn and verifies IsHost before processing - HIGH-010: Moderator self-strike — added issuedBy != userID check MEDIUM: - MEDIUM-001: Recovery codes used math/rand — replaced with crypto/rand - MEDIUM-005: Stream token forgeable — resolved by HIGH-002 (RS256) Updated REMEDIATION_MATRIX: 14 findings marked ✅ CORRIGÉ. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-12 05:40:53 +01:00
senke	f2881ad865	feat(gdpr): v0.10.8 portabilité données - export ZIP async, suppression compte, hard delete cron Some checks failed Backend API CI / test-unit (push) Failing after 1s Details Frontend CI / test (push) Failing after 3s Details Storybook Audit / Build & audit Storybook (push) Failing after 2s Details Backend API CI / test-integration (push) Failing after 6s Details - Export: table data_exports, POST /me/export (202), GET /me/exports, messages+playback_history - Notification email quand ZIP prêt, rate limit 3/jour - Suppression: keep_public_tracks, anonymisation PII complète (users, user_profiles) - HardDeleteWorker: final anonymization après 30 jours - Frontend: POST export, checkbox keep_public_tracks - MSW handlers pour Storybook	2026-03-10 13:57:04 +01:00

Author

SHA1

Message

Date

senke

ebb28c77a0

fix(backend): J4 — GDPR-compliant hard delete with Redis and ES cleanup

Veza CI / Notify on failure (push) Blocked by required conditions

Details

Backend API CI / test-unit (push) Failing after 14m36s

Details

Backend API CI / test-integration (push) Failing after 18m52s

Details

Veza CI / Frontend (Web) (push) Has been cancelled

Details

Veza CI / Rust (Stream Server) (push) Has been cancelled

Details

Veza CI / Backend (Go) (push) Has been cancelled

Details

Security Scan / Secret Scanning (gitleaks) (push) Has been cancelled

Details

Closes TODO(HIGH-007). When the hard-delete worker anonymizes a user past
their recovery deadline, it now also cleans the user's residual data from
Redis and Elasticsearch, not just PostgreSQL. Without this, a user who
invoked their right to erasure would still appear in cached feed/profile
responses and in ES search results for up to the next reindex cycle.

Worker changes (internal/workers/hard_delete_worker.go):

  WithRedis / WithElasticsearch builder methods inject the clients. Both
  are optional: if either is nil (feature disabled or unreachable), the
  corresponding cleanup is skipped with a debug log and the worker keeps
  going. Partial progress beats panic.

  cleanRedisKeys uses SCAN with a cursor loop (COUNT 100), NEVER KEYS —
  KEYS would block the Redis server on multi-million-key deployments.
  Pattern is user:{id}:*. Transient SCAN errors retry up to 3 times with
  100ms * retry linear backoff; persistent errors return without panic.
  DEL errors on a batch are logged but non-fatal so subsequent batches
  are still attempted.

  cleanESDocs hits three indices independently:
    - users index: DELETE doc by _id (the user UUID); 404 treated as
      success (already gone = desired state)
    - tracks index: DeleteByQuery with a terms filter on _id, using the
      list of track IDs collected from PostgreSQL BEFORE anonymization
    - playlists index: same pattern as tracks
  A failure on one index does not prevent the others from being tried;
  the first error is returned so the caller can log.

  Track/playlist IDs are pre-collected (collectTrackIDs, collectPlaylistIDs)
  before the UPDATE anonymization runs, because the anonymization does NOT
  cascade (no DELETE on users), so tracks and playlists rows remain with
  their creator_id / user_id intact and resolvable at query time.

Wiring (cmd/api/main.go):

  The worker now receives cfg.RedisClient directly, and an optional ES
  client built from elasticsearch.LoadConfig() + NewClient. If ES is
  disabled or unreachable at startup, the worker logs a warning and
  proceeds with Redis-only cleanup.

Tests (internal/workers/hard_delete_worker_test.go, +260 lines):

  Pure-function unit tests:
    - TestUUIDsToStrings
    - TestEsIndexNameFor
  Nil-client safety tests:
    - TestCleanRedisKeys_NilClientIsNoop
    - TestCleanESDocs_NilClientIsNoop
  ES mock-server tests (httptest.Server mimicking /_doc and
  /_delete_by_query endpoints with valid ES 8.11 responses):
    - TestCleanESDocs_CallsAllThreeIndices — verifies the three expected
      HTTP calls land with the right paths and request bodies containing
      the provided UUIDs
    - TestCleanESDocs_SkipsEmptyIDLists — verifies no DeleteByQuery is
      issued when the ID lists are empty
  Redis testcontainer integration test (gated by VEZA_SKIP_INTEGRATION):
    - TestCleanRedisKeys_Integration — seeds 154 keys (4 fixed + 150 bulk
      to force the SCAN loop past a single batch) plus 4 unrelated keys
      from another user / global, runs cleanRedisKeys, asserts all 154
      own keys are gone and all 4 unrelated keys remain.

Verification:
  go build ./...                                                OK
  go vet ./...                                                  OK
  VEZA_SKIP_INTEGRATION=1 go test ./internal/workers/... short  OK
  go test ./internal/workers/ -run TestCleanRedisKeys_Integration
    → testcontainers spins redis:7-alpine, test passes in 1.34s

Out of J4 scope (noted for a follow-up):
  - No "activity" ES index exists in the codebase today (the audit plan
    mentioned it as a possible target). The three real indices with user
    data — users, tracks, playlists — are all now cleaned.
  - Track artist strings (free-form) may still contain the user's
    display name as a cached value in the tracks index after this
    cleanup. Actual user-owned tracks are deleted here, but if a third
    party's track referenced the removed user in its artist field, that
    reference is not touched. Strict RGPD on that edge case is a
    separate ticket.

Refs: AUDIT_REPORT.md §8.5, §10 P5, §12 item 1

2026-04-15 12:25:39 +02:00

senke

71c15c2590

fix(v0.12.6.1): remediate 2 CRITICAL + 10 HIGH + 1 MEDIUM pentest findings

Security fixes implemented:

CRITICAL:
- CRIT-001: IDOR on chat rooms — added IsRoomMember check before
  returning room data or message history (returns 404, not 403)
- CRIT-002: play_count/like_count exposed publicly — changed JSON
  tags to "-" so they are never serialized in API responses

HIGH:
- HIGH-001: TOCTOU race on marketplace downloads — transaction +
  SELECT FOR UPDATE on GetDownloadURL
- HIGH-002: HS256 in production docker-compose — replaced JWT_SECRET
  with JWT_PRIVATE_KEY_PATH / JWT_PUBLIC_KEY_PATH (RS256)
- HIGH-003: context.Background() bypass in user repository — full
  context propagation from handlers → services → repository (29 files)
- HIGH-004: Race condition on promo codes — SELECT FOR UPDATE
- HIGH-005: Race condition on exclusive licenses — SELECT FOR UPDATE
- HIGH-006: Rate limiter IP spoofing — SetTrustedProxies(nil) default
- HIGH-007: RGPD hard delete incomplete — added cleanup for sessions,
  settings, follows, notifications, audit_logs anonymization
- HIGH-008: RTMP callback auth weak — fail-closed when unconfigured,
  header-only (no query param), constant-time compare
- HIGH-009: Co-listening host hijack — UpdateHostState now takes *Conn
  and verifies IsHost before processing
- HIGH-010: Moderator self-strike — added issuedBy != userID check

MEDIUM:
- MEDIUM-001: Recovery codes used math/rand — replaced with crypto/rand
- MEDIUM-005: Stream token forgeable — resolved by HIGH-002 (RS256)

Updated REMEDIATION_MATRIX: 14 findings marked ✅ CORRIGÉ.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-12 05:40:53 +01:00

senke

f2881ad865

feat(gdpr): v0.10.8 portabilité données - export ZIP async, suppression compte, hard delete cron

Backend API CI / test-unit (push) Failing after 1s

Details

Frontend CI / test (push) Failing after 3s

Details

Storybook Audit / Build & audit Storybook (push) Failing after 2s

Details

Backend API CI / test-integration (push) Failing after 6s

Details

- Export: table data_exports, POST /me/export (202), GET /me/exports, messages+playback_history
- Notification email quand ZIP prêt, rate limit 3/jour
- Suppression: keep_public_tracks, anonymisation PII complète (users, user_profiles)
- HardDeleteWorker: final anonymization après 30 jours
- Frontend: POST export, checkbox keep_public_tracks
- MSW handlers pour Storybook

2026-03-10 13:57:04 +01:00

3 commits