24b29d229d
Security fixes implemented:
CRITICAL:
- CRIT-001: IDOR on chat rooms — added IsRoomMember check before
returning room data or message history (returns 404, not 403)
- CRIT-002: play_count/like_count exposed publicly — changed JSON
tags to "-" so they are never serialized in API responses
HIGH:
- HIGH-001: TOCTOU race on marketplace downloads — transaction +
SELECT FOR UPDATE on GetDownloadURL
- HIGH-002: HS256 in production docker-compose — replaced JWT_SECRET
with JWT_PRIVATE_KEY_PATH / JWT_PUBLIC_KEY_PATH (RS256)
- HIGH-003: context.Background() bypass in user repository — full
context propagation from handlers → services → repository (29 files)
- HIGH-004: Race condition on promo codes — SELECT FOR UPDATE
- HIGH-005: Race condition on exclusive licenses — SELECT FOR UPDATE
- HIGH-006: Rate limiter IP spoofing — SetTrustedProxies(nil) default
- HIGH-007: RGPD hard delete incomplete — added cleanup for sessions,
settings, follows, notifications, audit_logs anonymization
- HIGH-008: RTMP callback auth weak — fail-closed when unconfigured,
header-only (no query param), constant-time compare
- HIGH-009: Co-listening host hijack — UpdateHostState now takes *Conn
and verifies IsHost before processing
- HIGH-010: Moderator self-strike — added issuedBy != userID check
MEDIUM:
- MEDIUM-001: Recovery codes used math/rand — replaced with crypto/rand
- MEDIUM-005: Stream token forgeable — resolved by HIGH-002 (RS256)
Updated REMEDIATION_MATRIX: 14 findings marked ✅ CORRIGÉ.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
68 lines
4 KiB
Go
68 lines
4 KiB
Go
package models
|
|
|
|
import (
|
|
"time"
|
|
|
|
"github.com/google/uuid"
|
|
"github.com/lib/pq"
|
|
"gorm.io/gorm"
|
|
)
|
|
|
|
// Track représente une piste audio dans le système
|
|
// MIGRATION UUID: Completée. ID et UserID sont des UUIDs.
|
|
type Track struct {
|
|
ID uuid.UUID `gorm:"type:uuid;primaryKey" json:"id" db:"id"`
|
|
UserID uuid.UUID `gorm:"type:uuid;not null;column:creator_id" json:"creator_id" db:"creator_id"`
|
|
FileID *uuid.UUID `gorm:"type:uuid" json:"file_id,omitempty" db:"file_id"` // NULL temporairement avant création fichier
|
|
Title string `gorm:"not null;size:255" json:"title" db:"title"`
|
|
Artist string `gorm:"size:255" json:"artist" db:"artist"`
|
|
Album string `gorm:"size:255" json:"album" db:"album"`
|
|
Duration int `gorm:"not null" json:"duration" db:"duration"` // seconds
|
|
Genre string `gorm:"size:100" json:"genre" db:"genre"`
|
|
Tags pq.StringArray `gorm:"type:text[]" json:"tags,omitempty" db:"tags"`
|
|
Year int `gorm:"default:0" json:"year" db:"year"`
|
|
BPM *int `gorm:"column:bpm" json:"bpm,omitempty" db:"bpm"`
|
|
MusicalKey string `gorm:"size:10" json:"musical_key,omitempty" db:"musical_key"`
|
|
FilePath string `gorm:"not null;size:500" json:"file_path" db:"file_path"`
|
|
FileSize int64 `gorm:"not null" json:"file_size" db:"file_size"` // bytes
|
|
Format string `gorm:"size:10" json:"format" db:"format"` // mp3, flac, wav, etc.
|
|
Bitrate int `gorm:"default:0" json:"bitrate" db:"bitrate"` // kbps
|
|
SampleRate int `gorm:"default:0" json:"sample_rate" db:"sample_rate"` // Hz
|
|
WaveformPath string `gorm:"size:500" json:"waveform_path" db:"waveform_path"`
|
|
WaveformURL *string `gorm:"size:500" json:"waveform_url,omitempty" db:"waveform_url"`
|
|
CoverArtPath string `gorm:"size:500" json:"cover_art_path" db:"cover_art_path"`
|
|
IsPublic bool `gorm:"default:true" json:"is_public" db:"is_public"`
|
|
Status TrackStatus `gorm:"default:'uploading'" json:"status" db:"status"`
|
|
StatusMessage string `gorm:"type:text" json:"status_message,omitempty" db:"status_message"`
|
|
StreamStatus string `gorm:"default:'pending'" json:"stream_status" db:"stream_status"` // pending, processing, ready, error
|
|
StreamManifestURL string `gorm:"size:500" json:"stream_manifest_url" db:"stream_manifest_url"`
|
|
// SECURITY(CRIT-002): play_count and like_count are PRIVATE — visible only to the creator
|
|
// in their analytics dashboard. Never exposed in public API responses.
|
|
// Ref: CLAUDE.md rule #4, ORIGIN_UI_UX_SYSTEM.md §13
|
|
PlayCount int64 `gorm:"default:0" json:"-" db:"play_count"`
|
|
LikeCount int64 `gorm:"default:0" json:"-" db:"like_count"`
|
|
CreatedAt time.Time `gorm:"autoCreateTime" json:"created_at" db:"created_at"`
|
|
UpdatedAt time.Time `gorm:"autoUpdateTime" json:"updated_at" db:"updated_at"`
|
|
DeletedAt gorm.DeletedAt `json:"-" db:"deleted_at"`
|
|
|
|
// Relations
|
|
User User `gorm:"foreignKey:UserID;constraint:OnDelete:CASCADE" json:"-"`
|
|
Playlists []Playlist `gorm:"many2many:playlist_tracks;" json:"-"`
|
|
Likes []TrackLike `gorm:"foreignKey:TrackID;constraint:OnDelete:CASCADE" json:"-"`
|
|
Shares []TrackShare `gorm:"foreignKey:TrackID;constraint:OnDelete:CASCADE" json:"-"`
|
|
Versions []TrackVersion `gorm:"foreignKey:TrackID;constraint:OnDelete:CASCADE" json:"-"`
|
|
HLSStreams []HLSStream `gorm:"foreignKey:TrackID;constraint:OnDelete:CASCADE" json:"-"`
|
|
}
|
|
|
|
// TableName définit le nom de la table pour GORM
|
|
func (Track) TableName() string {
|
|
return "tracks"
|
|
}
|
|
|
|
// BeforeCreate hook GORM pour générer UUID si non défini
|
|
func (m *Track) BeforeCreate(tx *gorm.DB) error {
|
|
if m.ID == uuid.Nil {
|
|
m.ID = uuid.New()
|
|
}
|
|
return nil
|
|
}
|