senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/veza-backend-api/internal/middleware
History
senke dda71cad80 fix(middleware): bypass response cache for range-aware media endpoints 
Surfaced by the v1.0.5 browser smoke test. ResponseCache captures the
entire body into a bytes.Buffer, JSON-serializes it (escaping non-UTF-8
bytes), and replays via c.Data for subsequent hits. For audio/video
streams this has two failure modes:

  1. Range headers are never honored — the cache replays the *full body*
     on every request, strips the Accept-Ranges header, and leaves the
     <audio> element unable to seek. The smoke test caught this when a
     `Range: bytes=100-299` request got back 200 OK with 48944 bytes
     instead of 206 Partial Content with 200 bytes.
  2. Non-UTF-8 bytes get escaped through the JSON round-trip (`\uFFFD`
     substitution etc.), corrupting the MP3 payload so even full plays
     can fail mid-stream.

Minimum-invasive fix: skip the cache entirely for any path containing
`/stream`, `/download`, or `/hls/`, and for any request that carries a
`Range` header (belt-and-suspenders for any future media endpoint). All
other anonymous GETs keep their 5-minute TTL.

Verified live: `GET /api/v1/tracks/:id/stream` returns
  - full: 200 OK, Accept-Ranges: bytes, Content-Length matches disk,
    body MD5 matches source file byte-for-byte
  - range: 206 Partial Content, Content-Range: bytes 100-299/48944,
    exactly 200 bytes
Browser <audio> plays end-to-end with currentTime progressing from 0 to
duration and seek to 1.5s succeeding (readyState=4, no error).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 16:13:02 +02:00
..
api_key_rate_limiter.go style(backend): gofmt -w on 85 files (whitespace only) 2026-04-14 12:22:14 +02:00
api_key_rate_limiter_test.go feat(v0.12.8): documentation & API publique — rate limiting, scopes, OpenAPI 2026-03-12 18:44:09 +01:00
api_key_scope.go style(backend): gofmt -w on 85 files (whitespace only) 2026-04-14 12:22:14 +02:00
api_key_scope_test.go feat(v0.12.8): documentation & API publique — rate limiting, scopes, OpenAPI 2026-03-12 18:44:09 +01:00
audit.go feat(audit): HTTP audit middleware for auto-logging POST/PUT/DELETE 2026-02-25 19:48:03 +01:00
audit_test.go feat(audit): HTTP audit middleware for auto-logging POST/PUT/DELETE 2026-02-25 19:48:03 +01:00
auth.go feat(v0.12.6.2): enforce MFA for admin/moderator + align refresh token TTL to 7 days 2026-03-12 06:53:27 +01:00
auth_middleware_test.go fix(v0.12.6.1): remediate 2 CRITICAL + 10 HIGH + 1 MEDIUM pentest findings 2026-03-12 05:40:53 +01:00
cache_headers.go style(backend): gofmt -w on 85 files (whitespace only) 2026-04-14 12:22:14 +02:00
cache_headers_test.go style(backend): gofmt -w on 85 files (whitespace only) 2026-04-14 12:22:14 +02:00
captcha.go feat(v0.13.0): conformité features partielles — CAPTCHA, password history, login history, SMS 2FA 2026-03-12 09:31:50 +01:00
captcha_test.go style(backend): gofmt -w on 85 files (whitespace only) 2026-04-14 12:22:14 +02:00
ccpa.go feat(compliance): CCPA Do Not Sell middleware and opt-out endpoint 2026-02-25 19:49:25 +01:00
ccpa_test.go test(v0.803): unit tests for CCPA, reports, announcements, feature flags 2026-02-25 20:02:24 +01:00
context_propagation.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
cors.go refactor(backend): replace 40 fmt.Printf calls with zap structured logging 2026-02-22 17:44:38 +01:00
cors_test.go chore(v0.102): consolidate remaining changes — docs, frontend, backend 2026-02-20 13:02:12 +01:00
csrf.go v0.9.8 2026-03-06 19:13:16 +01:00
csrf_integration_test.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
endpoint_limiter.go feat: backend, stream server & infra improvements 2026-03-18 11:36:06 +01:00
error_handler.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
error_handler_metrics_test.go refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
error_handler_structured_test.go refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
error_handler_test.go refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
general.go [INT-020] int: Add API endpoint deprecation strategy 2025-12-25 15:51:14 +01:00
maintenance.go fix(middleware): persist maintenance flag via platform_settings table 2026-04-16 14:57:06 +02:00
maintenance_test.go fix(middleware): persist maintenance flag via platform_settings table 2026-04-16 14:57:06 +02:00
metrics.go fix(backend-tests): enable room_handler_test and resolve metric collisions 2025-12-06 12:53:15 +01:00
metrics_protection.go fix(v0.12.6.1): remediate remaining 15 MEDIUM + LOW pentest findings 2026-03-12 06:13:38 +01:00
metrics_protection_test.go v0.9.2 2026-03-05 19:27:34 +01:00
metrics_test.go report generation and future tasks selection 2025-12-08 19:57:54 +01:00
mfa_enforcement_test.go feat(v0.12.6.2): enforce MFA for admin/moderator + align refresh token TTL to 7 days 2026-03-12 06:53:27 +01:00
monitoring.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
ownership_integration_test.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
playlist_permission.go stabilizing apps/web: THIRD BATCH - FIXED Playwright 2025-12-21 18:55:51 -05:00
playlist_permission_test.go stabilizing apps/web: THIRD BATCH - FIXED Playwright 2025-12-21 18:55:51 -05:00
rate_limit_login_test.go chore(v0.102): consolidate remaining changes — docs, frontend, backend 2026-02-20 13:02:12 +01:00
rate_limiter.go feat: backend, stream server & infra improvements 2026-03-18 11:36:06 +01:00
rate_limiting_integration_test.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
ratelimit.go feat: backend, stream server & infra improvements 2026-03-18 11:36:06 +01:00
ratelimit_redis.go v0.9.8 2026-03-06 19:13:16 +01:00
ratelimit_test.go adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
rbac_auth_middleware_test.go feat(security): v0.901 Ironclad - fix 5 critical/high vulnerabilities 2026-02-26 19:34:45 +01:00
rbac_middleware.go stabilizing apps/web: THIRD BATCH - FIXED Playwright 2025-12-21 18:55:51 -05:00
rbac_middleware_test.go [T0-002] fix(rust): Corriger erreurs compilation Rust 2026-01-04 01:44:20 +01:00
recovery.go stabilizing veza-backend-api: phase 1 2025-12-16 11:23:49 -05:00
recovery_env_test.go stabilizing veza-backend-api: phase 1 2025-12-16 11:23:49 -05:00
recovery_test.go stabilizing veza-backend-api: phase 1 2025-12-16 11:23:49 -05:00
request_id.go adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
request_id_test.go adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
request_logger.go v0.9.8 2026-03-06 19:13:16 +01:00
request_logger_test.go adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
response_cache.go fix(middleware): bypass response cache for range-aware media endpoints 2026-04-16 16:13:02 +02:00
response_cache_test.go feat(v0.12.4): Redis response cache and CDN cache headers middleware 2026-03-11 09:57:06 +01:00
security_headers.go style(backend): gofmt -w on 85 files (whitespace only) 2026-04-14 12:22:14 +02:00
security_headers_test.go [FE-PAGE-001] fe-page: Complete Dashboard page implementation 2025-12-24 12:35:38 +01:00
sentry_recover.go STABILISATION: phase 3–5 – API contract, tests & chat-server hardening 2025-12-06 17:21:59 +01:00
stream_callback_auth.go Phase 2 stabilisation: code mort, Modal→Dialog, feature flags, tests, router split, Rust legacy 2026-02-14 17:23:32 +01:00
timeout.go refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
timeout_goroutine_test.go refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
timeout_test.go refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
tracing.go [BE-SVC-018] be-svc: Implement request tracing 2025-12-24 17:05:32 +01:00
tracing_test.go [T0-002] fix(rust): Corriger erreurs compilation Rust 2026-01-04 01:44:20 +01:00
upload_rate_limit_test.go adding initial backend API (Go) 2025-12-03 20:29:37 +01:00
user_rate_limiter.go v0.9.8 2026-03-06 19:13:16 +01:00
validation.go v0.9.4 2026-03-05 23:03:43 +01:00
validation_test.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00
versioning.go v0.9.8 2026-03-06 19:13:16 +01:00
webhook_api_key.go incus deployement fully implemented, Makefile updated and make fmt ran 2026-01-13 19:47:57 +01:00