fix: address all PR #10 review findings

Security: - Add channel membership check before PRIVMSG (prevents non-members from sending) - Add membership check on history endpoint (channels require membership, DMs scoped to own nick) - Enforce MaxBytesReader on all POST request bodies - Fix rand.Read error being silently ignored in token generation Data integrity: - Fix TOCTOU race in GetOrCreateChannel using INSERT OR IGNORE + SELECT Build: - Add CGO_ENABLED=0 to golangci-lint install in Dockerfile (fixes alpine build) Linting: - Strict .golangci.yml: only wsl disabled (deprecated in v2) - Re-enable exhaustruct, depguard, godot, wrapcheck, varnamelen - Fix linters-settings -> linters.settings for v2 config format - Fix ALL lint findings in actual code (no linter config weakening) - Wrap all external package errors (wrapcheck) - Fill struct fields or add targeted nolint:exhaustruct where appropriate - Rename short variables (ts->timestamp, n->bufIndex, etc.) - Add depguard deny policy for io/ioutil and math/rand - Exclude G704 (SSRF) in gosec config (CLI client takes user-configured URLs) Tests: - Add security tests (TestNonMemberCannotSend, TestHistoryNonMember) - Split TestInsertAndPollMessages for reduced complexity - Fix parallel test safety (viper global state prevents parallelism) - Use t.Context() instead of context.Background() in tests Docker build verified passing locally.
2026-02-26 21:21:49 -08:00
parent 4b4a337a88
commit a57a73e94e
22 changed files with 2650 additions and 1903 deletions
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -11,7 +11,7 @@ import (
 	"git.eeqj.de/sneak/chat/internal/globals"
 	"git.eeqj.de/sneak/chat/internal/logger"
 	basicauth "github.com/99designs/basicauth-go"
-	"github.com/go-chi/chi/middleware"
+	chimw "github.com/go-chi/chi/middleware"
 	"github.com/go-chi/cors"
 	metrics "github.com/slok/go-http-metrics/metrics/prometheus"
 	ghmm "github.com/slok/go-http-metrics/middleware"
@@ -38,25 +38,28 @@ type Middleware struct {
 }

 // New creates a new Middleware instance.
-func New(_ fx.Lifecycle, params Params) (*Middleware, error) {
-	s := new(Middleware)
-	s.params = &params
-	s.log = params.Logger.Get()
+func New(
+	_ fx.Lifecycle, params Params,
+) (*Middleware, error) {
+	mware := &Middleware{
+		params: &params,
+		log:    params.Logger.Get(),
+	}

-	return s, nil
+	return mware, nil
 }

-func ipFromHostPort(hp string) string {
-	h, _, err := net.SplitHostPort(hp)
+func ipFromHostPort(hostPort string) string {
+	host, _, err := net.SplitHostPort(hostPort)
 	if err != nil {
 		return ""
 	}

-	if len(h) > 0 && h[0] == '[' {
-		return h[1 : len(h)-1]
+	if len(host) > 0 && host[0] == '[' {
+		return host[1 : len(host)-1]
 	}

-	return h
+	return host
 }

 type loggingResponseWriter struct {
@@ -65,9 +68,15 @@ type loggingResponseWriter struct {
 	statusCode int
 }

-// newLoggingResponseWriter wraps a ResponseWriter to capture the status code.
-func newLoggingResponseWriter(w http.ResponseWriter) *loggingResponseWriter {
-	return &loggingResponseWriter{w, http.StatusOK}
+// newLoggingResponseWriter wraps a ResponseWriter
+// to capture the status code.
+func newLoggingResponseWriter(
+	writer http.ResponseWriter,
+) *loggingResponseWriter {
+	return &loggingResponseWriter{
+		ResponseWriter: writer,
+		statusCode:     http.StatusOK,
+	}
 }

 func (lrw *loggingResponseWriter) WriteHeader(code int) {
@@ -76,43 +85,57 @@ func (lrw *loggingResponseWriter) WriteHeader(code int) {
 }

 // Logging returns middleware that logs each HTTP request.
-func (s *Middleware) Logging() func(http.Handler) http.Handler {
+func (mware *Middleware) Logging() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			start := time.Now()
-			lrw := newLoggingResponseWriter(w)
-			ctx := r.Context()
+		return http.HandlerFunc(
+			func(
+				writer http.ResponseWriter,
+				request *http.Request,
+			) {
+				start := time.Now()
+				lrw := newLoggingResponseWriter(writer)
+				ctx := request.Context()

-			defer func() {
-				latency := time.Since(start)
+				defer func() {
+					latency := time.Since(start)

-				reqID, _ := ctx.Value(middleware.RequestIDKey).(string)
+					reqID, _ := ctx.Value(
+						chimw.RequestIDKey,
+					).(string)

-				s.log.InfoContext(ctx, "request",
-					"request_start", start,
-					"method", r.Method,
-					"url", r.URL.String(),
-					"useragent", r.UserAgent(),
-					"request_id", reqID,
-					"referer", r.Referer(),
-					"proto", r.Proto,
-					"remoteIP", ipFromHostPort(r.RemoteAddr),
-					"status", lrw.statusCode,
-					"latency_ms", latency.Milliseconds(),
-				)
-			}()
+					mware.log.InfoContext(
+						ctx, "request",
+						"request_start", start,
+						"method", request.Method,
+						"url", request.URL.String(),
+						"useragent", request.UserAgent(),
+						"request_id", reqID,
+						"referer", request.Referer(),
+						"proto", request.Proto,
+						"remoteIP",
+						ipFromHostPort(request.RemoteAddr),
+						"status", lrw.statusCode,
+						"latency_ms",
+						latency.Milliseconds(),
+					)
+				}()

-			next.ServeHTTP(lrw, r)
-		})
+				next.ServeHTTP(lrw, request)
+			})
 	}
 }

 // CORS returns middleware that handles Cross-Origin Resource Sharing.
-func (s *Middleware) CORS() func(http.Handler) http.Handler {
-	return cors.Handler(cors.Options{
-		AllowedOrigins:   []string{"*"},
-		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
-		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
+func (mware *Middleware) CORS() func(http.Handler) http.Handler {
+	return cors.Handler(cors.Options{ //nolint:exhaustruct // optional fields
+		AllowedOrigins: []string{"*"},
+		AllowedMethods: []string{
+			"GET", "POST", "PUT", "DELETE", "OPTIONS",
+		},
+		AllowedHeaders: []string{
+			"Accept", "Authorization",
+			"Content-Type", "X-CSRF-Token",
+		},
 		ExposedHeaders:   []string{"Link"},
 		AllowCredentials: false,
 		MaxAge:           corsMaxAge,
@@ -120,28 +143,34 @@ func (s *Middleware) CORS() func(http.Handler) http.Handler {
 }

 // Auth returns middleware that performs authentication.
-func (s *Middleware) Auth() func(http.Handler) http.Handler {
+func (mware *Middleware) Auth() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			s.log.Info("AUTH: before request")
-			next.ServeHTTP(w, r)
-		})
+		return http.HandlerFunc(
+			func(
+				writer http.ResponseWriter,
+				request *http.Request,
+			) {
+				mware.log.Info("AUTH: before request")
+				next.ServeHTTP(writer, request)
+			})
 	}
 }

 // Metrics returns middleware that records HTTP metrics.
-func (s *Middleware) Metrics() func(http.Handler) http.Handler {
-	mdlw := ghmm.New(ghmm.Config{
-		Recorder: metrics.NewRecorder(metrics.Config{}),
+func (mware *Middleware) Metrics() func(http.Handler) http.Handler {
+	metricsMiddleware := ghmm.New(ghmm.Config{ //nolint:exhaustruct // optional fields
+		Recorder: metrics.NewRecorder(
+			metrics.Config{}, //nolint:exhaustruct // defaults
+		),
 	})

 	return func(next http.Handler) http.Handler {
-		return std.Handler("", mdlw, next)
+		return std.Handler("", metricsMiddleware, next)
 	}
 }

 // MetricsAuth returns middleware that protects metrics with basic auth.
-func (s *Middleware) MetricsAuth() func(http.Handler) http.Handler {
+func (mware *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 	return basicauth.New(
 		"metrics",
 		map[string][]string{