feat: add Content-Security-Policy header for embedded web SPA

Set CSP header on all SPA-served responses to provide defense-in-depth
against XSS. The policy restricts scripts, styles, and all other
resource types to same-origin only, matching the SPA's actual behavior
(external CSS/JS files, same-origin fetch API calls, no WebSockets or
external resources).

README.md

@@ -249,8 +249,8 @@ Key properties:
 - **Ordered**: Queue entries have monotonically increasing IDs. Messages are
   always delivered in order within a client's queue.
 - **No delivery/read receipts** for channel messages. DM receipts are planned.
-- **Client output queue depth**: Server-configurable via `QUEUE_MAX_AGE`.
+- **Queue depth**: Server-configurable via `QUEUE_MAX_AGE`. Default is 48
-  Default is 30 days. Entries older than this are pruned.
+  hours. Entries older than this are pruned.
 
 ### Long-Polling
 
@@ -1624,10 +1624,6 @@ authenticity.
   termination.
 - **CORS**: The server allows all origins by default (`Access-Control-Allow-Origin: *`).
   Restrict this in production via reverse proxy configuration if needed.
-- **Content-Security-Policy**: The server sets a strict CSP header on all
-  responses, restricting resource loading to same-origin and disabling
-  dangerous features (object embeds, framing, base tag injection). The
-  embedded SPA works without `'unsafe-inline'` for scripts or styles.
 
 ---
 
@@ -1788,14 +1784,14 @@ skew issues) and simpler than UUIDs (integer comparison vs. string comparison).
 
 ### Data Lifecycle
 
-- **Messages**: Pruned automatically when older than `MESSAGE_MAX_AGE`
+- **Messages**: Stored indefinitely in the current implementation. Rotation
-  (default 30 days).
+  per `MAX_HISTORY` is planned.
-- **Client output queue entries**: Pruned automatically when older than
+- **Queue entries**: Stored until pruned. Pruning by `QUEUE_MAX_AGE` is
-  `QUEUE_MAX_AGE` (default 30 days).
+  planned.
 - **Channels**: Deleted when the last member leaves (ephemeral).
 - **Users/sessions**: Deleted on `QUIT` or `POST /api/v1/logout`. Idle
   sessions are automatically expired after `SESSION_IDLE_TIMEOUT` (default
-  30 days) — the server runs a background cleanup loop that parts idle users
+  24h) — the server runs a background cleanup loop that parts idle users
   from all channels, broadcasts QUIT, and releases their nicks.
 
 ---
@@ -1812,9 +1808,9 @@ directory is also loaded automatically via
 | `PORT`             | int     | `8080`                               | HTTP listen port |
 | `DBURL`            | string  | `file:///var/lib/neoirc/state.db?_journal_mode=WAL` | SQLite connection string. For file-based: `file:///path/to/db.db?_journal_mode=WAL`. For in-memory (testing): `file::memory:?cache=shared`. |
 | `DEBUG`            | bool    | `false`                              | Enable debug logging (verbose request/response logging) |
-| `MESSAGE_MAX_AGE`  | string  | `720h`                               | Maximum age of messages as a Go duration string (e.g. `720h`, `24h`). Messages older than this are pruned. Default is 30 days. |
+| `MAX_HISTORY`      | int     | `10000`                              | Maximum messages retained per channel before rotation (planned) |
-| `SESSION_IDLE_TIMEOUT` | string | `720h`                           | Session idle timeout as a Go duration string (e.g. `720h`, `24h`). Sessions with no activity for this long are expired and the nick is released. Default is 30 days. |
+| `SESSION_IDLE_TIMEOUT` | string | `24h`                            | Session idle timeout as a Go duration string (e.g. `24h`, `30m`). Sessions with no activity for this long are expired and the nick is released. |
-| `QUEUE_MAX_AGE`    | string  | `720h`                               | Maximum age of client output queue entries as a Go duration string (e.g. `720h`, `24h`). Entries older than this are pruned. Default is 30 days. |
+| `QUEUE_MAX_AGE`    | int     | `172800`                             | Maximum age of client queue entries in seconds (48h). Entries older than this are pruned (planned). |
 | `MAX_MESSAGE_SIZE` | int     | `4096`                               | Maximum message body size in bytes (planned enforcement) |
 | `LONG_POLL_TIMEOUT`| int     | `15`                                 | Default long-poll timeout in seconds (client can override via query param, server caps at 30) |
 | `MOTD`             | string  | `""`                                 | Message of the day, shown to clients via `GET /api/v1/server` |
@@ -1833,7 +1829,7 @@ SERVER_NAME=My NeoIRC Server
 MOTD=Welcome! Be excellent to each other.
 DEBUG=false
 DBURL=file:///var/lib/neoirc/state.db?_journal_mode=WAL
-SESSION_IDLE_TIMEOUT=720h
+SESSION_IDLE_TIMEOUT=24h
 ```
 
 ---
@@ -2228,8 +2224,8 @@ GET /api/v1/challenge
 ### Post-MVP (Planned)
 
 - [ ] **Hashcash proof-of-work** for session creation (abuse prevention)
-- [x] **Client output queue pruning** — delete old client output queue entries per `QUEUE_MAX_AGE`
+- [ ] **Queue pruning** — delete old queue entries per `QUEUE_MAX_AGE`
-- [x] **Message rotation** — prune messages older than `MESSAGE_MAX_AGE`
+- [ ] **Message rotation** — enforce `MAX_HISTORY` per channel
 - [ ] **Channel modes** — enforce `+i`, `+m`, `+s`, `+t`, `+n`
 - [ ] **User channel modes** — `+o` (operator), `+v` (voice)
 - [x] **MODE command** — query channel and user modes (set not yet implemented)

internal/config/config.go

@@ -38,9 +38,8 @@ type Config struct {
 	MetricsUsername    string
 	Port               int
 	SentryDSN          string
-	MessageMaxAge      string
+	MaxHistory         int
 	MaxMessageSize     int
-	QueueMaxAge        string
 	MOTD               string
 	ServerName         string
 	FederationKey      string
@@ -69,13 +68,12 @@ func New(
 	viper.SetDefault("SENTRY_DSN", "")
 	viper.SetDefault("METRICS_USERNAME", "")
 	viper.SetDefault("METRICS_PASSWORD", "")
-	viper.SetDefault("MESSAGE_MAX_AGE", "720h")
+	viper.SetDefault("MAX_HISTORY", "10000")
 	viper.SetDefault("MAX_MESSAGE_SIZE", "4096")
-	viper.SetDefault("QUEUE_MAX_AGE", "720h")
 	viper.SetDefault("MOTD", defaultMOTD)
 	viper.SetDefault("SERVER_NAME", "")
 	viper.SetDefault("FEDERATION_KEY", "")
-	viper.SetDefault("SESSION_IDLE_TIMEOUT", "720h")
+	viper.SetDefault("SESSION_IDLE_TIMEOUT", "24h")
 
 	err := viper.ReadInConfig()
 	if err != nil {
@@ -94,9 +92,8 @@ func New(
 		MaintenanceMode:    viper.GetBool("MAINTENANCE_MODE"),
 		MetricsUsername:    viper.GetString("METRICS_USERNAME"),
 		MetricsPassword:    viper.GetString("METRICS_PASSWORD"),
-		MessageMaxAge:      viper.GetString("MESSAGE_MAX_AGE"),
+		MaxHistory:         viper.GetInt("MAX_HISTORY"),
 		MaxMessageSize:     viper.GetInt("MAX_MESSAGE_SIZE"),
-		QueueMaxAge:        viper.GetString("QUEUE_MAX_AGE"),
 		MOTD:               viper.GetString("MOTD"),
 		ServerName:         viper.GetString("SERVER_NAME"),
 		FederationKey:      viper.GetString("FEDERATION_KEY"),

internal/db/auth.go

@@ -64,14 +64,12 @@ func (database *Database) RegisterUser(
 
 	sessionID, _ := res.LastInsertId()
 
-	tokenHash := hashToken(token)
-
 	clientRes, err := transaction.ExecContext(ctx,
 		`INSERT INTO clients
 		 (uuid, session_id, token,
 		  created_at, last_seen)
 		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, tokenHash, now, now)
+		clientUUID, sessionID, token, now, now)
 	if err != nil {
 		_ = transaction.Rollback()
 
@@ -139,14 +137,12 @@ func (database *Database) LoginUser(
 
 	now := time.Now()
 
-	tokenHash := hashToken(token)
-
 	res, err := database.conn.ExecContext(ctx,
 		`INSERT INTO clients
 		 (uuid, session_id, token,
 		  created_at, last_seen)
 		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, tokenHash, now, now)
+		clientUUID, sessionID, token, now, now)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
 			"create login client: %w", err,

internal/db/errors.go

@@ -1,20 +0,0 @@
-// Package db provides database access and migration management.
-package db
-
-import (
-	"errors"
-
-	"modernc.org/sqlite"
-	sqlite3 "modernc.org/sqlite/lib"
-)
-
-// IsUniqueConstraintError reports whether err is a SQLite
-// unique-constraint violation.
-func IsUniqueConstraintError(err error) bool {
-	var sqliteErr *sqlite.Error
-	if !errors.As(err, &sqliteErr) {
-		return false
-	}
-
-	return sqliteErr.Code() == sqlite3.SQLITE_CONSTRAINT_UNIQUE
-}

internal/db/queries.go

@@ -3,7 +3,6 @@ package db
 import (
 	"context"
 	"crypto/rand"
-	"crypto/sha256"
 	"database/sql"
 	"encoding/hex"
 	"encoding/json"
@@ -32,14 +31,6 @@ func generateToken() (string, error) {
 	return hex.EncodeToString(buf), nil
 }
 
-// hashToken returns the lowercase hex-encoded SHA-256
-// digest of a plaintext token string.
-func hashToken(token string) string {
-	sum := sha256.Sum256([]byte(token))
-
-	return hex.EncodeToString(sum[:])
-}
-
 // IRCMessage is the IRC envelope for all messages.
 type IRCMessage struct {
 	ID      string          `json:"id"`
@@ -114,14 +105,12 @@ func (database *Database) CreateSession(
 
 	sessionID, _ := res.LastInsertId()
 
-	tokenHash := hashToken(token)
-
 	clientRes, err := transaction.ExecContext(ctx,
 		`INSERT INTO clients
 		 (uuid, session_id, token,
 		  created_at, last_seen)
 		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, tokenHash, now, now)
+		clientUUID, sessionID, token, now, now)
 	if err != nil {
 		_ = transaction.Rollback()
 
@@ -154,8 +143,6 @@ func (database *Database) GetSessionByToken(
 		nick      string
 	)
 
-	tokenHash := hashToken(token)
-
 	err := database.conn.QueryRowContext(
 		ctx,
 		`SELECT s.id, c.id, s.nick
@@ -163,7 +150,7 @@ func (database *Database) GetSessionByToken(
 		 INNER JOIN sessions s
 		   ON s.id = c.session_id
 		 WHERE c.token = ?`,
-		tokenHash,
+		token,
 	).Scan(&sessionID, &clientID, &nick)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
@@ -1109,160 +1096,3 @@ func (database *Database) GetSessionCreatedAt(
 
 	return createdAt, nil
 }
-
-// SetAway sets the away message for a session.
-// An empty message clears the away status.
-func (database *Database) SetAway(
-	ctx context.Context,
-	sessionID int64,
-	message string,
-) error {
-	_, err := database.conn.ExecContext(ctx,
-		"UPDATE sessions SET away_message = ? WHERE id = ?",
-		message, sessionID)
-	if err != nil {
-		return fmt.Errorf("set away: %w", err)
-	}
-
-	return nil
-}
-
-// GetAway returns the away message for a session.
-// Returns an empty string if the user is not away.
-func (database *Database) GetAway(
-	ctx context.Context,
-	sessionID int64,
-) (string, error) {
-	var msg string
-
-	err := database.conn.QueryRowContext(ctx,
-		"SELECT away_message FROM sessions WHERE id = ?",
-		sessionID,
-	).Scan(&msg)
-	if err != nil {
-		return "", fmt.Errorf("get away: %w", err)
-	}
-
-	return msg, nil
-}
-
-// SetTopicMeta sets the topic along with who set it and
-// when.
-func (database *Database) SetTopicMeta(
-	ctx context.Context,
-	channelName, topic, setBy string,
-) error {
-	now := time.Now()
-
-	_, err := database.conn.ExecContext(ctx,
-		`UPDATE channels
-		 SET topic = ?, topic_set_by = ?,
-		     topic_set_at = ?, updated_at = ?
-		 WHERE name = ?`,
-		topic, setBy, now, now, channelName)
-	if err != nil {
-		return fmt.Errorf("set topic meta: %w", err)
-	}
-
-	return nil
-}
-
-// TopicMeta holds topic metadata for a channel.
-type TopicMeta struct {
-	SetBy string
-	SetAt time.Time
-}
-
-// GetTopicMeta returns who set the topic and when.
-func (database *Database) GetTopicMeta(
-	ctx context.Context,
-	channelID int64,
-) (*TopicMeta, error) {
-	var (
-		setBy string
-		setAt sql.NullTime
-	)
-
-	err := database.conn.QueryRowContext(ctx,
-		`SELECT topic_set_by, topic_set_at
-		 FROM channels WHERE id = ?`,
-		channelID,
-	).Scan(&setBy, &setAt)
-	if err != nil {
-		return nil, fmt.Errorf(
-			"get topic meta: %w", err,
-		)
-	}
-
-	if setBy == "" || !setAt.Valid {
-		return nil, nil //nolint:nilnil
-	}
-
-	return &TopicMeta{
-		SetBy: setBy,
-		SetAt: setAt.Time,
-	}, nil
-}
-
-// GetSessionLastSeen returns the last_seen time for a
-// session.
-func (database *Database) GetSessionLastSeen(
-	ctx context.Context,
-	sessionID int64,
-) (time.Time, error) {
-	var lastSeen time.Time
-
-	err := database.conn.QueryRowContext(ctx,
-		"SELECT last_seen FROM sessions WHERE id = ?",
-		sessionID,
-	).Scan(&lastSeen)
-	if err != nil {
-		return time.Time{}, fmt.Errorf(
-			"get session last_seen: %w", err,
-		)
-	}
-
-	return lastSeen, nil
-}
-
-// PruneOldQueueEntries deletes client output queue entries
-// older than cutoff and returns the number of rows removed.
-func (database *Database) PruneOldQueueEntries(
-	ctx context.Context,
-	cutoff time.Time,
-) (int64, error) {
-	res, err := database.conn.ExecContext(ctx,
-		"DELETE FROM client_queues WHERE created_at < ?",
-		cutoff,
-	)
-	if err != nil {
-		return 0, fmt.Errorf(
-			"prune old client output queue entries: %w", err,
-		)
-	}
-
-	deleted, _ := res.RowsAffected()
-
-	return deleted, nil
-}
-
-// PruneOldMessages deletes messages older than cutoff and
-// returns the number of rows removed.
-func (database *Database) PruneOldMessages(
-	ctx context.Context,
-	cutoff time.Time,
-) (int64, error) {
-	res, err := database.conn.ExecContext(ctx,
-		"DELETE FROM messages WHERE created_at < ?",
-		cutoff,
-	)
-	if err != nil {
-		return 0, fmt.Errorf(
-			"prune old messages: %w", err,
-		)
-	}
-
-	deleted, _ := res.RowsAffected()
-
-	return deleted, nil
-}

internal/db/schema/001_initial.sql

@@ -8,7 +8,6 @@ CREATE TABLE IF NOT EXISTS sessions (
     nick TEXT NOT NULL UNIQUE,
     password_hash TEXT NOT NULL DEFAULT '',
     signing_key TEXT NOT NULL DEFAULT '',
-    away_message TEXT NOT NULL DEFAULT '',
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     last_seen DATETIME DEFAULT CURRENT_TIMESTAMP
 );
@@ -31,8 +30,6 @@ CREATE TABLE IF NOT EXISTS channels (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
     name TEXT NOT NULL UNIQUE,
     topic TEXT NOT NULL DEFAULT '',
-    topic_set_by TEXT NOT NULL DEFAULT '',
-    topic_set_at DATETIME,
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );

internal/handlers/api.go

@@ -10,7 +10,6 @@ import (
 	"strings"
 	"time"
 
-	"git.eeqj.de/sneak/neoirc/internal/db"
 	"git.eeqj.de/sneak/neoirc/internal/irc"
 	"github.com/go-chi/chi"
 )
@@ -71,10 +70,11 @@ func (hdlr *Handlers) requireAuth(
 	sessionID, clientID, nick, err :=
 		hdlr.authSession(request)
 	if err != nil {
-		hdlr.respondJSON(writer, request, map[string]any{
+		hdlr.respondError(
-			"error":   "not registered",
+			writer, request,
-			"numeric": irc.ErrNotRegistered,
+			"unauthorized",
-		}, http.StatusUnauthorized)
+			http.StatusUnauthorized,
+		)
 
 		return 0, 0, "", false
 	}
@@ -199,7 +199,7 @@ func (hdlr *Handlers) handleCreateSessionError(
 	request *http.Request,
 	err error,
 ) {
-	if db.IsUniqueConstraintError(err) {
+	if strings.Contains(err.Error(), "UNIQUE") {
 		hdlr.respondError(
 			writer, request,
 			"nick already taken",
@@ -809,11 +809,6 @@ func (hdlr *Handlers) dispatchCommand(
 	bodyLines func() []string,
 ) {
 	switch command {
-	case irc.CmdAway:
-		hdlr.handleAway(
-			writer, request,
-			sessionID, clientID, nick, bodyLines,
-		)
 	case irc.CmdPrivmsg, irc.CmdNotice:
 		hdlr.handlePrivmsg(
 			writer, request,
@@ -924,8 +919,8 @@ func (hdlr *Handlers) handlePrivmsg(
 	if target == "" {
 		hdlr.enqueueNumeric(
 			request.Context(), clientID,
-			irc.ErrNoRecipient, nick, []string{command},
+			irc.ErrNeedMoreParams, nick, []string{command},
-			"No recipient given",
+			"Not enough parameters",
 		)
 		hdlr.broker.Notify(sessionID)
 		hdlr.respondJSON(writer, request,
@@ -939,8 +934,8 @@ func (hdlr *Handlers) handlePrivmsg(
 	if len(lines) == 0 {
 		hdlr.enqueueNumeric(
 			request.Context(), clientID,
-			irc.ErrNoTextToSend, nick, []string{command},
+			irc.ErrNeedMoreParams, nick, []string{command},
-			"No text to send",
+			"Not enough parameters",
 		)
 		hdlr.broker.Notify(sessionID)
 		hdlr.respondJSON(writer, request,
@@ -1027,8 +1022,8 @@ func (hdlr *Handlers) handleChannelMsg(
 	if !isMember {
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
-			irc.ErrCannotSendToChan, nick, []string{target},
+			irc.ErrNotOnChannel, nick, []string{target},
-			"Cannot send to channel",
+			"You're not on that channel",
 		)
 
 		return
@@ -1124,19 +1119,6 @@ func (hdlr *Handlers) handleDirectMsg(
 		return
 	}
 
-	// If the target is away, send RPL_AWAY to the sender.
-	awayMsg, awayErr := hdlr.params.Database.GetAway(
-		request.Context(), targetSID,
-	)
-	if awayErr == nil && awayMsg != "" {
-		hdlr.enqueueNumeric(
-			request.Context(), clientID,
-			irc.RplAway, nick,
-			[]string{target}, awayMsg,
-		)
-		hdlr.broker.Notify(sessionID)
-	}
-
 	hdlr.respondJSON(writer, request,
 		map[string]string{"id": msgUUID, "status": "sent"},
 		http.StatusOK)
@@ -1247,25 +1229,14 @@ func (hdlr *Handlers) deliverJoinNumerics(
 ) {
 	ctx := request.Context()
 
-	hdlr.deliverTopicNumerics(
+	chInfo, err := hdlr.params.Database.GetChannelByName(
-		ctx, clientID, sessionID, nick, channel, chID,
+		ctx, channel,
 	)
-
+	if err == nil {
-	hdlr.deliverNamesNumerics(
+		_ = chInfo // chInfo is the ID; topic comes from DB.
-		ctx, clientID, nick, channel, chID,
-	)
-
-	hdlr.broker.Notify(sessionID)
 	}
 
-// deliverTopicNumerics sends RPL_TOPIC or RPL_NOTOPIC,
+	// Get topic from channel info.
-// plus RPL_TOPICWHOTIME when topic metadata is available.
-func (hdlr *Handlers) deliverTopicNumerics(
-	ctx context.Context,
-	clientID, sessionID int64,
-	nick, channel string,
-	chID int64,
-) {
 	channels, listErr := hdlr.params.Database.ListChannels(
 		ctx, sessionID,
 	)
@@ -1287,39 +1258,14 @@ func (hdlr *Handlers) deliverTopicNumerics(
 			ctx, clientID, irc.RplTopic, nick,
 			[]string{channel}, topic,
 		)
-
-		topicMeta, tmErr := hdlr.params.Database.
-			GetTopicMeta(ctx, chID)
-		if tmErr == nil && topicMeta != nil {
-			hdlr.enqueueNumeric(
-				ctx, clientID,
-				irc.RplTopicWhoTime, nick,
-				[]string{
-					channel,
-					topicMeta.SetBy,
-					strconv.FormatInt(
-						topicMeta.SetAt.Unix(), 10,
-					),
-				},
-				"",
-			)
-		}
 	} else {
 		hdlr.enqueueNumeric(
 			ctx, clientID, irc.RplNoTopic, nick,
 			[]string{channel}, "No topic is set",
 		)
 	}
-}
 
-// deliverNamesNumerics sends RPL_NAMREPLY and
+	// Get member list for NAMES reply.
-// RPL_ENDOFNAMES for a channel.
-func (hdlr *Handlers) deliverNamesNumerics(
-	ctx context.Context,
-	clientID int64,
-	nick, channel string,
-	chID int64,
-) {
 	members, memErr := hdlr.params.Database.ChannelMembers(
 		ctx, chID,
 	)
@@ -1342,6 +1288,8 @@ func (hdlr *Handlers) deliverNamesNumerics(
 		ctx, clientID, irc.RplEndOfNames, nick,
 		[]string{channel}, "End of /NAMES list",
 	)
+
+	hdlr.broker.Notify(sessionID)
 }
 
 func (hdlr *Handlers) handlePart(
@@ -1479,7 +1427,7 @@ func (hdlr *Handlers) executeNickChange(
 		request.Context(), sessionID, newNick,
 	)
 	if err != nil {
-		if db.IsUniqueConstraintError(err) {
+		if strings.Contains(err.Error(), "UNIQUE") {
 			hdlr.respondIRCError(
 				writer, request, clientID, sessionID,
 				irc.ErrNicknameInUse, nick, []string{newNick},
@@ -1625,8 +1573,8 @@ func (hdlr *Handlers) executeTopic(
 	body json.RawMessage,
 	chID int64,
 ) {
-	setErr := hdlr.params.Database.SetTopicMeta(
+	setErr := hdlr.params.Database.SetTopic(
-		request.Context(), channel, topic, nick,
+		request.Context(), channel, topic,
 	)
 	if setErr != nil {
 		hdlr.log.Error(
@@ -1653,25 +1601,6 @@ func (hdlr *Handlers) executeTopic(
 		request.Context(), clientID,
 		irc.RplTopic, nick, []string{channel}, topic,
 	)
-
-	// 333 RPL_TOPICWHOTIME
-	topicMeta, tmErr := hdlr.params.Database.
-		GetTopicMeta(request.Context(), chID)
-	if tmErr == nil && topicMeta != nil {
-		hdlr.enqueueNumeric(
-			request.Context(), clientID,
-			irc.RplTopicWhoTime, nick,
-			[]string{
-				channel,
-				topicMeta.SetBy,
-				strconv.FormatInt(
-					topicMeta.SetAt.Unix(), 10,
-				),
-			},
-			"",
-		)
-	}
-
 	hdlr.broker.Notify(sessionID)
 
 	hdlr.respondJSON(writer, request,
@@ -2061,11 +1990,6 @@ func (hdlr *Handlers) executeWhois(
 		"neoirc server",
 	)
 
-	// 317 RPL_WHOISIDLE
-	hdlr.deliverWhoisIdle(
-		ctx, clientID, nick, queryNick, targetSID,
-	)
-
 	// 319 RPL_WHOISCHANNELS
 	hdlr.deliverWhoisChannels(
 		ctx, clientID, nick, queryNick, targetSID,
@@ -2475,95 +2399,3 @@ func (hdlr *Handlers) HandleServerInfo() http.HandlerFunc {
 		}, http.StatusOK)
 	}
 }
-
-// handleAway handles the AWAY command. An empty body
-// clears the away status; a non-empty body sets it.
-func (hdlr *Handlers) handleAway(
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick string,
-	bodyLines func() []string,
-) {
-	ctx := request.Context()
-
-	lines := bodyLines()
-
-	awayMsg := ""
-	if len(lines) > 0 {
-		awayMsg = strings.Join(lines, " ")
-	}
-
-	err := hdlr.params.Database.SetAway(
-		ctx, sessionID, awayMsg,
-	)
-	if err != nil {
-		hdlr.log.Error("set away failed", "error", err)
-		hdlr.respondError(
-			writer, request,
-			"internal error",
-			http.StatusInternalServerError,
-		)
-
-		return
-	}
-
-	if awayMsg == "" {
-		// 305 RPL_UNAWAY
-		hdlr.enqueueNumeric(
-			ctx, clientID, irc.RplUnaway, nick, nil,
-			"You are no longer marked as being away",
-		)
-	} else {
-		// 306 RPL_NOWAWAY
-		hdlr.enqueueNumeric(
-			ctx, clientID, irc.RplNowAway, nick, nil,
-			"You have been marked as being away",
-		)
-	}
-
-	hdlr.broker.Notify(sessionID)
-	hdlr.respondJSON(writer, request,
-		map[string]string{"status": "ok"},
-		http.StatusOK)
-}
-
-// deliverWhoisIdle sends RPL_WHOISIDLE (317) with idle
-// time and signon time.
-func (hdlr *Handlers) deliverWhoisIdle(
-	ctx context.Context,
-	clientID int64,
-	nick, queryNick string,
-	targetSID int64,
-) {
-	lastSeen, lsErr := hdlr.params.Database.
-		GetSessionLastSeen(ctx, targetSID)
-	if lsErr != nil {
-		return
-	}
-
-	createdAt, caErr := hdlr.params.Database.
-		GetSessionCreatedAt(ctx, targetSID)
-	if caErr != nil {
-		return
-	}
-
-	idleSeconds := int64(time.Since(lastSeen).Seconds())
-	if idleSeconds < 0 {
-		idleSeconds = 0
-	}
-
-	signonUnix := strconv.FormatInt(
-		createdAt.Unix(), 10,
-	)
-
-	hdlr.enqueueNumeric(
-		ctx, clientID, irc.RplWhoisIdle, nick,
-		[]string{
-			queryNick,
-			strconv.FormatInt(idleSeconds, 10),
-			signonUnix,
-		},
-		"seconds idle, signon time",
-	)
-}

internal/handlers/api_test.go

@@ -810,9 +810,9 @@ func TestMessageMissingBody(t *testing.T) {
 
 	msgs, _ := tserver.pollMessages(token, lastID)
 
-	if !findNumeric(msgs, "412") {
+	if !findNumeric(msgs, "461") {
 		t.Fatalf(
-			"expected ERR_NOTEXTTOSEND (412), got %v",
+			"expected ERR_NEEDMOREPARAMS (461), got %v",
 			msgs,
 		)
 	}
@@ -834,9 +834,9 @@ func TestMessageMissingTo(t *testing.T) {
 
 	msgs, _ := tserver.pollMessages(token, lastID)
 
-	if !findNumeric(msgs, "411") {
+	if !findNumeric(msgs, "461") {
 		t.Fatalf(
-			"expected ERR_NORECIPIENT (411), got %v",
+			"expected ERR_NEEDMOREPARAMS (461), got %v",
 			msgs,
 		)
 	}
@@ -869,9 +869,9 @@ func TestNonMemberCannotSend(t *testing.T) {
 
 	msgs, _ := tserver.pollMessages(aliceToken, lastID)
 
-	if !findNumeric(msgs, "404") {
+	if !findNumeric(msgs, "442") {
 		t.Fatalf(
-			"expected ERR_CANNOTSENDTOCHAN (404), got %v",
+			"expected ERR_NOTONCHANNEL (442), got %v",
 			msgs,
 		)
 	}

internal/handlers/auth.go

@@ -4,8 +4,6 @@ import (
 	"encoding/json"
 	"net/http"
 	"strings"
-
-	"git.eeqj.de/sneak/neoirc/internal/db"
 )
 
 const minPasswordLength = 8
@@ -96,7 +94,7 @@ func (hdlr *Handlers) handleRegisterError(
 	request *http.Request,
 	err error,
 ) {
-	if db.IsUniqueConstraintError(err) {
+	if strings.Contains(err.Error(), "UNIQUE") {
 		hdlr.respondError(
 			writer, request,
 			"nick already taken",

internal/handlers/handlers.go

@@ -31,7 +31,7 @@ type Params struct {
 	Healthcheck *healthcheck.Healthcheck
 }
 
-const defaultIdleTimeout = 30 * 24 * time.Hour
+const defaultIdleTimeout = 24 * time.Hour
 
 // Handlers manages HTTP request handling.
 type Handlers struct {
@@ -200,77 +200,4 @@ func (hdlr *Handlers) runCleanup(
 			"deleted", deleted,
 		)
 	}
-
-	hdlr.pruneQueuesAndMessages(ctx)
-}
-
-// parseDurationConfig parses a Go duration string,
-// returning zero on empty input and logging on error.
-func (hdlr *Handlers) parseDurationConfig(
-	name, raw string,
-) time.Duration {
-	if raw == "" {
-		return 0
-	}
-
-	dur, err := time.ParseDuration(raw)
-	if err != nil {
-		hdlr.log.Error(
-			"invalid duration config, skipping",
-			"name", name, "value", raw, "error", err,
-		)
-
-		return 0
-	}
-
-	return dur
-}
-
-// pruneQueuesAndMessages removes old client output queue
-// entries per QUEUE_MAX_AGE and old messages per
-// MESSAGE_MAX_AGE.
-func (hdlr *Handlers) pruneQueuesAndMessages(
-	ctx context.Context,
-) {
-	queueMaxAge := hdlr.parseDurationConfig(
-		"QUEUE_MAX_AGE",
-		hdlr.params.Config.QueueMaxAge,
-	)
-	if queueMaxAge > 0 {
-		queueCutoff := time.Now().Add(-queueMaxAge)
-
-		pruned, err := hdlr.params.Database.
-			PruneOldQueueEntries(ctx, queueCutoff)
-		if err != nil {
-			hdlr.log.Error(
-				"client output queue pruning failed", "error", err,
-			)
-		} else if pruned > 0 {
-			hdlr.log.Info(
-				"pruned old client output queue entries",
-				"deleted", pruned,
-			)
-		}
-	}
-
-	messageMaxAge := hdlr.parseDurationConfig(
-		"MESSAGE_MAX_AGE",
-		hdlr.params.Config.MessageMaxAge,
-	)
-	if messageMaxAge > 0 {
-		msgCutoff := time.Now().Add(-messageMaxAge)
-
-		pruned, err := hdlr.params.Database.
-			PruneOldMessages(ctx, msgCutoff)
-		if err != nil {
-			hdlr.log.Error(
-				"message pruning failed", "error", err,
-			)
-		} else if pruned > 0 {
-			hdlr.log.Info(
-				"pruned old messages",
-				"deleted", pruned,
-			)
-		}
-	}
 }

internal/irc/commands.go

@@ -2,7 +2,6 @@ package irc
 
 // IRC command names (RFC 1459 / RFC 2812).
 const (
-	CmdAway    = "AWAY"
 	CmdJoin    = "JOIN"
 	CmdList    = "LIST"
 	CmdLusers  = "LUSERS"

internal/middleware/middleware.go

@@ -142,6 +142,20 @@ func (mware *Middleware) CORS() func(http.Handler) http.Handler {
 	})
 }
 
+// Auth returns middleware that performs authentication.
+func (mware *Middleware) Auth() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(
+			func(
+				writer http.ResponseWriter,
+				request *http.Request,
+			) {
+				mware.log.Info("AUTH: before request")
+				next.ServeHTTP(writer, request)
+			})
+	}
+}
+
 // Metrics returns middleware that records HTTP metrics.
 func (mware *Middleware) Metrics() func(http.Handler) http.Handler {
 	metricsMiddleware := ghmm.New(ghmm.Config{ //nolint:exhaustruct // optional fields
@@ -166,36 +180,3 @@ func (mware *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 		},
 	)
 }
-
-// cspPolicy is the Content-Security-Policy header value applied to all
-// responses.  The embedded SPA loads scripts and styles from same-origin
-// files only (no inline scripts or inline style attributes), so a strict
-// policy works without 'unsafe-inline'.
-const cspPolicy = "default-src 'self'; " +
-	"script-src 'self'; " +
-	"style-src 'self'; " +
-	"connect-src 'self'; " +
-	"img-src 'self'; " +
-	"font-src 'self'; " +
-	"object-src 'none'; " +
-	"frame-ancestors 'none'; " +
-	"base-uri 'self'; " +
-	"form-action 'self'"
-
-// CSP returns middleware that sets the Content-Security-Policy header on
-// every response for defense-in-depth against XSS.
-func (mware *Middleware) CSP() func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(
-			func(
-				writer http.ResponseWriter,
-				request *http.Request,
-			) {
-				writer.Header().Set(
-					"Content-Security-Policy",
-					cspPolicy,
-				)
-				next.ServeHTTP(writer, request)
-			})
-	}
-}

internal/server/routes.go

@@ -16,6 +16,11 @@ import (
 
 const routeTimeout = 60 * time.Second
 
+// cspHeader is the Content-Security-Policy applied to the embedded web SPA.
+// The SPA loads external scripts and stylesheets from the same origin only;
+// all API communication uses same-origin fetch (no WebSockets).
+const cspHeader = "default-src 'self'; script-src 'self'; style-src 'self'"
+
 // SetupRoutes configures the HTTP routes and middleware.
 func (srv *Server) SetupRoutes() {
 	srv.router = chi.NewRouter()
@@ -29,7 +34,6 @@ func (srv *Server) SetupRoutes() {
 	}
 
 	srv.router.Use(srv.mw.CORS())
-	srv.router.Use(srv.mw.CSP())
 	srv.router.Use(middleware.Timeout(routeTimeout))
 
 	if srv.sentryEnabled {
@@ -134,6 +138,11 @@ func (srv *Server) setupSPA() {
 		writer http.ResponseWriter,
 		request *http.Request,
 	) {
+		writer.Header().Set(
+			"Content-Security-Policy",
+			cspHeader,
+		)
+
 		readFS, ok := distFS.(fs.ReadFileFS)
 		if !ok {
 			fileServer.ServeHTTP(writer, request)