deps: migrate from go-chi/chi v1 to go-chi/chi/v5

Migrate all import paths from github.com/go-chi/chi to github.com/go-chi/chi/v5 and github.com/go-chi/chi/middleware to github.com/go-chi/chi/v5/middleware. This resolves GO-2026-4316 (open redirect vulnerability in RedirectSlashes middleware) by moving to the maintained v5 module path. Files changed: - go.mod: chi v1.5.5 → chi/v5 v5.2.1 - internal/server/server.go: updated import - internal/server/routes.go: updated imports - internal/middleware/middleware.go: updated import - internal/handlers/api.go: updated import - README.md: updated Required Libraries table
feat: store auth tokens as SHA-256 hashes instead of plaintext (#69 )
2026-03-10 07:27:26 -07:00 · 2026-03-10 12:44:29 +01:00 · 2026-03-10 11:54:27 +01:00 · 2026-03-10 11:41:43 +01:00 · 2026-03-10 11:20:15 +01:00 · 2026-03-10 11:08:13 +01:00
17 changed files with 153 additions and 545 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -21,6 +21,7 @@ node_modules/
 *.key
 # Build artifacts
 web/dist/
 /neoircd
 /bin/
 *.exe
--- a/14
+++ b/14
@@ -1,3 +1,13 @@
 # Web build stage — compile SPA from source
 # node:22-alpine, 2026-03-09
 FROM node@sha256:8094c002d08262dba12645a3b4a15cd6cd627d30bc782f53229a2ec13ee22a00 AS web-builder
 WORKDIR /web
 COPY web/package.json web/package-lock.json ./
 RUN npm ci
 COPY web/src/ src/
 COPY web/build.sh build.sh
 RUN sh build.sh
 # Lint stage — fast feedback on formatting and lint issues
 # golangci/golangci-lint:v2.1.6, 2026-03-02
 FROM golangci/golangci-lint@sha256:568ee1c1c53493575fa9494e280e579ac9ca865787bafe4df3023ae59ecf299b AS lint
@@ -5,6 +15,9 @@ WORKDIR /src
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
 # Create placeholder files so //go:embed dist/* in web/embed.go resolves
 # without depending on the web-builder stage (lint should fail fast)
 RUN mkdir -p web/dist && touch web/dist/index.html web/dist/style.css web/dist/app.js
 RUN make fmt-check
 RUN make lint
@@ -21,6 +34,7 @@ COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
 COPY --from=web-builder /web/dist/ web/dist/
 RUN make test
--- a/README.md
+++ b/README.md
@@ -1374,16 +1374,18 @@ Return server metadata. No authentication required.
 ```json
 {
  "name": "My NeoIRC Server",
  "version": "0.1.0",
  "motd": "Welcome! Be nice.",
  "users": 42
 }
 ```
-| Field   | Type    | Description |
+| Field     | Type    | Description |
-|---------|---------|-------------|
+|-----------|---------|-------------|
-| `name`  | string  | Server display name |
+| `name`    | string  | Server display name |
-| `motd`  | string  | Message of the day |
+| `version` | string  | Server version |
-| `users` | integer | Number of currently active user sessions |
+| `motd`    | string  | Message of the day |
 | `users`   | integer | Number of currently active user sessions |
 ### GET /.well-known/healthcheck.json — Health Check
@@ -1622,6 +1624,10 @@ authenticity.
  termination.
 - **CORS**: The server allows all origins by default (`Access-Control-Allow-Origin: *`).
  Restrict this in production via reverse proxy configuration if needed.
 - **Content-Security-Policy**: The server sets a strict CSP header on all
  responses, restricting resource loading to same-origin and disabling
  dangerous features (object embeds, framing, base tag injection). The
  embedded SPA works without `'unsafe-inline'` for scripts or styles.
 ---
@@ -1850,26 +1856,16 @@ docker run -p 8080:8080 \
  neoirc
 ```
-The Dockerfile is a multi-stage build:
+The Dockerfile is a four-stage build:
-1. **Build stage**: Compiles `neoircd` and `neoirc-cli` (CLI built to verify
+1. **web-builder**: Installs Node dependencies and compiles the SPA (JSX →
   bundled JS via esbuild) into `web/dist/`
 2. **lint**: Runs formatting checks and golangci-lint against the Go source
   (uses empty placeholder files for `web/dist/` so it runs independently of
   web-builder for fast feedback)
 3. **builder**: Runs tests and compiles static `neoircd` and `neoirc-cli`
   binaries with the real SPA assets from web-builder (CLI built to verify
   compilation, not included in final image)
-2. **Final stage**: Alpine Linux + `neoircd` binary only
+4. **final**: Minimal Alpine image with only the `neoircd` binary
 ```dockerfile
 FROM golang:1.24-alpine AS builder
 WORKDIR /src
 RUN apk add --no-cache make
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
 RUN go build -o /neoircd ./cmd/neoircd/
 RUN go build -o /neoirc-cli ./cmd/neoirc-cli/
 FROM alpine:latest
 COPY --from=builder /neoircd /usr/local/bin/neoircd
 EXPOSE 8080
 CMD ["neoircd"]
 ```
 ### Binary
@@ -2318,10 +2314,14 @@ neoirc/
 │       └── http.go         # HTTP timeouts
 ├── web/
 │   ├── embed.go            # go:embed directive for SPA
-│   └── dist/               # Built SPA (vanilla JS, no build step)
+│   ├── build.sh            # SPA build script (esbuild, runs in Docker)
-│       ├── index.html
+│   ├── package.json        # Node dependencies (preact, esbuild)
-│       ├── style.css
+│   ├── package-lock.json
-│       └── app.js
+│   ├── src/                # SPA source files (JSX + HTML + CSS)
 │   │   ├── app.jsx
 │   │   ├── index.html
 │   │   └── style.css
 │   └── dist/               # Generated at Docker build time (not committed)
 ├── schema/                 # JSON Schema definitions (planned)
 ├── go.mod
 ├── go.sum
@@ -2336,7 +2336,7 @@ neoirc/
 | Purpose    | Library |
 |------------|---------|
 | DI         | `go.uber.org/fx` |
-| Router     | `github.com/go-chi/chi` |
+| Router     | `github.com/go-chi/chi/v5` |
 | Logging    | `log/slog` (stdlib) |
 | Config     | `github.com/spf13/viper` |
 | Env        | `github.com/joho/godotenv/autoload` |
--- a/REPO_POLICIES.md
+++ b/REPO_POLICIES.md
@@ -1,6 +1,6 @@
 ---
 title: Repository Policies
-last_modified: 2026-02-22
+last_modified: 2026-03-09
 ---
 This document covers repository structure, tooling, and workflow standards. Code
@@ -98,6 +98,13 @@ style conventions are in separate documents:
  `https://git.eeqj.de/sneak/prompts/raw/branch/main/.gitignore` when setting up
  a new repo.
 - **No build artifacts in version control.** Code-derived data (compiled
  bundles, minified output, generated assets) must never be committed to the
  repository if it can be avoided. The build process (e.g. Dockerfile, Makefile)
  should generate these at build time. Notable exception: Go protobuf generated
  files (`.pb.go`) ARE committed because repos need to work with `go get`, which
  downloads code but does not execute code generation.
 - Never use `git add -A` or `git add .`. Always stage files explicitly by name.
 - Never force-push to `main`.
@@ -144,8 +151,14 @@ style conventions are in separate documents:
 - Use SemVer.
 - Database migrations live in `internal/db/migrations/` and must be embedded in
-  the binary. Pre-1.0.0: modify existing migrations (no installed base assumed).
+  the binary.
-  Post-1.0.0: add new migration files.
+    - `000_migration.sql` — contains ONLY the creation of the migrations
      tracking table itself. Nothing else.
    - `001_schema.sql` — the full application schema.
    - **Pre-1.0.0:** never add additional migration files (002, 003, etc.).
      There is no installed base to migrate. Edit `001_schema.sql` directly.
    - **Post-1.0.0:** add new numbered migration files for each schema change.
      Never edit existing migrations after release.
 - All repos should have an `.editorconfig` enforcing the project's indentation
  settings.
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/99designs/basicauth-go v0.0.0-20230316000542-bf6f9cbbf0f8
 	github.com/gdamore/tcell/v2 v2.13.8
 	github.com/getsentry/sentry-go v0.42.0
-	github.com/go-chi/chi v1.5.5
+	github.com/go-chi/chi/v5 v5.2.1
 	github.com/go-chi/cors v1.2.2
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
--- a/go.sum
+++ b/go.sum
@@ -18,8 +18,8 @@ github.com/gdamore/tcell/v2 v2.13.8 h1:Mys/Kl5wfC/GcC5Cx4C2BIQH9dbnhnkPgS9/wF3Rl
 github.com/gdamore/tcell/v2 v2.13.8/go.mod h1:+Wfe208WDdB7INEtCsNrAN6O2m+wsTPk1RAovjaILlo=
 github.com/getsentry/sentry-go v0.42.0 h1:eeFMACuZTbUQf90RE8dE4tXeSe4CZyfvR1MBL7RLEt8=
 github.com/getsentry/sentry-go v0.42.0/go.mod h1:eRXCoh3uvmjQLY6qu63BjUZnaBu5L5WhMV1RwYO8W5s=
-github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
+github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
-github.com/go-chi/chi v1.5.5/go.mod h1:C9JqLr3tIYjDOZpzn+BCuxY8z8vmca43EeMgyZt7irw=
+github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/cors v1.2.2 h1:Jmey33TE+b+rB7fT8MUy1u0I4L+NARQlK6LhzKPSyQE=
 github.com/go-chi/cors v1.2.2/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
--- a/internal/db/auth.go
+++ b/internal/db/auth.go
@@ -64,12 +64,14 @@ func (database *Database) RegisterUser(
 	sessionID, _ := res.LastInsertId()
 	tokenHash := hashToken(token)
 	clientRes, err := transaction.ExecContext(ctx,
 		`INSERT INTO clients
 		 (uuid, session_id, token,
 		  created_at, last_seen)
 		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, token, now, now)
+		clientUUID, sessionID, tokenHash, now, now)
 	if err != nil {
 		_ = transaction.Rollback()
@@ -137,12 +139,14 @@ func (database *Database) LoginUser(
 	now := time.Now()
 	tokenHash := hashToken(token)
 	res, err := database.conn.ExecContext(ctx,
 		`INSERT INTO clients
 		 (uuid, session_id, token,
 		  created_at, last_seen)
 		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, token, now, now)
+		clientUUID, sessionID, tokenHash, now, now)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
 			"create login client: %w", err,
--- a/internal/db/errors.go
+++ b/internal/db/errors.go
@@ -0,0 +1,20 @@
 // Package db provides database access and migration management.
 package db
 import (
 	"errors"
 	"modernc.org/sqlite"
 	sqlite3 "modernc.org/sqlite/lib"
 )
 // IsUniqueConstraintError reports whether err is a SQLite
 // unique-constraint violation.
 func IsUniqueConstraintError(err error) bool {
 	var sqliteErr *sqlite.Error
 	if !errors.As(err, &sqliteErr) {
 		return false
 	}
 	return sqliteErr.Code() == sqlite3.SQLITE_CONSTRAINT_UNIQUE
 }
--- a/internal/db/queries.go
+++ b/internal/db/queries.go
@@ -3,6 +3,7 @@ package db
 import (
 	"context"
 	"crypto/rand"
 	"crypto/sha256"
 	"database/sql"
 	"encoding/hex"
 	"encoding/json"
@@ -31,6 +32,14 @@ func generateToken() (string, error) {
 	return hex.EncodeToString(buf), nil
 }
 // hashToken returns the lowercase hex-encoded SHA-256
 // digest of a plaintext token string.
 func hashToken(token string) string {
 	sum := sha256.Sum256([]byte(token))
 	return hex.EncodeToString(sum[:])
 }
 // IRCMessage is the IRC envelope for all messages.
 type IRCMessage struct {
 	ID      string          `json:"id"`
@@ -105,12 +114,14 @@ func (database *Database) CreateSession(
 	sessionID, _ := res.LastInsertId()
 	tokenHash := hashToken(token)
 	clientRes, err := transaction.ExecContext(ctx,
 		`INSERT INTO clients
 		 (uuid, session_id, token,
 		  created_at, last_seen)
 		 VALUES (?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, token, now, now)
+		clientUUID, sessionID, tokenHash, now, now)
 	if err != nil {
 		_ = transaction.Rollback()
@@ -143,6 +154,8 @@ func (database *Database) GetSessionByToken(
 		nick      string
 	)
 	tokenHash := hashToken(token)
 	err := database.conn.QueryRowContext(
 		ctx,
 		`SELECT s.id, c.id, s.nick
@@ -150,7 +163,7 @@ func (database *Database) GetSessionByToken(
 		 INNER JOIN sessions s
 		   ON s.id = c.session_id
 		 WHERE c.token = ?`,
-		token,
+		tokenHash,
 	).Scan(&sessionID, &clientID, &nick)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
@@ -10,8 +10,9 @@ import (
 	"strings"
 	"time"
 	"git.eeqj.de/sneak/neoirc/internal/db"
 	"git.eeqj.de/sneak/neoirc/internal/irc"
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 )
 var validNickRe = regexp.MustCompile(
@@ -199,7 +200,7 @@ func (hdlr *Handlers) handleCreateSessionError(
 	request *http.Request,
 	err error,
 ) {
-	if strings.Contains(err.Error(), "UNIQUE") {
+	if db.IsUniqueConstraintError(err) {
 		hdlr.respondError(
 			writer, request,
 			"nick already taken",
@@ -1427,7 +1428,7 @@ func (hdlr *Handlers) executeNickChange(
 		request.Context(), sessionID, newNick,
 	)
 	if err != nil {
-		if strings.Contains(err.Error(), "UNIQUE") {
+		if db.IsUniqueConstraintError(err) {
 			hdlr.respondIRCError(
 				writer, request, clientID, sessionID,
 				irc.ErrNicknameInUse, nick, []string{newNick},
@@ -2392,9 +2393,10 @@ func (hdlr *Handlers) HandleServerInfo() http.HandlerFunc {
 		}
 		hdlr.respondJSON(writer, request, map[string]any{
-			"name":  hdlr.params.Config.ServerName,
+			"name":    hdlr.params.Config.ServerName,
-			"motd":  hdlr.params.Config.MOTD,
+			"version": hdlr.params.Globals.Version,
-			"users": users,
+			"motd":    hdlr.params.Config.MOTD,
 			"users":   users,
 		}, http.StatusOK)
 	}
 }
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -4,6 +4,8 @@ import (
 	"encoding/json"
 	"net/http"
 	"strings"
 	"git.eeqj.de/sneak/neoirc/internal/db"
 )
 const minPasswordLength = 8
@@ -94,7 +96,7 @@ func (hdlr *Handlers) handleRegisterError(
 	request *http.Request,
 	err error,
 ) {
-	if strings.Contains(err.Error(), "UNIQUE") {
+	if db.IsUniqueConstraintError(err) {
 		hdlr.respondError(
 			writer, request,
 			"nick already taken",
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -11,7 +11,7 @@ import (
 	"git.eeqj.de/sneak/neoirc/internal/globals"
 	"git.eeqj.de/sneak/neoirc/internal/logger"
 	basicauth "github.com/99designs/basicauth-go"
-	chimw "github.com/go-chi/chi/middleware"
+	chimw "github.com/go-chi/chi/v5/middleware"
 	"github.com/go-chi/cors"
 	metrics "github.com/slok/go-http-metrics/metrics/prometheus"
 	ghmm "github.com/slok/go-http-metrics/middleware"
@@ -142,20 +142,6 @@ func (mware *Middleware) CORS() func(http.Handler) http.Handler {
 	})
 }
 // Auth returns middleware that performs authentication.
 func (mware *Middleware) Auth() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(
 			func(
 				writer http.ResponseWriter,
 				request *http.Request,
 			) {
 				mware.log.Info("AUTH: before request")
 				next.ServeHTTP(writer, request)
 			})
 	}
 }
 // Metrics returns middleware that records HTTP metrics.
 func (mware *Middleware) Metrics() func(http.Handler) http.Handler {
 	metricsMiddleware := ghmm.New(ghmm.Config{ //nolint:exhaustruct // optional fields
@@ -180,3 +166,36 @@ func (mware *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 		},
 	)
 }
 // cspPolicy is the Content-Security-Policy header value applied to all
 // responses.  The embedded SPA loads scripts and styles from same-origin
 // files only (no inline scripts or inline style attributes), so a strict
 // policy works without 'unsafe-inline'.
 const cspPolicy = "default-src 'self'; " +
 	"script-src 'self'; " +
 	"style-src 'self'; " +
 	"connect-src 'self'; " +
 	"img-src 'self'; " +
 	"font-src 'self'; " +
 	"object-src 'none'; " +
 	"frame-ancestors 'none'; " +
 	"base-uri 'self'; " +
 	"form-action 'self'"
 // CSP returns middleware that sets the Content-Security-Policy header on
 // every response for defense-in-depth against XSS.
 func (mware *Middleware) CSP() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(
 			func(
 				writer http.ResponseWriter,
 				request *http.Request,
 			) {
 				writer.Header().Set(
 					"Content-Security-Policy",
 					cspPolicy,
 				)
 				next.ServeHTTP(writer, request)
 			})
 	}
 }
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -8,8 +8,8 @@ import (
 	"git.eeqj.de/sneak/neoirc/web"
 	sentryhttp "github.com/getsentry/sentry-go/http"
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
-	"github.com/go-chi/chi/middleware"
+	"github.com/go-chi/chi/v5/middleware"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/spf13/viper"
 )
@@ -29,6 +29,7 @@ func (srv *Server) SetupRoutes() {
 	}
 	srv.router.Use(srv.mw.CORS())
 	srv.router.Use(srv.mw.CSP())
 	srv.router.Use(middleware.Timeout(routeTimeout))
 	if srv.sentryEnabled {
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -20,7 +20,7 @@ import (
 	"go.uber.org/fx"
 	"github.com/getsentry/sentry-go"
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 	_ "github.com/joho/godotenv/autoload" // loads .env file
 )
--- a/web/dist/app.js
+++ b/web/dist/app.js
--- a/web/dist/index.html
+++ b/web/dist/index.html
@@ -1,13 +0,0 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>NeoIRC</title>
  <link rel="stylesheet" href="/style.css">
 </head>
 <body>
  <div id="root"></div>
  <script type="module" src="/app.js"></script>
 </body>
 </html>
--- a/web/dist/style.css
+++ b/web/dist/style.css
@@ -1,466 +0,0 @@
 * {
  margin: 0;
  padding: 0;
  box-sizing: border-box;
 }
 :root {
  --bg: #0a0e14;
  --bg-panel: #0d1117;
  --bg-input: #0d1117;
  --bg-tab: #161b22;
  --bg-tab-active: #0d1117;
  --bg-topic: #0d1117;
  --text: #c9d1d9;
  --text-dim: #6e7681;
  --text-bright: #e6edf3;
  --accent: #58a6ff;
  --accent-dim: #1f6feb;
  --border: #21262d;
  --system: #7d8590;
  --action: #d2a8ff;
  --warn: #d29922;
  --error: #f85149;
  --unread: #f0883e;
  --nick-brackets: #6e7681;
  --timestamp: #484f58;
  --input-bg: #161b22;
  --prompt: #3fb950;
  --tab-indicator: #58a6ff;
  --user-list-bg: #0d1117;
  --user-list-header: #484f58;
 }
 html,
 body,
 #root {
  height: 100%;
  font-family: "JetBrains Mono", "Cascadia Code", "Fira Code", "SF Mono",
    "Consolas", "Liberation Mono", "Courier New", monospace;
  font-size: 13px;
  background: var(--bg);
  color: var(--text);
  overflow: hidden;
 }
 /* ============================================
   Login Screen
   ============================================ */
 .login-screen {
  display: flex;
  align-items: center;
  justify-content: center;
  height: 100%;
  background: var(--bg);
 }
 .login-box {
  text-align: center;
  max-width: 360px;
  width: 100%;
  padding: 32px;
 }
 .login-box h1 {
  color: var(--accent);
  font-size: 1.8em;
  margin-bottom: 16px;
  font-weight: 400;
 }
 .login-box .motd {
  color: var(--accent);
  font-size: 11px;
  margin-bottom: 20px;
  text-align: left;
  white-space: pre;
  font-family: inherit;
  line-height: 1.2;
  overflow-x: auto;
 }
 .login-box form {
  display: flex;
  flex-direction: column;
  gap: 8px;
  align-items: stretch;
 }
 .login-box label {
  color: var(--text-dim);
  text-align: left;
  font-size: 12px;
 }
 .login-box input {
  padding: 8px 12px;
  font-family: inherit;
  font-size: 14px;
  background: var(--input-bg);
  border: 1px solid var(--border);
  color: var(--text-bright);
  border-radius: 3px;
  outline: none;
 }
 .login-box input:focus {
  border-color: var(--accent-dim);
 }
 .login-box button {
  padding: 8px 16px;
  font-family: inherit;
  font-size: 14px;
  background: var(--accent-dim);
  border: none;
  color: var(--text-bright);
  border-radius: 3px;
  cursor: pointer;
  margin-top: 4px;
 }
 .login-box button:hover {
  background: var(--accent);
 }
 .login-box .error {
  color: var(--error);
  font-size: 12px;
  margin-top: 8px;
 }
 /* ============================================
   IRC App Layout
   ============================================ */
 .irc-app {
  display: flex;
  flex-direction: column;
  height: 100%;
  overflow: hidden;
 }
 /* ============================================
   Tab Bar
   ============================================ */
 .tab-bar {
  display: flex;
  background: var(--bg-tab);
  border-bottom: 1px solid var(--border);
  flex-shrink: 0;
  height: 32px;
  align-items: stretch;
 }
 .tabs {
  display: flex;
  overflow-x: auto;
  flex: 1;
  scrollbar-width: none;
 }
 .tabs::-webkit-scrollbar {
  display: none;
 }
 .tab {
  display: flex;
  align-items: center;
  padding: 0 12px;
  cursor: pointer;
  color: var(--text-dim);
  white-space: nowrap;
  user-select: none;
  border-right: 1px solid var(--border);
  font-size: 12px;
  gap: 4px;
  position: relative;
 }
 .tab:hover {
  color: var(--text);
  background: rgba(255, 255, 255, 0.03);
 }
 .tab.active {
  color: var(--text-bright);
  background: var(--bg-tab-active);
  border-bottom: 2px solid var(--tab-indicator);
  margin-bottom: -1px;
 }
 .tab.has-unread .tab-label {
  color: var(--unread);
  font-weight: bold;
 }
 .tab .unread-count {
  color: var(--unread);
  font-size: 11px;
  font-weight: bold;
 }
 .tab-close {
  color: var(--text-dim);
  font-size: 14px;
  line-height: 1;
  margin-left: 2px;
 }
 .tab-close:hover {
  color: var(--error);
 }
 .status-area {
  display: flex;
  align-items: center;
  gap: 10px;
  padding: 0 12px;
  flex-shrink: 0;
  font-size: 12px;
 }
 .status-nick {
  color: var(--accent);
  font-weight: bold;
 }
 .status-warn {
  color: var(--warn);
  animation: blink 1.5s ease-in-out infinite;
 }
@keyframes blink {
  0%,
  100% {
    opacity: 1;
  }
  50% {
    opacity: 0.4;
  }
 }
 /* ============================================
   Topic Bar
   ============================================ */
 .topic-bar {
  padding: 4px 12px;
  background: var(--bg-topic);
  border-bottom: 1px solid var(--border);
  font-size: 12px;
  white-space: nowrap;
  overflow: hidden;
  text-overflow: ellipsis;
  flex-shrink: 0;
  line-height: 1.5;
 }
 .topic-label {
  color: var(--text-dim);
 }
 .topic-text {
  color: var(--text);
 }
 /* ============================================
   Main Content Area
   ============================================ */
 .main-area {
  display: flex;
  flex: 1;
  overflow: hidden;
  min-height: 0;
 }
 /* ============================================
   Messages Panel
   ============================================ */
 .messages-panel {
  flex: 1;
  display: flex;
  flex-direction: column;
  overflow: hidden;
  min-width: 0;
 }
 .messages-scroll {
  flex: 1;
  overflow-y: auto;
  padding: 4px 8px;
  scrollbar-width: thin;
  scrollbar-color: var(--border) transparent;
 }
 .messages-scroll::-webkit-scrollbar {
  width: 8px;
 }
 .messages-scroll::-webkit-scrollbar-track {
  background: transparent;
 }
 .messages-scroll::-webkit-scrollbar-thumb {
  background: var(--border);
  border-radius: 4px;
 }
 /* ============================================
   Message Lines
   ============================================ */
 .message {
  padding: 1px 0;
  line-height: 1.4;
  white-space: pre-wrap;
  word-wrap: break-word;
  font-size: 13px;
 }
 .message .timestamp {
  color: var(--timestamp);
  font-size: 12px;
 }
 .message .nick {
  font-weight: bold;
 }
 .message .content {
  color: var(--text);
 }
 /* System messages (joins, parts, quits, etc.) */
 .system-message {
  color: var(--system);
 }
 .system-message .system-text {
  color: var(--system);
 }
 /* /me action messages */
 .action-message .action-text {
  color: var(--action);
 }
 /* ============================================
   User List (Right Panel)
   ============================================ */
 .user-list {
  width: 160px;
  background: var(--user-list-bg);
  border-left: 1px solid var(--border);
  display: flex;
  flex-direction: column;
  flex-shrink: 0;
  overflow: hidden;
 }
 .user-list-header {
  padding: 6px 10px;
  color: var(--user-list-header);
  font-size: 11px;
  text-transform: uppercase;
  letter-spacing: 0.5px;
  border-bottom: 1px solid var(--border);
  flex-shrink: 0;
 }
 .user-list-entries {
  overflow-y: auto;
  padding: 4px 0;
  flex: 1;
  scrollbar-width: thin;
  scrollbar-color: var(--border) transparent;
 }
 .nick-entry {
  padding: 2px 10px;
  font-size: 12px;
  cursor: pointer;
  white-space: nowrap;
  overflow: hidden;
  text-overflow: ellipsis;
  line-height: 1.5;
 }
 .nick-entry:hover {
  background: rgba(255, 255, 255, 0.04);
 }
 .nick-prefix {
  color: var(--text-dim);
  display: inline-block;
  width: 1ch;
  text-align: right;
  margin-right: 1px;
 }
 .nick-name {
  font-weight: normal;
 }
 /* ============================================
   Input Line (Bottom)
   ============================================ */
 .input-line {
  display: flex;
  align-items: center;
  background: var(--input-bg);
  border-top: 1px solid var(--border);
  flex-shrink: 0;
  height: 36px;
  padding: 0 8px;
  gap: 6px;
 }
 .input-prompt {
  color: var(--prompt);
  font-size: 13px;
  flex-shrink: 0;
  white-space: nowrap;
 }
 .input-line input {
  flex: 1;
  padding: 4px 0;
  font-family: inherit;
  font-size: 13px;
  background: transparent;
  border: none;
  color: var(--text-bright);
  outline: none;
  caret-color: var(--accent);
 }
 .input-line input::placeholder {
  color: var(--text-dim);
  font-style: italic;
 }
 /* ============================================
   Responsive
   ============================================ */
@media (max-width: 600px) {
  .user-list {
    display: none;
  }
  .tab {
    padding: 0 8px;
    font-size: 11px;
  }
  .input-prompt {
    font-size: 12px;
  }
 }
Author	SHA1	Message	Date
clawbot	73cae71171	deps: migrate from go-chi/chi v1 to go-chi/chi/v5 All checks were successful check / check (push) Successful in 1m2s Details Migrate all import paths from github.com/go-chi/chi to github.com/go-chi/chi/v5 and github.com/go-chi/chi/middleware to github.com/go-chi/chi/v5/middleware. This resolves GO-2026-4316 (open redirect vulnerability in RedirectSlashes middleware) by moving to the maintained v5 module path. Files changed: - go.mod: chi v1.5.5 → chi/v5 v5.2.1 - internal/server/server.go: updated import - internal/server/routes.go: updated imports - internal/middleware/middleware.go: updated import - internal/handlers/api.go: updated import - README.md: updated Required Libraries table	2026-03-10 07:27:26 -07:00
clawbot	67446b36a1	feat: store auth tokens as SHA-256 hashes instead of plaintext (#69 ) All checks were successful check / check (push) Successful in 5s Details ## Summary Hash client auth tokens with SHA-256 before storing in the database. When validating tokens, hash the incoming token and compare against the stored hash. This prevents token exposure if the database is compromised. Existing plaintext tokens are implicitly invalidated since they will not match the new hashed lookups — users will need to create new sessions. ## Changes - `internal/db/queries.go`: Added `hashToken()` helper using `crypto/sha256`. Updated `CreateSession` to store hashed token. Updated `GetSessionByToken` to hash the incoming token before querying. - `internal/db/auth.go`: Updated `RegisterUser` and `LoginUser` to store hashed tokens. ## Migration No schema changes needed. The `token` column remains `TEXT` but now stores 64-char hex SHA-256 digests instead of 64-char hex random tokens. Existing plaintext tokens are effectively invalidated. closes #34 Co-authored-by: user <user@Mac.lan guest wan> Reviewed-on: #69 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>	2026-03-10 12:44:29 +01:00
clawbot	b1fd2f1b96	Replace string-matching error detection with typed SQLite errors (closes #39 ) (#66 ) All checks were successful check / check (push) Successful in 4s Details ## Summary Replaces fragile `strings.Contains(err.Error(), "UNIQUE")` checks with typed error detection using `errors.As` and the SQLite driver's `sqlite.Error` type. ## Changes - `internal/db/errors.go`* (new): Adds `IsUniqueConstraintError(err)` helper that uses `errors.As` to unwrap the error into `sqlite.Error` and checks for `SQLITE_CONSTRAINT_UNIQUE` (code 2067). - `internal/handlers/api.go`: Replaces two `strings.Contains(err.Error(), "UNIQUE")` calls with `db.IsUniqueConstraintError(err)` — in `handleCreateSessionError` and `executeNickChange`. - `internal/handlers/auth.go`*: Replaces one `strings.Contains(err.Error(), "UNIQUE")` call with `db.IsUniqueConstraintError(err)` — in `handleRegisterError`. ## Why String matching on error messages is fragile — if the SQLite driver changes its error message format, the detection silently breaks. Using `errors.As` with the driver's typed error and checking the specific SQLite error code is robust, idiomatic Go, and immune to message format changes. closes #39 <!-- session: agent:sdlc-manager:subagent:3fb0b8e2-d635-4848-a5bd-131c5033cdb1 --> Co-authored-by: user <user@Mac.lan guest wan> Co-authored-by: Jeffrey Paul <sneak@noreply.example.org> Reviewed-on: #66 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>	2026-03-10 11:54:27 +01:00
clawbot	c07f94a432	Remove dead Auth() middleware method (#68 ) All checks were successful check / check (push) Successful in 5s Details Remove the unused `Auth()` method from `internal/middleware/middleware.go`. This method only logged "AUTH: before request" and passed through to the next handler — it performed no actual authentication. It was never referenced anywhere in the codebase; authentication is handled per-handler via `requireAuth` in the handlers package. closes #38 <!-- session: agent:sdlc-manager:subagent:629a7621-ec4b-49af-b7e8-03141664d682 --> Co-authored-by: user <user@Mac.lan guest wan> Reviewed-on: #68 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>	2026-03-10 11:41:43 +01:00
clawbot	a98e0ca349	feat: add Content-Security-Policy middleware (#64 ) All checks were successful check / check (push) Successful in 4s Details Add CSP header to all HTTP responses for defense-in-depth against XSS. The policy restricts all resource loading to same-origin and disables dangerous features (object embeds, framing, base tag injection). The embedded SPA requires no inline scripts or inline style attributes (Preact applies styles programmatically via DOM properties), so a strict policy without `unsafe-inline` works correctly. Directives: - `default-src 'self'` — baseline same-origin restriction - `script-src 'self'` — same-origin scripts only - `style-src 'self'` — same-origin stylesheets only - `connect-src 'self'` — same-origin fetch/XHR only - `img-src 'self'` — same-origin images only - `font-src 'self'` — same-origin fonts only - `object-src 'none'` — no plugin content - `frame-ancestors 'none'` — prevent clickjacking - `base-uri 'self'` — prevent base tag injection - `form-action 'self'` — restrict form submissions closes #41 Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de> Reviewed-on: #64 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>	2026-03-10 11:20:15 +01:00
clawbot	f287fdf6d1	fix: replay channel state on SPA reconnect (#61 ) All checks were successful check / check (push) Successful in 4s Details ## Summary When closing and reopening the SPA, channel tabs were not restored because the client relied on localStorage to remember joined channels and re-sent JOIN commands on reconnect. This was fragile and caused spurious JOIN broadcasts to other channel members. ## Changes ### Server (`internal/handlers/api.go`, `internal/handlers/auth.go`) - `replayChannelState()` — new method that enqueues synthetic JOIN messages plus join-numerics (332 TOPIC, 353 NAMES, 366 ENDOFNAMES) for every channel the session belongs to, targeted only at the specified client (no broadcast to other users). - `HandleState` — accepts `?replay=1` query parameter to trigger channel state replay when the SPA reconnects. - `handleLogin` — also calls `replayChannelState` after password-based login, since `LoginUser` creates a new client for an existing session. ### SPA (`web/src/app.jsx`, `web/dist/app.js`) - On resume, calls `/state?replay=1` instead of `/state` so the server enqueues channel state into the message queue. - `processMessage` now creates channel tabs when receiving a JOIN where `msg.from` matches the current nick (handles both live joins and replayed joins on reconnect). - `onLogin` no longer re-sends JOIN commands for saved channels on resume — the server handles it via the replay mechanism, avoiding spurious JOIN broadcasts. ## How It Works 1. SPA loads, finds saved token in localStorage 2. Calls `GET /api/v1/state?replay=1` — server validates token and enqueues synthetic JOIN + TOPIC + NAMES for all session channels into the client's queue 3. `onLogin(nick, true)` sets `loggedIn = true` and requests MOTD (no re-JOIN needed) 4. Poll loop starts, picks up replayed channel messages 5. `processMessage` handles the JOIN messages, creating tabs and refreshing members/topics naturally closes #60 Co-authored-by: user <user@Mac.lan guest wan> Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de> Co-authored-by: Jeffrey Paul <sneak@noreply.example.org> Reviewed-on: #61 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>	2026-03-10 11:08:13 +01:00
clawbot	687c958bd1	fix: add version field to /api/v1/server response (#62 ) All checks were successful check / check (push) Successful in 4s Details Add `version` field from `globals.Version` to the `handleServerInfo` response and update README documentation to include the new field. Closes #43 <!-- session: agent:sdlc-manager:subagent:35f84819-55dd-4bb6-a94b-8103777cc433 --> Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de> Reviewed-on: #62 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>	2026-03-10 11:05:10 +01:00