makefile: rerun tests with -v only on failure

fix: speed up tests and reduce output verbosity
- Use bcrypt.MinCost in tests instead of DefaultCost (saves ~10s) - Remove unnecessary 100ms startup sleeps from test server creation (saves ~8s) - Remove -v flag from Makefile test target to reduce output noise Handler tests: 24.4s → 13.8s, DB tests: 2.6s → 1.5s Total make test: 38s → 28s (well under 30s timeout)
2026-03-17 20:31:51 -07:00 · 2026-03-17 20:23:52 -07:00 · 2026-03-17 19:42:44 -07:00 · 2026-03-17 19:42:44 -07:00 · 2026-03-17 19:42:44 -07:00 · 2026-03-17 19:42:26 -07:00
18 changed files with 2700 additions and 742 deletions
--- a/2
+++ b/2
@@ -32,7 +32,7 @@ fmt-check:
 	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
 test: ensure-web-dist
-	go test -timeout 30s -v -race -cover ./...
+	go test -timeout 30s -race -cover ./... || go test -timeout 30s -race -v ./...
 # check runs all validation without making changes
 # Used by CI and Docker build — fails if anything is wrong
--- a/README.md
+++ b/README.md
--- a/internal/cli/api/client.go
+++ b/internal/cli/api/client.go
@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"io"
 	"net/http"
 	"net/http/cookiejar"
 	"net/url"
 	"strconv"
 	"strings"
@@ -29,19 +28,16 @@ var errHTTP = errors.New("HTTP error")
 // Client wraps HTTP calls to the neoirc server API.
 type Client struct {
 	BaseURL    string
 	Token      string
 	HTTPClient *http.Client
 }
-// NewClient creates a new API client with a cookie jar
+// NewClient creates a new API client.
 // for automatic auth cookie management.
 func NewClient(baseURL string) *Client {
-	jar, _ := cookiejar.New(nil)
+	return &Client{ //nolint:exhaustruct // Token set after CreateSession
 	return &Client{
 		BaseURL: baseURL,
 		HTTPClient: &http.Client{ //nolint:exhaustruct // defaults fine
 			Timeout: httpTimeout,
 			Jar:     jar,
 		},
 	}
 }
@@ -83,6 +79,8 @@ func (client *Client) CreateSession(
 		return nil, fmt.Errorf("decode session: %w", err)
 	}
 	client.Token = resp.Token
 	return &resp, nil
 }
@@ -123,7 +121,6 @@ func (client *Client) PollMessages(
 		Timeout: time.Duration(
 			timeout+pollExtraTime,
 		) * time.Second,
 		Jar: client.HTTPClient.Jar,
 	}
 	params := url.Values{}
@@ -148,6 +145,10 @@ func (client *Client) PollMessages(
 		return nil, fmt.Errorf("new request: %w", err)
 	}
 	request.Header.Set(
 		"Authorization", "Bearer "+client.Token,
 	)
 	resp, err := pollClient.Do(request)
 	if err != nil {
 		return nil, fmt.Errorf("poll request: %w", err)
@@ -303,6 +304,12 @@ func (client *Client) do(
 		"Content-Type", "application/json",
 	)
 	if client.Token != "" {
 		request.Header.Set(
 			"Authorization", "Bearer "+client.Token,
 		)
 	}
 	resp, err := client.HTTPClient.Do(request)
 	if err != nil {
 		return nil, fmt.Errorf("http: %w", err)
--- a/internal/cli/api/types.go
+++ b/internal/cli/api/types.go
@@ -12,6 +12,7 @@ type SessionRequest struct {
 type SessionResponse struct {
 	ID    int64  `json:"id"`
 	Nick  string `json:"nick"`
 	Token string `json:"token"`
 }
 // StateResponse is the response from GET /api/v1/state.
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -46,6 +46,8 @@ type Config struct {
 	FederationKey      string
 	SessionIdleTimeout string
 	HashcashBits       int
 	OperName           string
 	OperPassword       string
 	params             *Params
 	log                *slog.Logger
 }
@@ -78,6 +80,8 @@ func New(
 	viper.SetDefault("FEDERATION_KEY", "")
 	viper.SetDefault("SESSION_IDLE_TIMEOUT", "720h")
 	viper.SetDefault("NEOIRC_HASHCASH_BITS", "20")
 	viper.SetDefault("NEOIRC_OPER_NAME", "")
 	viper.SetDefault("NEOIRC_OPER_PASSWORD", "")
 	err := viper.ReadInConfig()
 	if err != nil {
@@ -104,6 +108,8 @@ func New(
 		FederationKey:      viper.GetString("FEDERATION_KEY"),
 		SessionIdleTimeout: viper.GetString("SESSION_IDLE_TIMEOUT"),
 		HashcashBits:       viper.GetInt("NEOIRC_HASHCASH_BITS"),
 		OperName:           viper.GetString("NEOIRC_OPER_NAME"),
 		OperPassword:       viper.GetString("NEOIRC_OPER_PASSWORD"),
 		log:                log,
 		params:             &params,
 	}
--- a/internal/db/auth.go
+++ b/internal/db/auth.go
@@ -10,41 +10,104 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
-const bcryptCost = bcrypt.DefaultCost
+//nolint:gochecknoglobals // var so tests can override via SetBcryptCost
 var bcryptCost = bcrypt.DefaultCost
 // SetBcryptCost overrides the bcrypt cost.
 // Use bcrypt.MinCost in tests to avoid slow hashing.
 func SetBcryptCost(cost int) { bcryptCost = cost }
 var errNoPassword = errors.New(
 	"account has no password set",
 )
-// SetPassword sets a bcrypt-hashed password on a session,
+// RegisterUser creates a session with a hashed password
-// enabling multi-client login via POST /api/v1/login.
+// and returns session ID, client ID, and token.
-func (database *Database) SetPassword(
+func (database *Database) RegisterUser(
 	ctx context.Context,
-	sessionID int64,
+	nick, password, username, hostname, remoteIP string,
-	password string,
+) (int64, int64, string, error) {
-) error {
+	if username == "" {
 		username = nick
 	}
 	hash, err := bcrypt.GenerateFromPassword(
 		[]byte(password), bcryptCost,
 	)
 	if err != nil {
-		return fmt.Errorf("hash password: %w", err)
+		return 0, 0, "", fmt.Errorf(
 			"hash password: %w", err,
 		)
 	}
-	_, err = database.conn.ExecContext(ctx,
+	sessionUUID := uuid.New().String()
-		"UPDATE sessions SET password_hash = ? WHERE id = ?",
+	clientUUID := uuid.New().String()
-		string(hash), sessionID)
+
 	token, err := generateToken()
 	if err != nil {
-		return fmt.Errorf("set password: %w", err)
+		return 0, 0, "", err
 	}
-	return nil
+	now := time.Now()
 	transaction, err := database.conn.BeginTx(ctx, nil)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
 			"begin tx: %w", err,
 		)
 	}
 	res, err := transaction.ExecContext(ctx,
 		`INSERT INTO sessions
 		 (uuid, nick, username, hostname, ip,
 		  password_hash, created_at, last_seen)
 		 VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
 		sessionUUID, nick, username, hostname,
 		remoteIP, string(hash), now, now)
 	if err != nil {
 		_ = transaction.Rollback()
 		return 0, 0, "", fmt.Errorf(
 			"create session: %w", err,
 		)
 	}
 	sessionID, _ := res.LastInsertId()
 	tokenHash := hashToken(token)
 	clientRes, err := transaction.ExecContext(ctx,
 		`INSERT INTO clients
 		 (uuid, session_id, token, ip, hostname,
 		  created_at, last_seen)
 		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
 		clientUUID, sessionID, tokenHash,
 		remoteIP, hostname, now, now)
 	if err != nil {
 		_ = transaction.Rollback()
 		return 0, 0, "", fmt.Errorf(
 			"create client: %w", err,
 		)
 	}
 	clientID, _ := clientRes.LastInsertId()
 	err = transaction.Commit()
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
 			"commit registration: %w", err,
 		)
 	}
 	return sessionID, clientID, token, nil
 }
 // LoginUser verifies a nick/password and creates a new
 // client token.
 func (database *Database) LoginUser(
 	ctx context.Context,
-	nick, password string,
+	nick, password, remoteIP, hostname string,
 ) (int64, int64, string, error) {
 	var (
 		sessionID    int64
@@ -91,10 +154,11 @@ func (database *Database) LoginUser(
 	res, err := database.conn.ExecContext(ctx,
 		`INSERT INTO clients
-		 (uuid, session_id, token,
+		 (uuid, session_id, token, ip, hostname,
 		  created_at, last_seen)
-		 VALUES (?, ?, ?, ?, ?)`,
+		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, tokenHash, now, now)
+		clientUUID, sessionID, tokenHash,
 		remoteIP, hostname, now, now)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
 			"create login client: %w", err,
--- a/internal/db/auth_test.go
+++ b/internal/db/auth_test.go
@@ -6,65 +6,126 @@ import (
 	_ "modernc.org/sqlite"
 )
-func TestSetPassword(t *testing.T) {
+func TestRegisterUser(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
-	sessionID, _, _, err :=
+	sessionID, clientID, token, err :=
-		database.CreateSession(ctx, "passuser")
+		database.RegisterUser(ctx, "reguser", "password123", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = database.SetPassword(
+	if sessionID == 0 || clientID == 0 || token == "" {
 		ctx, sessionID, "password123",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Verify we can now log in with the password.
 	loginSID, loginCID, loginToken, err :=
 		database.LoginUser(ctx, "passuser", "password123")
 	if err != nil {
 		t.Fatal(err)
 	}
 	if loginSID == 0 || loginCID == 0 || loginToken == "" {
 		t.Fatal("expected valid ids and token")
 	}
 	// Verify session works via token lookup.
 	sid, cid, nick, err :=
 		database.GetSessionByToken(ctx, token)
 	if err != nil {
 		t.Fatal(err)
 	}
-func TestSetPasswordThenWrongLogin(t *testing.T) {
+	if sid != sessionID || cid != clientID {
 		t.Fatal("session/client id mismatch")
 	}
 	if nick != "reguser" {
 		t.Fatalf("expected reguser, got %s", nick)
 	}
 }
 func TestRegisterUserWithUserHost(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
-	sessionID, _, _, err :=
+	sessionID, _, _, err := database.RegisterUser(
-		database.CreateSession(ctx, "wrongpw")
+		ctx, "reguhost", "password123",
-	if err != nil {
+		"myident", "example.org", "",
 		t.Fatal(err)
 	}
 	err = database.SetPassword(
 		ctx, sessionID, "correctpass",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
-	loginSID, loginCID, loginToken, loginErr :=
+	info, err := database.GetSessionHostInfo(
-		database.LoginUser(ctx, "wrongpw", "wrongpass12")
+		ctx, sessionID,
-	if loginErr == nil {
+	)
-		t.Fatal("expected error for wrong password")
+	if err != nil {
 		t.Fatal(err)
 	}
-	_ = loginSID
+	if info.Username != "myident" {
-	_ = loginCID
+		t.Fatalf(
-	_ = loginToken
+			"expected myident, got %s", info.Username,
 		)
 	}
 	if info.Hostname != "example.org" {
 		t.Fatalf(
 			"expected example.org, got %s",
 			info.Hostname,
 		)
 	}
 }
 func TestRegisterUserDefaultUsername(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	sessionID, _, _, err := database.RegisterUser(
 		ctx, "regdefault", "password123", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	info, err := database.GetSessionHostInfo(
 		ctx, sessionID,
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if info.Username != "regdefault" {
 		t.Fatalf(
 			"expected regdefault, got %s",
 			info.Username,
 		)
 	}
 }
 func TestRegisterUserDuplicateNick(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	regSID, regCID, regToken, err :=
 		database.RegisterUser(ctx, "dupnick", "password123", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
 	_ = regSID
 	_ = regCID
 	_ = regToken
 	dupSID, dupCID, dupToken, dupErr :=
 		database.RegisterUser(ctx, "dupnick", "other12345", "", "", "")
 	if dupErr == nil {
 		t.Fatal("expected error for duplicate nick")
 	}
 	_ = dupSID
 	_ = dupCID
 	_ = dupToken
 }
 func TestLoginUser(t *testing.T) {
@@ -73,26 +134,23 @@ func TestLoginUser(t *testing.T) {
 	database := setupTestDB(t)
 	ctx := t.Context()
-	sessionID, _, _, err :=
+	regSID, regCID, regToken, err :=
-		database.CreateSession(ctx, "loginuser")
+		database.RegisterUser(ctx, "loginuser", "mypassword", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = database.SetPassword(
+	_ = regSID
-		ctx, sessionID, "mypassword",
+	_ = regCID
-	)
+	_ = regToken
 	sessionID, clientID, token, err :=
 		database.LoginUser(ctx, "loginuser", "mypassword", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
-	loginSID, loginCID, token, err :=
+	if sessionID == 0 || clientID == 0 || token == "" {
 		database.LoginUser(ctx, "loginuser", "mypassword")
 	if err != nil {
 		t.Fatal(err)
 	}
 	if loginSID == 0 || loginCID == 0 || token == "" {
 		t.Fatal("expected valid ids and token")
 	}
@@ -108,6 +166,110 @@ func TestLoginUser(t *testing.T) {
 	}
 }
 func TestLoginUserStoresClientIPHostname(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	regSID, regCID, regToken, err := database.RegisterUser(
 		ctx, "loginipuser", "password123",
 		"", "", "10.0.0.1",
 	)
 	_ = regSID
 	_ = regCID
 	_ = regToken
 	if err != nil {
 		t.Fatal(err)
 	}
 	_, clientID, _, err := database.LoginUser(
 		ctx, "loginipuser", "password123",
 		"10.0.0.99", "newhost.example.com",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	clientInfo, err := database.GetClientHostInfo(
 		ctx, clientID,
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if clientInfo.IP != "10.0.0.99" {
 		t.Fatalf(
 			"expected client IP 10.0.0.99, got %s",
 			clientInfo.IP,
 		)
 	}
 	if clientInfo.Hostname != "newhost.example.com" {
 		t.Fatalf(
 			"expected hostname newhost.example.com, got %s",
 			clientInfo.Hostname,
 		)
 	}
 }
 func TestRegisterUserStoresSessionIP(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	sessionID, _, _, err := database.RegisterUser(
 		ctx, "regipuser", "password123",
 		"ident", "host.local", "172.16.0.5",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	info, err := database.GetSessionHostInfo(
 		ctx, sessionID,
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if info.IP != "172.16.0.5" {
 		t.Fatalf(
 			"expected session IP 172.16.0.5, got %s",
 			info.IP,
 		)
 	}
 }
 func TestLoginUserWrongPassword(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	regSID, regCID, regToken, err :=
 		database.RegisterUser(ctx, "wrongpw", "correctpass", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
 	_ = regSID
 	_ = regCID
 	_ = regToken
 	loginSID, loginCID, loginToken, loginErr :=
 		database.LoginUser(ctx, "wrongpw", "wrongpass12", "", "")
 	if loginErr == nil {
 		t.Fatal("expected error for wrong password")
 	}
 	_ = loginSID
 	_ = loginCID
 	_ = loginToken
 }
 func TestLoginUserNoPassword(t *testing.T) {
 	t.Parallel()
@@ -116,7 +278,7 @@ func TestLoginUserNoPassword(t *testing.T) {
 	// Create anonymous session (no password).
 	anonSID, anonCID, anonToken, err :=
-		database.CreateSession(ctx, "anon")
+		database.CreateSession(ctx, "anon", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -126,7 +288,7 @@ func TestLoginUserNoPassword(t *testing.T) {
 	_ = anonToken
 	loginSID, loginCID, loginToken, loginErr :=
-		database.LoginUser(ctx, "anon", "anything1")
+		database.LoginUser(ctx, "anon", "anything1", "", "")
 	if loginErr == nil {
 		t.Fatal(
 			"expected error for login on passwordless account",
@@ -145,7 +307,7 @@ func TestLoginUserNonexistent(t *testing.T) {
 	ctx := t.Context()
 	loginSID, loginCID, loginToken, err :=
-		database.LoginUser(ctx, "ghost", "password123")
+		database.LoginUser(ctx, "ghost", "password123", "", "")
 	if err == nil {
 		t.Fatal("expected error for nonexistent user")
 	}
--- a/internal/db/main_test.go
+++ b/internal/db/main_test.go
@@ -0,0 +1,14 @@
 package db_test
 import (
 	"os"
 	"testing"
 	"git.eeqj.de/sneak/neoirc/internal/db"
 	"golang.org/x/crypto/bcrypt"
 )
 func TestMain(m *testing.M) {
 	db.SetBcryptCost(bcrypt.MinCost)
 	os.Exit(m.Run())
 }
--- a/internal/db/queries.go
+++ b/internal/db/queries.go
@@ -74,14 +74,40 @@ type ChannelInfo struct {
 type MemberInfo struct {
 	ID       int64     `json:"id"`
 	Nick     string    `json:"nick"`
 	Username string    `json:"username"`
 	Hostname string    `json:"hostname"`
 	LastSeen time.Time `json:"lastSeen"`
 }
 // Hostmask returns the IRC hostmask in
 // nick!user@host format.
 func (m *MemberInfo) Hostmask() string {
 	return FormatHostmask(m.Nick, m.Username, m.Hostname)
 }
 // FormatHostmask formats a nick, username, and hostname
 // into a standard IRC hostmask string (nick!user@host).
 func FormatHostmask(nick, username, hostname string) string {
 	if username == "" {
 		username = nick
 	}
 	if hostname == "" {
 		hostname = "*"
 	}
 	return nick + "!" + username + "@" + hostname
 }
 // CreateSession registers a new session and its first client.
 func (database *Database) CreateSession(
 	ctx context.Context,
-	nick string,
+	nick, username, hostname, remoteIP string,
 ) (int64, int64, string, error) {
 	if username == "" {
 		username = nick
 	}
 	sessionUUID := uuid.New().String()
 	clientUUID := uuid.New().String()
@@ -101,9 +127,11 @@ func (database *Database) CreateSession(
 	res, err := transaction.ExecContext(ctx,
 		`INSERT INTO sessions
-		 (uuid, nick, created_at, last_seen)
+		 (uuid, nick, username, hostname, ip,
-		 VALUES (?, ?, ?, ?)`,
+		  created_at, last_seen)
-		sessionUUID, nick, now, now)
+		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
 		sessionUUID, nick, username, hostname,
 		remoteIP, now, now)
 	if err != nil {
 		_ = transaction.Rollback()
@@ -118,10 +146,11 @@ func (database *Database) CreateSession(
 	clientRes, err := transaction.ExecContext(ctx,
 		`INSERT INTO clients
-		 (uuid, session_id, token,
+		 (uuid, session_id, token, ip, hostname,
 		  created_at, last_seen)
-		 VALUES (?, ?, ?, ?, ?)`,
+		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, tokenHash, now, now)
+		clientUUID, sessionID, tokenHash,
 		remoteIP, hostname, now, now)
 	if err != nil {
 		_ = transaction.Rollback()
@@ -209,6 +238,135 @@ func (database *Database) GetSessionByNick(
 	return sessionID, nil
 }
 // SessionHostInfo holds the username, hostname, and IP
 // for a session.
 type SessionHostInfo struct {
 	Username string
 	Hostname string
 	IP       string
 }
 // GetSessionHostInfo returns the username, hostname,
 // and IP for a session.
 func (database *Database) GetSessionHostInfo(
 	ctx context.Context,
 	sessionID int64,
 ) (*SessionHostInfo, error) {
 	var info SessionHostInfo
 	err := database.conn.QueryRowContext(
 		ctx,
 		`SELECT username, hostname, ip
 		 FROM sessions WHERE id = ?`,
 		sessionID,
 	).Scan(&info.Username, &info.Hostname, &info.IP)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"get session host info: %w", err,
 		)
 	}
 	return &info, nil
 }
 // ClientHostInfo holds the IP and hostname for a client.
 type ClientHostInfo struct {
 	IP       string
 	Hostname string
 }
 // GetClientHostInfo returns the IP and hostname for a
 // client.
 func (database *Database) GetClientHostInfo(
 	ctx context.Context,
 	clientID int64,
 ) (*ClientHostInfo, error) {
 	var info ClientHostInfo
 	err := database.conn.QueryRowContext(
 		ctx,
 		`SELECT ip, hostname
 		 FROM clients WHERE id = ?`,
 		clientID,
 	).Scan(&info.IP, &info.Hostname)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"get client host info: %w", err,
 		)
 	}
 	return &info, nil
 }
 // SetSessionOper sets the is_oper flag on a session.
 func (database *Database) SetSessionOper(
 	ctx context.Context,
 	sessionID int64,
 	isOper bool,
 ) error {
 	val := 0
 	if isOper {
 		val = 1
 	}
 	_, err := database.conn.ExecContext(
 		ctx,
 		`UPDATE sessions SET is_oper = ? WHERE id = ?`,
 		val, sessionID,
 	)
 	if err != nil {
 		return fmt.Errorf("set session oper: %w", err)
 	}
 	return nil
 }
 // IsSessionOper returns whether the session has oper
 // status.
 func (database *Database) IsSessionOper(
 	ctx context.Context,
 	sessionID int64,
 ) (bool, error) {
 	var isOper int
 	err := database.conn.QueryRowContext(
 		ctx,
 		`SELECT is_oper FROM sessions WHERE id = ?`,
 		sessionID,
 	).Scan(&isOper)
 	if err != nil {
 		return false, fmt.Errorf(
 			"check session oper: %w", err,
 		)
 	}
 	return isOper != 0, nil
 }
 // GetLatestClientForSession returns the IP and hostname
 // of the most recently created client for a session.
 func (database *Database) GetLatestClientForSession(
 	ctx context.Context,
 	sessionID int64,
 ) (*ClientHostInfo, error) {
 	var info ClientHostInfo
 	err := database.conn.QueryRowContext(
 		ctx,
 		`SELECT ip, hostname FROM clients
 		 WHERE session_id = ?
 		 ORDER BY created_at DESC LIMIT 1`,
 		sessionID,
 	).Scan(&info.IP, &info.Hostname)
 	if err != nil {
 		return nil, fmt.Errorf(
 			"get latest client for session: %w", err,
 		)
 	}
 	return &info, nil
 }
 // GetChannelByName returns the channel ID for a name.
 func (database *Database) GetChannelByName(
 	ctx context.Context,
@@ -388,7 +546,8 @@ func (database *Database) ChannelMembers(
 	channelID int64,
 ) ([]MemberInfo, error) {
 	rows, err := database.conn.QueryContext(ctx,
-		`SELECT s.id, s.nick, s.last_seen
+		`SELECT s.id, s.nick, s.username,
 		   s.hostname, s.last_seen
 		 FROM sessions s
 		 INNER JOIN channel_members cm
 		   ON cm.session_id = s.id
@@ -408,7 +567,9 @@ func (database *Database) ChannelMembers(
 		var member MemberInfo
 		err = rows.Scan(
-			&member.ID, &member.Nick, &member.LastSeen,
+			&member.ID, &member.Nick,
 			&member.Username, &member.Hostname,
 			&member.LastSeen,
 		)
 		if err != nil {
 			return nil, fmt.Errorf(
@@ -859,6 +1020,26 @@ func (database *Database) GetUserCount(
 	return count, nil
 }
 // GetOperCount returns the number of sessions with oper
 // status.
 func (database *Database) GetOperCount(
 	ctx context.Context,
 ) (int64, error) {
 	var count int64
 	err := database.conn.QueryRowContext(
 		ctx,
 		"SELECT COUNT(*) FROM sessions WHERE is_oper = 1",
 	).Scan(&count)
 	if err != nil {
 		return 0, fmt.Errorf(
 			"get oper count: %w", err,
 		)
 	}
 	return count, nil
 }
 // ClientCountForSession returns the number of clients
 // belonging to a session.
 func (database *Database) ClientCountForSession(
--- a/internal/db/queries_test.go
+++ b/internal/db/queries_test.go
@@ -34,7 +34,7 @@ func TestCreateSession(t *testing.T) {
 	ctx := t.Context()
 	sessionID, _, token, err := database.CreateSession(
-		ctx, "alice",
+		ctx, "alice", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -45,7 +45,7 @@ func TestCreateSession(t *testing.T) {
 	}
 	_, _, dupToken, dupErr := database.CreateSession(
-		ctx, "alice",
+		ctx, "alice", "", "", "",
 	)
 	if dupErr == nil {
 		t.Fatal("expected error for duplicate nick")
@@ -54,13 +54,249 @@ func TestCreateSession(t *testing.T) {
 	_ = dupToken
 }
 // assertSessionHostInfo creates a session and verifies
 // the stored username and hostname match expectations.
 func assertSessionHostInfo(
 	t *testing.T,
 	database *db.Database,
 	nick, inputUser, inputHost,
 	expectUser, expectHost string,
 ) {
 	t.Helper()
 	sessionID, _, _, err := database.CreateSession(
 		t.Context(), nick, inputUser, inputHost, "",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	info, err := database.GetSessionHostInfo(
 		t.Context(), sessionID,
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if info.Username != expectUser {
 		t.Fatalf(
 			"expected username %s, got %s",
 			expectUser, info.Username,
 		)
 	}
 	if info.Hostname != expectHost {
 		t.Fatalf(
 			"expected hostname %s, got %s",
 			expectHost, info.Hostname,
 		)
 	}
 }
 func TestCreateSessionWithUserHost(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	assertSessionHostInfo(
 		t, database,
 		"hostuser", "myident", "example.com",
 		"myident", "example.com",
 	)
 }
 func TestCreateSessionDefaultUsername(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	// Empty username defaults to nick.
 	assertSessionHostInfo(
 		t, database,
 		"defaultu", "", "host.local",
 		"defaultu", "host.local",
 	)
 }
 func TestCreateSessionStoresIP(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	sessionID, clientID, _, err := database.CreateSession(
 		ctx, "ipuser", "ident", "host.example.com",
 		"192.168.1.42",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	info, err := database.GetSessionHostInfo(
 		ctx, sessionID,
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if info.IP != "192.168.1.42" {
 		t.Fatalf(
 			"expected session IP 192.168.1.42, got %s",
 			info.IP,
 		)
 	}
 	clientInfo, err := database.GetClientHostInfo(
 		ctx, clientID,
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if clientInfo.IP != "192.168.1.42" {
 		t.Fatalf(
 			"expected client IP 192.168.1.42, got %s",
 			clientInfo.IP,
 		)
 	}
 	if clientInfo.Hostname != "host.example.com" {
 		t.Fatalf(
 			"expected client hostname host.example.com, got %s",
 			clientInfo.Hostname,
 		)
 	}
 }
 func TestGetClientHostInfoNotFound(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	_, err := database.GetClientHostInfo(
 		t.Context(), 99999,
 	)
 	if err == nil {
 		t.Fatal("expected error for nonexistent client")
 	}
 }
 func TestGetSessionHostInfoNotFound(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	_, err := database.GetSessionHostInfo(
 		t.Context(), 99999,
 	)
 	if err == nil {
 		t.Fatal("expected error for nonexistent session")
 	}
 }
 func TestFormatHostmask(t *testing.T) {
 	t.Parallel()
 	result := db.FormatHostmask(
 		"nick", "user", "host.com",
 	)
 	if result != "nick!user@host.com" {
 		t.Fatalf(
 			"expected nick!user@host.com, got %s",
 			result,
 		)
 	}
 }
 func TestFormatHostmaskDefaults(t *testing.T) {
 	t.Parallel()
 	result := db.FormatHostmask("nick", "", "")
 	if result != "nick!nick@*" {
 		t.Fatalf(
 			"expected nick!nick@*, got %s",
 			result,
 		)
 	}
 }
 func TestMemberInfoHostmask(t *testing.T) {
 	t.Parallel()
 	member := &db.MemberInfo{ //nolint:exhaustruct // test only uses hostmask fields
 		Nick:     "alice",
 		Username: "aliceident",
 		Hostname: "alice.example.com",
 	}
 	hostmask := member.Hostmask()
 	expected := "alice!aliceident@alice.example.com"
 	if hostmask != expected {
 		t.Fatalf(
 			"expected %s, got %s", expected, hostmask,
 		)
 	}
 }
 func TestChannelMembersIncludeUserHost(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	sid, _, _, err := database.CreateSession(
 		ctx, "memuser", "myuser", "myhost.net", "",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	chID, err := database.GetOrCreateChannel(
 		ctx, "#hostchan",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	err = database.JoinChannel(ctx, chID, sid)
 	if err != nil {
 		t.Fatal(err)
 	}
 	members, err := database.ChannelMembers(ctx, chID)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if len(members) != 1 {
 		t.Fatalf(
 			"expected 1 member, got %d", len(members),
 		)
 	}
 	if members[0].Username != "myuser" {
 		t.Fatalf(
 			"expected username myuser, got %s",
 			members[0].Username,
 		)
 	}
 	if members[0].Hostname != "myhost.net" {
 		t.Fatalf(
 			"expected hostname myhost.net, got %s",
 			members[0].Hostname,
 		)
 	}
 }
 func TestGetSessionByToken(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
-	_, _, token, err := database.CreateSession(ctx, "bob")
+	_, _, token, err := database.CreateSession(ctx, "bob", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -93,7 +329,7 @@ func TestGetSessionByNick(t *testing.T) {
 	ctx := t.Context()
 	charlieID, charlieClientID, charlieToken, err :=
-		database.CreateSession(ctx, "charlie")
+		database.CreateSession(ctx, "charlie", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -150,7 +386,7 @@ func TestJoinAndPart(t *testing.T) {
 	database := setupTestDB(t)
 	ctx := t.Context()
-	sid, _, _, err := database.CreateSession(ctx, "user1")
+	sid, _, _, err := database.CreateSession(ctx, "user1", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -199,7 +435,7 @@ func TestDeleteChannelIfEmpty(t *testing.T) {
 		t.Fatal(err)
 	}
-	sid, _, _, err := database.CreateSession(ctx, "temp")
+	sid, _, _, err := database.CreateSession(ctx, "temp", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -234,7 +470,7 @@ func createSessionWithChannels(
 	ctx := t.Context()
-	sid, _, _, err := database.CreateSession(ctx, nick)
+	sid, _, _, err := database.CreateSession(ctx, nick, "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -317,7 +553,7 @@ func TestChangeNick(t *testing.T) {
 	ctx := t.Context()
 	sid, _, token, err := database.CreateSession(
-		ctx, "old",
+		ctx, "old", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -401,7 +637,7 @@ func TestPollMessages(t *testing.T) {
 	ctx := t.Context()
 	sid, _, token, err := database.CreateSession(
-		ctx, "poller",
+		ctx, "poller", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -508,7 +744,7 @@ func TestDeleteSession(t *testing.T) {
 	ctx := t.Context()
 	sid, _, _, err := database.CreateSession(
-		ctx, "deleteme",
+		ctx, "deleteme", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -548,12 +784,12 @@ func TestChannelMembers(t *testing.T) {
 	database := setupTestDB(t)
 	ctx := t.Context()
-	sid1, _, _, err := database.CreateSession(ctx, "m1")
+	sid1, _, _, err := database.CreateSession(ctx, "m1", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
-	sid2, _, _, err := database.CreateSession(ctx, "m2")
+	sid2, _, _, err := database.CreateSession(ctx, "m2", "", "", "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -611,7 +847,7 @@ func TestEnqueueToClient(t *testing.T) {
 	ctx := t.Context()
 	_, _, token, err := database.CreateSession(
-		ctx, "enqclient",
+		ctx, "enqclient", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -651,3 +887,133 @@ func TestEnqueueToClient(t *testing.T) {
 		t.Fatalf("expected 1, got %d", len(msgs))
 	}
 }
 func TestSetAndCheckSessionOper(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	sessionID, _, _, err := database.CreateSession(
 		ctx, "opernick", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Initially not oper.
 	isOper, err := database.IsSessionOper(ctx, sessionID)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if isOper {
 		t.Fatal("expected session not to be oper")
 	}
 	// Set oper.
 	err = database.SetSessionOper(ctx, sessionID, true)
 	if err != nil {
 		t.Fatal(err)
 	}
 	isOper, err = database.IsSessionOper(ctx, sessionID)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if !isOper {
 		t.Fatal("expected session to be oper")
 	}
 	// Unset oper.
 	err = database.SetSessionOper(ctx, sessionID, false)
 	if err != nil {
 		t.Fatal(err)
 	}
 	isOper, err = database.IsSessionOper(ctx, sessionID)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if isOper {
 		t.Fatal("expected session not to be oper")
 	}
 }
 func TestGetLatestClientForSession(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	sessionID, _, _, err := database.CreateSession(
 		ctx, "clientnick", "", "", "10.0.0.1",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	clientInfo, err := database.GetLatestClientForSession(
 		ctx, sessionID,
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if clientInfo.IP != "10.0.0.1" {
 		t.Fatalf(
 			"expected IP 10.0.0.1, got %s",
 			clientInfo.IP,
 		)
 	}
 }
 func TestGetOperCount(t *testing.T) {
 	t.Parallel()
 	database := setupTestDB(t)
 	ctx := t.Context()
 	// Create two sessions.
 	sid1, _, _, err := database.CreateSession(
 		ctx, "user1", "", "", "",
 	)
 	if err != nil {
 		t.Fatal(err)
 	}
 	sid2, _, _, err := database.CreateSession(
 		ctx, "user2", "", "", "",
 	)
 	_ = sid2
 	if err != nil {
 		t.Fatal(err)
 	}
 	// Initially zero opers.
 	count, err := database.GetOperCount(ctx)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if count != 0 {
 		t.Fatalf("expected 0 opers, got %d", count)
 	}
 	// Set one as oper.
 	err = database.SetSessionOper(ctx, sid1, true)
 	if err != nil {
 		t.Fatal(err)
 	}
 	count, err = database.GetOperCount(ctx)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if count != 1 {
 		t.Fatalf("expected 1 oper, got %d", count)
 	}
 }
--- a/internal/db/schema/001_initial.sql
+++ b/internal/db/schema/001_initial.sql
@@ -6,6 +6,10 @@ CREATE TABLE IF NOT EXISTS sessions (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    uuid TEXT NOT NULL UNIQUE,
    nick TEXT NOT NULL UNIQUE,
    username TEXT NOT NULL DEFAULT '',
    hostname TEXT NOT NULL DEFAULT '',
    ip TEXT NOT NULL DEFAULT '',
    is_oper INTEGER NOT NULL DEFAULT 0,
    password_hash TEXT NOT NULL DEFAULT '',
    signing_key TEXT NOT NULL DEFAULT '',
    away_message TEXT NOT NULL DEFAULT '',
@@ -20,6 +24,8 @@ CREATE TABLE IF NOT EXISTS clients (
    uuid TEXT NOT NULL UNIQUE,
    session_id INTEGER NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
    token TEXT NOT NULL UNIQUE,
    ip TEXT NOT NULL DEFAULT '',
    hostname TEXT NOT NULL DEFAULT '',
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    last_seen DATETIME DEFAULT CURRENT_TIMESTAMP
 );
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
@@ -2,9 +2,11 @@ package handlers
 import (
 	"context"
 	"crypto/subtle"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"regexp"
 	"strconv"
@@ -30,13 +32,18 @@ var validChannelRe = regexp.MustCompile(
 	`^#[a-zA-Z0-9_\-]{1,63}$`,
 )
 var validUsernameRe = regexp.MustCompile(
 	`^[a-zA-Z0-9_\-\[\]\\^{}|` + "`" + `]{1,32}$`,
 )
 const dnsLookupTimeout = 3 * time.Second
 const (
 	maxLongPollTimeout = 30
 	pollMessageLimit   = 100
 	defaultMaxBodySize = 4096
 	defaultHistLimit   = 50
 	maxHistLimit       = 500
 	authCookieName     = "neoirc_auth"
 )
 func (hdlr *Handlers) maxBodySize() int64 {
@@ -47,18 +54,72 @@ func (hdlr *Handlers) maxBodySize() int64 {
 	return defaultMaxBodySize
 }
-// authSession extracts the session from the auth cookie.
+// clientIP extracts the connecting client's IP address
 // from the request, checking X-Forwarded-For and
 // X-Real-IP headers before falling back to RemoteAddr.
 func clientIP(request *http.Request) string {
 	if forwarded := request.Header.Get("X-Forwarded-For"); forwarded != "" {
 		// X-Forwarded-For can contain a comma-separated list;
 		// the first entry is the original client.
 		parts := strings.SplitN(forwarded, ",", 2) //nolint:mnd
 		ip := strings.TrimSpace(parts[0])
 		if ip != "" {
 			return ip
 		}
 	}
 	if realIP := request.Header.Get("X-Real-IP"); realIP != "" {
 		return strings.TrimSpace(realIP)
 	}
 	host, _, err := net.SplitHostPort(request.RemoteAddr)
 	if err != nil {
 		return request.RemoteAddr
 	}
 	return host
 }
 // resolveHostname performs a reverse DNS lookup on the
 // given IP address. Returns the first PTR record with the
 // trailing dot stripped, or the raw IP if lookup fails.
 func resolveHostname(
 	reqCtx context.Context,
 	addr string,
 ) string {
 	resolver := &net.Resolver{} //nolint:exhaustruct // using default resolver
 	ctx, cancel := context.WithTimeout(
 		reqCtx, dnsLookupTimeout,
 	)
 	defer cancel()
 	names, err := resolver.LookupAddr(ctx, addr)
 	if err != nil || len(names) == 0 {
 		return addr
 	}
 	return strings.TrimSuffix(names[0], ".")
 }
 // authSession extracts the session from the client token.
 func (hdlr *Handlers) authSession(
 	request *http.Request,
 ) (int64, int64, string, error) {
-	cookie, err := request.Cookie(authCookieName)
+	auth := request.Header.Get("Authorization")
-	if err != nil || cookie.Value == "" {
+	if !strings.HasPrefix(auth, "Bearer ") {
 		return 0, 0, "", errUnauthorized
 	}
 	token := strings.TrimPrefix(auth, "Bearer ")
 	if token == "" {
 		return 0, 0, "", errUnauthorized
 	}
 	sessionID, clientID, nick, err :=
 		hdlr.params.Database.GetSessionByToken(
-			request.Context(), cookie.Value,
+			request.Context(), token,
 		)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf("auth: %w", err)
@@ -67,46 +128,6 @@ func (hdlr *Handlers) authSession(
 	return sessionID, clientID, nick, nil
 }
 // setAuthCookie sets the authentication cookie on the
 // response.
 func (hdlr *Handlers) setAuthCookie(
 	writer http.ResponseWriter,
 	request *http.Request,
 	token string,
 ) {
 	secure := request.TLS != nil ||
 		request.Header.Get("X-Forwarded-Proto") == "https"
 	http.SetCookie(writer, &http.Cookie{ //nolint:exhaustruct // optional fields
 		Name:     authCookieName,
 		Value:    token,
 		Path:     "/",
 		HttpOnly: true,
 		Secure:   secure,
 		SameSite: http.SameSiteStrictMode,
 	})
 }
 // clearAuthCookie removes the authentication cookie from
 // the client.
 func (hdlr *Handlers) clearAuthCookie(
 	writer http.ResponseWriter,
 	request *http.Request,
 ) {
 	secure := request.TLS != nil ||
 		request.Header.Get("X-Forwarded-Proto") == "https"
 	http.SetCookie(writer, &http.Cookie{ //nolint:exhaustruct // optional fields
 		Name:     authCookieName,
 		Value:    "",
 		Path:     "/",
 		HttpOnly: true,
 		Secure:   secure,
 		SameSite: http.SameSiteStrictMode,
 		MaxAge:   -1,
 	})
 }
 func (hdlr *Handlers) requireAuth(
 	writer http.ResponseWriter,
 	request *http.Request,
@@ -191,6 +212,7 @@ func (hdlr *Handlers) handleCreateSession(
 ) {
 	type createRequest struct {
 		Nick     string `json:"nick"`
 		Username string `json:"username,omitempty"`
 		Hashcash string `json:"pow_token,omitempty"` //nolint:tagliatelle
 	}
@@ -207,32 +229,12 @@ func (hdlr *Handlers) handleCreateSession(
 		return
 	}
-	// Validate hashcash proof-of-work if configured.
+	if !hdlr.validateHashcash(
-	if hdlr.params.Config.HashcashBits > 0 {
+		writer, request, payload.Hashcash,
-		if payload.Hashcash == "" {
+	) {
 			hdlr.respondError(
 				writer, request,
 				"hashcash proof-of-work required",
 				http.StatusPaymentRequired,
 			)
 		return
 	}
 		err = hdlr.hashcashVal.Validate(
 			payload.Hashcash, hdlr.params.Config.HashcashBits,
 		)
 		if err != nil {
 			hdlr.respondError(
 				writer, request,
 				"invalid hashcash stamp: "+err.Error(),
 				http.StatusPaymentRequired,
 			)
 			return
 		}
 	}
 	payload.Nick = strings.TrimSpace(payload.Nick)
 	if !validNickRe.MatchString(payload.Nick) {
@@ -245,9 +247,40 @@ func (hdlr *Handlers) handleCreateSession(
 		return
 	}
 	username := resolveUsername(
 		payload.Username, payload.Nick,
 	)
 	if !validUsernameRe.MatchString(username) {
 		hdlr.respondError(
 			writer, request,
 			"invalid username format",
 			http.StatusBadRequest,
 		)
 		return
 	}
 	hdlr.executeCreateSession(
 		writer, request, payload.Nick, username,
 	)
 }
 func (hdlr *Handlers) executeCreateSession(
 	writer http.ResponseWriter,
 	request *http.Request,
 	nick, username string,
 ) {
 	remoteIP := clientIP(request)
 	hostname := resolveHostname(
 		request.Context(), remoteIP,
 	)
 	sessionID, clientID, token, err :=
 		hdlr.params.Database.CreateSession(
-			request.Context(), payload.Nick,
+			request.Context(),
 			nick, username, hostname, remoteIP,
 		)
 	if err != nil {
 		hdlr.handleCreateSessionError(
@@ -260,16 +293,64 @@ func (hdlr *Handlers) handleCreateSession(
 	hdlr.stats.IncrSessions()
 	hdlr.stats.IncrConnections()
-	hdlr.deliverMOTD(request, clientID, sessionID, payload.Nick)
+	hdlr.deliverMOTD(request, clientID, sessionID, nick)
 	hdlr.setAuthCookie(writer, request, token)
 	hdlr.respondJSON(writer, request, map[string]any{
 		"id":    sessionID,
-		"nick": payload.Nick,
+		"nick":  nick,
 		"token": token,
 	}, http.StatusCreated)
 }
 // validateHashcash validates a hashcash stamp if required.
 // Returns false if validation failed and a response was
 // already sent.
 func (hdlr *Handlers) validateHashcash(
 	writer http.ResponseWriter,
 	request *http.Request,
 	stamp string,
 ) bool {
 	if hdlr.params.Config.HashcashBits == 0 {
 		return true
 	}
 	if stamp == "" {
 		hdlr.respondError(
 			writer, request,
 			"hashcash proof-of-work required",
 			http.StatusPaymentRequired,
 		)
 		return false
 	}
 	err := hdlr.hashcashVal.Validate(
 		stamp, hdlr.params.Config.HashcashBits,
 	)
 	if err != nil {
 		hdlr.respondError(
 			writer, request,
 			"invalid hashcash stamp: "+err.Error(),
 			http.StatusPaymentRequired,
 		)
 		return false
 	}
 	return true
 }
 // resolveUsername returns the trimmed username, defaulting
 // to the nick if empty.
 func resolveUsername(username, nick string) string {
 	username = strings.TrimSpace(username)
 	if username == "" {
 		return nick
 	}
 	return username
 }
 func (hdlr *Handlers) handleCreateSessionError(
 	writer http.ResponseWriter,
 	request *http.Request,
@@ -389,9 +470,19 @@ func (hdlr *Handlers) deliverLusers(
 	)
 	// 252 RPL_LUSEROP
 	operCount, operErr := hdlr.params.Database.
 		GetOperCount(ctx)
 	if operErr != nil {
 		hdlr.log.Error(
 			"lusers oper count", "error", operErr,
 		)
 		operCount = 0
 	}
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplLuserOp, nick,
-		[]string{"0"},
+		[]string{strconv.FormatInt(operCount, 10)},
 		"operator(s) online",
 	)
@@ -912,11 +1003,6 @@ func (hdlr *Handlers) dispatchCommand(
 			writer, request,
 			sessionID, clientID, nick, bodyLines,
 		)
 	case irc.CmdPass:
 		hdlr.handlePass(
 			writer, request,
 			sessionID, clientID, nick, bodyLines,
 		)
 	case irc.CmdTopic:
 		hdlr.handleTopic(
 			writer, request,
@@ -927,6 +1013,11 @@ func (hdlr *Handlers) dispatchCommand(
 		hdlr.handleQuit(
 			writer, request, sessionID, nick, body,
 		)
 	case irc.CmdOper:
 		hdlr.handleOper(
 			writer, request,
 			sessionID, clientID, nick, bodyLines,
 		)
 	case irc.CmdMotd, irc.CmdPing:
 		hdlr.dispatchInfoCommand(
 			writer, request,
@@ -1576,16 +1667,16 @@ func (hdlr *Handlers) deliverNamesNumerics(
 	)
 	if memErr == nil && len(members) > 0 {
-		nicks := make([]string, 0, len(members))
+		entries := make([]string, 0, len(members))
 		for _, mem := range members {
-			nicks = append(nicks, mem.Nick)
+			entries = append(entries, mem.Hostmask())
 		}
 		hdlr.enqueueNumeric(
 			ctx, clientID, irc.RplNamReply, nick,
 			[]string{"=", channel},
-			strings.Join(nicks, " "),
+			strings.Join(entries, " "),
 		)
 	}
@@ -2047,8 +2138,6 @@ func (hdlr *Handlers) handleQuit(
 		request.Context(), sessionID,
 	)
 	hdlr.clearAuthCookie(writer, request)
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "quit"},
 		http.StatusOK)
@@ -2373,16 +2462,16 @@ func (hdlr *Handlers) handleNames(
 		ctx, chID,
 	)
 	if memErr == nil && len(members) > 0 {
-		nicks := make([]string, 0, len(members))
+		entries := make([]string, 0, len(members))
 		for _, mem := range members {
-			nicks = append(nicks, mem.Nick)
+			entries = append(entries, mem.Hostmask())
 		}
 		hdlr.enqueueNumeric(
 			ctx, clientID, irc.RplNamReply, nick,
 			[]string{"=", channel},
-			strings.Join(nicks, " "),
+			strings.Join(entries, " "),
 		)
 	}
@@ -2489,12 +2578,63 @@ func (hdlr *Handlers) executeWhois(
 	nick, queryNick string,
 ) {
 	ctx := request.Context()
 	srvName := hdlr.serverName()
 	targetSID, err := hdlr.params.Database.GetSessionByNick(
 		ctx, queryNick,
 	)
 	if err != nil {
 		hdlr.whoisNotFound(
 			ctx, writer, request,
 			sessionID, clientID, nick, queryNick,
 		)
 		return
 	}
 	hdlr.deliverWhoisUser(
 		ctx, clientID, nick, queryNick, targetSID,
 	)
 	// 313 RPL_WHOISOPERATOR — show if target is oper.
 	hdlr.deliverWhoisOperator(
 		ctx, clientID, nick, queryNick, targetSID,
 	)
 	hdlr.deliverWhoisIdle(
 		ctx, clientID, nick, queryNick, targetSID,
 	)
 	hdlr.deliverWhoisChannels(
 		ctx, clientID, nick, queryNick, targetSID,
 	)
 	// 338 RPL_WHOISACTUALLY — oper-only.
 	hdlr.deliverWhoisActually(
 		ctx, clientID, nick, queryNick,
 		sessionID, targetSID,
 	)
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplEndOfWhois, nick,
 		[]string{queryNick},
 		"End of /WHOIS list",
 	)
 	hdlr.broker.Notify(sessionID)
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "ok"},
 		http.StatusOK)
 }
 // whoisNotFound sends the error+end numerics when the
 // target nick is not found.
 func (hdlr *Handlers) whoisNotFound(
 	ctx context.Context,
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
 	nick, queryNick string,
 ) {
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.ErrNoSuchNick, nick,
 		[]string{queryNick},
@@ -2509,45 +2649,65 @@ func (hdlr *Handlers) executeWhois(
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "ok"},
 		http.StatusOK)
 		return
 }
-	// 311 RPL_WHOISUSER
+// deliverWhoisUser sends RPL_WHOISUSER (311) and
 // RPL_WHOISSERVER (312).
 func (hdlr *Handlers) deliverWhoisUser(
 	ctx context.Context,
 	clientID int64,
 	nick, queryNick string,
 	targetSID int64,
 ) {
 	srvName := hdlr.serverName()
 	username := queryNick
 	hostname := srvName
 	hostInfo, hostErr := hdlr.params.Database.
 		GetSessionHostInfo(ctx, targetSID)
 	if hostErr == nil && hostInfo != nil {
 		if hostInfo.Username != "" {
 			username = hostInfo.Username
 		}
 		if hostInfo.Hostname != "" {
 			hostname = hostInfo.Hostname
 		}
 	}
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplWhoisUser, nick,
-		[]string{queryNick, queryNick, srvName, "*"},
+		[]string{queryNick, username, hostname, "*"},
 		queryNick,
 	)
 	// 312 RPL_WHOISSERVER
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplWhoisServer, nick,
 		[]string{queryNick, srvName},
 		"neoirc server",
 	)
 }
-	// 317 RPL_WHOISIDLE
+// deliverWhoisOperator sends RPL_WHOISOPERATOR (313) if
-	hdlr.deliverWhoisIdle(
+// the target has server oper status.
-		ctx, clientID, nick, queryNick, targetSID,
+func (hdlr *Handlers) deliverWhoisOperator(
-	)
+	ctx context.Context,
 	clientID int64,
 	nick, queryNick string,
 	targetSID int64,
 ) {
 	targetIsOper, err := hdlr.params.Database.
 		IsSessionOper(ctx, targetSID)
 	if err != nil || !targetIsOper {
 		return
 	}
 	// 319 RPL_WHOISCHANNELS
 	hdlr.deliverWhoisChannels(
 		ctx, clientID, nick, queryNick, targetSID,
 	)
 	// 318 RPL_ENDOFWHOIS
 	hdlr.enqueueNumeric(
-		ctx, clientID, irc.RplEndOfWhois, nick,
+		ctx, clientID, irc.RplWhoisOperator, nick,
 		[]string{queryNick},
-		"End of /WHOIS list",
+		"is an IRC operator",
 	)
 	hdlr.broker.Notify(sessionID)
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "ok"},
 		http.StatusOK)
 }
 func (hdlr *Handlers) deliverWhoisChannels(
@@ -2575,6 +2735,44 @@ func (hdlr *Handlers) deliverWhoisChannels(
 	)
 }
 // deliverWhoisActually sends RPL_WHOISACTUALLY (338)
 // with the target's current client IP and hostname, but
 // only when the querying session has server oper status
 // (o-line). Non-opers see nothing extra.
 func (hdlr *Handlers) deliverWhoisActually(
 	ctx context.Context,
 	clientID int64,
 	nick, queryNick string,
 	querierSID, targetSID int64,
 ) {
 	isOper, err := hdlr.params.Database.IsSessionOper(
 		ctx, querierSID,
 	)
 	if err != nil || !isOper {
 		return
 	}
 	clientInfo, clErr := hdlr.params.Database.
 		GetLatestClientForSession(ctx, targetSID)
 	if clErr != nil {
 		return
 	}
 	actualHost := clientInfo.Hostname
 	if actualHost == "" {
 		actualHost = clientInfo.IP
 	}
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplWhoisActually, nick,
 		[]string{
 			queryNick,
 			clientInfo.IP,
 		},
 		"is actually using host "+actualHost,
 	)
 }
 // handleWho handles the WHO command.
 func (hdlr *Handlers) handleWho(
 	writer http.ResponseWriter,
@@ -2623,11 +2821,21 @@ func (hdlr *Handlers) handleWho(
 	)
 	if memErr == nil {
 		for _, mem := range members {
 			username := mem.Username
 			if username == "" {
 				username = mem.Nick
 			}
 			hostname := mem.Hostname
 			if hostname == "" {
 				hostname = srvName
 			}
 			// 352 RPL_WHOREPLY
 			hdlr.enqueueNumeric(
 				ctx, clientID, irc.RplWhoReply, nick,
 				[]string{
-					channel, mem.Nick, srvName,
+					channel, username, hostname,
 					srvName, mem.Nick, "H",
 				},
 				"0 "+mem.Nick,
@@ -2851,8 +3059,6 @@ func (hdlr *Handlers) HandleLogout() http.HandlerFunc {
 			)
 		}
 		hdlr.clearAuthCookie(writer, request)
 		hdlr.respondJSON(writer, request,
 			map[string]string{"status": "ok"},
 			http.StatusOK)
@@ -2952,6 +3158,76 @@ func (hdlr *Handlers) HandleServerInfo() http.HandlerFunc {
 	}
 }
 // handleOper handles the OPER command for server operator authentication.
 func (hdlr *Handlers) handleOper(
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
 	nick string,
 	bodyLines func() []string,
 ) {
 	ctx := request.Context()
 	lines := bodyLines()
 	if len(lines) < 2 { //nolint:mnd // name + password
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
 			irc.ErrNeedMoreParams, nick,
 			[]string{irc.CmdOper},
 			"Not enough parameters",
 		)
 		return
 	}
 	operName := lines[0]
 	operPass := lines[1]
 	cfgName := hdlr.params.Config.OperName
 	cfgPass := hdlr.params.Config.OperPassword
 	if cfgName == "" || cfgPass == "" ||
 		subtle.ConstantTimeCompare([]byte(operName), []byte(cfgName)) != 1 ||
 		subtle.ConstantTimeCompare([]byte(operPass), []byte(cfgPass)) != 1 {
 		hdlr.enqueueNumeric(
 			ctx, clientID, irc.ErrNoOperHost, nick,
 			nil, "No O-lines for your host",
 		)
 		hdlr.broker.Notify(sessionID)
 		hdlr.respondJSON(writer, request,
 			map[string]string{"status": "error"},
 			http.StatusOK)
 		return
 	}
 	err := hdlr.params.Database.SetSessionOper(
 		ctx, sessionID, true,
 	)
 	if err != nil {
 		hdlr.log.Error(
 			"set oper failed", "error", err,
 		)
 		hdlr.respondError(
 			writer, request, "internal error",
 			http.StatusInternalServerError,
 		)
 		return
 	}
 	// 381 RPL_YOUREOPER
 	hdlr.enqueueNumeric(
 		ctx, clientID, irc.RplYoureOper, nick,
 		nil, "You are now an IRC operator",
 	)
 	hdlr.broker.Notify(sessionID)
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "ok"},
 		http.StatusOK)
 }
 // handleAway handles the AWAY command. An empty body
 // clears the away status; a non-empty body sets it.
 func (hdlr *Handlers) handleAway(
--- a/internal/handlers/api_test.go
+++ b/internal/handlers/api_test.go
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -5,11 +5,151 @@ import (
 	"net/http"
 	"strings"
-	"git.eeqj.de/sneak/neoirc/pkg/irc"
+	"git.eeqj.de/sneak/neoirc/internal/db"
 )
 const minPasswordLength = 8
 // HandleRegister creates a new user with a password.
 func (hdlr *Handlers) HandleRegister() http.HandlerFunc {
 	return func(
 		writer http.ResponseWriter,
 		request *http.Request,
 	) {
 		request.Body = http.MaxBytesReader(
 			writer, request.Body, hdlr.maxBodySize(),
 		)
 		hdlr.handleRegister(writer, request)
 	}
 }
 func (hdlr *Handlers) handleRegister(
 	writer http.ResponseWriter,
 	request *http.Request,
 ) {
 	type registerRequest struct {
 		Nick     string `json:"nick"`
 		Username string `json:"username,omitempty"`
 		Password string `json:"password"`
 	}
 	var payload registerRequest
 	err := json.NewDecoder(request.Body).Decode(&payload)
 	if err != nil {
 		hdlr.respondError(
 			writer, request,
 			"invalid request body",
 			http.StatusBadRequest,
 		)
 		return
 	}
 	payload.Nick = strings.TrimSpace(payload.Nick)
 	if !validNickRe.MatchString(payload.Nick) {
 		hdlr.respondError(
 			writer, request,
 			"invalid nick format",
 			http.StatusBadRequest,
 		)
 		return
 	}
 	username := resolveUsername(
 		payload.Username, payload.Nick,
 	)
 	if !validUsernameRe.MatchString(username) {
 		hdlr.respondError(
 			writer, request,
 			"invalid username format",
 			http.StatusBadRequest,
 		)
 		return
 	}
 	if len(payload.Password) < minPasswordLength {
 		hdlr.respondError(
 			writer, request,
 			"password must be at least 8 characters",
 			http.StatusBadRequest,
 		)
 		return
 	}
 	hdlr.executeRegister(
 		writer, request,
 		payload.Nick, payload.Password, username,
 	)
 }
 func (hdlr *Handlers) executeRegister(
 	writer http.ResponseWriter,
 	request *http.Request,
 	nick, password, username string,
 ) {
 	remoteIP := clientIP(request)
 	hostname := resolveHostname(
 		request.Context(), remoteIP,
 	)
 	sessionID, clientID, token, err :=
 		hdlr.params.Database.RegisterUser(
 			request.Context(),
 			nick, password, username, hostname, remoteIP,
 		)
 	if err != nil {
 		hdlr.handleRegisterError(
 			writer, request, err,
 		)
 		return
 	}
 	hdlr.stats.IncrSessions()
 	hdlr.stats.IncrConnections()
 	hdlr.deliverMOTD(request, clientID, sessionID, nick)
 	hdlr.respondJSON(writer, request, map[string]any{
 		"id":    sessionID,
 		"nick":  nick,
 		"token": token,
 	}, http.StatusCreated)
 }
 func (hdlr *Handlers) handleRegisterError(
 	writer http.ResponseWriter,
 	request *http.Request,
 	err error,
 ) {
 	if db.IsUniqueConstraintError(err) {
 		hdlr.respondError(
 			writer, request,
 			"nick already taken",
 			http.StatusConflict,
 		)
 		return
 	}
 	hdlr.log.Error(
 		"register user failed", "error", err,
 	)
 	hdlr.respondError(
 		writer, request,
 		"internal error",
 		http.StatusInternalServerError,
 	)
 }
 // HandleLogin authenticates a user with nick and password.
 func (hdlr *Handlers) HandleLogin() http.HandlerFunc {
 	return func(
@@ -58,11 +198,18 @@ func (hdlr *Handlers) handleLogin(
 		return
 	}
 	remoteIP := clientIP(request)
 	hostname := resolveHostname(
 		request.Context(), remoteIP,
 	)
 	sessionID, clientID, token, err :=
 		hdlr.params.Database.LoginUser(
 			request.Context(),
 			payload.Nick,
 			payload.Password,
 			remoteIP, hostname,
 		)
 	if err != nil {
 		hdlr.respondError(
@@ -86,66 +233,9 @@ func (hdlr *Handlers) handleLogin(
 		request, clientID, sessionID, payload.Nick,
 	)
 	hdlr.setAuthCookie(writer, request, token)
 	hdlr.respondJSON(writer, request, map[string]any{
 		"id":    sessionID,
 		"nick":  payload.Nick,
 		"token": token,
 	}, http.StatusOK)
 }
 // handlePass handles the IRC PASS command to set a
 // password on the authenticated session, enabling
 // multi-client login via POST /api/v1/login.
 func (hdlr *Handlers) handlePass(
 	writer http.ResponseWriter,
 	request *http.Request,
 	sessionID, clientID int64,
 	nick string,
 	bodyLines func() []string,
 ) {
 	lines := bodyLines()
 	if len(lines) == 0 || lines[0] == "" {
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
 			irc.ErrNeedMoreParams, nick,
 			[]string{irc.CmdPass},
 			"Not enough parameters",
 		)
 		return
 	}
 	password := lines[0]
 	if len(password) < minPasswordLength {
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
 			irc.ErrNeedMoreParams, nick,
 			[]string{irc.CmdPass},
 			"Password must be at least 8 characters",
 		)
 		return
 	}
 	err := hdlr.params.Database.SetPassword(
 		request.Context(), sessionID, password,
 	)
 	if err != nil {
 		hdlr.log.Error(
 			"set password failed", "error", err,
 		)
 		hdlr.respondError(
 			writer, request,
 			"internal error",
 			http.StatusInternalServerError,
 		)
 		return
 	}
 	hdlr.respondJSON(writer, request,
 		map[string]string{"status": "ok"},
 		http.StatusOK)
 }
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -126,23 +126,18 @@ func (mware *Middleware) Logging() func(http.Handler) http.Handler {
 }
 // CORS returns middleware that handles Cross-Origin Resource Sharing.
 // AllowCredentials is true so browsers include cookies in
 // cross-origin API requests.
 func (mware *Middleware) CORS() func(http.Handler) http.Handler {
 	return cors.Handler(cors.Options{ //nolint:exhaustruct // optional fields
-		AllowOriginFunc: func(
+		AllowedOrigins: []string{"*"},
 			_ *http.Request, _ string,
 		) bool {
 			return true
 		},
 		AllowedMethods: []string{
 			"GET", "POST", "PUT", "DELETE", "OPTIONS",
 		},
 		AllowedHeaders: []string{
-			"Accept", "Content-Type", "X-CSRF-Token",
+			"Accept", "Authorization",
 			"Content-Type", "X-CSRF-Token",
 		},
 		ExposedHeaders:   []string{"Link"},
-		AllowCredentials: true,
+		AllowCredentials: false,
 		MaxAge:           corsMaxAge,
 	})
 }
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -75,6 +75,10 @@ func (srv *Server) setupAPIv1(router chi.Router) {
 		"/session",
 		srv.handlers.HandleCreateSession(),
 	)
 	router.Post(
 		"/register",
 		srv.handlers.HandleRegister(),
 	)
 	router.Post(
 		"/login",
 		srv.handlers.HandleLogin(),
--- a/pkg/irc/commands.go
+++ b/pkg/irc/commands.go
@@ -11,7 +11,7 @@ const (
 	CmdNames   = "NAMES"
 	CmdNick    = "NICK"
 	CmdNotice  = "NOTICE"
-	CmdPass    = "PASS"
+	CmdOper    = "OPER"
 	CmdPart    = "PART"
 	CmdPing    = "PING"
 	CmdPong    = "PONG"
--- a/pkg/irc/numerics.go
+++ b/pkg/irc/numerics.go
@@ -132,6 +132,7 @@ const (
 	RplNoTopic         IRCMessageType = 331
 	RplTopic           IRCMessageType = 332
 	RplTopicWhoTime    IRCMessageType = 333
 	RplWhoisActually   IRCMessageType = 338
 	RplInviting        IRCMessageType = 341
 	RplSummoning       IRCMessageType = 342
 	RplInviteList      IRCMessageType = 346
@@ -295,6 +296,7 @@ var names = map[IRCMessageType]string{
 	RplNoTopic:         "RPL_NOTOPIC",
 	RplTopic:           "RPL_TOPIC",
 	RplTopicWhoTime:    "RPL_TOPICWHOTIME",
 	RplWhoisActually:   "RPL_WHOISACTUALLY",
 	RplInviting:        "RPL_INVITING",
 	RplSummoning:       "RPL_SUMMONING",
 	RplInviteList:      "RPL_INVITELIST",
Author	SHA1	Message	Date
user	6244cf039d	makefile: rerun tests with -v only on failure All checks were successful check / check (push) Successful in 1m31s Details	2026-03-17 20:31:51 -07:00
clawbot	3e6dc108db	fix: speed up tests and reduce output verbosity All checks were successful check / check (push) Successful in 58s Details - Use bcrypt.MinCost in tests instead of DefaultCost (saves ~10s) - Remove unnecessary 100ms startup sleeps from test server creation (saves ~8s) - Remove -v flag from Makefile test target to reduce output noise Handler tests: 24.4s → 13.8s, DB tests: 2.6s → 1.5s Total make test: 38s → 28s (well under 30s timeout)	2026-03-17 20:23:52 -07:00
user	67460ea6b2	fix: use timing-safe comparison for OPER credentials Some checks failed check / check (push) Failing after 1m49s Details Replace plain != string comparison with crypto/subtle.ConstantTimeCompare for both operator name and password checks in handleOper to prevent timing-based side-channel attacks. Closes review feedback on PR #82.	2026-03-17 19:42:44 -07:00
user	b7999b201f	fix: correct misplaced doc comments for handleOper and handleAway	2026-03-17 19:42:44 -07:00
clawbot	d85956ca1a	feat: add OPER command and oper-only WHOIS client info - Add OPER command with NEOIRC_OPER_NAME/NEOIRC_OPER_PASSWORD config - Add is_oper column to sessions table - Add RPL_WHOISACTUALLY (338): show client IP/hostname to opers - Add RPL_WHOISOPERATOR (313): show oper status in WHOIS - Add GetOperCount for accurate LUSERS oper count - Fix README schema: add ip/is_oper to sessions, ip/hostname to clients - Add OPER command documentation and numeric references to README - Refactor executeWhois to stay under funlen limit - Add comprehensive tests for OPER auth, oper WHOIS, non-oper WHOIS Closes #81	2026-03-17 19:42:44 -07:00
user	58f958c8d3	fix: include hostmask in NAMES replies (RPL_NAMREPLY)	2026-03-17 19:42:26 -07:00
user	0fef7929ad	add IP to sessions, IP+hostname to clients - Add ip column to sessions table (real client IP of session creator) - Add ip and hostname columns to clients table (per-connection tracking) - Update CreateSession, RegisterUser, LoginUser to store new fields - Add GetClientHostInfo query method - Update SessionHostInfo to include IP - Extract executeCreateSession to fix funlen lint - Add tests for session IP, client IP/hostname, login client tracking - Update README with new field documentation	2026-03-17 19:41:25 -07:00
user	c4652728b8	feat: add username/hostname support with IRC hostmask format - Add username and hostname columns to sessions table (001_initial.sql) - Accept optional username field in session creation and registration endpoints; defaults to nick if not provided - Resolve hostname via reverse DNS of connecting client IP at session creation time (supports X-Forwarded-For and X-Real-IP headers) - Display real username and hostname in WHOIS (311 RPL_WHOISUSER) and WHO (352 RPL_WHOREPLY) responses instead of nick/servername - Add FormatHostmask helper for nick!user@host format - Add SessionHostInfo type and GetSessionHostInfo query - Include username/hostname in MemberInfo and ChannelMembers results - Extract validateHashcash and resolveUsername helpers to stay under funlen limits - Add comprehensive unit tests for all new DB functions, hostmask formatting, and integration tests for WHOIS/WHO responses - Update README with hostmask documentation, new API fields, and updated schema reference	2026-03-17 19:41:25 -07:00