morz-infoboard

History

Jesko Anschütz cea393c1a0 Auth Phase 1 Review: Fix 3 critical bugs in auth foundation 1. [SQL] Fix username uniqueness constraint - Changed from global unique to composite unique(tenant_id, username) - Multi-tenant apps need same usernames across tenants (e.g., each tenant can have 'admin') 2. [Go] Fix inconsistent error handling in scanSession - Now returns pgx.ErrNoRows when session not found (like scanUser) - Allows proper 404 vs 500 error distinction in handlers 3. [Go] Add missing VerifyPassword function - Implements bcrypt.CompareHashAndPassword for password verification - Enables login flow with proper error handling for missing users - Paired with existing GenerateFromPassword for secure password hashing Security checks: - SQL injection: All queries parameterized (no string interpolation) - bcrypt: Cost factor 12 (production-recommended) - Session tokens: PostgreSQL gen_random_uuid() (cryptographically secure) - Password hashes: Protected with json:"-" tag (never exposed in responses) - Error handling: Comprehensive, no silent failures Build & Vet: All checks pass (go build ./..., go vet ./...) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-23 15:37:18 +01:00
..
migrations	Auth Phase 1 Review: Fix 3 critical bugs in auth foundation	2026-03-23 15:37:18 +01:00
db.go	Baue Ebene 2: PostgreSQL-Backend, Medien-Upload und Playlist-UI	2026-03-22 22:53:00 +01:00

Jesko Anschütz cea393c1a0 Auth Phase 1 Review: Fix 3 critical bugs in auth foundation

1. [SQL] Fix username uniqueness constraint
   - Changed from global unique to composite unique(tenant_id, username)
   - Multi-tenant apps need same usernames across tenants (e.g., each tenant can have 'admin')

2. [Go] Fix inconsistent error handling in scanSession
   - Now returns pgx.ErrNoRows when session not found (like scanUser)
   - Allows proper 404 vs 500 error distinction in handlers

3. [Go] Add missing VerifyPassword function
   - Implements bcrypt.CompareHashAndPassword for password verification
   - Enables login flow with proper error handling for missing users
   - Paired with existing GenerateFromPassword for secure password hashing

Security checks:
- SQL injection: All queries parameterized (no string interpolation)
- bcrypt: Cost factor 12 (production-recommended)
- Session tokens: PostgreSQL gen_random_uuid() (cryptographically secure)
- Password hashes: Protected with json:"-" tag (never exposed in responses)
- Error handling: Comprehensive, no silent failures

Build & Vet: All checks pass (go build ./..., go vet ./...)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-23 15:37:18 +01:00

migrations

Auth Phase 1 Review: Fix 3 critical bugs in auth foundation

2026-03-23 15:37:18 +01:00

db.go

Baue Ebene 2: PostgreSQL-Backend, Medien-Upload und Playlist-UI

2026-03-22 22:53:00 +01:00