add TODO
This commit is contained in:
@@ -0,0 +1,33 @@
|
|||||||
|
# TODO — Code Logic Errors
|
||||||
|
|
||||||
|
## Critical
|
||||||
|
|
||||||
|
- [ ] **Login: nil pointer dereference** (`http.go:111`)
|
||||||
|
`CacheGetClientByName` returns `nil` on miss, then `DbSetClientByName` is called with that nil `client` → panic. Should query DB by username directly.
|
||||||
|
|
||||||
|
- [ ] **Login: password never verified** (`http.go:87–131`)
|
||||||
|
No call to `PasswordVerify`/`bcrypt.CompareHashAndPassword`. Anyone with a valid username can log in.
|
||||||
|
|
||||||
|
## High
|
||||||
|
|
||||||
|
- [ ] **Login: validates `username` length instead of `password`** (`http.go:98`)
|
||||||
|
`if len(username) < 8` should be `if len(password) < 8`. Password is never length-checked.
|
||||||
|
|
||||||
|
- [ ] **DB: missing `&` in `Scan` for `pronouns`** (`database.go:87`)
|
||||||
|
`client.Pronouns` should be `&client.Pronouns`. Compare with `DbSetClientById` which does it correctly.
|
||||||
|
|
||||||
|
- [ ] **WS: 30s context kills entire connection** (`wsServer.go:23`)
|
||||||
|
A single 30s timeout context is shared across all reads in the loop. Should use per-read deadlines or `context.Background()` for the loop.
|
||||||
|
|
||||||
|
## Medium
|
||||||
|
|
||||||
|
- [ ] **NewUser: missing `return` after bad color error** (`http.go:54–56`)
|
||||||
|
On `parseRgb` error, `http.Error` is called but execution continues with `color = [0,0,0]`.
|
||||||
|
|
||||||
|
- [ ] **WS: unauth disconnect deletes ID=0 from cache** (`wsServer.go:115`)
|
||||||
|
`closeConnection` calls `CacheDeleteClient(client.Id)` but unauthenticated clients have `Id=0`, wiping whatever sits at key 0.
|
||||||
|
|
||||||
|
## Low
|
||||||
|
|
||||||
|
- [ ] **`CacheSetGroup` is a no-op** (`cache.go:59`)
|
||||||
|
Function body is empty. The `Groups` cache is never populated, so every `CacheGetGroup` call misses and falls back to DB.
|
||||||
Reference in New Issue
Block a user