# TODO — Code Logic Errors

## Critical

- [ ] **Login: nil pointer dereference** (`http.go:111`)
  `CacheGetClientByName` returns `nil` on miss, then `DbSetClientByName` is called with that nil `client` → panic. Should query DB by username directly.
- [ ] **Login: password never verified** (`http.go:87–131`)
  No call to `PasswordVerify`/`bcrypt.CompareHashAndPassword`. Anyone with a valid username can log in.

## High

- [ ] **Login: validates `username` length instead of `password`** (`http.go:98`)
  `if len(username) < 8` should be `if len(password) < 8`. Password is never length-checked.
- [ ] **DB: missing `&` in `Scan` for `pronouns`** (`database.go:87`)
  `client.Pronouns` should be `&client.Pronouns`. Compare with `DbSetClientById` which does it correctly.
- [ ] **WS: 30s context kills entire connection** (`wsServer.go:23`)
  A single 30s timeout context is shared across all reads in the loop. Should use per-read deadlines or `context.Background()` for the loop.

## Medium

- [ ] **NewUser: missing `return` after bad color error** (`http.go:54–56`)
  On `parseRgb` error, `http.Error` is called but execution continues with `color = [0,0,0]`.
- [ ] **WS: unauth disconnect deletes ID=0 from cache** (`wsServer.go:115`)
  `closeConnection` calls `CacheDeleteClient(client.Id)` but unauthenticated clients have `Id=0`, wiping whatever sits at key 0.

## Low

- [ ] **`CacheSetGroup` is a no-op** (`cache.go:59`)
  Function body is empty. The `Groups` cache is never populated, so every `CacheGetGroup` call misses and falls back to DB.
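
The `wsServer.go:23` item (one timeout context shared by every read) next to the per-read-deadline fix, as an added example that is not the project's own code. `client` and `readLoop` are hypothetical names, a channel stands in for the WebSocket read, and the 200 ms timeout and 20 ms message gap are constructed values scaled down from the 30s in the item.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"time"
)

// client emits n constructed messages, one every gap, then closes.
func client(n int, gap time.Duration) <-chan string {
	ch := make(chan string, n) // buffered: the sender never blocks or leaks
	go func() {
		defer close(ch)
		for i := 0; i < n; i++ {
			time.Sleep(gap)
			ch <- fmt.Sprintf("msg-%d", i)
		}
	}()
	return ch
}

// readLoop counts messages until the connection ends. perRead=false is the
// bug (one deadline for the whole connection); perRead=true renews the
// deadline before every read, so only an idle client times out.
func readLoop(msgs <-chan string, timeout time.Duration, perRead bool) (int, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer func() { cancel() }()
	for n := 0; ; n++ {
		if perRead {
			cancel()
			ctx, cancel = context.WithTimeout(context.Background(), timeout)
		}
		select { // stands in for a blocking WebSocket read
		case _, ok := <-msgs:
			if !ok {
				return n, io.EOF // peer closed the connection
			}
		case <-ctx.Done():
			return n, ctx.Err()
		}
	}
}

func main() {
	fmt.Println(readLoop(client(15, 20*time.Millisecond), 200*time.Millisecond, false))
	fmt.Println(readLoop(client(15, 20*time.Millisecond), 200*time.Millisecond, true))
}
```

With the shared context an active client is cut off mid-stream once the total timeout elapses; with per-read deadlines the same client is read to completion, and the idle timeout still applies to a silent peer.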