go-socket/TODO.md
2026-03-26 20:47:17 +01:00

TODO — Code Logic Errors

Critical

  • Login: nil pointer dereference (http.go:111): CacheGetClientByName returns nil on a cache miss, and DbSetClientByName is then called with that nil client, which panics. Login should query the DB by username directly.

  • Login: password never verified (http.go:87-131): There is no call to PasswordVerify/bcrypt.CompareHashAndPassword, so anyone with a valid username can log in.

High

  • Login: validates username length instead of password (http.go:98): if len(username) < 8 should be if len(password) < 8. The password is never length-checked.

  • DB: missing & in Scan for pronouns (database.go:87): client.Pronouns should be &client.Pronouns. Compare with DbSetClientById, which does it correctly.

  • WS: 30s context kills entire connection (wsServer.go:23): A single 30s timeout context is shared across all reads in the loop, so the connection dies once it expires. Should use per-read deadlines or context.Background() for the loop.
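
The three Login items above (nil client on cache miss, password never verified, length check on the wrong field) can be fixed together. The sketch below is an added example, not the project's code: Client, Store, lookup, Login, toyVerify and demoStore are hypothetical names, and the verify parameter stands in for PasswordVerify / bcrypt.CompareHashAndPassword.

```go
package main

import (
	"errors"
	"fmt"
)

// Client and Store are hypothetical stand-ins for the project's types.
type Client struct {
	Id                 int
	Name, PasswordHash string
}
type Store struct{ cache, db map[string]*Client }

var ErrBadCredentials = errors.New("invalid username or password")

// lookup tries the cache, then queries the DB by username on a miss.
func (s *Store) lookup(username string) *Client {
	if c := s.cache[username]; c != nil {
		return c
	}
	return s.db[username] // nil if the user does not exist
}

// Login succeeds only when verify accepts the password for the stored hash.
// verify stands in for PasswordVerify / bcrypt.CompareHashAndPassword.
func Login(s *Store, username, password string, verify func(hash, pw string) bool) (*Client, error) {
	if len(password) < 8 { // length check on the password, not the username
		return nil, ErrBadCredentials
	}
	c := s.lookup(username)
	if c == nil || !verify(c.PasswordHash, password) {
		return nil, ErrBadCredentials // same error for unknown user and bad password
	}
	return c, nil
}

// toyVerify is a constructed test double, NOT a real password hash check.
func toyVerify(hash, pw string) bool { return hash == "toy:"+pw }

func demoStore() *Store {
	db := map[string]*Client{"alice": {Id: 1, Name: "alice", PasswordHash: "toy:correct-horse"}}
	return &Store{cache: map[string]*Client{}, db: db}
}

func main() {
	_, err := Login(demoStore(), "alice", "wrong-password", toyVerify)
	fmt.Println(err)
}
```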

Medium

  • NewUser: missing return after bad color error (http.go:54-56): On a parseRgb error, http.Error is called but execution continues with color = [0,0,0].

  • WS: unauthenticated disconnect deletes ID=0 from cache (wsServer.go:115): closeConnection calls CacheDeleteClient(client.Id), but unauthenticated clients have Id=0, so this wipes whatever sits at key 0.

Low

  • CacheSetGroup is a no-op (cache.go:59): The function body is empty. The Groups cache is never populated, so every CacheGetGroup call misses and falls back to the DB.