mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-05 13:29:44 +02:00
* refactor(server): make ParseUUID error-returning to prevent silent data loss (MUL-1410) util.ParseUUID previously swallowed errors and returned a zero pgtype.UUID on invalid input. When this zero UUID reached a write query (DELETE/UPDATE), the SQL matched zero rows and the handler returned 2xx success — producing silent data corruption. #1661 (DeleteIssue with identifier-style ID) was the visible symptom; PR #1680 patched that one site, this commit closes the class of bug. Changes: - util.ParseUUID now returns (pgtype.UUID, error). Add util.MustParseUUID for trusted round-trips that should panic on invalid input. - handler/handler.go: parseUUID wrapper now calls MustParseUUID — any unguarded user-input string reaching it surfaces as a recovered panic (chi middleware.Recoverer → 500) instead of silently corrupting data. Add parseUUIDOrBadRequest(w, s, fieldName) for handler entry points. - Convert every Queries.Delete*/Update* call site reachable from raw user input (autopilot, comment, project, skill, skill_file, label, pin, attachment, feedback, issue assignee, daemon runtime, workspace) to validate UUIDs explicitly with parseUUIDOrBadRequest, returning 400 on invalid input. Where a resolved entity.ID is already in scope, write queries now use it directly instead of re-parsing the URL string. - Update getWorkspaceMember + loadIssueForUser to handle invalid UUIDs gracefully (404/400 instead of panic). - Update util/middleware/cmd-level callers (subscriber_listeners, notification_listeners, activity_listeners, scope_authorizer, middleware/workspace) to use the error-returning API. - Add server/internal/util/pgx_test.go covering valid/invalid input and the MustParseUUID panic contract. - Add TestDeleteIssueByIdentifier + TestDeleteIssueRejectsInvalidUUID regression tests in handler_test.go (the original #1661 bug + the invalid-input case). - Document the handler UUID parsing convention in CLAUDE.md so the rule is enforceable in future PR review. * fix(server): address GPT-Boy review of #1748 P1 fixes from PR #1748 review: 1. Migrate remaining request-boundary UUIDs to parseUUIDOrBadRequest so malformed input returns 400 instead of panic/500. Was missing on: - issue.go: workspace_id in CreateIssue/ChildIssueProgress/ListIssues/ SearchIssues/BatchUpdateIssues/BatchDeleteIssues; project_id / parent_issue_id / lead_id / assignee_id / assignee_ids / creator_id filters; batch issue_ids and assignee/parent/project fields in BatchUpdateIssues (skip on bad input via util.ParseUUID, matching the existing per-row continue semantics). - project.go: project id + workspace_id in GetProject/UpdateProject/ DeleteProject; lead_id in CreateProject/UpdateProject; workspace_id in ListProjects + SearchProjects. - handler.go: resolveActor now uses util.ParseUUID for X-Agent-ID / X-Task-ID headers; invalid UUID falls back to "member" (matches pre-existing semantics) instead of panicking. - issue.go: validateAssigneePair returns 400 on invalid workspace_id instead of panicking. 2. Fix issue:deleted WS event payloads to emit uuidToString(issue.ID) instead of the raw URL string. After an identifier-path delete ("MUL-7"), the previous payload would have leaked the identifier to subscribers, leaving stale entries in frontend caches that key by UUID. Updated DeleteIssue (issue.go:1341) and BatchDeleteIssues (issue.go:1641). The slog "issue deleted" log line also now records the resolved UUID so logs match the WS payload. 3. Extend TestDeleteIssueByIdentifier to subscribe to the bus and assert issue:deleted.payload.issue_id is the resolved UUID, not the identifier. * fix(server): validate remaining reviewed UUID inputs * fix(server): validate remaining handler UUID inputs * fix(server): finish request boundary UUID audit * fix(server): validate remaining request body UUIDs * fix(server): validate runtime path UUIDs * fix(server): validate remaining audit UUID inputs --------- Co-authored-by: Eve <eve@multica.ai>
134 lines
4.1 KiB
Go
134 lines
4.1 KiB
Go
package handler
|
|
|
|
import (
|
|
"encoding/json"
|
|
"log/slog"
|
|
"net/http"
|
|
"regexp"
|
|
"strings"
|
|
|
|
"github.com/jackc/pgx/v5/pgtype"
|
|
"github.com/multica-ai/multica/server/internal/analytics"
|
|
"github.com/multica-ai/multica/server/internal/logger"
|
|
"github.com/multica-ai/multica/server/internal/middleware"
|
|
db "github.com/multica-ai/multica/server/pkg/db/generated"
|
|
)
|
|
|
|
// feedbackImageRegex is a coarse check for markdown image syntax .
|
|
// It exists only to set the `has_images` analytics flag — we don't need a
|
|
// full markdown parser; a false positive on a literal "![" in prose is
|
|
// acceptable for a support-triage signal.
|
|
var feedbackImageRegex = regexp.MustCompile(`!\[[^\]]*\]\([^)]+\)`)
|
|
|
|
const (
|
|
feedbackMaxMessageLen = 10000
|
|
feedbackHourlyRateLimit = 10
|
|
// feedbackBodyLimit caps the request body at 64 KiB. Message is capped at
|
|
// 10k chars separately; the extra budget covers JSON overhead plus the
|
|
// optional url/workspace_id fields without letting an authenticated client
|
|
// POST megabytes of junk into the metadata JSONB column.
|
|
feedbackBodyLimit = 64 * 1024
|
|
)
|
|
|
|
type CreateFeedbackRequest struct {
|
|
Message string `json:"message"`
|
|
URL string `json:"url"`
|
|
WorkspaceID *string `json:"workspace_id,omitempty"`
|
|
}
|
|
|
|
type FeedbackResponse struct {
|
|
ID string `json:"id"`
|
|
CreatedAt string `json:"created_at"`
|
|
}
|
|
|
|
func (h *Handler) CreateFeedback(w http.ResponseWriter, r *http.Request) {
|
|
userID, ok := requireUserID(w, r)
|
|
if !ok {
|
|
return
|
|
}
|
|
|
|
r.Body = http.MaxBytesReader(w, r.Body, feedbackBodyLimit)
|
|
var req CreateFeedbackRequest
|
|
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
|
writeError(w, http.StatusBadRequest, "invalid request body")
|
|
return
|
|
}
|
|
|
|
message := strings.TrimSpace(req.Message)
|
|
if message == "" {
|
|
writeError(w, http.StatusBadRequest, "message is required")
|
|
return
|
|
}
|
|
if len(message) > feedbackMaxMessageLen {
|
|
writeError(w, http.StatusBadRequest, "message too long")
|
|
return
|
|
}
|
|
|
|
// Per-user rate limit: hourly cap on feedback submissions. DB-backed so it
|
|
// survives process restarts and works across multiple instances without a
|
|
// shared cache — cost is one cheap indexed count per submit.
|
|
count, err := h.Queries.CountRecentFeedbackByUser(r.Context(), parseUUID(userID))
|
|
if err != nil {
|
|
slog.Warn("count recent feedback failed", append(logger.RequestAttrs(r), "error", err)...)
|
|
writeError(w, http.StatusInternalServerError, "failed to check rate limit")
|
|
return
|
|
}
|
|
if count >= feedbackHourlyRateLimit {
|
|
writeError(w, http.StatusTooManyRequests, "too many feedback submissions, please try again later")
|
|
return
|
|
}
|
|
|
|
platform, version, clientOS := middleware.ClientMetadataFromContext(r.Context())
|
|
metadata := map[string]any{
|
|
"url": req.URL,
|
|
"platform": platform,
|
|
"version": version,
|
|
"os": clientOS,
|
|
"user_agent": r.UserAgent(),
|
|
}
|
|
metaBytes, err := json.Marshal(metadata)
|
|
if err != nil {
|
|
// Impossible in practice — map[string]any with primitive values never
|
|
// fails to marshal — but fall through with an empty object rather than
|
|
// 500ing on a non-critical field.
|
|
metaBytes = []byte("{}")
|
|
}
|
|
|
|
var workspaceID pgtype.UUID
|
|
if req.WorkspaceID != nil && *req.WorkspaceID != "" {
|
|
ws, ok := parseUUIDOrBadRequest(w, *req.WorkspaceID, "workspace_id")
|
|
if !ok {
|
|
return
|
|
}
|
|
workspaceID = ws
|
|
}
|
|
|
|
fb, err := h.Queries.CreateFeedback(r.Context(), db.CreateFeedbackParams{
|
|
UserID: parseUUID(userID),
|
|
Message: message,
|
|
Metadata: metaBytes,
|
|
WorkspaceID: workspaceID,
|
|
})
|
|
if err != nil {
|
|
slog.Warn("create feedback failed", append(logger.RequestAttrs(r), "error", err)...)
|
|
writeError(w, http.StatusInternalServerError, "failed to submit feedback")
|
|
return
|
|
}
|
|
|
|
slog.Info("feedback submitted", append(logger.RequestAttrs(r), "feedback_id", uuidToString(fb.ID))...)
|
|
|
|
h.Analytics.Capture(analytics.FeedbackSubmitted(
|
|
userID,
|
|
uuidToString(fb.WorkspaceID),
|
|
len(message),
|
|
feedbackImageRegex.MatchString(message),
|
|
platform,
|
|
version,
|
|
))
|
|
|
|
writeJSON(w, http.StatusCreated, FeedbackResponse{
|
|
ID: uuidToString(fb.ID),
|
|
CreatedAt: timestampToString(fb.CreatedAt),
|
|
})
|
|
}
|