feat: auth service + security audit fixes + cleanup legacy services

Major changes: - Add auth-svc: JWT auth, register/login/refresh, password reset - Add auth UI: modals, pages (/login, /register, /forgot-password) - Add usage tracking (usage_metrics table, daily limits) - Add tiered rate limiting (free/pro/business) - Add LLM usage limits per tier Security fixes: - All repos now require userID for Update/Delete operations - JWT middleware in chat-svc, llm-svc, agent-svc, discover-svc - ErrNotFound/ErrForbidden errors for proper access control Cleanup: - Remove legacy TypeScript services/ directory - Remove computer-svc (to be reimplemented) - Remove old deploy/docker configs New files: - backend/cmd/auth-svc/main.go - backend/internal/auth/{types,repository}.go - backend/internal/usage/{types,repository}.go - backend/pkg/middleware/{llm_limits,ratelimit_tiered}.go - backend/webui/src/components/auth/* - backend/webui/src/app/(auth)/* Made-with: Cursor
2026-02-28 01:33:49 +03:00
parent 120fbbaafb
commit a0e3748dde
523 changed files with 10776 additions and 59630 deletions
--- a/backend/internal/db/thread_repo.go
+++ b/backend/internal/db/thread_repo.go
@@ -4,9 +4,15 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
+	"errors"
 	"time"
 )

+var (
+	ErrNotFound  = errors.New("resource not found")
+	ErrForbidden = errors.New("access denied")
+)
+
 type Thread struct {
 	ID          string          `json:"id"`
 	UserID      string          `json:"userId"`
@@ -176,30 +182,63 @@ func (r *ThreadRepository) GetByUserID(ctx context.Context, userID string, limit
 	return threads, nil
 }

-func (r *ThreadRepository) Update(ctx context.Context, t *Thread) error {
+func (r *ThreadRepository) Update(ctx context.Context, t *Thread, userID string) error {
 	query := `
 		UPDATE threads 
 		SET title = $2, focus_mode = $3, is_public = $4, updated_at = NOW()
-		WHERE id = $1
+		WHERE id = $1 AND user_id = $5
 	`
-	_, err := r.db.db.ExecContext(ctx, query, t.ID, t.Title, t.FocusMode, t.IsPublic)
-	return err
+	result, err := r.db.db.ExecContext(ctx, query, t.ID, t.Title, t.FocusMode, t.IsPublic, userID)
+	if err != nil {
+		return err
+	}
+	rows, _ := result.RowsAffected()
+	if rows == 0 {
+		return ErrNotFound
+	}
+	return nil
 }

-func (r *ThreadRepository) SetShareID(ctx context.Context, threadID, shareID string) error {
-	_, err := r.db.db.ExecContext(ctx,
-		"UPDATE threads SET share_id = $2, is_public = true WHERE id = $1",
-		threadID, shareID,
+func (r *ThreadRepository) SetShareID(ctx context.Context, threadID, shareID, userID string) error {
+	result, err := r.db.db.ExecContext(ctx,
+		"UPDATE threads SET share_id = $2, is_public = true WHERE id = $1 AND user_id = $3",
+		threadID, shareID, userID,
 	)
-	return err
+	if err != nil {
+		return err
+	}
+	rows, _ := result.RowsAffected()
+	if rows == 0 {
+		return ErrNotFound
+	}
+	return nil
 }

-func (r *ThreadRepository) Delete(ctx context.Context, id string) error {
-	_, err := r.db.db.ExecContext(ctx, "DELETE FROM threads WHERE id = $1", id)
-	return err
+func (r *ThreadRepository) Delete(ctx context.Context, id, userID string) error {
+	result, err := r.db.db.ExecContext(ctx, "DELETE FROM threads WHERE id = $1 AND user_id = $2", id, userID)
+	if err != nil {
+		return err
+	}
+	rows, _ := result.RowsAffected()
+	if rows == 0 {
+		return ErrNotFound
+	}
+	return nil
 }

-func (r *ThreadRepository) AddMessage(ctx context.Context, msg *ThreadMessage) error {
+func (r *ThreadRepository) AddMessage(ctx context.Context, msg *ThreadMessage, userID string) error {
+	var ownerID string
+	err := r.db.db.QueryRowContext(ctx, "SELECT user_id FROM threads WHERE id = $1", msg.ThreadID).Scan(&ownerID)
+	if err == sql.ErrNoRows {
+		return ErrNotFound
+	}
+	if err != nil {
+		return err
+	}
+	if ownerID != userID {
+		return ErrForbidden
+	}
+
 	sourcesJSON, _ := json.Marshal(msg.Sources)
 	widgetsJSON, _ := json.Marshal(msg.Widgets)
 	relatedJSON, _ := json.Marshal(msg.RelatedQuestions)
@@ -209,7 +248,7 @@ func (r *ThreadRepository) AddMessage(ctx context.Context, msg *ThreadMessage) e
 		VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
 		RETURNING id, created_at
 	`
-	err := r.db.db.QueryRowContext(ctx, query,
+	err = r.db.db.QueryRowContext(ctx, query,
 		msg.ThreadID, msg.Role, msg.Content, sourcesJSON, widgetsJSON, relatedJSON, msg.Model, msg.TokensUsed,
 	).Scan(&msg.ID, &msg.CreatedAt)

@@ -220,7 +259,20 @@ func (r *ThreadRepository) AddMessage(ctx context.Context, msg *ThreadMessage) e
 	return err
 }

-func (r *ThreadRepository) GetMessages(ctx context.Context, threadID string, limit, offset int) ([]ThreadMessage, error) {
+func (r *ThreadRepository) GetMessages(ctx context.Context, threadID, userID string, limit, offset int) ([]ThreadMessage, error) {
+	var ownerID string
+	var isPublic bool
+	err := r.db.db.QueryRowContext(ctx, "SELECT user_id, is_public FROM threads WHERE id = $1", threadID).Scan(&ownerID, &isPublic)
+	if err == sql.ErrNoRows {
+		return nil, ErrNotFound
+	}
+	if err != nil {
+		return nil, err
+	}
+	if ownerID != userID && !isPublic {
+		return nil, ErrForbidden
+	}
+
 	query := `
 		SELECT id, thread_id, role, content, sources, widgets, related_questions, model, tokens_used, created_at
 		FROM thread_messages 
@@ -257,14 +309,21 @@ func (r *ThreadRepository) GetMessages(ctx context.Context, threadID string, lim
 	return messages, nil
 }

-func (r *ThreadRepository) GenerateTitle(ctx context.Context, threadID, firstMessage string) error {
+func (r *ThreadRepository) GenerateTitle(ctx context.Context, threadID, firstMessage, userID string) error {
 	title := firstMessage
 	if len(title) > 100 {
 		title = title[:97] + "..."
 	}
-	_, err := r.db.db.ExecContext(ctx,
-		"UPDATE threads SET title = $2 WHERE id = $1",
-		threadID, title,
+	result, err := r.db.db.ExecContext(ctx,
+		"UPDATE threads SET title = $2 WHERE id = $1 AND user_id = $3",
+		threadID, title, userID,
 	)
-	return err
+	if err != nil {
+		return err
+	}
+	rows, _ := result.RowsAffected()
+	if rows == 0 {
+		return ErrNotFound
+	}
+	return nil
 }