Hardening audit: identity N+1, PII log scrubbing, dead IsMuted column, dashboard refresh timeout#1300
Merged
Conversation
…lesAsync lookup GetUserRolesAsync issued one membership query per role in the tenant (N+1). One GetRolesAsync call now feeds a case-insensitive set lookup, matching ASP.NET Identity's normalized-name comparison semantics. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…lates PII minimization: user registration, token generation, and welcome-email failure logs now identify users by the pseudonymous UserId only. The email previously rode along in three message templates and flowed into every exported log sink. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…ct, and schema The property was get-only and never set anywhere, so it always serialized as false: dead weight in the domain, ChannelMemberDto, the dashboard client type, and a chat.ChannelMembers column. Removed end-to-end with migration DropChannelMemberIsMuted. Deliberate contract change: ChannelMemberDto loses a field no consumer ever read (verified across both React apps and all tests). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…r chat error toasts
- refreshAccessToken now aborts after the standard 30s timeout; a stalled refresh previously hung the shared refreshPromise and every queued 401-retry behind it (admin already had this guard).
- Ticket comment composer passes the body through mutate(arg) instead of closed-over state (golden rule #9) and gains an aria-label.
- Chat DM/delete/pin failure toasts now include the ProblemDetails description instead of a bare generic message.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
No codegen step exists - API types are hand-written per the frontend conventions. The dependency only created false expectations. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
What
Output of a full-stack hardening audit (authz/tenant-isolation > performance > clean code > frontend > IaC). Five parallel audit sweeps, every finding re-verified against code before fixing. Headline: no authorization or tenant-isolation issues exist — all historical security fixes re-verified PASS, and a fresh sweep of all 168 endpoints found no gaps.
Fixes
- GetUserRolesAsync issued one IsInRoleAsync DB round-trip per role (N+1). Now a single GetRolesAsync feeds a case-insensitive set lookup.
- ChannelMember.IsMuted removed end-to-end (domain, EF config, ChannelMemberDto, dashboard client type) + migration DropChannelMemberIsMuted. ChannelMemberDto loses IsMuted. The property was get-only, never set, always serialized false; no consumer read it (verified across both apps and all tests).
- DbMigrator apply (drops chat.ChannelMembers.IsMuted).
- refreshAccessToken now aborts after 30s — a stalled refresh previously hung the shared refresh promise and every queued 401-retry behind it (admin already had this guard).
- Ticket comment composer passes its body through mutate(arg) (golden rule #9) and gains an aria-label.
- Chat DM/delete/pin failure toasts now include the ProblemDetails description.
- openapi-typescript devDependency removed.
Verified
- terraform fmt -check + terraform validate clean on app_stack
Deferred (documented, unchanged)
- IEventBus publish (outbox needs BuildingBlocks/Eventing keyed-store redesign — same deferral as #1273, Pre-release hardening: close Tier 1-3 audit findings across backend modules)
- ChannelMemberDto change — follow-up (docs repo has uncommitted WIP on its overhaul branch)
🤖 Generated with Claude Code
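The refreshAccessToken fix above is worth seeing end to end, because the hang it closes is easy to reintroduce: a client that de-duplicates concurrent refreshes behind one shared promise has turned that promise into a choke point, and if the refresh request is black-holed every 401-retry queued on it waits forever. The following is an added example written for this page, not code from the PR or from either React app; TokenRefresher, RefreshTimeoutError, fetchWithAuth, runScenario and the FetchLike transport stub are hypothetical names, and the stalled first refresh is a constructed failure. It shows the single-flight pattern bounded by an AbortController plus a hard timeout, and the part that is easy to forget: the shared promise must be dropped on failure so the next caller gets a fresh attempt instead of the same dead one.

```typescript
// Added example (not the project's code). Hypothetical names: TokenRefresher,
// RefreshTimeoutError, fetchWithAuth, runScenario, FetchLike. Runs offline.

export class RefreshTimeoutError extends Error {
  constructor(ms: number) {
    super(`access-token refresh aborted after ${ms} ms`);
    this.name = "RefreshTimeoutError";
    Object.setPrototypeOf(this, RefreshTimeoutError.prototype); // keeps instanceof working on ES5 targets
  }
}

// The real refresh transport (e.g. fetch("/auth/refresh", { signal })) is injected.
export type RefreshFn = (signal: AbortSignal) => Promise<string>;

export class TokenRefresher {
  private inflight: Promise<string> | null = null;

  constructor(private readonly doRefresh: RefreshFn, private readonly timeoutMs = 30000) {}

  // Single-flight: concurrent 401 handlers share one in-flight refresh instead of each
  // hitting the auth server. The shared promise is bounded so it can never hang forever.
  refreshAccessToken(): Promise<string> {
    if (this.inflight) return this.inflight;

    const controller = new AbortController();
    let timer: ReturnType<typeof setTimeout> | undefined;
    const deadline = new Promise<never>((_, reject) => {
      timer = setTimeout(() => {
        // Reject first so every waiter sees the timeout error, then cancel the request.
        reject(new RefreshTimeoutError(this.timeoutMs));
        controller.abort();
      }, this.timeoutMs);
    });

    const settle = () => {
      clearTimeout(timer);
      this.inflight = null; // a failed or finished refresh must not stay cached
    };
    this.inflight = Promise.race([this.doRefresh(controller.signal), deadline]).then(
      (token) => { settle(); return token; },
      (err) => { settle(); throw err; },
    );
    return this.inflight;
  }
}

export interface ApiResponse { status: number; body?: string }
export type FetchLike = (url: string, accessToken: string) => Promise<ApiResponse>;

// Retry-once-on-401 wrapper. A refresh failure (timeout or server error) propagates
// instead of retrying silently, so the caller can route the user to login.
export async function fetchWithAuth(
  api: FetchLike, refresher: TokenRefresher, url: string, accessToken: string,
): Promise<ApiResponse> {
  const first = await api(url, accessToken);
  if (first.status !== 401) return first;
  const fresh = await refresher.refreshAccessToken(); // all concurrent 401s queue here
  return api(url, fresh);
}

// Constructed scenario: the first refresh is black-holed (never answers, ignores abort),
// three requests hit 401 at the same moment, and a fourth arrives after the timeout.
export async function runScenario(
  timeoutMs: number,
): Promise<{ timedOut: number; refreshCalls: number; recoveredStatus: number }> {
  let refreshCalls = 0;
  const doRefresh: RefreshFn = () => {
    refreshCalls++;
    if (refreshCalls === 1) return new Promise<string>(() => {}); // stalled forever
    return Promise.resolve(`access-token-${refreshCalls}`);
  };
  const api: FetchLike = async (_url, token) =>
    token.startsWith("access-token-") ? { status: 200, body: "ok" } : { status: 401 };
  const refresher = new TokenRefresher(doRefresh, timeoutMs);

  let timedOut = 0;
  await Promise.all(
    [1, 2, 3].map((i) =>
      fetchWithAuth(api, refresher, `/api/items/${i}`, "stale-token").then(
        () => undefined,
        (err) => { if (err instanceof RefreshTimeoutError) timedOut++; },
      ),
    ),
  );
  // The dead promise was dropped, so this request triggers a fresh refresh and succeeds.
  const recovered = await fetchWithAuth(api, refresher, "/api/items/4", "stale-token");
  return { timedOut, refreshCalls, recoveredStatus: recovered.status };
}
```

runScenario(30) resolves to { timedOut: 3, refreshCalls: 2, recoveredStatus: 200 }: one refresh served all three queued retries, all three were released by the timeout rather than left hanging, and the next request got a new attempt. Without the `this.inflight = null` in the rejection path the fourth request would rejoin the same dead promise; without the deadline it would never settle at all.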