Security Updates

This commit is contained in:
2026-03-06 12:30:05 +02:00
parent ffbaf0ee1d
commit ec8e8911ce
8 changed files with 277 additions and 78 deletions


@@ -27,6 +27,7 @@ type createRoomRequest struct {
AllowSpectators bool `json:"allowSpectators"` AllowSpectators bool `json:"allowSpectators"`
AnonymousVoting bool `json:"anonymousVoting"` AnonymousVoting bool `json:"anonymousVoting"`
AutoReset bool `json:"autoReset"` AutoReset bool `json:"autoReset"`
AllowVoteChange *bool `json:"allowVoteChange"`
RevealMode string `json:"revealMode"` RevealMode string `json:"revealMode"`
VotingTimeoutSec int `json:"votingTimeoutSec"` VotingTimeoutSec int `json:"votingTimeoutSec"`
Password string `json:"password"` Password string `json:"password"`
@@ -34,6 +35,7 @@ type createRoomRequest struct {
type joinRoomRequest struct { type joinRoomRequest struct {
ParticipantID string `json:"participantId"` ParticipantID string `json:"participantId"`
SessionToken string `json:"sessionToken"`
Username string `json:"username"` Username string `json:"username"`
Role string `json:"role"` Role string `json:"role"`
Password string `json:"password"` Password string `json:"password"`
@@ -42,11 +44,13 @@ type joinRoomRequest struct {
type voteRequest struct { type voteRequest struct {
ParticipantID string `json:"participantId"` ParticipantID string `json:"participantId"`
SessionToken string `json:"sessionToken"`
Card string `json:"card"` Card string `json:"card"`
} }
type adminActionRequest struct { type adminActionRequest struct {
ParticipantID string `json:"participantId"` ParticipantID string `json:"participantId"`
SessionToken string `json:"sessionToken"`
} }
func (h *RoomAPIHandler) CreateRoom(c *gin.Context) { func (h *RoomAPIHandler) CreateRoom(c *gin.Context) {
@@ -64,6 +68,7 @@ func (h *RoomAPIHandler) CreateRoom(c *gin.Context) {
AllowSpectators: req.AllowSpectators, AllowSpectators: req.AllowSpectators,
AnonymousVoting: req.AnonymousVoting, AnonymousVoting: req.AnonymousVoting,
AutoReset: req.AutoReset, AutoReset: req.AutoReset,
AllowVoteChange: req.AllowVoteChange,
RevealMode: req.RevealMode, RevealMode: req.RevealMode,
VotingTimeoutSec: req.VotingTimeoutSec, VotingTimeoutSec: req.VotingTimeoutSec,
Password: req.Password, Password: req.Password,
@@ -85,6 +90,7 @@ func (h *RoomAPIHandler) JoinRoom(c *gin.Context) {
result, err := h.manager.JoinRoom(c.Param("roomID"), state.JoinRoomInput{ result, err := h.manager.JoinRoom(c.Param("roomID"), state.JoinRoomInput{
ParticipantID: req.ParticipantID, ParticipantID: req.ParticipantID,
SessionToken: req.SessionToken,
Username: req.Username, Username: req.Username,
Role: req.Role, Role: req.Role,
Password: req.Password, Password: req.Password,
@@ -101,12 +107,17 @@ func (h *RoomAPIHandler) JoinRoom(c *gin.Context) {
func (h *RoomAPIHandler) StreamEvents(c *gin.Context) { func (h *RoomAPIHandler) StreamEvents(c *gin.Context) {
roomID := c.Param("roomID") roomID := c.Param("roomID")
participantID := c.Query("participantId") participantID := c.Query("participantId")
sessionToken := c.Query("sessionToken")
if participantID == "" { if participantID == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "participantId is required"}) c.JSON(http.StatusBadRequest, gin.H{"error": "participantId is required"})
return return
} }
if sessionToken == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "sessionToken is required"})
return
}
stream, initial, unsubscribe, err := h.manager.Subscribe(roomID, participantID) stream, initial, unsubscribe, err := h.manager.Subscribe(roomID, participantID, sessionToken)
if err != nil { if err != nil {
h.writeStateError(c, err) h.writeStateError(c, err)
return return
@@ -169,7 +180,7 @@ func (h *RoomAPIHandler) CastVote(c *gin.Context) {
return return
} }
err := h.manager.CastVote(c.Param("roomID"), req.ParticipantID, req.Card) err := h.manager.CastVote(c.Param("roomID"), req.ParticipantID, req.SessionToken, req.Card)
if err != nil { if err != nil {
h.writeStateError(c, err) h.writeStateError(c, err)
return return
@@ -193,21 +204,21 @@ func (h *RoomAPIHandler) LeaveRoom(c *gin.Context) {
return return
} }
if err := h.manager.LeaveRoom(c.Param("roomID"), req.ParticipantID); err != nil { if err := h.manager.LeaveRoom(c.Param("roomID"), req.ParticipantID, req.SessionToken); err != nil {
h.writeStateError(c, err) h.writeStateError(c, err)
return return
} }
c.JSON(http.StatusOK, gin.H{"ok": true}) c.JSON(http.StatusOK, gin.H{"ok": true})
} }
func (h *RoomAPIHandler) handleAdminAction(c *gin.Context, fn func(string, string) error) { func (h *RoomAPIHandler) handleAdminAction(c *gin.Context, fn func(string, string, string) error) {
var req adminActionRequest var req adminActionRequest
if err := c.ShouldBindJSON(&req); err != nil { if err := c.ShouldBindJSON(&req); err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request payload"}) c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request payload"})
return return
} }
if err := fn(c.Param("roomID"), req.ParticipantID); err != nil { if err := fn(c.Param("roomID"), req.ParticipantID, req.SessionToken); err != nil {
h.writeStateError(c, err) h.writeStateError(c, err)
return return
} }
@@ -234,6 +245,9 @@ func (h *RoomAPIHandler) writeStateError(c *gin.Context, err error) {
case errors.Is(err, state.ErrPasswordRequired): case errors.Is(err, state.ErrPasswordRequired):
status = http.StatusUnauthorized status = http.StatusUnauthorized
message = err.Error() message = err.Error()
case errors.Is(err, state.ErrVoteChangeLocked):
status = http.StatusForbidden
message = err.Error()
case errors.Is(err, state.ErrSpectatorsBlocked), errors.Is(err, state.ErrInvalidCard), errors.Is(err, state.ErrInvalidRole): case errors.Is(err, state.ErrSpectatorsBlocked), errors.Is(err, state.ErrInvalidCard), errors.Is(err, state.ErrInvalidRole):
status = http.StatusBadRequest status = http.StatusBadRequest
message = err.Error() message = err.Error()
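Review bot: In the StreamEvents hunk (@@ -101,12 +107,17 @@) the session token is read from the query string via `c.Query("sessionToken")`, so the long-lived bearer credential is written to server and reverse-proxy access logs and anything else that records request URLs; StreamEvents's body continues past the hunk. EventSource cannot set request headers, which is presumably why a query parameter was chosen, but a cookie scoped to the room path or a short-lived subscribe ticket issued by the JSON API would keep the durable token out of URLs. If the query parameter stays, add `// sessionToken arrives as a query parameter because EventSource cannot send headers; request logging must redact it.` above the read, and confirm that writeStateError (its head is outside these hunks) maps state.ErrUnauthorized to 401 so a wrong token is reported distinctly from a malformed payload.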


@@ -10,6 +10,7 @@ type RoomSetupPageData struct {
AllowSpectators bool AllowSpectators bool
AnonymousVoting bool AnonymousVoting bool
AutoResetCards bool AutoResetCards bool
AllowVoteChange bool
DefaultStatus string DefaultStatus string
} }
@@ -24,6 +25,7 @@ func DefaultRoomSetupPageData() RoomSetupPageData {
AllowSpectators: true, AllowSpectators: true,
AnonymousVoting: true, AnonymousVoting: true,
AutoResetCards: true, AutoResetCards: true,
AllowVoteChange: true,
DefaultStatus: "Ready to create room.", DefaultStatus: "Ready to create room.",
} }
} }


@@ -76,6 +76,10 @@ func (m *Manager) CreateRoom(input CreateRoomInput) (CreateRoomResult, error) {
adminToken := randomHex(24) adminToken := randomHex(24)
creatorID := newUUIDv4() creatorID := newUUIDv4()
now := nowUTC() now := nowUTC()
allowVoteChange := true
if input.AllowVoteChange != nil {
allowVoteChange = *input.AllowVoteChange
}
settings := RoomSettings{ settings := RoomSettings{
RoomName: roomName, RoomName: roomName,
@@ -84,6 +88,7 @@ func (m *Manager) CreateRoom(input CreateRoomInput) (CreateRoomResult, error) {
AllowSpectators: input.AllowSpectators, AllowSpectators: input.AllowSpectators,
AnonymousVoting: input.AnonymousVoting, AnonymousVoting: input.AnonymousVoting,
AutoReset: input.AutoReset, AutoReset: input.AutoReset,
AllowVoteChange: allowVoteChange,
RevealMode: revealMode, RevealMode: revealMode,
VotingTimeoutSec: max(0, input.VotingTimeoutSec), VotingTimeoutSec: max(0, input.VotingTimeoutSec),
} }
@@ -96,6 +101,7 @@ func (m *Manager) CreateRoom(input CreateRoomInput) (CreateRoomResult, error) {
creator := &Participant{ creator := &Participant{
ID: creatorID, ID: creatorID,
SessionToken: randomHex(24),
Username: creatorUsername, Username: creatorUsername,
Role: RoleParticipant, Role: RoleParticipant,
IsAdmin: true, IsAdmin: true,
@@ -139,6 +145,7 @@ func (m *Manager) CreateRoom(input CreateRoomInput) (CreateRoomResult, error) {
result := CreateRoomResult{ result := CreateRoomResult{
RoomID: roomID, RoomID: roomID,
CreatorParticipantID: creatorID, CreatorParticipantID: creatorID,
CreatorSessionToken: creator.SessionToken,
AdminToken: adminToken, AdminToken: adminToken,
ParticipantLink: "/room/" + roomID, ParticipantLink: "/room/" + roomID,
AdminLink: "/room/" + roomID + "?adminToken=" + adminToken, AdminLink: "/room/" + roomID + "?adminToken=" + adminToken,
@@ -183,6 +190,9 @@ func (m *Manager) JoinRoom(roomID string, input JoinRoomInput) (JoinRoomResult,
if !ok { if !ok {
return JoinRoomResult{}, ErrParticipantNotFound return JoinRoomResult{}, ErrParticipantNotFound
} }
if !secureTokenMatches(existing.SessionToken, input.SessionToken) {
return JoinRoomResult{}, ErrUnauthorized
}
wasConnected := existing.Connected wasConnected := existing.Connected
existing.Username = username existing.Username = username
@@ -203,6 +213,7 @@ func (m *Manager) JoinRoom(roomID string, input JoinRoomInput) (JoinRoomResult,
go m.broadcastRoom(room.ID) go m.broadcastRoom(room.ID)
return JoinRoomResult{ return JoinRoomResult{
ParticipantID: existing.ID, ParticipantID: existing.ID,
SessionToken: existing.SessionToken,
IsAdmin: existing.IsAdmin, IsAdmin: existing.IsAdmin,
Role: existing.Role, Role: existing.Role,
Username: existing.Username, Username: existing.Username,
@@ -227,6 +238,7 @@ func (m *Manager) JoinRoom(roomID string, input JoinRoomInput) (JoinRoomResult,
participant := &Participant{ participant := &Participant{
ID: newUUIDv4(), ID: newUUIDv4(),
SessionToken: randomHex(24),
Username: username, Username: username,
Role: role, Role: role,
IsAdmin: isAdminByToken, IsAdmin: isAdminByToken,
@@ -247,13 +259,14 @@ func (m *Manager) JoinRoom(roomID string, input JoinRoomInput) (JoinRoomResult,
go m.broadcastRoom(room.ID) go m.broadcastRoom(room.ID)
return JoinRoomResult{ return JoinRoomResult{
ParticipantID: participant.ID, ParticipantID: participant.ID,
SessionToken: participant.SessionToken,
IsAdmin: participant.IsAdmin, IsAdmin: participant.IsAdmin,
Role: participant.Role, Role: participant.Role,
Username: participant.Username, Username: participant.Username,
}, nil }, nil
} }
func (m *Manager) LeaveRoom(roomID, participantID string) error { func (m *Manager) LeaveRoom(roomID, participantID, sessionToken string) error {
room, err := m.getRoom(roomID) room, err := m.getRoom(roomID)
if err != nil { if err != nil {
return err return err
@@ -262,9 +275,9 @@ func (m *Manager) LeaveRoom(roomID, participantID string) error {
room.mu.Lock() room.mu.Lock()
defer room.mu.Unlock() defer room.mu.Unlock()
participant, ok := room.Participants[participantID] participant, err := m.authorizeParticipantLocked(room, participantID, sessionToken)
if !ok { if err != nil {
return ErrParticipantNotFound return err
} }
if !participant.Connected { if !participant.Connected {
@@ -281,7 +294,7 @@ func (m *Manager) LeaveRoom(roomID, participantID string) error {
return nil return nil
} }
func (m *Manager) CastVote(roomID, participantID, card string) error { func (m *Manager) CastVote(roomID, participantID, sessionToken, card string) error {
room, err := m.getRoom(roomID) room, err := m.getRoom(roomID)
if err != nil { if err != nil {
return err return err
@@ -290,9 +303,9 @@ func (m *Manager) CastVote(roomID, participantID, card string) error {
room.mu.Lock() room.mu.Lock()
defer room.mu.Unlock() defer room.mu.Unlock()
participant, ok := room.Participants[participantID] participant, err := m.authorizeParticipantLocked(room, participantID, sessionToken)
if !ok { if err != nil {
return ErrParticipantNotFound return err
} }
if participant.Role != RoleParticipant { if participant.Role != RoleParticipant {
return ErrUnauthorized return ErrUnauthorized
@@ -303,19 +316,26 @@ func (m *Manager) CastVote(roomID, participantID, card string) error {
return ErrInvalidCard return ErrInvalidCard
} }
if room.Round.Revealed { if participant.HasVoted {
if room.Settings.AutoReset { if participant.VoteValue == normalizedCard {
m.resetVotesLocked(room) return nil
} else { }
return ErrUnauthorized if !room.Settings.AllowVoteChange {
return ErrVoteChangeLocked
} }
} }
previousVote := participant.VoteValue
hadVoted := participant.HasVoted
participant.HasVoted = true participant.HasVoted = true
participant.VoteValue = normalizedCard participant.VoteValue = normalizedCard
participant.UpdatedAt = nowUTC() participant.UpdatedAt = nowUTC()
room.UpdatedAt = nowUTC() room.UpdatedAt = nowUTC()
if hadVoted {
m.appendActivityLogLocked(room, "%s changed vote from %s to %s.", participant.Username, previousVote, normalizedCard)
} else {
m.appendActivityLogLocked(room, "%s voted %s.", participant.Username, normalizedCard) m.appendActivityLogLocked(room, "%s voted %s.", participant.Username, normalizedCard)
}
if room.Settings.RevealMode == RevealModeAutoAll && allActiveParticipantsVoted(room) { if room.Settings.RevealMode == RevealModeAutoAll && allActiveParticipantsVoted(room) {
room.Round.Revealed = true room.Round.Revealed = true
@@ -330,7 +350,7 @@ func (m *Manager) CastVote(roomID, participantID, card string) error {
return nil return nil
} }
func (m *Manager) RevealVotes(roomID, participantID string) error { func (m *Manager) RevealVotes(roomID, participantID, sessionToken string) error {
room, err := m.getRoom(roomID) room, err := m.getRoom(roomID)
if err != nil { if err != nil {
return err return err
@@ -339,9 +359,9 @@ func (m *Manager) RevealVotes(roomID, participantID string) error {
room.mu.Lock() room.mu.Lock()
defer room.mu.Unlock() defer room.mu.Unlock()
participant, ok := room.Participants[participantID] participant, err := m.authorizeParticipantLocked(room, participantID, sessionToken)
if !ok { if err != nil {
return ErrParticipantNotFound return err
} }
if !participant.IsAdmin { if !participant.IsAdmin {
return ErrUnauthorized return ErrUnauthorized
@@ -359,7 +379,7 @@ func (m *Manager) RevealVotes(roomID, participantID string) error {
return nil return nil
} }
func (m *Manager) ResetVotes(roomID, participantID string) error { func (m *Manager) ResetVotes(roomID, participantID, sessionToken string) error {
room, err := m.getRoom(roomID) room, err := m.getRoom(roomID)
if err != nil { if err != nil {
return err return err
@@ -368,9 +388,9 @@ func (m *Manager) ResetVotes(roomID, participantID string) error {
room.mu.Lock() room.mu.Lock()
defer room.mu.Unlock() defer room.mu.Unlock()
participant, ok := room.Participants[participantID] participant, err := m.authorizeParticipantLocked(room, participantID, sessionToken)
if !ok { if err != nil {
return ErrParticipantNotFound return err
} }
if !participant.IsAdmin { if !participant.IsAdmin {
return ErrUnauthorized return ErrUnauthorized
@@ -388,17 +408,17 @@ func (m *Manager) ResetVotes(roomID, participantID string) error {
return nil return nil
} }
func (m *Manager) Subscribe(roomID, participantID string) (<-chan []byte, []byte, func(), error) { func (m *Manager) Subscribe(roomID, participantID, sessionToken string) (<-chan []byte, []byte, func(), error) {
room, err := m.getRoom(roomID) room, err := m.getRoom(roomID)
if err != nil { if err != nil {
return nil, nil, nil, err return nil, nil, nil, err
} }
room.mu.Lock() room.mu.Lock()
participant, ok := room.Participants[participantID] participant, authErr := m.authorizeParticipantLocked(room, participantID, sessionToken)
if !ok { if authErr != nil {
room.mu.Unlock() room.mu.Unlock()
return nil, nil, nil, ErrParticipantNotFound return nil, nil, nil, authErr
} }
participant.Connected = true participant.Connected = true
@@ -466,6 +486,17 @@ func (m *Manager) getRoom(roomID string) (*Room, error) {
return room, nil return room, nil
} }
func (m *Manager) authorizeParticipantLocked(room *Room, participantID, sessionToken string) (*Participant, error) {
participant, ok := room.Participants[participantID]
if !ok {
return nil, ErrParticipantNotFound
}
if !secureTokenMatches(participant.SessionToken, sessionToken) {
return nil, ErrUnauthorized
}
return participant, nil
}
func (m *Manager) loadFromDisk() error { func (m *Manager) loadFromDisk() error {
persistedRooms, err := m.store.LoadAll() persistedRooms, err := m.store.LoadAll()
if err != nil { if err != nil {
@@ -473,20 +504,52 @@ func (m *Manager) loadFromDisk() error {
} }
for _, persisted := range persistedRooms { for _, persisted := range persistedRooms {
allowVoteChange := true
if persisted.Settings.AllowVoteChange != nil {
allowVoteChange = *persisted.Settings.AllowVoteChange
}
settings := RoomSettings{
RoomName: persisted.Settings.RoomName,
MaxPeople: persisted.Settings.MaxPeople,
Cards: append([]string(nil), persisted.Settings.Cards...),
AllowSpectators: persisted.Settings.AllowSpectators,
AnonymousVoting: persisted.Settings.AnonymousVoting,
AutoReset: persisted.Settings.AutoReset,
AllowVoteChange: allowVoteChange,
RevealMode: persisted.Settings.RevealMode,
VotingTimeoutSec: persisted.Settings.VotingTimeoutSec,
PasswordSalt: persisted.Settings.PasswordSalt,
PasswordHash: persisted.Settings.PasswordHash,
}
room := &Room{ room := &Room{
ID: persisted.ID, ID: persisted.ID,
AdminToken: persisted.AdminToken, AdminToken: persisted.AdminToken,
CreatedAt: persisted.CreatedAt, CreatedAt: persisted.CreatedAt,
UpdatedAt: persisted.UpdatedAt, UpdatedAt: persisted.UpdatedAt,
Settings: persisted.Settings, Settings: settings,
Round: persisted.Round, Round: persisted.Round,
Participants: make(map[string]*Participant, len(persisted.Participants)), Participants: make(map[string]*Participant, len(persisted.Participants)),
ActivityLog: append([]ActivityLogEntry(nil), persisted.ActivityLog...), ActivityLog: append([]ActivityLogEntry(nil), persisted.ActivityLog...),
subscribers: map[string]*subscriber{}, subscribers: map[string]*subscriber{},
} }
for _, participant := range persisted.Participants { for _, participant := range persisted.Participants {
participant.Connected = false sessionToken := participant.SessionToken
room.Participants[participant.ID] = participant if sessionToken == "" {
sessionToken = randomHex(24)
}
room.Participants[participant.ID] = &Participant{
ID: participant.ID,
SessionToken: sessionToken,
Username: participant.Username,
Role: participant.Role,
IsAdmin: participant.IsAdmin,
Connected: false,
HasVoted: participant.HasVoted,
VoteValue: participant.VoteValue,
JoinedAt: participant.JoinedAt,
UpdatedAt: participant.UpdatedAt,
}
} }
m.rooms[room.ID] = room m.rooms[room.ID] = room
@@ -496,10 +559,21 @@ func (m *Manager) loadFromDisk() error {
} }
func (room *Room) toPersisted() persistedRoom { func (room *Room) toPersisted() persistedRoom {
participants := make([]*Participant, 0, len(room.Participants)) allowVoteChange := room.Settings.AllowVoteChange
participants := make([]*persistedParticipant, 0, len(room.Participants))
for _, participant := range sortParticipants(room.Participants) { for _, participant := range sortParticipants(room.Participants) {
clone := *participant participants = append(participants, &persistedParticipant{
participants = append(participants, &clone) ID: participant.ID,
SessionToken: participant.SessionToken,
Username: participant.Username,
Role: participant.Role,
IsAdmin: participant.IsAdmin,
Connected: participant.Connected,
HasVoted: participant.HasVoted,
VoteValue: participant.VoteValue,
JoinedAt: participant.JoinedAt,
UpdatedAt: participant.UpdatedAt,
})
} }
return persistedRoom{ return persistedRoom{
@@ -507,7 +581,19 @@ func (room *Room) toPersisted() persistedRoom {
AdminToken: room.AdminToken, AdminToken: room.AdminToken,
CreatedAt: room.CreatedAt, CreatedAt: room.CreatedAt,
UpdatedAt: room.UpdatedAt, UpdatedAt: room.UpdatedAt,
Settings: room.Settings, Settings: persistedRoomSettings{
RoomName: room.Settings.RoomName,
MaxPeople: room.Settings.MaxPeople,
Cards: append([]string(nil), room.Settings.Cards...),
AllowSpectators: room.Settings.AllowSpectators,
AnonymousVoting: room.Settings.AnonymousVoting,
AutoReset: room.Settings.AutoReset,
AllowVoteChange: &allowVoteChange,
RevealMode: room.Settings.RevealMode,
VotingTimeoutSec: room.Settings.VotingTimeoutSec,
PasswordSalt: room.Settings.PasswordSalt,
PasswordHash: room.Settings.PasswordHash,
},
Round: room.Round, Round: room.Round,
Participants: participants, Participants: participants,
ActivityLog: append([]ActivityLogEntry(nil), room.ActivityLog...), ActivityLog: append([]ActivityLogEntry(nil), room.ActivityLog...),
@@ -583,6 +669,7 @@ func (m *Manager) marshalRoomState(room *Room, viewerParticipantID string) ([]by
AllowSpectators: room.Settings.AllowSpectators, AllowSpectators: room.Settings.AllowSpectators,
AnonymousVoting: room.Settings.AnonymousVoting, AnonymousVoting: room.Settings.AnonymousVoting,
AutoReset: room.Settings.AutoReset, AutoReset: room.Settings.AutoReset,
AllowVoteChange: room.Settings.AllowVoteChange,
VotingTimeoutSec: room.Settings.VotingTimeoutSec, VotingTimeoutSec: room.Settings.VotingTimeoutSec,
Participants: participants, Participants: participants,
SelfParticipantID: viewerParticipantID, SelfParticipantID: viewerParticipantID,
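Review bot: In CastVote (hunk @@ -303,19 +316,26 @@) the old `if room.Round.Revealed` guard is replaced by the new `if participant.HasVoted` block rather than kept ahead of it, so a vote can now be added to, or changed in, a round that has already been revealed, and the AutoReset path that previously started a fresh round on the first post-reveal vote is gone. The lines between this hunk and the preceding one are unchanged context, so I do not see the guard having moved up; CastVote itself begins in an earlier hunk and ends in a later one. Unless this was intended, re-insert the revealed check before the HasVoted check as sketched below. appendActivityLogLocked is outside the hunk, so I cannot tell whether the new "%s changed vote from %s to %s." entry honours AnonymousVoting; it records both card values, which is worth a deliberate decision.
```go
	// … unchanged: card normalisation and the ErrInvalidCard check …
	// A revealed round is read-only unless AutoReset starts a new one.
	if room.Round.Revealed {
		if !room.Settings.AutoReset {
			return ErrUnauthorized
		}
		m.resetVotesLocked(room)
	}
	// … unchanged: HasVoted / AllowVoteChange checks, vote recording, activity log …
```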


@@ -23,6 +23,7 @@ var (
ErrSpectatorsBlocked = errors.New("spectators are not allowed") ErrSpectatorsBlocked = errors.New("spectators are not allowed")
ErrPasswordRequired = errors.New("password required or invalid") ErrPasswordRequired = errors.New("password required or invalid")
ErrInvalidCard = errors.New("invalid card") ErrInvalidCard = errors.New("invalid card")
ErrVoteChangeLocked = errors.New("vote changes are disabled for this room")
) )
type RoomSettings struct { type RoomSettings struct {
@@ -32,6 +33,21 @@ type RoomSettings struct {
AllowSpectators bool `json:"allowSpectators"` AllowSpectators bool `json:"allowSpectators"`
AnonymousVoting bool `json:"anonymousVoting"` AnonymousVoting bool `json:"anonymousVoting"`
AutoReset bool `json:"autoReset"` AutoReset bool `json:"autoReset"`
AllowVoteChange bool `json:"allowVoteChange"`
RevealMode string `json:"revealMode"`
VotingTimeoutSec int `json:"votingTimeoutSec"`
PasswordSalt string `json:"passwordSalt,omitempty"`
PasswordHash string `json:"passwordHash,omitempty"`
}
type persistedRoomSettings struct {
RoomName string `json:"roomName"`
MaxPeople int `json:"maxPeople"`
Cards []string `json:"cards"`
AllowSpectators bool `json:"allowSpectators"`
AnonymousVoting bool `json:"anonymousVoting"`
AutoReset bool `json:"autoReset"`
AllowVoteChange *bool `json:"allowVoteChange,omitempty"`
RevealMode string `json:"revealMode"` RevealMode string `json:"revealMode"`
VotingTimeoutSec int `json:"votingTimeoutSec"` VotingTimeoutSec int `json:"votingTimeoutSec"`
PasswordSalt string `json:"passwordSalt,omitempty"` PasswordSalt string `json:"passwordSalt,omitempty"`
@@ -40,6 +56,20 @@ type RoomSettings struct {
type Participant struct { type Participant struct {
ID string `json:"id"` ID string `json:"id"`
SessionToken string `json:"-"`
Username string `json:"username"`
Role string `json:"role"`
IsAdmin bool `json:"isAdmin"`
Connected bool `json:"connected"`
HasVoted bool `json:"hasVoted"`
VoteValue string `json:"voteValue,omitempty"`
JoinedAt time.Time `json:"joinedAt"`
UpdatedAt time.Time `json:"updatedAt"`
}
type persistedParticipant struct {
ID string `json:"id"`
SessionToken string `json:"sessionToken,omitempty"`
Username string `json:"username"` Username string `json:"username"`
Role string `json:"role"` Role string `json:"role"`
IsAdmin bool `json:"isAdmin"` IsAdmin bool `json:"isAdmin"`
@@ -64,9 +94,9 @@ type persistedRoom struct {
AdminToken string `json:"adminToken"` AdminToken string `json:"adminToken"`
CreatedAt time.Time `json:"createdAt"` CreatedAt time.Time `json:"createdAt"`
UpdatedAt time.Time `json:"updatedAt"` UpdatedAt time.Time `json:"updatedAt"`
Settings RoomSettings `json:"settings"` Settings persistedRoomSettings `json:"settings"`
Round RoundState `json:"round"` Round RoundState `json:"round"`
Participants []*Participant `json:"participants"` Participants []*persistedParticipant `json:"participants"`
ActivityLog []ActivityLogEntry `json:"activityLog,omitempty"` ActivityLog []ActivityLogEntry `json:"activityLog,omitempty"`
} }
@@ -97,6 +127,7 @@ type CreateRoomInput struct {
AllowSpectators bool AllowSpectators bool
AnonymousVoting bool AnonymousVoting bool
AutoReset bool AutoReset bool
AllowVoteChange *bool
RevealMode string RevealMode string
VotingTimeoutSec int VotingTimeoutSec int
Password string Password string
@@ -104,6 +135,7 @@ type CreateRoomInput struct {
type JoinRoomInput struct { type JoinRoomInput struct {
ParticipantID string ParticipantID string
SessionToken string
Username string Username string
Role string Role string
Password string Password string
@@ -113,6 +145,7 @@ type JoinRoomInput struct {
type CreateRoomResult struct { type CreateRoomResult struct {
RoomID string `json:"roomId"` RoomID string `json:"roomId"`
CreatorParticipantID string `json:"creatorParticipantId"` CreatorParticipantID string `json:"creatorParticipantId"`
CreatorSessionToken string `json:"creatorSessionToken"`
AdminToken string `json:"adminToken"` AdminToken string `json:"adminToken"`
ParticipantLink string `json:"participantLink"` ParticipantLink string `json:"participantLink"`
AdminLink string `json:"adminLink"` AdminLink string `json:"adminLink"`
@@ -120,6 +153,7 @@ type CreateRoomResult struct {
type JoinRoomResult struct { type JoinRoomResult struct {
ParticipantID string `json:"participantId"` ParticipantID string `json:"participantId"`
SessionToken string `json:"sessionToken"`
IsAdmin bool `json:"isAdmin"` IsAdmin bool `json:"isAdmin"`
Role string `json:"role"` Role string `json:"role"`
Username string `json:"username"` Username string `json:"username"`
@@ -155,6 +189,7 @@ type PublicRoomState struct {
AllowSpectators bool `json:"allowSpectators"` AllowSpectators bool `json:"allowSpectators"`
AnonymousVoting bool `json:"anonymousVoting"` AnonymousVoting bool `json:"anonymousVoting"`
AutoReset bool `json:"autoReset"` AutoReset bool `json:"autoReset"`
AllowVoteChange bool `json:"allowVoteChange"`
VotingTimeoutSec int `json:"votingTimeoutSec"` VotingTimeoutSec int `json:"votingTimeoutSec"`
Participants []PublicParticipant `json:"participants"` Participants []PublicParticipant `json:"participants"`
SelfParticipantID string `json:"selfParticipantId"` SelfParticipantID string `json:"selfParticipantId"`
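Review bot: persistedParticipant.SessionToken is written to disk in clear (`json:"sessionToken,omitempty"`), while the room password in the same persisted structure is stored only as PasswordSalt/PasswordHash; anyone who can read the store can replay every participant's token, admins included. Persisting a digest of the token and comparing digests in authorizeParticipantLocked would make the on-disk copy non-replayable; the `json:"-"` on Participant.SessionToken correctly keeps it out of the public state. The two new persisted types also deserve a comment explaining why they duplicate the in-memory ones, e.g. `// persistedRoomSettings is the on-disk shape of RoomSettings; AllowVoteChange is a pointer so rooms saved before the field existed load with the default (true).` and `// persistedParticipant is the on-disk shape of Participant; unlike Participant it carries SessionToken, which is never serialised to clients.`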


@@ -62,6 +62,13 @@ func passwordMatches(password, salt, expectedHash string) bool {
return subtle.ConstantTimeCompare([]byte(computed), []byte(expectedHash)) == 1 return subtle.ConstantTimeCompare([]byte(computed), []byte(expectedHash)) == 1
} }
func secureTokenMatches(expected, provided string) bool {
if expected == "" || provided == "" || len(expected) != len(provided) {
return false
}
return subtle.ConstantTimeCompare([]byte(expected), []byte(provided)) == 1
}
func nowUTC() time.Time { func nowUTC() time.Time {
return time.Now().UTC() return time.Now().UTC()
} }
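Review bot: secureTokenMatches has no doc comment, and its contract is worth stating because callers rely on it for authorization: `// secureTokenMatches reports whether provided equals expected using a constant-time comparison. An empty expected or provided token never matches.` The explicit `len(expected) != len(provided)` test is redundant with subtle.ConstantTimeCompare, which already returns 0 for unequal lengths, so it can be dropped or kept purely as a statement of intent; the early return does not leak anything useful here because tokens are fixed-length randomHex(24) values.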


@@ -104,6 +104,10 @@
<input type="checkbox" id="auto-reset" name="autoReset" {{ if .AutoResetCards }}checked{{ end }}> <input type="checkbox" id="auto-reset" name="autoReset" {{ if .AutoResetCards }}checked{{ end }}>
<span>Auto-reset cards after each reveal</span> <span>Auto-reset cards after each reveal</span>
</label> </label>
<label class="option-item">
<input type="checkbox" id="allow-vote-change" name="allowVoteChange" {{ if .AllowVoteChange }}checked{{ end }}>
<span>Allow participants to change their vote</span>
</label>
</fieldset> </fieldset>
</section> </section>


@@ -1,5 +1,6 @@
const USERNAME_KEY = 'scrumPoker.username'; const USERNAME_KEY = 'scrumPoker.username';
const PRESETS_KEY = 'scrumPoker.deckPresets.v1'; const PRESETS_KEY = 'scrumPoker.deckPresets.v1';
const ROOM_SESSION_KEY_PREFIX = 'scrumPoker.roomSession.';
const SCALE_PRESETS = { const SCALE_PRESETS = {
fibonacci: ['0', '1', '2', '3', '5', '8', '13', '21', '?'], fibonacci: ['0', '1', '2', '3', '5', '8', '13', '21', '?'],
@@ -502,6 +503,7 @@ roomConfigForm.addEventListener('submit', async (event) => {
allowSpectators: Boolean(formData.get('allowSpectators')), allowSpectators: Boolean(formData.get('allowSpectators')),
anonymousVoting: Boolean(formData.get('anonymousVoting')), anonymousVoting: Boolean(formData.get('anonymousVoting')),
autoReset: Boolean(formData.get('autoReset')), autoReset: Boolean(formData.get('autoReset')),
allowVoteChange: Boolean(formData.get('allowVoteChange')),
revealMode: (formData.get('revealMode') || 'manual').toString(), revealMode: (formData.get('revealMode') || 'manual').toString(),
votingTimeoutSec: Number(formData.get('votingTimeoutSec') || 0), votingTimeoutSec: Number(formData.get('votingTimeoutSec') || 0),
password: (formData.get('password') || '').toString(), password: (formData.get('password') || '').toString(),
@@ -522,7 +524,12 @@ roomConfigForm.addEventListener('submit', async (event) => {
return; return;
} }
const target = `/room/${encodeURIComponent(data.roomId)}?participantId=${encodeURIComponent(data.creatorParticipantId)}&adminToken=${encodeURIComponent(data.adminToken)}&username=${encodeURIComponent(payload.creatorUsername)}`; localStorage.setItem(`${ROOM_SESSION_KEY_PREFIX}${data.roomId}`, JSON.stringify({
participantId: data.creatorParticipantId,
sessionToken: data.creatorSessionToken,
}));
const target = `/room/${encodeURIComponent(data.roomId)}?adminToken=${encodeURIComponent(data.adminToken)}&username=${encodeURIComponent(payload.creatorUsername)}`;
window.location.assign(target); window.location.assign(target);
} catch (_err) { } catch (_err) {
statusLine.textContent = 'Network error while creating room.'; statusLine.textContent = 'Network error while creating room.';
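Review bot: The new `localStorage.setItem(...)` sits inside the same try as the fetch, so if storage is unavailable (private mode, quota, disabled) the room has already been created but the user is shown 'Network error while creating room.' and is never redirected. Wrap the setItem in its own try/catch and still call `window.location.assign(target)`, since the room page can fall back to a fresh join; room.js guards its storage read with try/catch but not its write, so a small shared helper would fix both. The redirect URL still carries `adminToken` in the query string; that is the existing admin-link mechanism, but the commit removes `participantId` from the same URL to keep credentials out of history and logs, and the admin token is at least as sensitive, so it deserves the same treatment once the creator has joined.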


@@ -1,4 +1,5 @@
const USERNAME_KEY = 'scrumPoker.username'; const USERNAME_KEY = 'scrumPoker.username';
const ROOM_SESSION_KEY_PREFIX = 'scrumPoker.roomSession.';
const roomID = document.body.dataset.roomId; const roomID = document.body.dataset.roomId;
const params = new URLSearchParams(window.location.search); const params = new URLSearchParams(window.location.search);
@@ -32,6 +33,7 @@ const joinPasswordInput = document.getElementById('join-password');
const joinAdminTokenInput = document.getElementById('join-admin-token'); const joinAdminTokenInput = document.getElementById('join-admin-token');
const joinError = document.getElementById('join-error'); const joinError = document.getElementById('join-error');
let participantID = params.get('participantId') || ''; let participantID = params.get('participantId') || '';
let sessionToken = params.get('sessionToken') || '';
let adminToken = params.get('adminToken') || ''; let adminToken = params.get('adminToken') || '';
const prefillUsername = params.get('username') || ''; const prefillUsername = params.get('username') || '';
let eventSource = null; let eventSource = null;
@@ -43,6 +45,45 @@ const savedUsername = localStorage.getItem(USERNAME_KEY) || '';
joinUsernameInput.value = prefillUsername || savedUsername; joinUsernameInput.value = prefillUsername || savedUsername;
joinAdminTokenInput.value = adminToken; joinAdminTokenInput.value = adminToken;
function roomSessionStorageKey() {
return `${ROOM_SESSION_KEY_PREFIX}${roomID}`;
}
function persistRoomSession() {
if (!participantID || !sessionToken) {
localStorage.removeItem(roomSessionStorageKey());
return;
}
localStorage.setItem(roomSessionStorageKey(), JSON.stringify({
participantId: participantID,
sessionToken,
}));
}
function loadRoomSessionFromStorage() {
try {
const raw = localStorage.getItem(roomSessionStorageKey());
if (!raw) {
return;
}
const parsed = JSON.parse(raw);
if (!participantID && typeof parsed.participantId === 'string') {
participantID = parsed.participantId;
}
if (!sessionToken && typeof parsed.sessionToken === 'string') {
sessionToken = parsed.sessionToken;
}
} catch (_err) {
localStorage.removeItem(roomSessionStorageKey());
}
}
if (!participantID || !sessionToken) {
loadRoomSessionFromStorage();
}
persistRoomSession();
if (!window.CardUI || typeof window.CardUI.appendFace !== 'function') { if (!window.CardUI || typeof window.CardUI.appendFace !== 'function') {
throw new Error('CardUI is not loaded. Ensure /static/js/cards.js is included before room.js.'); throw new Error('CardUI is not loaded. Ensure /static/js/cards.js is included before room.js.');
} }
@@ -62,12 +103,8 @@ function setJoinError(message) {
function updateURL() { function updateURL() {
const next = new URL(window.location.href); const next = new URL(window.location.href);
next.searchParams.delete('username'); next.searchParams.delete('username');
if (participantID) {
next.searchParams.set('participantId', participantID);
} else {
next.searchParams.delete('participantId'); next.searchParams.delete('participantId');
} next.searchParams.delete('sessionToken');
if (adminToken) { if (adminToken) {
next.searchParams.set('adminToken', adminToken); next.searchParams.set('adminToken', adminToken);
@@ -90,11 +127,15 @@ function setRoomMessage(message) {
} }
async function joinRoom({ username, role, password, participantIdOverride }) { async function joinRoom({ username, role, password, participantIdOverride }) {
const activeParticipantID = participantIdOverride || participantID;
const rejoinParticipantID = activeParticipantID && sessionToken ? activeParticipantID : '';
const response = await fetch(`/api/rooms/${encodeURIComponent(roomID)}/join`, { const response = await fetch(`/api/rooms/${encodeURIComponent(roomID)}/join`, {
method: 'POST', method: 'POST',
headers: { 'Content-Type': 'application/json' }, headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ body: JSON.stringify({
participantId: participantIdOverride || participantID, participantId: rejoinParticipantID,
sessionToken,
username, username,
role, role,
password, password,
@@ -108,7 +149,9 @@ async function joinRoom({ username, role, password, participantIdOverride }) {
} }
participantID = data.participantId; participantID = data.participantId;
sessionToken = data.sessionToken;
localStorage.setItem(USERNAME_KEY, data.username); localStorage.setItem(USERNAME_KEY, data.username);
persistRoomSession();
updateURL(); updateURL();
setJoinError(''); setJoinError('');
return data; return data;
@@ -235,9 +278,9 @@ function renderSummary(state) {
summaryRecommended.textContent = recommended === null ? 'Recommended: -' : `Recommended: ${recommended}`; summaryRecommended.textContent = recommended === null ? 'Recommended: -' : `Recommended: ${recommended}`;
} }
function renderCards(cards, participants, isRevealed) { function renderCards(cards, participants, isRevealed, allowVoteChange) {
const self = participants.find((participant) => participant.id === participantID && participant.connected); const self = participants.find((participant) => participant.id === participantID && participant.connected);
const canVote = self && self.role === 'participant'; const canVote = self && self.role === 'participant' && (allowVoteChange || !self.hasVoted);
const selfVote = self ? self.voteValue : ''; const selfVote = self ? self.voteValue : '';
votingBoard.innerHTML = ''; votingBoard.innerHTML = '';
@@ -319,7 +362,8 @@ function renderState(state) {
roundStateLabel.textContent = state.revealed ? 'Cards revealed' : 'Cards hidden'; roundStateLabel.textContent = state.revealed ? 'Cards revealed' : 'Cards hidden';
renderParticipants(state.participants, state.revealed); renderParticipants(state.participants, state.revealed);
renderCards(state.cards, state.participants, state.revealed); const allowVoteChange = state.allowVoteChange !== false;
renderCards(state.cards, state.participants, state.revealed, allowVoteChange);
renderSummary(state); renderSummary(state);
const self = state.participants.find((participant) => participant.id === participantID && participant.connected); const self = state.participants.find((participant) => participant.id === participantID && participant.connected);
@@ -361,7 +405,7 @@ function connectSSE() {
eventSource.close(); eventSource.close();
} }
eventSource = new EventSource(`/api/rooms/${encodeURIComponent(roomID)}/events?participantId=${encodeURIComponent(participantID)}`); eventSource = new EventSource(`/api/rooms/${encodeURIComponent(roomID)}/events?participantId=${encodeURIComponent(participantID)}&sessionToken=${encodeURIComponent(sessionToken)}`);
eventSource.addEventListener('state', (event) => { eventSource.addEventListener('state', (event) => {
try { try {
const payload = JSON.parse(event.data); const payload = JSON.parse(event.data);
@@ -379,7 +423,7 @@ function connectSSE() {
} }
async function castVote(card) { async function castVote(card) {
if (!participantID) { if (!participantID || !sessionToken) {
return; return;
} }
@@ -387,7 +431,7 @@ async function castVote(card) {
const response = await fetch(`/api/rooms/${encodeURIComponent(roomID)}/vote`, { const response = await fetch(`/api/rooms/${encodeURIComponent(roomID)}/vote`, {
method: 'POST', method: 'POST',
headers: { 'Content-Type': 'application/json' }, headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ participantId: participantID, card }), body: JSON.stringify({ participantId: participantID, sessionToken, card }),
}); });
if (!response.ok) { if (!response.ok) {
@@ -400,7 +444,7 @@ async function castVote(card) {
} }
async function adminAction(action) { async function adminAction(action) {
if (!participantID) { if (!participantID || !sessionToken) {
return; return;
} }
@@ -408,7 +452,7 @@ async function adminAction(action) {
const response = await fetch(`/api/rooms/${encodeURIComponent(roomID)}/${action}`, { const response = await fetch(`/api/rooms/${encodeURIComponent(roomID)}/${action}`, {
method: 'POST', method: 'POST',
headers: { 'Content-Type': 'application/json' }, headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ participantId: participantID }), body: JSON.stringify({ participantId: participantID, sessionToken }),
}); });
if (!response.ok) { if (!response.ok) {
@@ -421,7 +465,7 @@ async function adminAction(action) {
} }
async function changeName() { async function changeName() {
if (!participantID) { if (!participantID || !sessionToken) {
return; return;
} }
@@ -486,21 +530,18 @@ joinForm.addEventListener('submit', async (event) => {
adminToken = joinAdminTokenInput.value.trim(); adminToken = joinAdminTokenInput.value.trim();
try { try {
const result = await joinRoom({ await joinRoom({
username, username,
role: joinRoleInput.value, role: joinRoleInput.value,
password: joinPasswordInput.value, password: joinPasswordInput.value,
participantIdOverride: participantID, participantIdOverride: participantID,
}); });
if (result.isAdmin) {
const adminRoomURL = `/room/${encodeURIComponent(roomID)}?participantId=${encodeURIComponent(participantID)}&adminToken=${encodeURIComponent(adminToken)}`;
window.location.assign(adminRoomURL);
return;
}
connectSSE(); connectSSE();
} catch (err) { } catch (err) {
if (participantID) { if (participantID || sessionToken) {
participantID = ''; participantID = '';
sessionToken = '';
persistRoomSession();
updateURL(); updateURL();
} }
setJoinError(err.message); setJoinError(err.message);
@@ -508,7 +549,7 @@ joinForm.addEventListener('submit', async (event) => {
}); });
async function tryAutoJoinExistingParticipant() { async function tryAutoJoinExistingParticipant() {
if (!participantID) { if (!participantID || !sessionToken) {
return; return;
} }
@@ -524,16 +565,18 @@ async function tryAutoJoinExistingParticipant() {
connectSSE(); connectSSE();
} catch (_err) { } catch (_err) {
participantID = ''; participantID = '';
sessionToken = '';
persistRoomSession();
updateURL(); updateURL();
} }
} }
window.addEventListener('pagehide', () => { window.addEventListener('pagehide', () => {
if (!participantID) { if (!participantID || !sessionToken) {
return; return;
} }
const payload = JSON.stringify({ participantId: participantID }); const payload = JSON.stringify({ participantId: participantID, sessionToken });
navigator.sendBeacon(`/api/rooms/${encodeURIComponent(roomID)}/leave`, new Blob([payload], { type: 'application/json' })); navigator.sendBeacon(`/api/rooms/${encodeURIComponent(roomID)}/leave`, new Blob([payload], { type: 'application/json' }));
}); });