Move per-connection lifecycle out of the controller and into a new
service.WebSocketService. The controller is now HTTP-layer only:
authenticate, validate origin, upgrade, and hand the connection off.
- web/service/websocket.go (new): owns the read/write pumps, hub
registration, and connection lifetime. Pump constants are prefixed
(wsWriteWait, wsPongWait, wsPingPeriod, wsClientReadLimit) to avoid
collisions in the larger service package namespace.
- web/controller/websocket.go: trimmed to the upgrader, same-origin
check, auth gate, and hand-off to the service.
- web/web.go: wires controller.NewWebSocketController(service.NewWebSocketService(hub)).
The hub package (web/websocket) stays as low-level fan-out
infrastructure. Behavior is unchanged — this is a structural cleanup
to align with the rest of the codebase's controller/service split.
Also includes a small range-int modernization in login_limiter_test.go
that gopls flagged.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* Implement CSRF protection and security hardening across the application
- Added CSRF token handling in axios requests and HTML templates.
- Introduced CSRF middleware to validate tokens for unsafe HTTP methods.
- Implemented login limiter to prevent brute-force attacks.
- Enhanced security headers in middleware for improved response security.
- Updated login notification to include safe metadata without passwords.
- Added tests for CSRF middleware and login limiter functionality.
* fix
