fix(server): auth-guard avatar serving, atomic write, user_id assertion in merge

- Move /avatars ServeDir behind require_auth middleware so avatar files
  can only be fetched by authenticated users (H-11)
- Make avatar upload atomic via .tmp write + rename, cleaning up stale
  extensions only after the rename succeeds (H-12)
- Return 401 instead of silently returning an empty username string when
  the user row is unexpectedly missing a username (L-17)
- Add user_id mismatch guard to merge(): returns local payload unchanged
  with a ConflictReport rather than silently cross-contaminating data (H-2)
- Truncate opt-in display_name to 32 chars client-side before sending,
  matching the server's DISPLAY_NAME_MAX validation (L-5)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
funman300
2026-05-17 20:22:38 -07:00
parent f8f1f26d64
commit 1eb40433a9
4 changed files with 24 additions and 9 deletions
@@ -350,7 +350,7 @@ fn handle_opt_in_button(
None
}
})
.map(str::to_string)
.map(|n| n.chars().take(32).collect::<String>())
})
.unwrap_or_else(|| "Player".to_string());
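Review bot: the `+` line's `.chars().take(32)` counts Unicode scalar values, so it only matches the server's DISPLAY_NAME_MAX check if that check also counts chars rather than bytes; if the server validates with a byte length, a 32-char name containing multibyte characters would still be rejected server-side, and truncating by chars can also split a grapheme cluster (e.g. a base character from its combining mark). Consider replacing the literal `32` with a constant shared with the server's DISPLAY_NAME_MAX so the two limits cannot drift apart, and confirm both sides measure length the same way.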