Bug: No validation that imageid exists or is already used when creating chat message #5

@edwh

Summary

The Go API allows creating chat messages with an imageid that either doesn't exist or is already used by another chat message. When the "winner" message (the one with chatmsgid link in chat_images) is deleted, the image is deleted and all other messages referencing that imageid become empty due to the FK ON DELETE SET NULL constraint.

Affected Code

chat/chatmessage.go (lines 192-263):

if payload.Imageid != nil {
    chattype = utils.CHAT_MESSAGE_IMAGE
}
// ...
db.Create(&payload)
if payload.Imageid != nil {
    db.Exec("UPDATE chat_images SET chatmsgid = ? WHERE id = ?;", newid, *payload.Imageid)
}

Issues:

  1. No validation that imageid exists in chat_images table
  2. No validation that imageid is not already used by another message
  3. The UPDATE doesn't check affected rows - silently succeeds even if image doesn't exist

Evidence

Incident: 2026-02-03 at 19:55:36 UTC

  • User ID: 33368338
  • Chat room: 20498850

Loki logs show requests to Go API with duplicate imageid:

2026-02-03T19:55:36.251Z user_id=33368338 POST /apiv2/chat/20498850/message imageid=1754088 -> 200
2026-02-03T19:55:36.275Z user_id=33368338 POST /apiv2/chat/20498850/message imageid=1754088 -> 200 (duplicate)
2026-02-03T19:55:36.374Z user_id=33368338 POST /apiv2/chat/20498850/message imageid=1754091 -> 200
2026-02-03T19:55:36.427Z user_id=33368338 POST /apiv2/chat/20498850/message imageid=1754091 -> 200 (duplicate)

35+ messages were created for only 9 images, with the same imageid values reused multiple times.

Database state shows orphaned messages:

  • 53 chat messages with type=Image and imageid=NULL in last 30 days
  • Messages 106184982, 106184994, 106185030, 106185048 were deleted in ModTools review
  • These deleted messages had the chatmsgid links, so when deleted, the images were deleted
  • Remaining messages that referenced the same imageids now have imageid=NULL

Root Cause

  1. Client sends multiple chat messages with same imageid (see Bug: OurUploader sends duplicate chat messages with same imageid iznik-nuxt3#147)
  2. Go API accepts all of them without validation
  3. Only one message gets chatmsgid link (last UPDATE wins)
  4. When that "winner" message is deleted via ModTools (PHP API), image is deleted
  5. FK ON DELETE SET NULL makes all other messages' imageid=NULL
  6. Users see empty image messages

Proposed Fix

Add validation in CreateChatMessage() to:

  1. Check that imageid exists in chat_images:
if payload.Imageid != nil {
    var count int64
    db.Model(&ChatImage{}).Where("id = ?", *payload.Imageid).Count(&count)
    if count == 0 {
        return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{
            "ret": 2,
            "status": "Invalid imageid",
        })
    }
}
  2. Check that imageid is not already used by another message:
if payload.Imageid != nil {
    var existingCount int64
    db.Model(&ChatMessage{}).Where("imageid = ?", *payload.Imageid).Count(&existingCount)
    if existingCount > 0 {
        return c.Status(fiber.StatusConflict).JSON(fiber.Map{
            "ret": 2,
            "status": "Image already used",
        })
    }
}

Related Issues
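
Added example, not part of the issue or the project's code: issues 1-3 above can be closed by a single conditional UPDATE whose affected-row count decides whether the message is accepted, so concurrent requests reusing one imageid cannot all succeed. The in-memory `imageStore` and the names `claim`, `attachImage` and `replay` are hypothetical, the SQL in the comment is an assumed form rather than the project's query, and the sample row is constructed from the imageid in the logs.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// imageStore is a constructed stand-in for chat_images: id -> chatmsgid (0 = NULL).
type imageStore struct {
	mu   sync.Mutex
	rows map[uint64]uint64
}

// claim models (assumed SQL): UPDATE chat_images SET chatmsgid = ? WHERE id = ? AND chatmsgid IS NULL
func (s *imageStore) claim(imageID, msgID uint64) int64 {
	s.mu.Lock()
	defer s.mu.Unlock()
	if owner, ok := s.rows[imageID]; !ok || owner != 0 {
		return 0 // unknown imageid, or already linked to another message
	}
	s.rows[imageID] = msgID
	return 1 // rows affected
}

// attachImage accepts a message only if its claim affected exactly one row.
func attachImage(s *imageStore, imageID, msgID uint64) error {
	if s.claim(imageID, msgID) != 1 {
		return errors.New("imageid does not exist or is already used")
	}
	return nil
}

// replay sends n concurrent messages reusing one imageid and counts acceptances.
func replay(s *imageStore, imageID uint64, n int) (accepted int) {
	results := make(chan error, n)
	for i := 1; i <= n; i++ {
		go func(msgID uint64) { results <- attachImage(s, imageID, msgID) }(uint64(i))
	}
	for i := 0; i < n; i++ {
		if <-results == nil {
			accepted++
		}
	}
	return accepted
}

func main() {
	fmt.Println(replay(&imageStore{rows: map[uint64]uint64{1754088: 0}}, 1754088, 4))
}
```

In a real handler the message insert and the claim would share one transaction, so a failed claim rolls the message back.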
