Other: Fix all linter errors

2025-12-15 14:56:42 +00:00 · 2022-10-18 13:54:12 +02:00
parent b36972ce71
commit 7c62312220
45 changed files with 206 additions and 176 deletions
--- a/internal/app/app.go
+++ b/internal/app/app.go
@ -43,7 +43,7 @@ import (
 	"github.com/urfave/cli/v2"
 )

-// Visible flags
+// Visible flags.
 const (
 	flagCPUProfile      = "cpu-prof"
 	flagCPUProfileShort = "p"
@ -63,7 +63,7 @@ const (
 	flagLogSMTP = "log-smtp"
 )

-// Hidden flags
+// Hidden flags.
 const (
 	flagLauncher = "launcher"
 	flagNoWindow = "no-window"
@ -130,7 +130,7 @@ func New() *cli.App {
 	return app
 }

-func run(c *cli.Context) error {
+func run(c *cli.Context) error { //nolint:funlen
 	// Get the current bridge version.
 	version, err := semver.NewVersion(constants.Version)
 	if err != nil {
@ -255,7 +255,11 @@ func withLocations(fn func(*locations.Locations) error) error {

 	// Create a new locations object that will be used to provide paths to store files.
 	locations := locations.New(provider, constants.ConfigName)
-	defer locations.Clean()
+	defer func() {
+		if err := locations.Clean(); err != nil {
+			logrus.WithError(err).Error("Failed to clean locations")
+		}
+	}()

 	return fn(locations)
 }
--- a/internal/app/bridge.go
+++ b/internal/app/bridge.go
@ -42,13 +42,13 @@ import (
 const vaultSecretName = "bridge-vault-key"

 // withBridge creates creates and tears down the bridge.
-func withBridge(
+func withBridge( //nolint:funlen
 	c *cli.Context,
 	exe string,
 	locations *locations.Locations,
 	version *semver.Version,
 	identifier *useragent.UserAgent,
-	reporter *sentry.Reporter,
+	_ *sentry.Reporter,
 	vault *vault.Vault,
 	cookieJar http.CookieJar,
 	fn func(*bridge.Bridge, <-chan events.Event) error,
@ -65,10 +65,7 @@ func withBridge(
 	proxyDialer := dialer.NewProxyTLSDialer(pinningDialer, constants.APIHost)

 	// Create the autostarter.
-	autostarter, err := newAutostarter(exe)
-	if err != nil {
-		return fmt.Errorf("could not create autostarter: %w", err)
-	}
+	autostarter := newAutostarter(exe)

 	// Create the update installer.
 	updater, err := newUpdater(locations)
@ -112,12 +109,12 @@ func withBridge(
 	return fn(bridge, eventCh)
 }

-func newAutostarter(exe string) (*autostart.App, error) {
+func newAutostarter(exe string) *autostart.App {
 	return &autostart.App{
 		Name:        constants.FullAppName,
 		DisplayName: constants.FullAppName,
 		Exec:        []string{exe, "--" + flagNoWindow},
-	}, nil
+	}
 }

 func newUpdater(locations *locations.Locations) (*updater.Updater, error) {
--- a/internal/app/vault.go
+++ b/internal/app/vault.go
@ -52,7 +52,7 @@ func withVault(locations *locations.Locations, fn func(*vault.Vault, bool, bool)
 		}
 	}

-	// TODO: Add teardown actions (e.g. to close the vault).
+	// GODT-1950: Add teardown actions (e.g. to close the vault).

 	return fn(encVault, insecure, corrupt)
 }
--- a/internal/bridge/bridge.go
+++ b/internal/bridge/bridge.go
@ -97,7 +97,7 @@ type Bridge struct {
 }

 // New creates a new bridge.
-func New(
+func New( //nolint:funlen
 	locator Locator, // the locator to provide paths to store data
 	vault *vault.Vault, // the bridge's encrypted data store
 	autostarter Autostarter, // the autostarter to manage autostart settings
@ -131,10 +131,7 @@ func New(
 		return nil, nil, fmt.Errorf("failed to get Gluon directory: %w", err)
 	}

-	smtpBackend, err := newSMTPBackend()
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to create SMTP backend: %w", err)
-	}
+	smtpBackend := newSMTPBackend()

 	imapServer, err := newIMAPServer(gluonDir, curVersion, tlsConfig, logIMAPClient, logIMAPServer)
 	if err != nil {
@ -416,9 +413,9 @@ func loadTLSConfig(vault *vault.Vault) (*tls.Config, error) {
 		return nil, err
 	}

-	// TODO: Do we have to set MinVersion to tls.VersionTLS12?
 	return &tls.Config{
 		Certificates: []tls.Certificate{cert},
+		MinVersion:   tls.VersionTLS12,
 	}, nil
 }

--- a/internal/bridge/bridge_test.go
+++ b/internal/bridge/bridge_test.go
@ -461,7 +461,7 @@ func waitForEvent[T any](t *testing.T, eventCh <-chan events.Event, wantEvent T)
 	t.Helper()

 	for event := range eventCh {
-		switch event.(type) {
+		switch event.(type) { // nolint:gocritic
 		case T:
 			return
 		}
--- a/internal/bridge/imap.go
+++ b/internal/bridge/imap.go
@ -120,7 +120,6 @@ func getGluonDir(encVault *vault.Vault) (string, error) {
 		return "", fmt.Errorf("failed to check if gluon dir is empty: %w", err)
 	}

-	// TODO: Handle case that the gluon directory is missing and we can't create it!
 	if !exists {
 		if err := os.MkdirAll(encVault.GetGluonDir(), 0700); err != nil {
 			return "", fmt.Errorf("failed to create gluon dir: %w", err)
--- a/internal/bridge/smtp_backend.go
+++ b/internal/bridge/smtp_backend.go
@ -29,13 +29,13 @@ type smtpBackend struct {
 	usersLock sync.RWMutex
 }

-func newSMTPBackend() (*smtpBackend, error) {
+func newSMTPBackend() *smtpBackend {
 	return &smtpBackend{
 		users: make(map[string]*user.User),
-	}, nil
+	}
 }

-func (backend *smtpBackend) Login(state *smtp.ConnectionState, email, password string) (smtp.Session, error) {
+func (backend *smtpBackend) Login(_ *smtp.ConnectionState, email, password string) (smtp.Session, error) {
 	backend.usersLock.RLock()
 	defer backend.usersLock.RUnlock()

--- a/internal/bridge/user.go
+++ b/internal/bridge/user.go
@ -65,9 +65,7 @@ func (bridge *Bridge) GetUserIDs() []string {

 // GetUserInfo returns info about the given user.
 func (bridge *Bridge) GetUserInfo(userID string) (UserInfo, error) {
-	if info, ok := safe.MapGetRet(bridge.users, userID, func(user *user.User) UserInfo {
-		return getConnUserInfo(user)
-	}); ok {
+	if info, ok := safe.MapGetRet(bridge.users, userID, getConnUserInfo); ok {
 		return info, nil
 	}

@ -139,7 +137,7 @@ func (bridge *Bridge) LoginUser(
 	return userID, nil
 }

-// LoginUser authorizes a new bridge user with the given username and password.
+// LoginFull authorizes a new bridge user with the given username and password.
 // If necessary, a TOTP and mailbox password are requested via the callbacks.
 // This is equivalent to doing LoginAuth and LoginUser separately.
 func (bridge *Bridge) LoginFull(
@ -282,7 +280,6 @@ func (bridge *Bridge) loadLoop() {
 			return

 		case <-bridge.loadCh:
-			// ...
 		}
 	}
 }
@ -440,7 +437,7 @@ func (bridge *Bridge) addUserWithVault(
 // newVaultUser creates a new vault user from the given auth information.
 // If one already exists in the vault, its data will be updated.
 func (bridge *Bridge) newVaultUser(
-	client *liteapi.Client,
+	_ *liteapi.Client,
 	apiUser liteapi.User,
 	authUID, authRef string,
 	saltedKeyPass []byte,
--- a/internal/bridge/user_events.go
+++ b/internal/bridge/user_events.go
@ -79,7 +79,7 @@ func (bridge *Bridge) handleUserAddressCreated(ctx context.Context, user *user.U
 	return nil
 }

-// TODO: Handle addresses that have been disabled!
+// GODT-1948: Handle addresses that have been disabled!
 func (bridge *Bridge) handleUserAddressUpdated(_ context.Context, user *user.User, _ events.UserAddressUpdated) error {
 	switch user.GetAddressMode() {
 	case vault.CombinedMode:
--- a/internal/certs/tls.go
+++ b/internal/certs/tls.go
@ -61,8 +61,8 @@ func NewTLSTemplate() (*x509.Certificate, error) {
 	}, nil
 }

-// GenerateTLSCert generates a new TLS certificate and returns it as PEM.
-var GenerateCert = func(template *x509.Certificate) ([]byte, []byte, error) {
+// GenerateCert generates a new TLS certificate and returns it as PEM.
+var GenerateCert = func(template *x509.Certificate) ([]byte, []byte, error) { //nolint:gochecknoglobals
 	priv, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "failed to generate private key")
--- a/internal/cookies/jar.go
+++ b/internal/cookies/jar.go
@ -115,7 +115,7 @@ func loadCookies(persister Persister) (cookiesByHost, error) {

 	var cookiesByHost cookiesByHost

-	if err := json.Unmarshal([]byte(rawCookies), &cookiesByHost); err != nil {
+	if err := json.Unmarshal(rawCookies, &cookiesByHost); err != nil {
 		return nil, err
 	}

--- a/internal/dialer/dialer_basic.go
+++ b/internal/dialer/dialer_basic.go
@ -64,14 +64,14 @@ func NewBasicTLSDialer(hostURL string) *BasicTLSDialer {
 	}
 }

-// DialTLS returns a connection to the given address using the given network.
+// DialTLSContext returns a connection to the given address using the given network.
 func (d *BasicTLSDialer) DialTLSContext(ctx context.Context, network, address string) (conn net.Conn, err error) {
 	return (&tls.Dialer{
 		NetDialer: &net.Dialer{
 			Timeout: 30 * time.Second,
 		},
 		Config: &tls.Config{
-			InsecureSkipVerify: address != d.hostURL,
+			InsecureSkipVerify: address != d.hostURL, //nolint:gosec
 		},
 	}).DialContext(ctx, network, address)
 }
--- a/internal/dialer/dialer_pinning.go
+++ b/internal/dialer/dialer_pinning.go
@ -83,7 +83,7 @@ func NewPinningTLSDialer(dialer TLSDialer, reporter Reporter, pinChecker PinChec
 	}
 }

-// DialTLS dials the given network/address, returning an error if the certificates don't match the trusted pins.
+// DialTLSContext dials the given network/address, returning an error if the certificates don't match the trusted pins.
 func (p *PinningTLSDialer) DialTLSContext(ctx context.Context, network, address string) (net.Conn, error) {
 	conn, err := p.dialer.DialTLSContext(ctx, network, address)
 	if err != nil {
--- a/internal/dialer/dialer_pinning_checker.go
+++ b/internal/dialer/dialer_pinning_checker.go
@ -40,7 +40,7 @@ func NewTLSPinChecker(trustedPins []string) *TLSPinChecker {
 	}
 }

-// checkCertificate returns whether the connection presents a known TLS certificate.
+// CheckCertificate returns whether the connection presents a known TLS certificate.
 func (p *TLSPinChecker) CheckCertificate(conn net.Conn) error {
 	tlsConn, ok := conn.(*tls.Conn)
 	if !ok {
--- a/internal/dialer/dialer_pinning_reporter.go
+++ b/internal/dialer/dialer_pinning_reporter.go
@ -51,7 +51,7 @@ func NewTLSReporter(hostURL, appVersion string, userAgent *useragent.UserAgent,
 	}
 }

-// reportCertIssue reports a TLS key mismatch.
+// ReportCertIssue reports a TLS key mismatch.
 func (r *TLSReporter) ReportCertIssue(remoteURI, host, port string, connState tls.ConnectionState) {
 	var certChain []string

--- a/internal/dialer/dialer_pinning_test.go
+++ b/internal/dialer/dialer_pinning_test.go
@ -36,7 +36,7 @@ func getRootURL() string {
 func TestTLSPinValid(t *testing.T) {
 	called, _, _, _, cm := createClientWithPinningDialer(getRootURL())

-	_, _, _ = cm.NewClientWithLogin(context.Background(), "username", []byte("password"))
+	_, _, _ = cm.NewClientWithLogin(context.Background(), "username", []byte("password")) //nolint:dogsled

 	checkTLSIssueHandler(t, 0, called)
 }
@ -47,7 +47,7 @@ func TestTLSPinBackup(t *testing.T) {
 	checker.trustedPins[1] = checker.trustedPins[0]
 	checker.trustedPins[0] = ""

-	_, _, _ = cm.NewClientWithLogin(context.Background(), "username", []byte("password"))
+	_, _, _ = cm.NewClientWithLogin(context.Background(), "username", []byte("password")) //nolint:dogsled

 	checkTLSIssueHandler(t, 0, called)
 }
@ -58,7 +58,7 @@ func TestTLSPinInvalid(t *testing.T) {

 	called, _, _, _, cm := createClientWithPinningDialer(s.GetHostURL())

-	_, _, _ = cm.NewClientWithLogin(context.Background(), "username", []byte("password"))
+	_, _, _ = cm.NewClientWithLogin(context.Background(), "username", []byte("password")) //nolint:dogsled

 	checkTLSIssueHandler(t, 1, called)
 }
@ -73,8 +73,8 @@ func TestTLSPinNoMatch(t *testing.T) {
 		checker.trustedPins[i] = "testing"
 	}

-	_, _, _ = cm.NewClientWithLogin(context.Background(), "username", []byte("password"))
-	_, _, _ = cm.NewClientWithLogin(context.Background(), "username", []byte("password"))
+	_, _, _ = cm.NewClientWithLogin(context.Background(), "username", []byte("password")) //nolint:dogsled
+	_, _, _ = cm.NewClientWithLogin(context.Background(), "username", []byte("password")) //nolint:dogsled

 	// Check that it will be reported only once per session, but notified every time.
 	r.Equal(t, 1, len(reporter.sentReports))
@ -84,7 +84,7 @@ func TestTLSPinNoMatch(t *testing.T) {
 func TestTLSSignedCertWrongPublicKey(t *testing.T) {
 	skipIfProxyIsSet(t)

-	_, dialer, _, _, _ := createClientWithPinningDialer("")
+	_, dialer, _, _, _ := createClientWithPinningDialer("") //nolint:dogsled
 	_, err := dialer.DialTLSContext(context.Background(), "tcp", "rsa4096.badssl.com:443")
 	r.Error(t, err, "expected dial to fail because of wrong public key")
 }
--- a/internal/dialer/dialer_proxy.go
+++ b/internal/dialer/dialer_proxy.go
@ -75,7 +75,7 @@ func formatAsAddress(rawURL string) string {
 	return net.JoinHostPort(host, port)
 }

-// DialTLS dials the given network/address. If it fails, it retries using a proxy.
+// DialTLSContext dials the given network/address. If it fails, it retries using a proxy.
 func (d *ProxyTLSDialer) DialTLSContext(ctx context.Context, network, address string) (net.Conn, error) {
 	if address == d.directAddress {
 		address = d.proxyAddress
--- a/internal/focus/client.go
+++ b/internal/focus/client.go
@ -63,7 +63,7 @@ func TryRaise() bool {
 	return true
 }

-// TryRaise tries to raise the application by dialing the focus service.
+// TryVersion tries to raise the application by dialing the focus service.
 // It returns true if the service is running and the application was told to raise.
 func TryVersion() (*semver.Version, bool) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
--- a/internal/frontend/cli/accounts.go
+++ b/internal/frontend/cli/accounts.go
@ -70,14 +70,19 @@ func (f *frontendCLI) showAccountInfo(c *ishell.Context) {
 }

 func (f *frontendCLI) showAccountAddressInfo(user bridge.UserInfo, address string) {
-	imapSecurity := "STARTTLS"
+	const (
+		StartTLS = "STARTTLS"
+		SSL      = "SSL"
+	)
+
+	imapSecurity := StartTLS
 	if f.bridge.GetIMAPSSL() {
-		imapSecurity = "SSL"
+		imapSecurity = SSL
 	}

-	smtpSecurity := "STARTTLS"
+	smtpSecurity := StartTLS
 	if f.bridge.GetSMTPSSL() {
-		smtpSecurity = "SSL"
+		smtpSecurity = SSL
 	}

 	f.Println(bold("Configuration for " + address))
--- a/internal/frontend/cli/frontend.go
+++ b/internal/frontend/cli/frontend.go
@ -40,7 +40,7 @@ type frontendCLI struct {
 }

 // New returns a new CLI frontend configured with the given options.
-func New(bridge *bridge.Bridge, restarter *restarter.Restarter, eventCh <-chan events.Event) *frontendCLI {
+func New(bridge *bridge.Bridge, restarter *restarter.Restarter, eventCh <-chan events.Event) *frontendCLI { //nolint:funlen,revive
 	fe := &frontendCLI{
 		Shell:     ishell.New(),
 		bridge:    bridge,
@ -261,8 +261,8 @@ func New(bridge *bridge.Bridge, restarter *restarter.Restarter, eventCh <-chan e
 	return fe
 }

-func (f *frontendCLI) watchEvents(eventCh <-chan events.Event) {
-	// TODO: Better error events.
+func (f *frontendCLI) watchEvents(eventCh <-chan events.Event) { // nolint:funlen
+	// GODT-1949: Better error events.
 	for _, err := range f.bridge.GetErrors() {
 		switch {
 		case errors.Is(err, bridge.ErrVaultCorrupt):
--- a/internal/frontend/grpc/service.go
+++ b/internal/frontend/grpc/service.go
@ -203,8 +203,8 @@ func (s *Service) WaitUntilFrontendIsReady() {
 	s.initializing.Wait()
 }

-func (s *Service) watchEvents() {
-	// TODO: Better error events.
+func (s *Service) watchEvents() { //nolint:funlen
+	// GODT-1949 Better error events.
 	for _, err := range s.bridge.GetErrors() {
 		switch {
 		case errors.Is(err, bridge.ErrVaultCorrupt):
@ -358,6 +358,7 @@ func newTLSConfig() (*tls.Config, []byte, error) {
 	return &tls.Config{
 		Certificates: []tls.Certificate{cert},
 		ClientAuth:   tls.NoClientCert,
+		MinVersion:   tls.VersionTLS12,
 	}, certPEM, nil
 }

--- a/internal/logging/imap_logger.go
+++ b/internal/logging/imap_logger.go
@ -19,7 +19,7 @@ package logging

 import "github.com/sirupsen/logrus"

-// IMAPLogger implements the writer interface for Gluon IMAP logs
+// IMAPLogger implements the writer interface for Gluon IMAP logs.
 type IMAPLogger struct {
 	l *logrus.Entry
 }
--- a/internal/logging/smtp_logger.go
+++ b/internal/logging/smtp_logger.go
@ -38,7 +38,7 @@ func (s *SMTPErrorLogger) Println(args ...interface{}) {
 	s.l.Errorln(args...)
 }

-// SMTPDebugLogger implements the writer interface for debug SMTP logs
+// SMTPDebugLogger implements the writer interface for debug SMTP logs.
 type SMTPDebugLogger struct {
 	l *logrus.Entry
 }
--- a/internal/user/events.go
+++ b/internal/user/events.go
@ -27,6 +27,7 @@ import (
 	"github.com/ProtonMail/proton-bridge/v2/internal/events"
 	"github.com/ProtonMail/proton-bridge/v2/internal/vault"
 	"github.com/bradenaw/juniper/xslices"
+	"github.com/sirupsen/logrus"
 	"gitlab.protontech.ch/go/liteapi"
 )

@ -60,7 +61,7 @@ func (user *User) handleAPIEvent(ctx context.Context, event liteapi.Event) error
 }

 // handleUserEvent handles the given user event.
-func (user *User) handleUserEvent(ctx context.Context, userEvent liteapi.User) error {
+func (user *User) handleUserEvent(_ context.Context, userEvent liteapi.User) error {
 	user.apiUser.Save(userEvent)

 	user.eventCh.Enqueue(events.UserChanged{
@ -71,7 +72,7 @@ func (user *User) handleUserEvent(ctx context.Context, userEvent liteapi.User) e
 }

 // handleAddressEvents handles the given address events.
-// TODO: If split address mode, need to signal back to bridge to update the addresses!
+// GODT-1945: If split address mode, need to signal back to bridge to update the addresses.
 func (user *User) handleAddressEvents(ctx context.Context, addressEvents []liteapi.AddressEvent) error {
 	for _, event := range addressEvents {
 		switch event.Action {
@ -89,6 +90,9 @@ func (user *User) handleAddressEvents(ctx context.Context, addressEvents []litea
 			if err := user.handleDeleteAddressEvent(ctx, event); err != nil {
 				return fmt.Errorf("failed to delete address: %w", err)
 			}
+
+		case liteapi.EventUpdateFlags:
+			logrus.Warn("Not implemented yet.")
 		}
 	}

@ -127,7 +131,7 @@ func (user *User) handleCreateAddressEvent(ctx context.Context, event liteapi.Ad
 	return nil
 }

-func (user *User) handleUpdateAddressEvent(ctx context.Context, event liteapi.AddressEvent) error {
+func (user *User) handleUpdateAddressEvent(_ context.Context, event liteapi.AddressEvent) error { //nolint:unparam
 	user.apiAddrs.Set(event.Address.ID, event.Address)

 	user.eventCh.Enqueue(events.UserAddressUpdated{
@ -139,7 +143,7 @@ func (user *User) handleUpdateAddressEvent(ctx context.Context, event liteapi.Ad
 	return nil
 }

-func (user *User) handleDeleteAddressEvent(ctx context.Context, event liteapi.AddressEvent) error {
+func (user *User) handleDeleteAddressEvent(_ context.Context, event liteapi.AddressEvent) error {
 	var email string

 	if ok := user.apiAddrs.GetDelete(event.ID, func(apiAddr liteapi.Address) {
@ -189,7 +193,7 @@ func (user *User) handleLabelEvents(ctx context.Context, labelEvents []liteapi.L
 	return nil
 }

-func (user *User) handleCreateLabelEvent(ctx context.Context, event liteapi.LabelEvent) error {
+func (user *User) handleCreateLabelEvent(_ context.Context, event liteapi.LabelEvent) error { //nolint:unparam
 	user.updateCh.IterValues(func(updateCh *queue.QueuedChannel[imap.Update]) {
 		updateCh.Enqueue(newMailboxCreatedUpdate(imap.LabelID(event.ID), getMailboxName(event.Label)))
 	})
@ -197,7 +201,7 @@ func (user *User) handleCreateLabelEvent(ctx context.Context, event liteapi.Labe
 	return nil
 }

-func (user *User) handleUpdateLabelEvent(ctx context.Context, event liteapi.LabelEvent) error {
+func (user *User) handleUpdateLabelEvent(_ context.Context, event liteapi.LabelEvent) error { //nolint:unparam
 	user.updateCh.IterValues(func(updateCh *queue.QueuedChannel[imap.Update]) {
 		updateCh.Enqueue(imap.NewMailboxUpdated(imap.LabelID(event.ID), getMailboxName(event.Label)))
 	})
@ -205,7 +209,7 @@ func (user *User) handleUpdateLabelEvent(ctx context.Context, event liteapi.Labe
 	return nil
 }

-func (user *User) handleDeleteLabelEvent(ctx context.Context, event liteapi.LabelEvent) error {
+func (user *User) handleDeleteLabelEvent(_ context.Context, event liteapi.LabelEvent) error { //nolint:unparam
 	user.updateCh.IterValues(func(updateCh *queue.QueuedChannel[imap.Update]) {
 		updateCh.Enqueue(imap.NewMailboxDeleted(imap.LabelID(event.ID)))
 	})
@ -258,7 +262,7 @@ func (user *User) handleCreateMessageEvent(ctx context.Context, event liteapi.Me
 	})
 }

-func (user *User) handleUpdateMessageEvent(ctx context.Context, event liteapi.MessageEvent) error {
+func (user *User) handleUpdateMessageEvent(_ context.Context, event liteapi.MessageEvent) error { //nolint:unparam
 	update := imap.NewMessageLabelsUpdated(
 		imap.MessageID(event.ID),
 		mapTo[string, imap.LabelID](xslices.Filter(event.Message.LabelIDs, wantLabelID)),
@ -283,6 +287,10 @@ func getMailboxName(label liteapi.Label) []string {
 	case liteapi.LabelTypeLabel:
 		name = append([]string{labelPrefix}, label.Path...)

+	case liteapi.LabelTypeContactGroup:
+		fallthrough
+	case liteapi.LabelTypeSystem:
+		fallthrough
 	default:
 		name = label.Path
 	}
--- a/internal/user/imap.go
+++ b/internal/user/imap.go
@ -20,15 +20,15 @@ package user
 import (
 	"context"
 	"fmt"
-	"github.com/ProtonMail/gopenpgp/v2/crypto"
-	"github.com/google/uuid"
-	"github.com/sirupsen/logrus"
 	"time"

 	"github.com/ProtonMail/gluon/imap"
 	"github.com/ProtonMail/gluon/queue"
+	"github.com/ProtonMail/gopenpgp/v2/crypto"
 	"github.com/ProtonMail/proton-bridge/v2/internal/safe"
 	"github.com/ProtonMail/proton-bridge/v2/internal/vault"
+	"github.com/google/uuid"
+	"github.com/sirupsen/logrus"
 	"gitlab.protontech.ch/go/liteapi"
 	"golang.org/x/exp/slices"
 )
@ -94,6 +94,10 @@ func (conn *imapConnector) GetLabel(ctx context.Context, labelID imap.LabelID) (
 	case liteapi.LabelTypeFolder:
 		name = []string{folderPrefix, label.Name}

+	case liteapi.LabelTypeContactGroup:
+		fallthrough
+	case liteapi.LabelTypeSystem:
+		fallthrough
 	default:
 		name = []string{label.Name}
 	}
@ -163,6 +167,9 @@ func (conn *imapConnector) UpdateLabel(ctx context.Context, labelID imap.LabelID

 	case liteapi.LabelTypeSystem:
 		return fmt.Errorf("cannot rename system label %q", label.Name)
+
+	case liteapi.LabelTypeContactGroup:
+		return fmt.Errorf("cannot rename contact group label %q", label.Name)
 	}

 	if _, err := conn.client.UpdateLabel(ctx, label.ID, liteapi.UpdateLabelReq{
@ -212,7 +219,6 @@ func (conn *imapConnector) CreateMessage(
 	flags imap.FlagSet,
 	date time.Time,
 ) (imap.Message, []byte, error) {
-
 	var msgFlags liteapi.MessageFlag

 	switch labelID {
@ -288,18 +294,18 @@ func (conn *imapConnector) MoveMessages(ctx context.Context, messageIDs []imap.M
 func (conn *imapConnector) MarkMessagesSeen(ctx context.Context, messageIDs []imap.MessageID, seen bool) error {
 	if seen {
 		return conn.client.MarkMessagesRead(ctx, mapTo[imap.MessageID, string](messageIDs)...)
-	} else {
-		return conn.client.MarkMessagesUnread(ctx, mapTo[imap.MessageID, string](messageIDs)...)
 	}
+
+	return conn.client.MarkMessagesUnread(ctx, mapTo[imap.MessageID, string](messageIDs)...)
 }

 // MarkMessagesFlagged sets the flagged value of the given messages.
 func (conn *imapConnector) MarkMessagesFlagged(ctx context.Context, messageIDs []imap.MessageID, flagged bool) error {
 	if flagged {
 		return conn.client.LabelMessages(ctx, mapTo[imap.MessageID, string](messageIDs), liteapi.StarredLabel)
-	} else {
-		return conn.client.UnlabelMessages(ctx, mapTo[imap.MessageID, string](messageIDs), liteapi.StarredLabel)
 	}
+
+	return conn.client.UnlabelMessages(ctx, mapTo[imap.MessageID, string](messageIDs), liteapi.StarredLabel)
 }

 // GetUpdates returns a stream of updates that the gluon server should apply.
--- a/internal/user/smtp.go
+++ b/internal/user/smtp.go
@ -51,7 +51,7 @@ type smtpSession struct {
 	// from is the current sending address (taken from the return path).
 	from string

-	// fromAddrID is the ID of the curent sending address (taken from the return path).
+	// fromAddrID is the ID of the current sending address (taken from the return path).
 	fromAddrID string

 	// to holds all to for the current message.
@ -72,7 +72,7 @@ func newSMTPSession(user *User, email string) (*smtpSession, error) {
 	})
 }

-// Discard currently processed message.
+// Reset Discard currently processed message.
 func (session *smtpSession) Reset() {
 	logrus.Info("SMTP session reset")

@ -82,7 +82,7 @@ func (session *smtpSession) Reset() {
 	session.to = nil
 }

-// Free all resources associated with session.
+// Logout Free all resources associated with session.
 func (session *smtpSession) Logout() error {
 	defer session.Reset()

@ -91,7 +91,7 @@ func (session *smtpSession) Logout() error {
 	return nil
 }

-// Set return path for currently processed message.
+// Mail Set return path for currently processed message.
 func (session *smtpSession) Mail(from string, opts smtp.MailOptions) error {
 	logrus.Info("SMTP session mail")

@ -127,7 +127,7 @@ func (session *smtpSession) Mail(from string, opts smtp.MailOptions) error {
 	})
 }

-// Add recipient for currently processed message.
+// Rcpt Add recipient for currently processed message.
 func (session *smtpSession) Rcpt(to string) error {
 	logrus.Info("SMTP session rcpt")

@ -142,8 +142,8 @@ func (session *smtpSession) Rcpt(to string) error {
 	return nil
 }

-// Set currently processed message contents and send it.
-func (session *smtpSession) Data(r io.Reader) error {
+// Data Set currently processed message contents and send it.
+func (session *smtpSession) Data(r io.Reader) error { //nolint:funlen
 	logrus.Info("SMTP session data")

 	ctx, cancel := context.WithCancel(context.Background())
@ -234,7 +234,7 @@ func (session *smtpSession) Data(r io.Reader) error {
 }

 // sendWithKey sends the message with the given address key.
-func sendWithKey(
+func sendWithKey( //nolint:funlen
 	ctx context.Context,
 	client *liteapi.Client,
 	authAddrID string,
@ -260,6 +260,14 @@ func sendWithKey(

 	case rfc822.TextPlain:
 		decBody = string(message.PlainBody)
+	case rfc822.MultipartRelated:
+		fallthrough
+	case rfc822.MultipartMixed:
+		fallthrough
+	case rfc822.MessageRFC822:
+		fallthrough
+	default:
+		break
 	}

 	encBody, err := addrKR.Encrypt(crypto.NewPlainMessageFromString(decBody), nil)
@ -311,7 +319,7 @@ func sendWithKey(
 	return res, nil
 }

-func getParentID(
+func getParentID( //nolint:funlen
 	ctx context.Context,
 	client *liteapi.Client,
 	authAddrID string,
@ -402,7 +410,7 @@ func createDraft(
 		return strings.EqualFold(email, sanitizeEmail(template.Sender.Address))
 	}); idx < 0 {
 		return liteapi.Message{}, fmt.Errorf("address %q is not owned by user", template.Sender.Address)
-	} else {
+	} else { //nolint:revive
 		template.Sender.Address = constructEmail(template.Sender.Address, emails[idx])
 	}

--- a/internal/user/smtp_prefs.go
+++ b/internal/user/smtp_prefs.go
@ -68,6 +68,17 @@ func newContactSettings(settings liteapi.ContactSettings) *contactSettings {

 		case liteapi.PGPInlineScheme:
 			metadata.Scheme = pgpInline
+
+		case liteapi.InternalScheme:
+			fallthrough
+		case liteapi.EncryptedOutsideScheme:
+			fallthrough
+		case liteapi.ClearScheme:
+			fallthrough
+		case liteapi.ClearMIMEScheme:
+			fallthrough
+		default:
+			break
 		}
 	}

@ -253,7 +264,7 @@ func (b *sendPrefsBuilder) build() (p liteapi.SendPreferences) {
 		p.EncryptionScheme = liteapi.ClearScheme
 	}

-	return
+	return p
 }

 // setPGPSettings returns a SendPreferences with the following possible values:
--- a/internal/user/sync.go
+++ b/internal/user/sync.go
@ -137,7 +137,7 @@ func syncLabels(ctx context.Context, client *liteapi.Client, updateCh ...*queue.
 	return nil
 }

-func syncMessages(
+func syncMessages( //nolint:funlen
 	ctx context.Context,
 	userID string,
 	client *liteapi.Client,
--- a/internal/user/sync_build.go
+++ b/internal/user/sync_build.go
@ -47,7 +47,7 @@ func defaultJobOpts() message.JobOptions {
 	}
 }

-func buildRFC822(ctx context.Context, full liteapi.FullMessage, addrKR *crypto.KeyRing) (*buildRes, error) {
+func buildRFC822(_ context.Context, full liteapi.FullMessage, addrKR *crypto.KeyRing) (*buildRes, error) {
 	literal, err := message.BuildRFC822(addrKR, full.Message, full.AttData, defaultJobOpts())
 	if err != nil {
 		return nil, fmt.Errorf("failed to build message %s: %w", full.ID, err)
--- a/internal/user/types.go
+++ b/internal/user/types.go
@ -35,7 +35,7 @@ func mapTo[From, To any](from []From) []To {
 	for _, from := range from {
 		val, ok := reflect.ValueOf(from).Convert(reflect.TypeOf(to).Elem()).Interface().(To)
 		if !ok {
-			panic(fmt.Sprintf("cannot convert %T to %T", from, *new(To)))
+			panic(fmt.Sprintf("cannot convert %T to %T", from, *new(To))) //nolint:gocritic
 		}

 		to = append(to, val)
--- a/internal/user/user.go
+++ b/internal/user/user.go
@ -38,8 +38,8 @@ import (
 )

 var (
-	EventPeriod = 20 * time.Second // nolint:gochecknoglobals
-	EventJitter = 20 * time.Second // nolint:gochecknoglobals
+	EventPeriod = 20 * time.Second // nolint:gochecknoglobals,revive
+	EventJitter = 20 * time.Second // nolint:gochecknoglobals,revive
 )

 type User struct {
@ -55,7 +55,7 @@ type User struct {
 	syncLock   try.Group
 }

-func New(ctx context.Context, encVault *vault.User, client *liteapi.Client, apiUser liteapi.User) (*User, error) {
+func New(ctx context.Context, encVault *vault.User, client *liteapi.Client, apiUser liteapi.User) (*User, error) { //nolint:funlen
 	// Get the user's API addresses.
 	apiAddrs, err := client.GetAddresses(ctx)
 	if err != nil {
@ -125,7 +125,7 @@ func New(ctx context.Context, encVault *vault.User, client *liteapi.Client, apiU
 		})
 	})

-	// TODO: Don't start the event loop until the initial sync has finished!
+	// GODT-1946 - Don't start the event loop until the initial sync has finished.
 	eventCh := user.client.NewEventStream(EventPeriod, EventJitter, user.vault.EventID())

 	// If we haven't synced yet, do it first.
@ -276,7 +276,7 @@ func (user *User) MaxSpace() int {
 	})
 }

-// GetEventCh returns a channel which notifies of events happening to the user (such as deauth, address change)
+// GetEventCh returns a channel which notifies of events happening to the user (such as deauth, address change).
 func (user *User) GetEventCh() <-chan events.Event {
 	return user.eventCh.GetChannel()
 }
@ -464,7 +464,7 @@ func (user *User) startSync() <-chan error {
 }

 // AbortSync aborts any ongoing sync.
-// TODO: Should probably be done automatically when one of the user's IMAP connectors is closed.
+// GODT-1947: Should probably be done automatically when one of the user's IMAP connectors is closed.
 func (user *User) stopSync() {
 	select {
 	case user.syncStopCh <- struct{}{}:
--- a/internal/user/user_test.go
+++ b/internal/user/user_test.go
@ -96,7 +96,7 @@ func TestUser_Deauth(t *testing.T) {
 	})
 }

-func withAPI(t *testing.T, ctx context.Context, fn func(context.Context, *server.Server, *liteapi.Manager)) {
+func withAPI(_ *testing.T, ctx context.Context, fn func(context.Context, *server.Server, *liteapi.Manager)) { //nolint:revive
 	server := server.New()
 	defer server.Close()

@ -104,11 +104,11 @@ func withAPI(t *testing.T, ctx context.Context, fn func(context.Context, *server
 }

 func withAccount(t *testing.T, s *server.Server, username, password string, emails []string, fn func(string, []string)) {
-	var addrIDs []string
-
 	userID, addrID, err := s.CreateUser(username, emails[0], []byte(password))
 	require.NoError(t, err)

+	addrIDs := make([]string, 0, len(emails))
+
 	addrIDs = append(addrIDs, addrID)

 	for _, email := range emails[1:] {
@ -121,7 +121,7 @@ func withAccount(t *testing.T, s *server.Server, username, password string, emai
 	fn(userID, addrIDs)
 }

-func withUser(t *testing.T, ctx context.Context, s *server.Server, m *liteapi.Manager, username, password string, fn func(*user.User)) {
+func withUser(t *testing.T, ctx context.Context, _ *server.Server, m *liteapi.Manager, username, password string, fn func(*user.User)) { //nolint:revive
 	client, apiAuth, err := m.NewClientWithLogin(ctx, username, []byte(password))
 	require.NoError(t, err)
 	defer func() { require.NoError(t, client.Close()) }()
--- a/internal/vault/helper.go
+++ b/internal/vault/helper.go
@ -32,11 +32,13 @@ type Keychain struct {
 func GetHelper(vaultDir string) (string, error) {
 	var keychain Keychain

-	if _, err := os.Stat(filepath.Join(vaultDir, "keychain.json")); errors.Is(err, fs.ErrNotExist) {
+	filePath := filepath.Clean(filepath.Join(vaultDir, "keychain.json"))
+
+	if _, err := os.Stat(filePath); errors.Is(err, fs.ErrNotExist) {
 		return "", nil
 	}

-	b, err := os.ReadFile(filepath.Join(vaultDir, "keychain.json"))
+	b, err := os.ReadFile(filePath)
 	if err != nil {
 		return "", err
 	}
@ -54,5 +56,7 @@ func SetHelper(vaultDir, helper string) error {
 		return err
 	}

-	return os.WriteFile(filepath.Join(vaultDir, "keychain.json"), b, 0o600)
+	filePath := filepath.Clean(filepath.Join(vaultDir, "keychain.json"))
+
+	return os.WriteFile(filePath, b, 0o600)
 }
--- a/internal/vault/token.go
+++ b/internal/vault/token.go
@ -23,7 +23,7 @@ import (

 // RandomToken is a function that returns a random token.
 // By default, we use crypto.RandomToken to generate tokens.
-var RandomToken = crypto.RandomToken
+var RandomToken = crypto.RandomToken // nolint:gochecknoglobals

 func newRandomToken(size int) []byte {
 	token, err := RandomToken(size)
--- a/internal/vault/types.go
+++ b/internal/vault/types.go
@ -73,7 +73,7 @@ func newDefaultSettings(gluonDir string) Settings {
 		SMTPSSL:  false,

 		UpdateChannel: updater.DefaultUpdateChannel,
-		UpdateRollout: rand.Float64(),
+		UpdateRollout: rand.Float64(), //nolint:gosec

 		ColorScheme:  "",
 		ProxyAllowed: true,
--- a/internal/vault/user_test.go
+++ b/internal/vault/user_test.go
@ -154,7 +154,7 @@ func TestUser_ForEach(t *testing.T) {
 	require.NoError(t, err)

 	// Iterate through the users.
-	s.ForUser(func(user *vault.User) error {
+	err = s.ForUser(func(user *vault.User) error {
 		switch user.UserID() {
 		case "userID1":
 			require.Equal(t, "username1", user.Username())
@ -175,6 +175,8 @@ func TestUser_ForEach(t *testing.T) {
 		return nil
 	})

+	require.NoError(t, err)
+
 	// Try to delete the first user; it should fail because it is still in use.
 	require.Error(t, s.DeleteUser("userID1"))

--- a/internal/vault/vault.go
+++ b/internal/vault/vault.go
@ -20,12 +20,12 @@ package vault
 import (
 	"crypto/aes"
 	"crypto/cipher"
+	"crypto/rand"
 	"crypto/sha256"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io/fs"
-	"math/rand"
 	"os"
 	"path/filepath"
 	"sync"
@ -184,7 +184,7 @@ func (vault *Vault) attachUser(userID string) *User {
 	vault.refLock.Lock()
 	defer vault.refLock.Unlock()

-	vault.ref[userID] += 1
+	vault.ref[userID]++

 	return &User{
 		vault:  vault,
@ -200,7 +200,7 @@ func (vault *Vault) detachUser(userID string) error {
 		return fmt.Errorf("user %s is not attached", userID)
 	}

-	vault.ref[userID] -= 1
+	vault.ref[userID]--

 	if vault.ref[userID] == 0 {
 		delete(vault.ref, userID)
@ -216,7 +216,7 @@ func newVault(path, gluonDir string, gcm cipher.AEAD) (*Vault, bool, error) {
 		}
 	}

-	enc, err := os.ReadFile(path)
+	enc, err := os.ReadFile(filepath.Clean(path))
 	if err != nil {
 		return nil, false, err
 	}