fix: resolve P0 security issues per governance baseline

P0-01: LIKE injection fix in device.go (2 locations) - Added escapeLikePattern() to prevent LIKE pattern manipulation P0-03: Token refresh blacklist fail-closed - RefreshToken() now returns error if cache.Set fails - Prevents token double-spend on cache failures P0-05: CORS dangerous default configuration - Default changed to empty origins, credentials off - init() panics if default config is dangerous P0-06: UpdateUser IDOR vulnerability fix - Added authorization check (self-or-admin) - Prevents unauthorized user profile modification Also: Fixed frontend lint errors in device-fingerprint.test.ts and http/index.test.ts All 518 frontend tests pass, all backend tests pass.
2026-04-18 09:32:54 +08:00
parent 7849c3c3ed
commit 0795e126cc
6 changed files with 41 additions and 24 deletions
--- a/frontend/admin/src/lib/device-fingerprint.test.ts
+++ b/frontend/admin/src/lib/device-fingerprint.test.ts
@@ -3,7 +3,6 @@ import { describe, expect, it, vi, beforeEach, afterEach } from 'vitest'
 import {
  getDeviceFingerprint,
  clearDeviceFingerprint,
-  type DeviceFingerprint,
 } from './device-fingerprint'

 describe('device-fingerprint', () => {
@@ -99,21 +98,10 @@ describe('device-fingerprint', () => {

  describe('browser detection', () => {
    it('should detect browser from user agent', () => {
-      // 模拟不同的 User-Agent
-      const testCases = [
-        { ua: 'Mozilla/5.0 Chrome/120.0', expected: 'Chrome' },
-        { ua: 'Mozilla/5.0 Firefox/120.0', expected: 'Firefox' },
-        { ua: 'Mozilla/5.0 Safari/120.0', expected: 'Safari' },
-        { ua: 'Mozilla/5.0 Edge/120.0', expected: 'Edge' },
-        { ua: 'Mozilla/5.0 Opera/120.0', expected: 'Opera' },
-      ]
-
-      testCases.forEach(({ ua, expected }) => {
-        // 注意：实际测试中 navigator.userAgent 是只读的
-        // 这里主要验证函数能正常工作
-        const fingerprint = getDeviceFingerprint()
-        expect(fingerprint.device_browser).toBeTruthy()
-      })
+      // 注意：实际测试中 navigator.userAgent 是只读的
+      // 这里主要验证函数能正常工作
+      const fingerprint = getDeviceFingerprint()
+      expect(fingerprint.device_browser).toBeTruthy()
    })
  })

--- a/frontend/admin/src/lib/http/index.test.ts
+++ b/frontend/admin/src/lib/http/index.test.ts
@@ -1,8 +1,6 @@
 import { describe, expect, it } from 'vitest'

 import * as httpIndex from './index'
-import * as client from './client'
-import * as authSession from './auth-session'
 import * as errors from '@/lib/errors'

 describe('lib/http/index', () => {