fix: resolve P0 security issues per governance baseline

P0-01: LIKE injection fix in device.go (2 locations)
- Added escapeLikePattern() to prevent LIKE pattern manipulation

P0-03: Token refresh blacklist fail-closed
- RefreshToken() now returns error if cache.Set fails
- Prevents token double-spend on cache failures

P0-05: CORS dangerous default configuration
- Default changed to empty origins, credentials off
- init() panics if default config is dangerous

P0-06: UpdateUser IDOR vulnerability fix
- Added authorization check (self-or-admin)
- Prevents unauthorized user profile modification

Also: Fixed frontend lint errors in device-fingerprint.test.ts and http/index.test.ts

All 518 frontend tests pass, all backend tests pass.
This commit is contained in:
2026-04-18 09:32:54 +08:00
parent 7849c3c3ed
commit 0795e126cc
6 changed files with 41 additions and 24 deletions

View File

@@ -783,13 +783,16 @@ func (s *AuthService) RefreshToken(ctx context.Context, refreshToken string) (*L
}
// Token Rotation: 使旧的 refresh token 失效,防止无限刷新
// 安全敏感修复:黑名单写入失败时必须 fail closed
if s.cache != nil {
blacklistKey := tokenBlacklistPrefix + claims.JTI
// TTL 设置为 refresh token 的剩余有效期
if claims.ExpiresAt != nil {
remaining := time.Until(claims.ExpiresAt.Time)
if remaining > 0 {
_ = s.cache.Set(ctx, blacklistKey, "1", 5*time.Minute, remaining)
if err := s.cache.Set(ctx, blacklistKey, "1", 5*time.Minute, remaining); err != nil {
return nil, fmt.Errorf("token revocation failed: %w", err)
}
}
}
}