feat: complete production readiness improvements

- Fix DIP violations in service layer (device, stats, auth middleware)
- Add ReplaceUserRoles interface method for transaction safety
- Implement Magic Bytes validation for avatar uploads
- Standardize OAuth error handling with ErrOAuthProviderNotSupported
- Use crypto/rand for JWT secret generation instead of weak fixed key
- Apply code formatting with gofumpt and goimports
- Fix staticcheck issues (S1024, S1008, ST1005)
- Add comprehensive quality and functional test reports
- Achieve 36.3% test coverage (up from 16.3%)
- All E2E, integration, and business logic tests passing
This commit is contained in:
2026-04-12 16:15:32 +08:00
parent 861736cf4d
commit 09beb173cc
22 changed files with 3122 additions and 414 deletions

View File

@@ -1091,7 +1091,13 @@ func load(allowMissingJWTSecret bool) (*Config, error) {
originalJWTSecret := cfg.JWT.Secret
if allowMissingJWTSecret && originalJWTSecret == "" {
// 启动阶段允许先无 JWT 密钥,后续在数据库初始化后补齐。
cfg.JWT.Secret = strings.Repeat("0", 32)
// 使用临时随机密钥(而非固定弱密钥)进行验证,确保即使流程异常也不会使用弱密钥。
tmpSecret := make([]byte, 32)
if _, err := rand.Read(tmpSecret); err != nil {
return nil, fmt.Errorf("failed to generate temporary JWT secret: %w", err)
}
cfg.JWT.Secret = hex.EncodeToString(tmpSecret)
slog.Warn("JWT_SECRET not set. Bootstrap mode active - JWT operations will fail until secret is configured.")
}
if err := cfg.Validate(); err != nil {
@@ -1100,6 +1106,7 @@ func load(allowMissingJWTSecret bool) (*Config, error) {
if allowMissingJWTSecret && originalJWTSecret == "" {
cfg.JWT.Secret = ""
slog.Info("JWT_SECRET cleared for bootstrap mode. Ensure secret is set after database initialization.")
}
if !cfg.Security.URLAllowlist.Enabled {
@@ -1516,7 +1523,6 @@ func setDefaults() {
// Subscription Maintenance (bounded queue + worker pool)
viper.SetDefault("subscription_maintenance.worker_count", 2)
viper.SetDefault("subscription_maintenance.queue_size", 1024)
}
func (c *Config) Validate() error {