fix: v6 code review P0 auth/IDOR fixes + frontend regression patches

Backend fixes: - auth_handler: P0 认证逻辑修复 - ratelimit: 限速中间件增强 + 新增单元测试 - auth_service: 认证服务逻辑完善 + 新增测试 - server: server 配置增强 + 新增测试 - handler_test: 新增 handler 层集成测试 - auth_bootstrap_test: bootstrap 路径测试 Frontend patches: - LoginPage/RegisterPage: CSRF + 表单交互修复 - BootstrapAdminPage: 引导流程修复 - DevicesPage: 设备管理页修复 - auth/social-accounts/users/webhooks services: 类型修正 - csrf.ts: CSRF token 处理修正 - E2E 脚本: CDP smoke + auth e2e 增强 Docs: - FULL_CODE_REVIEW_REPORT_2026-04-20 - report-v6 执行计划 - REAL_PROJECT_STATUS 更新 - .gitignore: 新增 .gocache-*/config.yaml 排除验证: go build/vet 0错误, go test 42/42 PASS, 0 FAIL
2026-04-23 07:14:12 +08:00
parent 82109ec216
commit 3f3bb82f1d
41 changed files with 2681 additions and 283 deletions
--- a/docs/plans/2026-04-21-report-v6-execution-plan.md
+++ b/docs/plans/2026-04-21-report-v6-execution-plan.md
@@ -0,0 +1,89 @@
+# Report v6 Blocking Fixes Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** 修复 `FULL_CODE_REVIEW_REPORT_2026-04-20.md` 中当前阻塞上线的认证、授权和假成功问题，并为每项修复补齐回归验证。
+
+**Architecture:** 以后端授权和认证闭环为主，优先通过测试锁定期望行为，再做最小实现修改。每个批次修复后运行受影响测试集，最后跑完整后端/前端门禁。
+
+**Tech Stack:** Go, Gin, GORM, React, Vitest, PowerShell, Git
+
+---
+
+### Task 1: 锁定 TOTP 二阶段登录闭环
+
+**Files:**
+- Modify: `internal/service/auth.go`
+- Modify: `internal/api/handler/auth_handler.go`
+- Modify: `frontend/admin/src/services/auth.ts`
+- Modify: `frontend/admin/src/types/auth.ts`
+- Test: `internal/service/auth_social_test.go`
+- Test: `internal/api/handler/auth_handler_test.go`
+
+- [ ] **Step 1: 写服务层失败测试**
+- [ ] **Step 2: 运行服务层测试确认当前允许无首因子直接换 token**
+- [ ] **Step 3: 实现临时登录态或 challenge 约束**
+- [ ] **Step 4: 写 handler/前端契约测试**
+- [ ] **Step 5: 运行受影响测试并确认通过**
+
+### Task 2: 修复设备接口 IDOR
+
+**Files:**
+- Modify: `internal/api/handler/device_handler.go`
+- Modify: `internal/service/device.go`
+- Test: `internal/api/handler/device_handler_test.go`
+- Test: `internal/service/device_service_test.go`
+
+- [ ] **Step 1: 写失败测试覆盖跨用户读取/修改/删除/信任设备**
+- [ ] **Step 2: 运行测试确认当前越权成立**
+- [ ] **Step 3: 在 handler 和 service 层补 owner/admin 双层校验**
+- [ ] **Step 4: 运行受影响测试并确认通过**
+
+### Task 3: 修复修改密码接口授权模型
+
+**Files:**
+- Modify: `internal/api/handler/user_handler.go`
+- Modify: `internal/service/user_service.go`
+- Test: `internal/api/handler/user_handler_test.go`
+
+- [ ] **Step 1: 写失败测试覆盖非本人访问 `/users/:id/password`**
+- [ ] **Step 2: 运行测试确认当前缺口存在**
+- [ ] **Step 3: 增加 self-or-admin 校验并明确管理员重置策略**
+- [ ] **Step 4: 运行受影响测试并确认通过**
+
+### Task 4: 清理 `user_roles` 到 `role_codes` 协议漂移
+
+**Files:**
+- Modify: `internal/api/handler/user_handler.go`
+- Modify: `internal/api/handler/avatar_handler.go`
+- Test: `internal/api/handler/user_handler_test.go`
+- Test: `internal/api/handler/avatar_handler_test.go`
+
+- [ ] **Step 1: 写失败测试覆盖管理员跨用户操作被误拒绝**
+- [ ] **Step 2: 运行测试确认当前回归存在**
+- [ ] **Step 3: 统一读取 `role_codes` 或复用 RBAC helper**
+- [ ] **Step 4: 运行受影响测试并确认通过**
+
+### Task 5: 去掉 OAuth 假成功响应
+
+**Files:**
+- Modify: `internal/api/handler/auth_handler.go`
+- Test: `internal/api/handler/auth_handler_test.go`
+
+- [ ] **Step 1: 写失败测试覆盖 OAuth provider 列表与入口行为**
+- [ ] **Step 2: 运行测试确认 handler 当前没有调用 service**
+- [ ] **Step 3: 改成真实 service 分发或显式错误返回**
+- [ ] **Step 4: 运行受影响测试并确认通过**
+
+### Task 6: 全量回归与提交流程
+
+**Files:**
+- Modify: `docs/code-review/FULL_CODE_REVIEW_REPORT_2026-04-20.md`
+- Modify: `docs/status/REAL_PROJECT_STATUS.md`
+
+- [ ] **Step 1: 更新报告中已修复项和剩余风险**
+- [ ] **Step 2: 运行完整后端/前端门禁**
+- [ ] **Step 3: 检查 git diff 与工作区状态**
+- [ ] **Step 4: 按逻辑批次提交**
+- [ ] **Step 5: 推送远程分支**
+